Security Labels, Enforcing Computer System Security

Today, computer system security enforcement is typically implemented by incorporating policy-specific monitors into software systems. Each time an operation is invoked, the monitor checks whether allowing that invocation to proceed violates the security policy. This approach, however, only handles certain kinds of security policies about information use, and privacy policies are, at best, awkward to enforce.

This project explores an alternative to monitors. Fred B. Schneider, Computer Science, investigates enforcement mechanisms that associate a policy-specific security label with each piece of information a system handles. Security labels are not widely used today because existing schemes lack expressive power—they cannot describe the various kinds of constraints we might like to have enforced. Yet labels do offer end-to-end guarantees, which enforce policies on data throughout the duration that it flows through the system. Operation monitors cannot offer these guarantees. Also, security labels are amenable to static enforcement and, therefore, computer scientists can automatically verify that a program using labels enforces all of the specified information flow restrictions.

The project’s study specifically begins with a new class of security labels called reactive information flow (RIF) specifications. Informally, an RIF specification for a piece of information gives allowed and prohibited uses, as well as the RIF specification for any values that might be directly or indirectly derived from the labeled information. RIF specifications therefore allow the restrictions on any information produced by a computation to differ from the restrictions on its inputs. This flexibility to reclassify information is important for writing use restrictions, and it allows for a more versatile and thorough alternative to current strategies.

Cornell Researchers

Funding Received

$1 Million spanning 3 years

Sponsored by