It’s My Privilege: Controlling Downgrading in DC-Labels

Bibliographic Details
Published in: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Vol. 9331, pp. 203-219
Main Authors: Waye, Lucas; Buiras, Pablo; King, Dan; Chong, Stephen; Russo, Alejandro
Format: Book Chapter, Conference Proceeding
Language: English
Published: Cham, Springer International Publishing, 2015
Series: Lecture Notes in Computer Science

Summary: Disjunction Category Labels (DC-labels) are an expressive label format used to classify the sensitivity of data in information-flow control systems. DC-labels use capability-like privileges to downgrade information. Inappropriate use of privileges can compromise security, but DC-labels provide no mechanism to ensure appropriate use. We extend DC-labels with the novel notions of bounded privileges and robust privileges. Bounded privileges specify and enforce upper and lower bounds on the labels of data that may be downgraded. Bounded privileges are simple and intuitive, yet can express a rich set of desirable security policies. Robust privileges can be used only in downgrading operations that are robust, i.e., the code exercising privileges cannot be abused to release or certify more information than intended. Surprisingly, robust downgrades can be expressed in DC-labels as downgrading operations using a weakened privilege. We provide sound and complete run-time security checks to ensure downgrading operations are robust. We illustrate the applicability of bounded and robust privileges in a case study as well as by identifying a vulnerability in an existing DC-label-based application.
Acknowledgements: This work is supported in part by the National Science Foundation under Grants 1054172 and 1421770, DARPA CRASH under contract #N66001-10-2-4088, the Swedish research agencies VR and STINT, and the Barbro Osher Pro Suecia foundation. A. Russo: work done while visiting Stanford.
ISBN: 331924857X, 9783319248578
ISSN: 0302-9743, 1611-3349
DOI: 10.1007/978-3-319-24858-5_13