Information Flow Security Analysis Techniques

  • Shin Seung-cheol (신승철) (School of Internet Media Engineering, Korea University of Technology and Education)
  • Published : 2006.10.30

Abstract

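The field of software security lies at the intersection of information security, software engineering, and programming languages. This article describes information flow security analysis as one example of approaching software security problems with programming language techniques. It first recalls the security problems to which information flow security is relevant, then explains the basic concepts of the programming language techniques that address them, with a focus on program analysis, and introduces recent research trends.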
