Today, people rely extensively on the Internet for information exchange, professionally or socially. Many Internet applications such as the WWW, e-mail, and instant messengers all provide people with different means to exchange information and collaborate with each other. As a result, the issue of security and privacy protection is becoming more critical. For example, if an information sharing system contains spyware, information may be stolen or destroyed in an undesired way. The Center for Democracy and Technology [CDT], a non-profit organization dedicated to promoting civil liberties values on the Internet, also summarizes potential security risks resulting from inadvertent sharing of sensitive personal information via spyware or adware. [Dav 03] also lists some potential security risks.
To simplify discussion, in this thesis we are concerned with information sharing systems in general. As depicted in Figure 1, an information sharing system consists of data elements, tools that create and operate on these data, and users that establish connections with the system to gain access to the data and tools inside. Information sharing is achieved when data created by one user can be accessed by another. Note that information sharing systems need not maintain data or tools in a centralized place. Many important Internet applications can be regarded as information sharing systems. For example, the most popular and successful one, i.e. the WWW, conceptually forms a global information space that contains numerous Web pages interconnected through hyperlinks, and people use Web browsers to access Web pages created by others behind Web servers.
Figure 1. Illustration of a general information sharing system
Information security concerns the control of use and dissemination of information within an information sharing system. Privacy protection is the ability of a user to control the availability of information about oneself, and is becoming an important topic of information security nowadays. Security policies are security and/or privacy requirements that an information system needs to enforce. Some systems allow administrators or individual users to define security policies in terms of rules about the different conditions under which certain data can be accessed by a particular user. Policy management is a general term that includes policy specification, deployment, reasoning over policies, updating and maintaining policies, and enforcement. For example, Internet Explorer allows users to configure security and privacy settings. Security settings are made by configuring the degree of trust for various web sites in terms of download permissions and execution permissions, such as blocking advertisements from specific sites. Privacy protection is done by setting the permissions for particular web sites to obtain sensitive information about the user through cookies.
Enforcing security policies within a complex system to prevent careless information leakage is nontrivial. Numerous security mechanisms have been developed over the last decades to address this challenge. Common security mechanisms include authentication, authorization, discretionary access control, and information flow control. Authentication is the process of verifying whether a person is really who he/she claims to be, while authorization is the process of checking whether that person is permitted to access a given system or resource. Further introduction to authentication and authorization is beyond the scope of this thesis.
Discretionary access control (DAC) is a kind of security mechanism that prevents destruction of information by defining or restricting the rights of subjects (users, sometimes also called principals), as well as the processes that act for them, to access a particular data object. One main objective of DAC is to protect information from accidental or undesired destruction. The mechanism provided by Internet Explorer as described above is an example of DAC. In general, DAC-based systems grant access rights based on data and subject labeling. For example, most operating systems provide DAC mechanisms that allow users to specify the access rights for individual directories and files they own, such as read, write, and execute operations, for different classes of users within the system. However, most DAC-based systems support labeling in an inefficient way, especially when the volume of data is large. Consider, for example, the strategies and amount of work needed to properly set access rights for all the files a user owns in an operating system, to make sure no accidental leak of information occurs from time to time.
A more serious problem of DAC is that it does not control the dissemination of information, that is, how a user uses the data objects after he/she gains access to them, including improper propagation of the information to other people. To prevent such information leakage, information flow control, also called mandatory access control (MAC), is an approach to preventing unauthorized propagation of information. With data objects properly classified, MAC mechanisms ensure that high-level information cannot flow to low-level users, and users are greatly relieved from otherwise tedious policy management.
Despite the advantage of MAC over DAC, where information flow can be controlled more rigorously, such restriction also prevents a user from releasing part of his/her information to other users or tools for further analysis, an important requirement for many information systems. To remedy this problem, certain declassification mechanisms have been proposed to "breach" security requirements to an acceptable degree. For example, the "acts-for" relation proposed in [Mye97] allows one principal to grant all access rights to
subject A acts for subject B, subject A can get all information that principal B can get, and can even change principal B's policy temporarily to facilitate certain data processing tasks principal A needs. However, as with most DAC mechanisms, the acts-for approach to declassification relies heavily on mutual trust among principals, so careful design and management of the acts-for relations are required.
Take a medical information system as an example, where a doctor may own certain diagnosis information that a statistician wants for further statistical analysis. To achieve this goal, the doctor can declassify such sensitive data by permitting the statistician to act for him, assuming certain agreement or mutual understanding has been established between the two, so that the statistician can get access to the diagnosis data. Obviously, once the acts-for permission is granted, the doctor has no explicit control over how the statistician uses the data. Moreover, even if the statistician has no bad intention, he/she may leak some sensitive information by accident, or while unknowingly under a security attack.
The discussion above about permitting one subject to act on behalf of another, either through the acts-for mechanism in [Mye97] or through other comparable mechanisms, brings up the issue of controlling privacy policies. Many systems, including both DAC- and MAC-based systems, often rely on centralized security administration governing the protection and disclosure of private data. Individuals often have limited options about how their personal data can be protected and used. To deal with this problem, [Mye97] also proposes a decentralized information flow model, so that different users can specify their own policies, respectively, yet the overall information flow remains under control.
When the complexity of policy management is concerned, MAC also faces the problem of correctly managing security policies. It is easy to prevent improper dissemination of information in small systems. In large systems, however, controlling information flow is difficult, especially when the data, tools, and users involved are diverse and the relations among them become complicated.
In this thesis we propose a decentralized information flow model that attempts to address the security and privacy issues highlighted above. Following Myers and Liskov's work, we focus on mechanisms supporting decentralized policy management in a general information sharing environment. Specifically, in our model, users define their own information flow lattice structures, respectively, and associate data with security levels drawn from such lattice structures using user-defined rules. Tools that process and generate data are also an integral part of the model, to enable truly secure information sharing.
Normally, tools respect the information flow jointly defined by the users. When declassification is needed, our model does not rely on the acts-for relation. Instead, tools are labeled individually in a decentralized manner similar to data labeling, but with a downgrading specification describing the tolerable range for each user, expressed in the same user-defined lattice. With this approach, users can grant different tools different capacities based on their understanding of the input-output characteristics of the tools, thereby eliminating the dependency on mutual trust among users. To further reduce potential security risks, we also define a simple yet flexible programming language such that, for tools written in the language, automated analysis and verification can be performed to give users a definite security guarantee about these tools.
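The following is an added illustration, not code from this thesis or its Prolog prototype, of the two ideas discussed above: the lattice-based no-flow-up check of MAC (the doctor/statistician scenario) and per-tool downgrading ranges in place of an acts-for grant. The lattices, owner names, labels and tool specifications are all constructed for the example; a data label is simplified to a map from each owning user to a level in that user's own lattice.

```python
# Constructed example: each user defines their own lattice as (lower, higher)
# edges; a data label maps each owner to a level drawn from that owner's lattice.
LATTICES = {
    "doctor": {("public", "diagnosis"), ("diagnosis", "identity")},
    "statistician": {("public", "stats")},
}

def leq(owner, lo, hi):
    """May level lo flow to level hi in owner's lattice? (reflexive-transitive closure)"""
    seen, frontier = {lo}, [lo]
    while frontier:
        cur = frontier.pop()
        if cur == hi:
            return True
        for a, b in LATTICES[owner]:
            if a == cur and b not in seen:
                seen.add(b)
                frontier.append(b)
    return False

def flows_to(src, dst):
    """Label src flows to label dst only if every owner's policy in src is kept."""
    return all(o in dst and leq(o, lvl, dst[o]) for o, lvl in src.items())

def valid_tool(downgrades):
    """Tool spec: owner -> (from_level, to_level). The target must lie below the
    source in that owner's own lattice, so a tool can only relax, never invert."""
    return all(leq(o, to, frm) for o, (frm, to) in downgrades.items())

def output_label(data_label, downgrades):
    """Apply the tolerable range: an owner's level is lowered only when the input
    level is within the declared range; otherwise the tool just respects the label."""
    out = {}
    for o, lvl in data_label.items():
        if o in downgrades and leq(o, lvl, downgrades[o][0]):
            out[o] = downgrades[o][1]
        else:
            out[o] = lvl
    return out

def accept_request(data_label, downgrades, reader_clearance):
    """Accept only when no breach can happen: well-formed tool spec and the
    tool's output label flows to the reader's clearance label."""
    return valid_tool(downgrades) and flows_to(output_label(data_label, downgrades), reader_clearance)

# Constructed sample: raw diagnosis records carry patient identity; the doctor
# lets the statistician see diagnosis-level data but never identities.
DIAGNOSIS = {"doctor": "identity"}
STATISTICIAN = {"doctor": "diagnosis"}
ANONYMIZE = {"doctor": ("identity", "diagnosis")}  # tool trusted to strip identifiers
AGGREGATE = {"doctor": ("diagnosis", "public")}    # tool only handles de-identified input
```

Running the raw records through ANONYMIZE for the statistician is accepted, while reading them directly or passing them to AGGREGATE (whose range does not cover identity-level input) is rejected, without the doctor ever granting the statistician an acts-for right.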
We have developed a prototype system implementing our ideas using Prolog, and described the system using a type-theoretic approach. Specifically, our system accepts a user query or processing request only when no security breach can happen. The rest of this thesis is organized as follows. In chapter 2, we first present some important background on security mechanisms such as access control and information flow models, and the decentralized approach to information flow pioneered by Myers and Liskov. In chapter 3, we use two information sharing examples to help present the motivation behind our research. In chapter 4, we describe our decentralized information flow model in detail, followed by some analysis of the model using type systems in chapter 5. In chapter 6, we differentiate our model from the work by Myers and Liskov and explain how to achieve similar information sharing policies using our model. Finally, we give some discussion of related work and conclude with some future research directions.