A Calculus for Flow-Limited Authorization
Owen Arden, Anitha Gollamudi, Ethan Cecchetti, Stephen Chong, Andrew C. Myers
Real-world applications routinely make authorization decisions based on
dynamic computation. Reasoning about dynamically computed authority is
challenging. Integrity of the system might be compromised if attackers can
improperly influence the authorizing computation. Confidentiality can also be
compromised by authorization, since authorization decisions are often based on
sensitive data such as membership lists and passwords. Previous formal models
for authorization do not fully address the security implications of permitting
trust relationships to change, which limits their ability to reason about
authority that derives from dynamic computation. Our goal is an approach to
constructing dynamic authorization mechanisms that do not violate
confidentiality or integrity.
The Flow-Limited Authorization Calculus (FLAC) is a simple, expressive model
for reasoning about dynamic authorization as well as an information flow
control language for securely implementing various authorization mechanisms.
FLAC combines the insights of two previous models: it extends the Dependency
Core Calculus with features made possible by the Flow-Limited Authorization
Model. FLAC provides strong end-to-end information security guarantees even for
programs that incorporate and implement rich dynamic authorization mechanisms.
These guarantees include noninterference and robust declassification, which
prevent attackers from influencing information disclosures in unauthorized
ways. We prove these security properties formally for all FLAC programs and
explore the expressiveness of FLAC with several examples.