ANOSY: approximated knowledge synthesis with refinement types for declassification

  title={ANOSY: approximated knowledge synthesis with refinement types for declassification},
  author={Sankha Narayan Guria and Niki Vazou and Marco Guarnieri and James Parker},
  journal={Proceedings of the 43rd ACM SIGPLAN International Conference on Programming Language Design and Implementation},
Non-interference is a popular way to enforce confidentiality of sensitive data. However, declassification of sensitive information is often needed in realistic applications but breaks non-interference. We present ANOSY, an approximate knowledge synthesizer for quantitative declassification policies. ANOSY uses refinement types to automatically construct machine checked over- and under-approximations of attacker knowledge for boolean queries on multi-integer secrets. It also provides an AnosyT… 

Figures and Tables from this paper


Liquid information flow control
Lifty is presented, a domain-specific language for data-centric applications that manipulate sensitive data that is sufficiently expressive to specify many real-world policies, and the Lifty type checker is able to verify secure programs and find leaks in insecure programs quickly.
Declassification: Dimensions and principles
A road map of the main directions of current research in information release is provided, by classifying the basic goals according to what information is released, who releases information, where in the system information isreleased and when information can be released.
Functional pearl: two can keep a secret, if one of them uses Haskell
This pearl presents a monadic API which statically protects confidentiality even in the presence of advanced features like exceptions, concurrency, and mutable data structures, and a mechanism to safely extend the library with new primitives.
Information-Flow Control for Database-Backed Applications
This work proposes a novel security monitor that automatically synthesizes program-level code that replicates the behavior of database features like triggers, thereby tracking information flows inside the database and introduces symbolic tuples, an efficient approximation of dependency-tracking over disclosure lattices.
Encoding information flow in Haskell
  • Peng Li, S. Zdancewic
  • Computer Science
    19th IEEE Computer Security Foundations Workshop (CSFW'06)
  • 2006
An embedded security sublanguage for enforcing information-flow policies in the standard Haskell programming language, designed using a standard combinator interface called arrows, which provides great flexibility and modularity for using security-policy frameworks.
Very Static Enforcement of Dynamic Policies
A straightforward extension to the principal flow-sensitive type system introduced by Hunt and Sands POPL '06, ESOP '11 to infer both end-to-end dependencies and dependencies at intermediate points in a program, which allows typings to be applied to verification of both static and dynamic policies.
Dynamic enforcement of knowledge-based security policies using probabilistic abstract interpretation
This paper explores the idea of knowledge-based security policies, which are used to decide whether to answer queries over secret data based on an estimation of the querier's possibly increased knowledge given the results, and develops an approach to augment standard abstract domains to include probabilities, and thus define distributions.
Information flow enforcement in monadic libraries
It is shown that information flow policies can be enforced on imperative-style monadic APIs in a modular and reasonably general way with only a minor impact on the interface provided to API users.
Exploring and enforcing security guarantees via program dependence graphs
We present PIDGIN, a program analysis and understanding tool that enables the specification and enforcement of precise application-specific information security guarantees. PIDGIN also allows…
Approximation and Randomization for Quantitative Information-Flow Analysis
The approach relies on a sampling method to enumerate large or unbounded secret spaces, and applies both static and dynamic program analysis techniques to deliver necessary over- and under-approximations of information-theoretic characteristics.