Regrading Policies for Flexible Information Flow Control in Session-Typed Concurrency

TL;DR

This paper presents a session-typed concurrency type system with regrading policies that enable safe downgrading of information levels during recursion, ensuring noninterference and security in message-passing processes.

Contribution

It introduces regrading policies expressed via integrity labels, allowing safe downgrading in session-typed concurrent processes and proving progress-sensitive noninterference.

Findings

Type checker implementation supports security-polymorphic processes.

Proves progress-sensitive noninterference for well-typed processes.

Enables safe downgrading of information levels during recursion.

Abstract

Noninterference guarantees that an attacker cannot infer secrets by interacting with a program. Information flow control (IFC) type systems assert noninterference by tracking the level of information learned (pc) and disallowing communication to entities of lesser or unrelated level than the pc. Control flow constructs such as loops are at odds with this pattern because they necessitate downgrading the pc upon recursion to be practical. In a concurrent setting, however, downgrading is not generally safe. This paper utilizes session types to track the flow of information and contributes an IFC type system for message-passing concurrent processes that allows downgrading the pc upon recursion. To make downgrading safe, the paper introduces regrading policies. Regrading policies are expressed in terms of integrity labels, which are also key to safe composition of entities with different regrading policies. The paper develops the type system and proves progress-sensitive noninterference for well-typed processes, ruling out timing attacks that exploit the relative order of messages. The type system has been implemented in a type checker, which supports security-polymorphic processes using local security theories.