Exception-based information flow control in object-oriented systems

Abstract

We present an approach to control information flow in object-oriented systems. The decision of whether an information flow is permitted or denied depends on both the authorizations specified on the objects and the process by which information is obtained and transmitted. Depending on the specific computations, a process accessing sensitive information could still be allowed to release information to users who are not allowed to directly access it. Exceptions to the permissions and restrictions stated by the authorizations are specified by means of exceptions associated with methods. Two kinds of exceptions are considered: invoke exceptions, applicable during a mehtod execution and reply exceptions applicable to the information returned by a method. Information flowing from one object into another or returned to the user is subject to the different exceptions specified for the methods enforcing the transmission. We formally characterize information transmission and flow in a transaction and define the conditions for safe information flow. We define security specifications and characterize safe information flows. We propose an approach to control unsafe flows and present an algorithm to enforce it. We also illustrate an efficient implementation of our controls and present some experimental results evaluating its performance.