An Information Flow Security Based on Protected Area in eCommerce

An Information Flow Security Method Based on a Protected Area in Electronic Transactions

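  • 서양진 (Department of Computer Engineering, Chung-Ang University)
  • 한상용 (Department of Computer Engineering, College of Engineering, Chung-Ang University)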
  • Published : 2010.02.28

Abstract

Confidentiality is one of the most important requirements of information protection systems. Access control has been used to provide confidentiality, but it has a fundamental problem: it cannot prevent violations of confidentiality committed by authorized users. Information flow control was introduced to resolve this problem, and many approaches based on programming languages have been proposed. However, it is not easy for a programmer to implement the technique at the source code level. Furthermore, the practicality of information flow control is difficult to demonstrate because it does not provide control over programs that have already been developed. This paper proposes a method that enables practical information flow control by using a protected area, a separate part of computer system storage. Case studies are given to show its usefulness.
