TY - GEN
T1 - Cryptographic Enforcement of Language-Based Information Erasure
AU - Askarov, Aslan
AU - Moore, Scott
AU - Dimoulas, Christos
AU - Chong, Stephen
N1 - Funding Information:
This work is supported by the National Science Foundation under Grant No. 1054172 and by the Air Force Research Laboratory. We would like to thank Anitha Gollamudi for her helpful feedback.
Publisher Copyright:
© 2015 IEEE.
PY - 2015/9/4
Y1 - 2015/9/4
N2 - Information erasure is a formal security requirement that stipulates when sensitive data must be removed from computer systems. In a system that correctly enforces erasure requirements, an attacker who observes the system after sensitive data is required to have been erased cannot deduce anything about the data. Practical obstacles to enforcing information erasure include: (1) correctly determining which data requires erasure, and (2) reliably deleting potentially large volumes of data, despite untrustworthy storage services. In this paper, we present a novel formalization of language-based information erasure that supports cryptographic enforcement of erasure requirements: sensitive data is encrypted before storage, and upon erasure, only a relatively small set of decryption keys needs to be deleted. This cryptographic technique has been used by a number of systems that implement data deletion to allow the use of untrustworthy storage services. However, these systems provide no support to correctly determine which data requires erasure, nor have the formal semantic properties of these systems been explained or proven to hold. We address these shortcomings. Specifically, we study a programming language extended with primitives for public-key cryptography, and demonstrate how information-flow control mechanisms can automatically track data that requires erasure and provably enforce erasure requirements even when programs employ cryptographic techniques for erasure.
UR - http://www.scopus.com/inward/record.url?scp=84961317318&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84961317318&partnerID=8YFLogxK
U2 - 10.1109/CSF.2015.30
DO - 10.1109/CSF.2015.30
M3 - Conference contribution
AN - SCOPUS:84961317318
T3 - Proceedings of the Computer Security Foundations Workshop
SP - 334
EP - 348
BT - Proceedings - 2015 IEEE 28th Computer Security Foundations Symposium, CSF 2015
A2 - Kellenberger, Patrick
PB - IEEE Computer Society
T2 - 28th IEEE Computer Security Foundations Symposium, CSF 2015
Y2 - 13 July 2015 through 17 July 2015
ER -