Post on 01-Nov-2014
description
transcript
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Quantifying Information Leaks usingReliability Analysis
Q. Sang Phan∗, Pasquale Malacaria∗, Corina S. Pasareanu†,
and Marcelo d’Amorim‡
∗Queen Mary University of London, UK
†Carnegie Mellon Silicon Valley and NASA Ames, USA
‡Federal University of Pernambuco, Brazil
July 23, 2014
1 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Information FlowQuantitative Information Flow
Information Flow
Secret input (H) Public input (L)
Program P
Public Output (O)
Non-interference
Public input (L)
Program P
Secret input (H)
Information leaked
Public Output (O) √?
2 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Information FlowQuantitative Information Flow
Information Flow
What violates non-interference?
Information flow from variable H to variable O
Direct flow (explicit flow)O = H - 10;
Indirect flow (implicit flow)if (H > 3) O = 3; else O = 100;
Approaches to non-interference:
Type systems: suffer from false positives, e.g. O = H - H;
Taint analysis: suffer from false positives and false negatives.
Self-composition: precise (but more expensive).
3 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Information FlowQuantitative Information Flow
Information Flow
What violates non-interference?
Information flow from variable H to variable O
Direct flow (explicit flow)O = H - 10;
Indirect flow (implicit flow)if (H > 3) O = 3; else O = 100;
Approaches to non-interference:
Type systems: suffer from false positives, e.g. O = H - H;
Taint analysis: suffer from false positives and false negatives.
Self-composition: precise (but more expensive).
3 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Information FlowQuantitative Information Flow
Information Flow
Non-interference is often unachievable.
int check(int H, int L){
int O;
if (L == H)
O = ACCEPT;
else O = REJECT;
return O;
}
password check
Secret input (H) Public input (L)
Program P
Public Output (O)
Non-interference
Public input (L)
Program P
Secret input (H)
Information leaked
Public Output (O) √?
Non-interference: Does it leak information?
Quantitative Information Flow: “How much” does it leak?
4 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Information FlowQuantitative Information Flow
Information Flow
Non-interference is often unachievable.
int check(int H, int L){
int O;
if (L == H)
O = ACCEPT;
else O = REJECT;
return O;
}
password check
Secret input (H) Public input (L)
Program P
Public Output (O)
Non-interference
Public input (L)
Program P
Secret input (H)
Information leaked
Public Output (O) √?
Non-interference: Does it leak information?
Quantitative Information Flow: “How much” does it leak?
4 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Information FlowQuantitative Information Flow
Information Flow
Non-interference is often unachievable.
int check(int H, int L){
int O;
if (L == H)
O = ACCEPT;
else O = REJECT;
return O;
}
password check
Secret input (H) Public input (L)
Program P
Public Output (O)
Non-interference
Public input (L)
Program P
Secret input (H)
Information leaked
Public Output (O) √?
Non-interference: Does it leak information?
Quantitative Information Flow: “How much” does it leak?
4 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Information FlowQuantitative Information Flow
Quantitative Information Flow
Adversary
tries to infer
H from L and O
H
LO
f
Leaks = Secrecy before observing - Secrecy after observing
Formal definition
XH ,XL,XO : distributions of H, L, O.
E (entropy): function measuring secrecy.
∆E (XH) = E (XH)− E (XH |XL = l ,XO)
5 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Information FlowQuantitative Information Flow
Quantitative Information Flow
Adversary
tries to infer
H from L and O
H
LO
f
Leaks = Secrecy before observing - Secrecy after observing
Formal definition
XH ,XL,XO : distributions of H, L, O.
E (entropy): function measuring secrecy.
∆E (XH) = E (XH)− E (XH |XL = l ,XO)
5 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Information FlowQuantitative Information Flow
Quantitative Information Flow
∆E (XH) = E (XH)− E (XH |XL = l ,XO)
Theorem of Channel Capacity
∆E (XH) ≤ log2(|O|)
has been proved in the case:
E is Shannon entropy (Malacaria and Chen 2008)E is Renyi’s min-entropy (Smith 2009)
holds for all possible distributions of XH .
is basis of state-of-the-art techniques for QuantitativeInformation Flow analysis.
6 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Symbolic PathFinderLabeling ProcedureQuantifying ProcedurePreliminary Evaluation
State of the art
What can’t be avoided:
Input: program P, inputs classified as H and L(Output: P leaks maximum k bits)
What users have to do?
(Heusser and Malacaria 2010): write a driver following atemplate.
(Meng and Smith 2011), (Meng and Smith 2013): manuallytransform the program into bit vector predicates.
(Klebanov 2012): provide hypothesis, loop invariants etc forthe interactive theorem prover.
. . .
This work: automated.
7 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Symbolic PathFinderLabeling ProcedureQuantifying ProcedurePreliminary Evaluation
QILURA
Program Symbolic
PathFinder Labeling
Procedure
Z3 Omega
Quantifying Procedure
Latte
Input labels
k bits
8 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Symbolic PathFinderLabeling ProcedureQuantifying ProcedurePreliminary Evaluation
Preliminaries
P = (Σ, I ,F ,T )
A symbolic path ρ of P: ρ = σ0σ1..σn
σ0 ∈ I ; σn ∈ F , 〈σi , σi+1〉 ∈ T for all i ∈ {0, . . . , n − 1}Semantics of P: the set R of all symbolic paths ρi
Define the functions:
init(ρ) = σ0; fin(ρ) = σn
#in(ρ): the number of inputs that go to path ρ.#out(ρ): the number of outputs that go out from the path ρ.
Denote by X |y the value of the variable X at the symbolicstate y (i.e. y : X 7→ X |y )
9 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Symbolic PathFinderLabeling ProcedureQuantifying ProcedurePreliminary Evaluation
Symbolic PathFinder
Take symbols as inputs instead of concrete data.
Build path condition pci ≡ ci (α, β) for each symbolic path ρi .
Execute program P with H = α and L = β
O =
f1(α, β) if c1(α, β)f2(α, β) if c2(α, β). . . . . .fm(α, β) if cm(α, β)
For the symbolic path ρi with final state σi ∈ F
O|σi = fi (α, β)
Define a function:
path(ρi ) = ci (α, β)
10 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Symbolic PathFinderLabeling ProcedureQuantifying ProcedurePreliminary Evaluation
Illustrative Example
int sanityCheck(int H){
int base = 8, O;
if (H < 16)
O = base + H;
else
O = base;
return O;
}
Sanity check
Running Symbolic Execution on the program with H = α, thereare two symbolic paths:
ρ1 : O|fin(ρ1) = α + 8, and c1(α) = α < 16
ρ2 : O|fin(ρ2) = 8, and c2(α) = ¬(α < 16)
11 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Symbolic PathFinderLabeling ProcedureQuantifying ProcedurePreliminary Evaluation
Labeling Procedure
Self-composition
P ′: copy of P with all variable renamed: H, L,O → H ′, L′,O ′
The following Hoare triple guarantees non-interference
{L = L′}P; P ′{O = O ′}
Suppose we run Symbolic Execution on P; P ′ with
H = α; H ′ = α1; L = L′ = β
The symbolic semantics of P and P ′ is R and R′
Fine-grained Self-composition by Symbolic Execution
∀ρ ∈ R, ρ′ ∈ R′.path(ρ) ∧ path(ρ′)→ O|fin(ρ) = O ′|fin(ρ′)
12 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Symbolic PathFinderLabeling ProcedureQuantifying ProcedurePreliminary Evaluation
Labeling Procedure
Self-composition
P ′: copy of P with all variable renamed: H, L,O → H ′, L′,O ′
The following Hoare triple guarantees non-interference
{L = L′}P; P ′{O = O ′}
Suppose we run Symbolic Execution on P; P ′ with
H = α; H ′ = α1; L = L′ = β
The symbolic semantics of P and P ′ is R and R′
Fine-grained Self-composition by Symbolic Execution
∀ρ ∈ R, ρ′ ∈ R′.path(ρ) ∧ path(ρ′)→ O|fin(ρ) = O ′|fin(ρ′)
12 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Symbolic PathFinderLabeling ProcedureQuantifying ProcedurePreliminary Evaluation
Illustrative Example
ρ1 : O|fin(ρ1) = α + 8, and c1(α) = α < 16
ρ2 : O|fin(ρ2) = 8, and c2(α) = ¬(α < 16)
Program P ′ also has two symbolic path ρ′1, ρ′2. There are 3
possible combinations:
〈ρ1, ρ′1〉 (α < 16 ∧ α1 < 16→ α + 8 = α1 + 8) : INVALID
〈ρ2, ρ′2〉 (¬(α < 16) ∧ ¬(α1 < 16)→ 8 = 8) : VALID
〈ρ1, ρ′2〉 (α < 16 ∧ ¬(α1 < 16))→ α + 8 = 8 : INVALID
⇒ ρ1 is direct flow, ρ2 is in indirect flow.
13 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Symbolic PathFinderLabeling ProcedureQuantifying ProcedurePreliminary Evaluation
Quantifying Procedure
CC (P) ≤ log2(Σ#out(ρc) + Σ#out(ρi ) + Σ#out(ρd ))
Σ#out(ρc ) = 1.
Σ#out(ρi ) is the number of indirect paths ρi .
Only Σ#out(ρd ) needs to be computed.
Reliability Analysis in Symbolic PathFinder. Filieri, Pasareanuand Visser. ICSE 2013.
Compute #in(ρ) for each ρ
Program as a function:
#out(ρd ) ≤ #in(ρd )
14 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Symbolic PathFinderLabeling ProcedureQuantifying ProcedurePreliminary Evaluation
Quantifying Procedure
CC (P) ≤ log2(Σ#out(ρc) + Σ#out(ρi ) + Σ#out(ρd ))
Σ#out(ρc ) = 1.
Σ#out(ρi ) is the number of indirect paths ρi .
Only Σ#out(ρd ) needs to be computed.
Reliability Analysis in Symbolic PathFinder. Filieri, Pasareanuand Visser. ICSE 2013.
Compute #in(ρ) for each ρ
Program as a function:
#out(ρd ) ≤ #in(ρd )
14 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Symbolic PathFinderLabeling ProcedureQuantifying ProcedurePreliminary Evaluation
Illustrative Example
Direct flow ρ1 : O|fin(ρ1) = α + 8, and c1(α) = α < 16
Indirect flow ρ2 : O|fin(ρ2) = 8, and c2(α) = ¬(α < 16)
Σ#out(ρi ) = 1.
Σ#out(ρd ) ≤ Σ#in(ρd )Reliability Analysis engine: Σ#in(ρd ) = 16
⇒ CC (P) ≤ log2(17) = 4.09
15 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Symbolic PathFinderLabeling ProcedureQuantifying ProcedurePreliminary Evaluation
Preliminary Evaluation
Case Studyjpf-qif QILURA BitPattern
Capacity Time Bound Time Bound Time
No Flow 0 2.304 0 0.790 - -
Sanity check 1 4 45.324 4.09 1.066 4 0.036
Sanity check 2 4 35.346 4.09 1.049 4.59 0.203
Implicit Flow 2.81 0.897 3 0.796 3 0.011
Electronic Purse 2 1.169 2.32 0.854 2 0.157
Ten random outputs 3.32 1.050 3.32 0.814 18.645 0.224
16 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
Conclusions
QILURA: a fully automated tool to quantify leaks in Javabytecode.
Two-steps analysis:
Fine-grained self-composition to label paths.Reliability analysis engine to quantify inputs in each path.
Download:https://github.com/qif/jpf-qilura
17 / 18
INFORMATION-LOW LEAKSQUANTIFYING LEAKS USING RELIABILITY ANALYSIS
CONCLUSION
THANK YOU FOR YOUR ATTENTION!
18 / 18