William R. Harris, Nicholas A. Kidd, Sagar Chaki, Somesh Jha, and Thomas Reps

Post on 08-Jan-2018



Figure: a Request Handler spawns Worker0, Worker1, ..., WorkerN; the workers access buffer.txt. Key: trusted / compromised / invalid.

- Privacy of information controlled by application
- Application uses labels, system enforces label semantics
- Not multi-trace properties

Figure: the same system with labels. Request Handler; Worker0 {0}, Worker1 {1}, ..., WorkerN {n}; buffer.txt : ({0} {n}). Key: trusted / compromised / invalid.

Handler without DIFC labels:

    void Handler() {
      while (*) {
        Request r = get_next_http_request();
        Endpoint e0, e1;
        create_channel(&e0, &e1);
        spawn(/usr/bin/Worker, e1, r);
        send_ack();
      }
    }

Handler with DIFC labels (a fresh tag is allocated for each Worker and passed to it as its label):

    void Handler() {
      Label lab, cap;
      cap = empty_label();
      while (*) {
        Request r = get_next_http_request();
        lab = add_Tag(empty_label(), create_tag());
        Endpoint e0, e1;
        create_channel(&e0, &e1);
        spawn(/usr/bin/Worker, e1, r, lab, cap);
        send_ack();
      }
    }

- DIFC gives powerful low-level mechanisms
- Semantic gap between high-level policy, low-level mechanisms
- Automatically validate that application follows policy

- DIFC policies are safety properties
- So apply a model checker for safety properties!
- Key system objects can be dynamically allocated
- Summarize?

Figure: summarization. Request Handler; Summary Worker 0 {S}; Summary Worker 1 {S}; buffer.txt {S}. Key: trusted / compromised / invalid.

Figure: random isolation. Request Handler; Worker0 {C}; Summary Worker {S}; buffer.txt : ({C} {S}). Key: trusted / compromised / invalid.

- Information flow control policies for DIFC systems are safety properties
- Summarization makes checking feasible
- Random isolation makes checking precise

Tool pipeline: Program (concrete semantics) --Instrumentation--> Program (random-isolation semantics) --Abstraction--> Program (abstract semantics) --> Copper [Chaki 04], which checks the Policy and reports SAFE or Error.

Figure: the allocation lab := create_tag() under the concrete semantics (distinct tags t, u, v) and under the random-isolation semantics (the allocated tag is either iso or sum).

Instrument allocation functions:

    if (!has_alloc && nondet()) {
      lab := create_iso();
      has_alloc = true;
    } else {
      lab := create_noniso();
    }

Every relation is a function. The label check on abstract labels (C = the isolated tag, S = summary tag) yields 0, 1, or the nondeterministic value *:

    {C}     {S}     = 0
    {C}     {C}     = 1
    {C}     {C, S}  = 1
    {S}     {S}     = *
    {C, S}  {C, S}  = *

FlumeWiki: a wiki software package designed for secure information flow.
Policies:
- No Worker sends to another Worker
- Handler to network never blocks

Structure, correctness similar to FlumeWiki.

ClamAV. Figure: ClamAV, password.txt, bar.txt, Network. Key: compromised / must-be-valid / invalid.
Potential violations:
- No read
- Export private

OpenVPN. Figure: OpenVPN, Network1, Network2. Key: trusted / invalid.
Potential violations:
- No read
- Inter-network leak

Tool verified all correct programs, found all violations in buggy programs. Without random isolation: a few minutes. With random isolation: approx. 1 hour.

- DIFC correctness is a safety problem
- Need summarization for feasibility, random isolation for precision
- DIFC properties can be checked for real-world programs

Results:

    Program    Size (LOC)  # Procs (runtime)  Version       Result  Time
    FlumeWiki  110         unbounded          Correct       Safe    1h 9m 16s
                                              Interference  Bug     37m 53s
    Apache     596         unbounded          Correct       Safe    1h 13m 27s
                                              Interference  Bug     18m 30s
    ClamAV     342         72                 Correct       Safe    7m 55s
                                              No Read       Bug     3m 25s
                                              Export        Bug     3m 25s
    OpenVPN    29,494      3                  Correct       Safe    2m 17s
                                              No Read       Bug     2m 52s
                                              Leak          Bug     2m 53s
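The following is an added example (not code from the paper, from Copper, or from Flume) that models three things the slides describe: the labelled Handler that allocates a fresh tag per Worker, the two FlumeWiki policies (no Worker sends to another Worker; Handler to network never blocks), and the three-valued label check of the "every relation is a function" table under summarization with and without random isolation. It assumes a simplified Flume-style send rule (flow from label src to label dst is allowed iff src is a subset of dst, capabilities ignored); the process names, tag names, the `shared_tag` bug variant and all helper functions are constructed for the example.

```python
"""Model of the DIFC label checks from the slides: concrete labels with
fresh tags, the summary-only abstraction, and random isolation.

Constructed example, not code from the paper, Copper or Flume.
Assumption: data may flow from a process with label `src` to one with
label `dst` iff src is a subset of dst (simplified Flume-style send
rule, capabilities ignored). Process and tag names are made up here.
"""
from itertools import count

# ---- Concrete semantics: every create_tag() yields a fresh tag -----------
_fresh = count()


def create_tag():
    """Return a fresh, globally unique tag (concrete semantics)."""
    return f"t{next(_fresh)}"


def can_flow(src, dst):
    """Concrete check: flow from label src to label dst is allowed iff
    every tag in src is also in dst (assumed Flume-style rule)."""
    return src <= dst


def handler_spawn_workers(n, shared_tag=False):
    """Mirror the labelled Handler on the slides: each spawned Worker gets
    a label holding one fresh tag; Handler and Network keep the empty
    label. shared_tag=True models a buggy Handler (constructed variant)
    that allocates one tag and reuses it for every Worker."""
    procs = {"Handler": frozenset(), "Network": frozenset()}
    reused = create_tag() if shared_tag else None
    for i in range(n):
        tag = reused if shared_tag else create_tag()
        procs[f"Worker{i}"] = frozenset({tag})
    return procs


def check_policies(procs):
    """Evaluate the two FlumeWiki policies from the slides on a concrete
    process/label map. Returns a list of violation descriptions."""
    violations = []
    workers = [p for p in procs if p.startswith("Worker")]
    # Policy 1: no Worker sends to another Worker.
    for a in workers:
        for b in workers:
            if a != b and can_flow(procs[a], procs[b]):
                violations.append(f"{a} -> {b} allowed")
    # Policy 2: Handler to network never blocks.
    if not can_flow(procs["Handler"], procs["Network"]):
        violations.append("Handler -> Network blocked")
    return violations


# ---- Abstract labels: C = the single randomly isolated tag, S = summary --
ISO, SUM = "C", "S"


def abstract_flow(src, dst):
    """Three-valued subset check on abstract labels, reproducing the table
    on the slides: {C}->{S}=0, {C}->{C}=1, {C}->{C,S}=1, {S}->{S}=*,
    {C,S}->{C,S}=*. C names one unique tag, so its presence in dst is
    decided exactly; S stands for one or more unknown tags, so an S in
    src compared with an S in dst cannot be decided ("*")."""
    if ISO in src and ISO not in dst:
        return 0          # the isolated tag is definitely missing
    if SUM in src and SUM not in dst:
        return 0          # src has non-isolated tags, dst has none
    if SUM in src:
        return "*"        # some summarised tag vs. some other: unknown
    return 1


def abstract_workers(isolate=None):
    """Abstract process map after summarisation. With isolate=None every
    Worker collapses into SummaryWorker {S}; with isolate=i, Worker i's
    tag came from create_iso() and it keeps its own label {C}."""
    procs = {"Handler": frozenset(), "Network": frozenset(),
             "SummaryWorker": frozenset({SUM})}
    if isolate is not None:
        procs[f"Worker{isolate}"] = frozenset({ISO})
    return procs


def policy1_results(procs):
    """Abstract results for 'no Worker sends to another Worker'. The
    summary worker stands for many concrete Workers, so the flow
    SummaryWorker -> SummaryWorker counts as a Worker-to-Worker flow."""
    workers = [p for p in procs if "Worker" in p]
    return {(a, b): abstract_flow(procs[a], procs[b])
            for a in workers for b in workers
            if a != b or a == "SummaryWorker"}


if __name__ == "__main__":
    print("concrete, correct Handler:", check_policies(handler_spawn_workers(3)))
    print("concrete, shared tag:", check_policies(handler_spawn_workers(2, shared_tag=True)))
    print("summary only:", policy1_results(abstract_workers()))
    print("random isolation:", policy1_results(abstract_workers(isolate=0)))
```

With summarization alone, the only Worker-to-Worker check is SummaryWorker to SummaryWorker, which evaluates to *, so a checker cannot rule out a Worker-to-Worker flow. With one randomly isolated Worker, both flows between Worker0 {C} and SummaryWorker {S} evaluate to 0, so the policy is decided exactly for the isolated Worker; because the isolated Worker is chosen nondeterministically by the instrumented allocation, a model checker that explores all choices covers every Worker this way.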