Language-Based Information- Flow...

Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science

Click to edit Master title style

Language-Based Information-Flow Security

Andrei Sabelfeld Andrew C. Myers

Presented by Shiyi Wei




Literature review Information flow security

• Static program analysis to enforce information-flow • Confidentiality

Year: 2003 Jif (Java information flow) project Active since 1997 More than 34 publications

• System, language, security – SOSP, POPL, CCS, Oakland

Other work based on Jif

2

About the paper




Introduction Background Covert channels Mandatory access control

Basics of language-based information flow Research trends Open challenges

3

Overview




Protect data confidentiality End-to-end security Enforcement of confidentiality policies

• Information cannot flow to where policy is violated

Challenges • Concurrency • Covert channels

Applications • Military, medical, financial information systems • Web-based services: mail, shopping, social network

4

Introduction




Standard security mechanisms Discretionary access control

• Access files/objects based on privilege – Prevent processes not authorized by file owner from reading

• Place restrictions on the release of information, but not its propagation

– Does not control how the data is used after reading from file • To soundly enforce confidentiality

– Grant access privilege only to processes that will not leak confidential data

» A much stronger information-flow policy! » Access control cannot identify these processes

5

Introduction




Standard security mechanisms Encryption

• Secure an information channel – Only the communicating endpoints have access

• However, no assurance that once the data is decrypted

Antivirus software • Offers limited protection against new attacks

Firewall • Protects confidentiality by preventing communication • Checking confidentiality violation lies outside its scope

6

Introduction




Language-based approach security-typed language

• Use of type systems for information flow – Augmented with annotations

• Specify policies on the use of the typed data • Compile-time type checking

– Add little or no run-time overhead

• E.g. Jif[1], SLam calculus[2], …

7

Introduction

References [1] A.C.Myers and B. Liskov, “A decentralized model for information flow control,” in Proc. ACM Symp. on Operating System Principles, Oct. 1997, pp. 129-142 [2] N. Heintze and J. G. Riecke, “The Slam calculus: programming with secrecy and integrity,” in Proc. ACM Symp. on Principles of Programming Languages, Jan. 1998, pp. 365-377




Integrity: a dual to confidentiality “Confidentiality requires that information be

prevented from flowing to inappropriate destinations” “Integrity requires that information be prevented

from flowing from inappropriate sources”

8

Introduction




Implicit flows Signal information through the control structure

of a grogram Termination channels The termination/nontermination of a computation

Timing channels Signal information through the time at which an

action occurs rather than through the data • E.g. total execution time of a program

9

Background: Covert Channels

while secret=1 do skip




Probabilistic channels Signal information by changing the probability

distribution of observable data

Resource exhaustion channels Signal information by the possible exhaustion of a

finite, shared resource

Power channels Signal information in the power consumed by the

computer

10

Background: Covert Channels




Mandatory access control Label each data with a security level

• Run-time enforcement mechanism

Problem: implicit flow • Process sensitivity label

Label creep • Monotonically increase label • Too restrictive

11

Background: Mandatory Access control

h := h mod 2; l := 0; if h = 1 then l :=1 else skip

h := h mod 2;

l := 0;

if h = 1

l := 1 skip




Noninterference policy “a variation of confidential(high) input does not

cause a variation of public(low) output” The attacker cannot observe any difference

between two executions that differ only in their confidential input

Security-type system A collection of typing rules Let’s build one!

12

Basics of Language-Based Information Flow



Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science 13


Language syntax: C ::= skip | var := exp | C1;C2 | if exp then C1 else C2 | while exp do C






(1) :=

(2) :=

(3) :=

(4) :=





C ::= skip | var := exp | C1;C2 | if exp then C1 else C2 | while exp do C

(1) if then else

(2) if then else

(3) if then else

(4) if then else

(5) if then else

(6) if then else

(7) if then else

(8) if then else









Research Trends

static certification noninterference

sound security analysis

expressiveness concurrency covert channels

security policies




Language Expressiveness



expressiveness concurrency covert

channels security policies

procedures

functions

exceptions

objects




Procedures Polymorphism[3]

• The type of commands or expressions may be generic

Functions Slam calculus[4]

• A functional language

19


References [3] D. Volpano and G. Simth, “A type-based approach to program security,” in Proc. TAPSOFT’ 97. Apr. 1997, vol. 1214 of LNCS, pp. 607-621 [4] N. Heintze and J. G. Riecke, “The Slam calculus: programming with secrecy and integrity,” in Proc. ACM Symp. on Principles of Programming Languages, Jan. 1998, pp. 365-377




Exceptions Nonlocal transfer of control; implicit flow Path labels[5]

• Fine-grained tracking of implicit flows caused by exceptions

Objects Java-like imperative object-oriented language[6] JFlow[5]

20


References [5] A. C. Myers, “JFlow: Practical mostly-static information flow control,” in Proc. ACM Symp. on Principles of Programming Languages, Jan. 19999, pp. 228-241 [6] A. Banerjee and D. A. Naumann, “Secure information flow and pointer confinement in a Java-like language,” in Proc. IEEE Computer security Foundations Workshop, June 2002, pp. 253-267




Concurrency



expressiveness concurrency

covert channels

security policies

non-determinism

threads

distribution




Nondeterminism Possibilistic security condition[7]

• High inputs may not affect set of possible low inputs

Dependence analysis between variables[8]

22

Concurrency

References [7] J. McLean, “A general theory of composition for a class of “possibilistic” security properties,” IEEE Transactions on Software Engineering, vol. 22, no. 1, pp. 53-67, Jan. 1996 [8] J. –P. Banatre, C. Bryce, and D. Le Metayer, “An approach to information security in distributed systems,” in Proc. European Symp. on Research in Computer Security. 1994, vol. 875 of LNCS, pp. 55-73, Springer-Verlag.




Thread concurrency High part has to be protected at all times

Noninterference for a multithreaded language[9] • No while loop may have a high guard • No high conditional may contain a while loop in branch

Encode of a timing leak into a direct leak

23

Concurrency

(thread1) h := 0; l := h; (thread2) h := h’

(if h = 1 then Clong else skip); l :=1 || l := 0

References [9] G. Simth and D. Volpano, “Secure information flow in a multi-threaded imperative language,” in Proc. ACM Symp. on POPL, Jan. 1998, pp. 355-364




Distribution The ability to exchange messages

• These communications may be observed by attackers

Mutual distrust Components can fail

• Attempt to compromise the behavior of others

Secure program partitioning[10] • Sequential, security-typed program -> fine-grained

communicating subgrams

24

Concurrency

References [10] S. Zdancewic, L. Zheng, N. Nystrom, and A.C. Myers, “Untrusted hosts and confidentiality: Secure program partitioning,” in Proc. ACM Symp. on Operating System Principles, Oct. 2001, pp. 1-14




25

Covert Channels




security policies

termination

timing

probability




Termination channels Termination-sensitive noninterference[11]

• Disallows high loops and requires high conditionals have no loops in the branches

Binding-time analysis[12] • Divides program terms into

– Static: known at partial-evaluation time – Dynamic: to be supplied later

• No static term depends on a dynamic variable

26

Covert Channels

while h = 1 do skip

References [11] D. Vlpano and G. Smith, “Eliminating covert flows with minimum typings,” Proc. IEEE Computer Security Foundations Workshop, pp. 156-168, June 1997 [12] M. Abadi, A. Banerjee, N. Heintze, and J. Riecke, “A core calculus of dependency,” in Proc. ACM Symp. on Principles of Programming Languages, Jan. 1999, pp. 147-160




Timing channels Timing-sensitive noninterference[13]

• High conditionals have no loops in the branches and wrapping each high conditional in a protect statement whose execution is atomic

Program transformation[14] • Cross-copy of the slices of the branches of a high if to

equalize the execution time of the branches

27

Covert Channels

if h = 1 then Clong else skip

References [13] D. Volpano and G. Smith, “Probabilistic noninterference in a concurrent language,” J. Computer Security, vol. 7, no. 2-3, pp. 231-253, Nov. 1999 [14] J. Agat, “Transforming out timing leaks,” in Proc. ACM Symp. on Principles of Programming Languages, Jan. 2000, pp. 200-214




Probabilistic channels Probabilistic noninterference

• Two behaviors are indistinguishable by the attacker iff the distribution of low output is the same

Example • []p: probabilistic choice operator

– Selects the left-hand side command with the probability p – Selects the right-hand side with the probability 1-p

• Varying PIN does not change set of possible outcomes – Secure for possibilistic condition

28

Covert Channels

l := PIN []9/10 l := rand(9999)




Security Policies




security policies

declassification

admissibility

relative security

quantitative security




Noninterference rejects downgrading Decentralized model[1] Selective declassification

Admissibility[15] Explicitly states what dependencies between data

are allowed in the program

Quantitative security[16] Allow for a limited bandwidth of information leaks

30

Security Policies

References [15] M. Dam and P. Giambiagi, “Confidentiality for mobile code: The case of a simple payment protocol,” in Proc. IEEE Computer Security Foundations Workshop, July 2000 [16] D. Clark, S. Hunt, and P. Malacaria, “Quantitative analysis of the leakage of confidential data,” in QAPL 2011.




System-Wide Security Computer systems are only as secure as their

weakest point Integration of language-based information flow

and system-wide information-flow control

Certifying Compilation Secure information flow of low-level languages

• Useful information about program structure is lost

31

Open Challenges




Abstraction-violating attacks The model of the attacker is an abstraction

• Removes possibly important details about real attacker E.g. cache attack

• When h = 1, execution time is likely to be shorter

Dynamic Policies Information-flow policies are not known statically E.g. Jif compiler

• Type label 32

Open Challenges

(if h =1 then h’ := h1 else h’ := h2); h’ := h1




Practical issues Improve the precision of type systems

• Do not reject too many secure programs

Experience is needed

Variations of static analysis for security Control- and data-flow analysis

• More accurate than many type systems

E.g.

33

Open Challenges

(if h = 1 then l := 1 else l:= 0); l := 0

Date post:	28-Nov-2018
Category:	Documents
Upload:	dokien
View:	218 times
Download:	0 times

Language-Based Information- Flow...

Documents