Paper Reading Group:. Language-Based Information-Flow Security. A Paper Reading Group: Language-Based Information-Flow Security A. Sabelfeld, A. Myers Marcus Völp

Context `77 Dennings certification of programs for secure information flow attach labels to information indirect flows via PC-label `97 – now bunch of work in language-based approaches to information flow security type systems abstract interpretation `03 – Sabelfeld + Myers summary of past approaches + upcoming challenges `03 – Using Access Control for Secure Information Flow in a Java-like Language `05 – Statically Checking Confidentiality with Dynamic Labels (my CCS Submission + Shared Memory) `05 – (Ana Matos ...) On Declassification and the Non-Disclosure Policy `06 – Closing Internal Timing Channels by Transformation my PhD: apply language-based IF-security to microkernel run typing / labels on pseudo code to extract / check flow properties use derived flow-properties to check security of applications using the microkernel use derived flow-properties in refinements (check IF properties all the way down to the implementation)

Motivation Access Control restricts release of information but not its propagation Confinement: Restricts who may obtain the authority to access information Enforce X Policies X = Confidentiality if no information I may flow from A to B, I is confidential versus B X = Integrity if no information I may flow from A to B, B's computation is independent of I; B is integer versus A X = Availability if no information I may flow from A to B, B's availability does not depend on the information I. Information-flow policies are powerful mechanisms to express large class of security policies. Ensure that information is released only to authorized programs (access control) plus ensure that information is used accordingly (information flow control)

information is not relayed via a shared server Motivation (PhD) A C1 C2 B S2 Server Kernel make sure that: information is not relayed via a shared server information is not relayed via the kernel secret information is not leaked unintentionally to clients (e.g., the secret key of an encryption server)

Outlook Motivation Type Systems Abstract Interpretation Temporal breaches of security Wishlist until the Pizza arrives!!! My Work on Abstract Interpretation Shared Memory (CCS Submission) Typing Temporal Breaches (Whiteboard) More on Type Systems

Language-Based Information Flow Security Noninterference (for programs): variation of confidential (high) input does not cause a variation of public (low) output l : low ; h : high low <~/~ high Formalisation: [[C]] : S -> S u {⊥} Partial Equivalence Relation =L : s =L s' <=> ∀ loc. label[l] : low => s[l] = s'[l] Noninterference (termination insensitive): ∀ s, s'. s =L s' ⋀ [[C]]s ≠ ⊥ ⋀ [[C]]s' ≠ ⊥ => [[C]]s =L [[C]]s' A simple (side-effect free) while language E := E1 ⊗ E2 | var | const C := skip | var := E | C1 ; C2 | if E then C1 else C2 | while E do C

A security type system Program is noninterference secure if it is typeable Notation: |- exp : t expression has security type t [pc] |- C program C is typeable in context [pc] [low] |- C C is allowed only in low context (if pc-label is low) Intuition: Typing rules for an expression E defines the set of locations to which E can be stored (the result of E combines information with security level ≤ t) Typing rules for statements C define that assignments in C adhere to the IF policy, i.e., high typed expressions are not assigned to low variables.

Security Type System Any expression can be typed high Type low only if no high variables in expression C3: prevent explicit + implicit flows, l:= exp assign only low expressions assign only if in low context => no implicit flows since C5, C6 set pc to high if conditional is high

Examples l := h; l := h ; l := 0 if h % 2 == 1 {l := 1;} if h % 2 == 1 { h := h + 4;}

Outlook Motivation Type Systems Abstract Interpretation Temporal breaches of security Wishlist until the Pizza arrives!!! My Work on Abstract Interpretation Shared Memory (CCS Submission) Typing Temporal Breaches (Whiteboard) More on Type Systems

Abstract Interpretation Type Systems: Levels of variables do not change Temporal breaches of confidentiality are not typeable l := h ; l := 0 Abstract Interpretation: abstractly execute the program calculation uses security levels instead of values lab : Variable -> Level LabExpr : lab -> lres LabStat : lab, pc -> lab'

Abstract Interpretation LabExpr(c)(lab) = bottom LabExpr(v)(lab) = lab(v) LabExpr(e1 ⊗ e2)(lab) = max(LabExpr(e1), LabExpr(e2)) LabStat(v := e)(lab, pc) = lab With [(v) := max(LabExpr(e)(lab), pc)] LabStat(skip)(lab, pc) = lab LabStat(c1 ; c2)(lab, pc) = LabStat(c2)(LabStat(c1)(lab, pc),pc) LabStat(if e then c1 else c2)(lab, pc) = maxpointwise( LabStat(c1)(lab, max(pc, LabExpr(e)(lab))), LabStat(c2)(lab, max(pc, LabExpr(e)(lab))))

Abstract Interpretation P = l := h ; l := 0 h l := h l := 0 lenv l h lres L L L L H L H H H H L

Abstract Interpretation P = l := h ; l := 0 h l := h l := 0 lenv l h lres L L L L H L H H H H L Confidential? <=> Good? ⋀ Decreasing? Good? := s =lab s' => [[C]]s =LabStat(C)(lab, pc) [[C]]s' s =lab s' => LabExpr(E)(lab) = L => [[E]]s = [[E]]s'

Abstract Interpretation P = l := h ; l := 0 h l := h l := 0 lenv l h lres L L L L H L H H H H L P lenv l h X X Y X Z Z

Wishlist until the Pizza arrives!!! My Work on Abstract Interpretation Shared Memory (CCS Submission) Typing Temporal Breaches / Flow Sensitive Type Systems (Whiteboard) More on Type Systems Language Features Methods Pointers Access Control Concurrency Threads Synchronization Timing Leaks Agat's Transformation Fork threads for high assignments: Asian '06 My ideas how to do it the right way! Downgrading (Ana's approach) + Decentralised Labels

Open Issues and Questions System Wide Security combine information flow + confinement system structure Certifying Compilation Abstraction Violation Attacks AES cache countermeasure needs temporal breaches of security Dynamic Policies Practical Issues Timing leak transformations: ~> complicated timing models ? make applications always execute their WCET ~> immediate benefit from WCET performance optimisations