Challenges for Information-flow Security* Steve Zdancewic University of Pennsylvania * This talk is an attempt to be provocative and controversial.

Slides:



Advertisements
Similar presentations
Operating System Security
Advertisements

Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
VM: Chapter 5 Guiding Principles for Software Security.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.
1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
Information Flow, Security and Programming Languages Steve Steve Zdancewic.
Steve Zdancewic ESOP011 Secure Information Flow and CPS Steve Zdancewic Joint work with Andrew Myers Cornell University.
1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.
6/18/2015 4:21 AM Information Flow James Hook CS 591: Introduction to Computer Security.
Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure.
Decentralized Robustness Stephen Chong Andrew C. Myers Cornell University CSFW 19 July 6 th 2006.
6/20/ :09 PM Information Flow James Hook CS 591: Introduction to Computer Security.
Polyglot: An Extensible Compiler Framework for Java Nathaniel Nystrom, Michael R. Clarkson, and Andrew C. Myers Presentation by Aaron Kimball & Ben Lerner.
Robust Declassification Steve Zdancewic Andrew Myers Cornell University.
1 Security and Software Engineering Steven M. Bellovin AT&T Labs – Research
Type-Based Distributed Access Control Tom Chothia, Dominic Duggan, and Jan Vitek Presented by Morgan Kleene.
Automatic Implementation of provable cryptography for confidentiality and integrity Presented by Tamara Rezk – INDES project - INRIA Joint work with: Cédric.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Virtualization Technology Prof D M Dhamdhere CSE Department IIT Bombay Moving towards Virtualization… Department of Computer Science and Engineering, IIT.
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
The Impact of Programming Language Theory on Computer Security Drew Dean Computer Science Laboratory SRI International.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Language-Based Information-Flow Security Richard Mancusi CSCI 297.
CMSC 414 Computer (and Network) Security Lecture 14 Jonathan Katz.
1 22 August 2001 The Security Architecture of the M&M Mobile Agent Framework P. Marques, N. Santos, L. Silva, J. Silva CISUC, University of Coimbra, Portugal.
Containment and Integrity for Mobile Code Security policies as types Andrew Myers Fred Schneider Department of Computer Science Cornell University.
The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.
Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Language-Based Information- Flow Security Andrei Sabelfeld.
CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.
Chapter 5 Network Security
Containment and Integrity for Mobile Code End-to-end security, untrusted hosts Andrew Myers Fred Schneider Department of Computer Science Cornell University.
Securing Class Initialization in Java-like Languages.
出處 :2010 2nd International Conference on Signal Processing Systems (ICSPS) 作者 :Zhidong Shen 、 Qiang Tong 演講者 : 碩研資管一甲 吳俊逸.
SECURE WEB APPLICATIONS VIA AUTOMATIC PARTITIONING S. Chong, J. Liu, A. C. Myers, X. Qi, K. Vikram, L. Zheng, X. Zheng Cornell University.
14.1/21 Part 5: protection and security Protection mechanisms control access to a system by limiting the types of file access permitted to users. In addition,
PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.
Lesson 19-E-Commerce Security Needs. Overview Understand e-commerce services. Understand the importance of availability. Implement client-side security.
Security Patterns for Web Services 02/03/05 Nelly A. Delessy.
Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich MIT, Stanford University USENIX 09’ Nemesis: Preventing Authentication & Access Control Vulnerabilities.
Trusted Operating Systems
Computer Security By Duncan Hall.
Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Decentralized Information Flow A paper by Myers/Liskov.
3/14/2016 8:37 PM Information Flow Epilog James Hook CS 591: Introduction to Computer Security.
LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►
Security-Enhanced Linux Stephanie Stelling Center for Information Security Department of Computer Science University of Tulsa, Tulsa, OK
Language-Based Information- Flow Security (Sabelfeld and Myers) “Practical methods for controlling information flow have eluded researchers for some time.”
Software Security II Karl Lieberherr. What is Security Enforcing a policy that describes rules for accessing resources. Policy may be explicit or implicit.
PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.
1 Design Principles CS461 / ECE422 Spring Overview Simplicity  Less to go wrong  Fewer possible inconsistencies  Easy to understand Restriction.
Lecture 2 Page 1 CS 236 Online Security Policies Security policies describe how a secure system should behave Policy says what should happen, not how you.
By: Brett Belin. Used to be only tackled by highly trained professionals As the internet grew, more and more people became familiar with securing a network.
CMSC 345 Defensive Programming Practices from Software Engineering 6th Edition by Ian Sommerville.
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Software Security II Karl Lieberherr.
Paper Reading Group:. Language-Based Information-Flow Security. A
Building Systems That Flexibly Control Downloaded Executable Content
Information Security CS 526
Information Security CS 526
Information Security CS 526
Operating System Concepts
Presentation transcript:

Challenges for Information-flow Security* Steve Zdancewic University of Pennsylvania * This talk is an attempt to be provocative and controversial.

Zdancewic - PLID'042 Protecting Confidential Data Protecting secret or private information in computer systems is a well known and long standing problem: –Modern OS’s use access controls to protect files –Common practice to encrypt data sent on Internet But these mechanisms are insufficient: –Access controls don’t prevent propagation of information –Can’t feasibly compute over encrypted data

Zdancewic - PLID'043 Information-flow Security Alternative idea: tag “secret” information and track how it is used by the system. –An old idea (studied in computer system context since the 70’s, probably earlier) Dynamic enforcement –Literally tag the data –Conservatively propagate the tags –Expensive and to deal with implicit flows (need to know information about untaken paths) Static enforcement –Virtually “tag” the data (using types or some other annotations) –Program analyses determine whether program leaks information (does know all potential paths)

Zdancewic - PLID'044 Prior Research Sabelfeld and Myers’ survey: “Language- based Information-flow Security” (2003) –More than 147 Papers related to information-flow security –Most concerned with definitions/refinements/ variations on “noninterference” Despite this attention, and its appeal, information-flow security is not used! Why?

Zdancewic - PLID'045 Non-problem #1 Giving better, more precise definitions of noninterference-like properties for more complicated programming models. –Security is always defined relative to some level of abstraction and there are always attacks that violate the abstraction. –Any application that would benefit from a more complex/refined security analysis would also benefit from a coarser analysis. –We don’t have any killer apps for existing information-flow technology.

Zdancewic - PLID'046 Non-problem #2 Implementing a “practical” system for enforcing information-flow policies. –There exist two quite sophisticated, full-featured programming languages that provide information-flow enforcement. Flow Caml –François Pottier and Vincent Simonet –OCaml dialect with information-flow labels, label polymorphism, type inference, etc. – Jif –Andrew Myers and his students –Variant of Java with information-flow labels, dynamic principals, type inference, etc. –

Zdancewic - PLID'047 Clarification This is not to say that there are no interesting research questions in basic information-flow theory and its implementation. –Examples: Concurrency and security-preserving compilation (among others) But: Theory and implementation aren’t the critical barriers to putting the technology into practice. So what are the challenges?

Zdancewic - PLID'048 Three (of many) Challenges* Integrating with existing/other security infrastructure We don’t want noninterference anyway Policy is hard * no answers… only questions

Zdancewic - PLID'049 Info-Flow Control Integration Problem: Combining info-flow controls with other kinds of security policies/mechanisms Other software: –Legacy code –Existing interfaces can’t be easily changed –Wrappers? (will likely be conservative or unsound) Other mechanisms –File systems access controls, OS protections, PKI, authentication mechanisms, cryptography, audit logs, … –Real programs need to do I/O

Zdancewic - PLID'0410 Info-Flow Control Integration (2) There has been some work in this direction: –Chothia, Duggan, Vitek: “Type-based Distributed Access Control” CSFW 2003 –Banerjee & Naumann: “Using Access Control for Secure Information Flow in a Java-like Language” CSFW 2003 –Tse & Zdancewic: “Run-time Principals in Information-flow Type Systems” IEEE S&P 2004 Example: Information-flow policy integrated with OS abstractions such as users and file permissions

Zdancewic - PLID'0411 Integration Example String{root:root} secret; void System.print(String{any:System.user} s); void printIfRoot(String{any:root} s) { if ActsFor(System.user, root) { System.print(s); } printIfRoot(secret); Dynamic check propagates information about test to static analysis.

Zdancewic - PLID'0412 We Don’t Want Noninterference Noninterference is an extremely restrictive policy –Most real systems are intended to leak some information –If the policy truly is noninterference, then least privileges argues for implementing separate systems (high and low) –Analyses are conservative, so even if the desired system is noninterfering, it does not necessarily pass the test So we need to escape the confines of noninterference

Zdancewic - PLID'0413 Downgrading Intransitive noninterference –Ensures that downward information flows pass through trusted components Built in primitives –Encryption may justify declassification, so build encryption in as a primitive –Volpano & Smith’s comparison operator from their work on “Relative Secrecy” (POPL 2000) –Not very general Add a “declassify” or “endorse” operator –How to constrain its use? –Jif’s model: authority (need permission of those who could be harmed) –Robust downgrading (Myers, Sabelfeld, Zdancewic) Hard to reason about downgrading (See Andrei’s talk…)

Zdancewic - PLID'0414 Policy is Hard Realistic policies are complex –Many principals or stakeholders –Conditions under which downgrading may occur –Spectrum between static policies and policies that depend on dynamic information Even for small programs, there are many reasonable choices for the info.-flow policy –People have difficulty managing the small set of access control bits most file systems provide –Software engineering issue is highly nontrivial –When something goes wrong, it is often difficult to determine the source of the problem –Difficult to formalize intuitive policies using annotations

Zdancewic - PLID'0415 Policy Engineering Some existing mechanisms can help: –Polymorphism –Inference Lack of experience with building real systems that enforce information-flow policies means we have no idea how to design real policies. Where are the killer apps for information flow?

Zdancewic - PLID'0416 Perl Taint Checking The Perl scripting language supports dynamic information-flow checking –Data is tagged as “tainted” or “untainted” –Propagates tags through basic operations –Has no support for preventing implicit flows (so it enforces “secrecy” as opposed to noninterference) –Provides a built in downgrading mechanism via pattern matching (but unsafe—not sufficient to protect against malicious code) –Has a built in policy: data from the network and user input is “tainted”; system calls require untainted data –Is widely deployed because it is believed to help prevent buffer overflow and format-string violation errors. –Not good for confidentiality?

Zdancewic - PLID'0417 Lessons from Perl Simplicity is key –Default behavior is reasonable –But how general can a “fixed” confidentiality analysis be? Unsoundness is OK –Only trying to improve security not guarantee it against all attackers We should look for other interesting policies between access control and information-flow

Zdancewic - PLID'0418 Challenge Information-flow security is seductive (and has been for > 30 yrs!) but has not been very useful in practice We need to demonstrate the utility of information-flow approaches –Interface to other system components –Noninterference is not the right policy –Figuring out the the right policies is hard Download Flow Caml or Jif and build something with them!