Untrusted Hosts and Confidentiality: Secure Program Partitioning Steve Zdancewic Lantian Zheng Nathaniel Nystrom Andrew Myers Cornell University

2 Protecting Confidential Data Programs manipulate valuable data –web-based , shopping, financial planning –B2B transactions, military information systems,... Important Features –Confidentiality is crucial –Distribution is unavoidable –Heterogeneous trust Challenges –Complex policies –Complex software –Correct use of access control & cryptography A C B "Alice trusts A & C" "Bob trusts B & C"

3 Tools for Security Automatic tools –Check the use of enforcement mechanisms –Increase confidence in security Language-based tools –Raise the level of abstraction –Consider information flow through entire system (program) Use the security policy to guide distribution

4 Secure Program Partitioning Source Code Policy Trust info Compiler Splitter subprograms Host 1Host 2Host 3 runtime

5 Secure Program Partitioning Source Code Policy Trust info Compiler Splitter subprograms Host 1Host 2Host 3 runtime Describes the computation and the principals' security policies.

6 Secure Program Partitioning Source Code Policy Trust info Compiler Splitter subprograms Host 1Host 2Host 3 runtime Verifies that the program obeys the security policies.

7 Secure Program Partitioning Source Code Policy Trust info Compiler Splitter subprograms Host 1Host 2Host 3 runtime Describes the trust relationships between principals and hosts.

8 Secure Program Partitioning Source Code Policy Trust info Compiler Splitter subprograms Host 1Host 2Host 3 runtime Partitions the data and computation among hosts, so that policies are obeyed.

9 Secure Program Partitioning Source Code Policy Trust info Compiler Splitter subprograms Host 1Host 2Host 3 runtime Performs dynamic access control checks and encrypts communication.

10 Security Assurance Goal: Resulting distributed program performs the same computation as the source and also satisfies the security policies. Guarantee: Principal P's security policy is violated only if a host that P trusts fails or is subverted. Example: A C B "Alice trusts A & C" "Bob trusts B & C" If B fails, Alice's policy is obeyed, Bob's policy may be violated.

11 Secure Program Partitioning Source Code Policy Trust info Compiler Splitter subprograms Host 1Host 2Host 3 runtime

12 Confidentiality Policies in Jif Confidentiality labels: int{Alice} a; "a is Alice's private int" Integrity labels: int{?Alice} a; "Alice must trust a" Combined labels: int{Alice, ?Alice} a; (Both constraints) int{Alice} a1, a2; int{Bob} b; // Insecure a1 = b; b = a1; // Secure a1 = a2;

13 Policy Operations in Jif Declassification: int{Alice} a; declassify(a to Bob); Endorse: int{?Bob} b; endorse(b by Alice); But (!) Alice must trust the integrity of decision to perform the policy operation. –Compiler guarantees the integrity "type-cast int{Alice} to int{Bob}"

14 Example: Oblivious Transfer int m 1 ; int m 2 ; AliceBob request(n) Alice has two integers: m 1 and m 2. Alice's Policy: "Bob gets to choose exactly one of m 1 and m 2." Bob's Policy: "Alice doesn't get to know which item I request." Classic Result: "Impossible to solve using 2 principals, with perfect security." answer(m n )

15 Oblivious Transfer (Java) int m1, m2; // Alice's data boolean accessed; int n, ans; // Bob's data n = choose(); // Bob's choice if (!accessed) { // Transfer accessed = true; if (n == 1) ans = m1; else ans = m2; }

16 int{Alice} m1, m2; // Alice's data boolean accessed; int{Bob} n, ans; // Bob's data n = choose(); // Bob's choice if (!accessed) { // Transfer accessed = true; if (n == 1) ans = m1; else ans = m2; } Adding Confidentiality Labels Verification Fails

17 int{Alice} m1, m2; // Alice's data boolean accessed; int{Bob} n, ans; // Bob's data n = choose(); // Bob's choice if (!accessed) { // Transfer accessed = true; if (n == 1) ans = declassify(m1 to Bob); else ans = declassify(m2 to Bob); } Using Declassification Verification Fails

18 Integrity Constraints int{Alice} m1, m2; // Alice's data boolean{?Alice} accessed; int{Bob} n, ans; // Bob's data n = choose(); // Bob's choice if (!accessed) { // Transfer accessed = true; if (n == 1) ans = declassify(m1 to Bob); else ans = declassify(m2 to Bob); } Verification Fails

19 Using Endorsement int{Alice} m1, m2; // Alice's data boolean{?Alice} accessed; int{Bob} n, ans; // Bob's data n = choose(); // Bob's choice if (!accessed) { // Transfer accessed = true; if (endorse(n by Alice) == 1) ans = declassify(m1 to Bob); else ans = declassify(m2 to Bob); }

20 Secure Program Partitioning Source Code Policy Trust info Compiler Splitter subprograms Host 1Host 2Host 3 runtime

21 Trust Configurations Labels describe the trust relationship between principals and the available hosts. Confidentiality: Host A:{Alice} "Alice trusts host A not to leak her confidential data." Integrity: Host A:{?Alice} "Alice trusts host A not to corrupt her high-integrity data." int{Alice} m 1 ; m 1 can be sent to A int{Bob} n; n cannot be sent to A

22 Two-Host Configuration AB {Alice, ?Alice}{Bob, ?Bob}

23 Splitter output: No Solution! AB {Alice, ?Alice}{Bob, ?Bob} Can't find a host for the expression: endorse(n by Alice) It requires a host that has Alice's integrity yet can hold Bob's private data.

24 Splitter Output AB {Alice, ?Alice}{Bob, ?Bob}{Alice, ?Alice, Bob} T n = choose(); if (!accessed) {... } int m1, m2; bool accessed; int n, ans; int choose() {... return n; }

25 Splitter Output is Java AB {Alice, ?Alice}{Bob, ?Bob}{Alice, ?Alice, Bob} T n = choose(); if (!accessed) {... } int m1, m2; bool accessed; int n, ans; int choose() {... return n; } Data and all of the code except 'choose()' are located at T.

26 Run-time Calls AB {Alice, ?Alice}{Bob, ?Bob}{Alice, ?Alice, Bob} T n = choose(); if (!accessed) {... } int m1, m2; bool accessed; int n, ans; int choose() {... return n; } Resulting code links against the runtime.

27 Security Assurance AB {Alice, ?Alice}{Bob, ?Bob}{Alice, ?Alice, Bob} T n = choose(); if (!accessed) {... } int m1, m2; bool accessed; int n, ans; int choose() {... return n; } Alice's policy is enforced.

28 Network Overhead AB {Alice, ?Alice}{Bob, ?Bob}{Alice, ?Alice, Bob} T n = choose(); if (!accessed) {... } int m1, m2; bool accessed; int n, ans; int choose() {... return n; } Nothing located at host A!

29 Another Secure Solution AB {Alice, ?Alice}{Bob, ?Bob}{Alice, ?Alice, Bob} T goto(B); int n'= get(n,B); if (n' == 1) set(ans, m1); else... int m1, m2; int choose() {... return n; } bool accessed;int n, ans; n = choose(); goto(T); goto(A); if (!accessed){ accessed=true; goto(T); }

30 Secure Program Partitioning Source Code Policy Trust info Compiler Splitter subprograms Host 1Host 2Host 3 runtime

31 Data Transfer Val getField(Host h, ObjID o, Field f) Val setField(Host h, ObjID o, Field f, Val v) void forward(Host h, Frame f, Var vr, Val v) Control Transfer void rgoto(Host h, Frame f, EntryPt e, Token t) void lgoto(Token t) void sync(Host h, Frame f, EntryPt e, Token t) Implementation –Performs access control checks –Encrypts network communication –Capability mechanism protects control transfers Core Runtime Protocol

32 Control Transfer Integrity {?Alice} (Trusted)(Less Trusted) {?Alice} (Trusted)... goto(B);... declassify(X)... goto(A);... declassify(Y) Alice's privileged code

33 Control Transfer Integrity {?Alice} (Trusted) {?Alice} (Trusted)... goto(B);... declassify(X)... goto(A);... declassify(Y) (Less Trusted)

34 Control Transfer Integrity {?Alice} (Trusted) {?Alice} (Trusted)... goto(B);... declassify(X)... goto(A);... declassify(Y) 1. sync 2. rgoto 3. lgoto TTTT (Less Trusted)

35 Control Transfer Integrity {?Alice} (Trusted) {?Alice} (Trusted)... goto(B);... declassify(X)... goto(A);... declassify(Y) TT (Less Trusted) TT

36 Capabilities Protocol Theorem: When trusted hosts follow the protocol, there is at most one valid capability available to less trusted hosts. Means that less trusted hosts have no choice about how privileges are restored to the computation.

37 Prototype: Jif/split Jif/split: 7400 loc Runtime: 1700 loc 4 small benchmarks: –< 300 lines of code each –2 hand implemented in Java using RMI Experimental results: (LAN setting) –Running time overhead vs. hand implemented: 20% to 120% –Message count overhead vs. hand implemented: -25% to 25% –Costs seem reasonable –Need to try bigger programs

38 Secure Program Partitioning Language-based Confidentiality Policies –Compiler splits a program among heterogeneously trusted hosts. –Guided by security policies –Resulting distributed program satisfies the policies Benefits: –End-to-end security –Decentralized –Automatic –Explicit Policies

39

40 Oblivious Transfer Impossibility "It is well known (and easy to see) that in a two-player scenario with noiseless communication, OT [Oblivious Transfer]... with information-theoretic security is not possible, even if only passive cheating is assumed, and players are allowed infinite computing power." – Damgård, Kilian, Slavail On the (Im)possibility of Basing Oblivious Transfer and Bit Commitment on Weakened Security Assumptions, EUROCRYPTO '99

41 Access Control Checks Static constraints for read/write are compiled into access control checks Host A checks that {Alice}  {Alice,?Alice,Bob} –verifies signature of S –checks that S  {A, S} –if so, replies with m1 setField requires integrity checks t1 = getField(Alice, m1); {Alice, ?Alice, Bob} S {Alice, ?Alice} A int{Alice, ?Alice} m1; get(m1) K(S)

42 Partitioning Jif Programs Solve a constraint system to determine possible hosts Use dynamic programming & heuristics to find an efficient solution Rewrite program, inserting calls to runtime system –data forwarding and control transfers Outputs: A collection of Java code fragments with host assignments

43 Static Constraints Consider a field: int{Alice:;?:Alice} f; Host H : confidentiality label C integrity label I Constraints: {Alice:}  C I  {?:Alice} Read-channels: Uses(f)  C Generalize to program statements Constraints on declassify()