1 Toward More Typed Assembly Languages for Confidentiality
Dachuan Yu, DoCoMo USA Labs
PCC 2006, 8/11/2006
2 Information Flow
Example: GPS software on a handset
–Computes maps and directions and displays them on the device
–Queries for news and updates using the network
–(Figure labels: location information, news & updates, maps & directions, other query)
–Question: is the location information kept private?
To prevent: flows from high data to low data
–High data: secret, confidential, sensitive
–Low data: public, OK to disclose, insensitive
Desired property: confidentiality
–Attacker may observe low data
–Attacker may also observe timing
–Attacker cannot learn high data

3 Information Flow
Desirable for some applications
–Distributed by untrusted parties (e.g., downloaded apps)
–Access both sensitive information and public channels
–Flow of information must be restricted for confidentiality
–Examples: GPS, personal accounting, billing, concierge, document processor, task scheduler, ... (think: spyware)
Must prevent many forms of bad flows
–query = location + 1; send(query);
–if (location == USA) then query = 1 else query = 0;
–send(q1); if (location == USA) then C_long; send(q2);
–Many other implicit flows and covert channels
Conventional security means are insufficient
–Access control, firewalls, encryption, runtime checks, ...
Language-based techniques are promising
–E.g., security-type systems

4 Language-Based Information Flow
10+ years, 100+ papers [Sabelfeld&Myers03Survey]
–High-level language features (procedures, functions, continuations, states, exceptions, objects, ...)
–Practical implementations (JFlow, Jif, ...)
–Concurrency and distribution (nondeterminism, threads, π-calculus, program partitioning, ...)
–Security policies (lattice, declassification, admissibility, relative security, quantitative security, ...)
–Covert channels and abstraction-violation attacks (termination, timing, probabilistic, resource exhaustion, power, cache, ...)
Little work at the level of assembly code
–Core language features studied [Adriana et al 05-06] [Yu & Islam 05-06]
–Covert channels largely untouched
–Difficult: lack of abstraction, extreme flexibility
–Useful: higher assurance, source code may not be available

5 Today: Covert Channels on Timing
Our previous work: TAL_C
–Key features of RISC code
–Type system compatible with TAL
–Certifying compilation
–Handles several implicit flows, but not covert channels on timing
Extend TAL_C for external timing behaviors
–Termination channels
–Timing channels
Extend TAL_C for internal timing behaviors (in concurrent settings)
–Possibilistic channels
–Probabilistic channels

6 Explicit and Implicit Flows
Main idea of source-level solutions
–Give security types to program constructs
Explicit assignment
–Example: query = location;
–Annotate data with security types
–Type mismatch not allowed
Program structure
–Example: if (location <> 0) then query = 1 else query = 0;
–Identify sensitive regions based on program structures (conditional, while-loop, indirect call f())
–No change to public items in sensitive regions
Further issues: memory aliasing, code pointers, ...

7 Difficulties for Assembly Code
Programs are less structured
    if (location <> 0) then query = 1 else query = 0;
    some more code;

    % r_loc stores address of location
    % r_qry stores address of query
    l_if:   ld r, r_loc(0)      % read location
            bnz r, l_then       % go to l_then if location <> 0
            st r_qry(0), 0      % the else: query = 0
            jmp l_more
    l_then: st r_qry(0), 1      % the then: query = 1
            jmp l_more
    l_more: ...                 % some more code
Other difficulties:
–Registers reused at different security levels
–Assembly code is very flexible (hard to regulate: aliasing, code pointers, ...)
–Security types should come from compilation
–Should not change the computation model

8 Recovering Missing Abstractions
Programs are less structured
    if (location <> 0) then query = 1 else query = 0;
    some more code;
(Same assembly as on slide 7: nothing in the code marks where the conditional begins or ends.)

9 Embed Structures in Annotations
Programs are less structured
    if (location <> 0) then query = 1 else query = 0;
    some more code;

            raise H l_more      % enter new context
    l_if:   ld r, r_loc(0)      % read location
            bnz r, l_then       % go to l_then if location <> 0
            st r_qry(0), 0      % the else: query = 0
            lower l_more        % exit context
    l_then: st r_qry(0), 1      % the then: query = 1
            lower l_more        % exit context
    l_more: ...                 % some more code
Annotations are checked
–Check upon raise: (a) new level ≥ old level; (b) current context will resume
–Check upon lower: valid exit point as specified in the context
Trick: recover missing abstractions using annotations
–Type system enforces structure and discipline
–Verified program trivially erases to normal assembly code [Yu&Islam06ESOP]

10 Termination Channels
Nonterminating high loops
–while (location <> 0) do skip;
Nonterminating loops in high conditionals
–if (location <> 0) then {while true do skip};
Main idea of source-level solutions [Volpano&Smith97CSFW]
–Give minimum typings to potentially nonterminating constructs
–while loops must have type low (i.e., only appear in low regions)
–Effectively, high regions always terminate
–Similarly for abnormal termination (e.g., uncaught exceptions)
(Diagrams: conditional, while-loop)

11 Enforcing Termination
    if (b <> 0) then c = 1 else c = 0;

            raise H l_more      % enter new context
    l_if:   ld r, r_b(0)        % read b
            bnz r, l_then       % go to l_then if b <> 0
            st r_c(0), 0        % the else: c = 0
            lower l_more        % exit context
    l_then: st r_c(0), 1        % the then: c = 1
            lower l_more        % exit context
    l_more: ...                 % some more code
Give high regions decreasing counters
–An upper bound on the number of execution steps before exiting a region

12 Enforcing Termination
    while (b == 0) do c = 1;

             raise H l_more     % enter new context
    l_while: ld r, r_b(0)       % read b
             bnz r, l_done      % go to l_done if b <> 0
             st r_c(0), 1       % the loop body: c = 1
             jmp l_while        % loop
    l_done:  lower l_more       % exit context
    l_more:  ...                % some more code
Give high regions decreasing counters
–An upper bound on the number of execution steps before exiting a region
–Or ∞ in case of potential nontermination (e.g., loops)

13 Enforcing Termination
Give high regions decreasing counters
–An upper bound on the number of execution steps before exiting a region
–Or ∞ in case of potential nontermination (e.g., loops)
The type system
–Extends regions of TAL_C with counters (timing annotations)
–Checks that counters are decreasing
–In high regions, checks that branches have finite counters
Certifying compilation
–Sufficient for the source-level solution [Volpano&Smith97CSFW]
–Loop: always compiled conservatively with ∞
–Conditional: finite timing iff both branches yield finite timing

14 Timing Channels
Extend the machine model with
–Execution time: t
–Output actions: output(n)
–Sequence of observable events: s ::= (t | n)*
–P ⇒* P' producing s
Unbalanced high conditionals
–if (location <> 0) then {time-consuming operation} else skip; output(n);
–Observed by the attacker: t_long then n in one branch, t_skip then n in the other
Idea of solution
–Make the previous timing annotations more accurate
–Effectively, branches in high regions have the same execution time
–In addition, disallow low output actions in high regions

15 Enforcing Timing
    if (b <> 0) then c = 1 else c = 0;
(Same annotated assembly as on slide 11.)
In high regions, branches must have matching timing
–The observable execution time before exiting a region
–Assumption: primitive operations execute in constant time

16 Enforcing Timing
In high regions, branches must have matching timing
–The observable execution time before exiting a region
–Assumption: primitive operations execute in constant time
The type system
–Extends regions of TAL_C with exact counters (execution time)
–Checks that counters match instructions
–In high regions, checks that branches have matching timings
–Disallows low output actions in high regions
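The region discipline of slides 6 to 9 (explicit flows, implicit flows through branches, raise/lower annotations) and the counter checks of slides 11 to 16 (decreasing counters, finite and matching timing inside high regions) can be exercised with the following toy checker. It is an added example written for this page, not TAL_C and not code from the paper: its instruction set (ld/st/bnz/jmp/raise/lower/halt), the encoding of programs as Python tuples, the two-level lattice with H above L, the constant-time cost model and the restriction to non-nested regions are all assumptions of the example. The programs at the bottom are constructed: the unannotated conditional of slide 7, the annotated conditional of slide 9 exactly as written (its stores to the low cell query are the implicit flow that must be rejected), the same conditional storing to a high cell c, a variant whose then-branch is one instruction longer, and the while loop of slide 12.

```python
"""Toy checker for a TAL_C-like assembly with raise/lower regions (added example)."""

H, L = "H", "L"          # assumed two-level lattice, H above L


def check(prog, cells):
    """prog: list of (label, op, args); cells: memory cell name -> level.
    Rejects explicit flows (high register stored to a low cell), implicit flows
    (branch on a high register outside a raised region, or a store to a low cell
    inside one), and high regions whose raise-to-lower paths do not all take the
    same finite number of constant-time instructions (a loop counts as infinite).
    Returns (True, {raise_pc: steps}) or (False, reason)."""
    labels = {lab: i for i, (lab, _, _) in enumerate(prog) if lab}
    timings = {}   # raise pc -> set of path lengths observed at its lower
    seen = set()
    # work item: pc, context level, expected exit label, high registers,
    #            pc of the enclosing raise, steps since it, pcs seen in the region
    work = [(0, L, None, frozenset(), None, 0, frozenset())]
    while work:
        pc, ctx, exit_lab, hi, rpc, steps, region = work.pop()
        key = (pc, ctx, exit_lab, hi, rpc, steps)
        if key in seen:
            continue
        seen.add(key)
        if pc >= len(prog):
            return False, "fell off the end of the program"
        if ctx == H:
            if pc in region:        # back edge inside a high region: counter would be infinite
                return False, "loop inside high region at pc %d" % pc
            region = region | {pc}
        _, op, args = prog[pc]
        counted = ctx == H and op not in ("raise", "lower")  # annotations erase to nothing
        if op == "ld":              # ld rd, cell: rd takes the cell's level
            rd, cell = args
            hi = hi | {rd} if cells[cell] == H else hi - {rd}
            succ = [pc + 1]
        elif op == "st":            # st cell, src (register name or constant)
            cell, src = args
            if cells[cell] == L and (src in hi or ctx == H):
                return False, "flow to low cell %s at pc %d" % (cell, pc)
            succ = [pc + 1]
        elif op == "bnz":           # bnz r, label
            r, target = args
            if r in hi and ctx == L:
                return False, "branch on high register outside a raised region at pc %d" % pc
            succ = [pc + 1, labels[target]]
        elif op == "jmp":
            succ = [labels[args[0]]]
        elif op == "raise":         # raise level, exit: (a) the level must not go down
            level, exit_label = args
            if ctx == H or level != H:   # nested regions are not modelled in this toy
                return False, "raise at pc %d must go from L to H" % pc
            ctx, exit_lab, rpc, steps, region = H, exit_label, pc, 0, frozenset()
            succ = [pc + 1]
        elif op == "lower":         # lower label: (b) must resume at the declared exit
            if ctx != H or args[0] != exit_lab:
                return False, "lower at pc %d does not match the current region" % pc
            timings.setdefault(rpc, set()).add(steps)
            ctx, exit_lab, rpc, region = L, None, None, frozenset()
            succ = [labels[args[0]]]
        elif op == "halt":
            if ctx == H:
                return False, "halt inside high region at pc %d" % pc
            continue
        else:
            return False, "unknown instruction %r at pc %d" % (op, pc)
        if counted:
            steps += 1
        elif ctx == L:
            steps = 0
        for n in succ:
            work.append((n, ctx, exit_lab, hi, rpc, steps, region))
    for rpc, ts in timings.items():
        if len(ts) != 1:
            return False, "unbalanced timing in region raised at pc %d: %s" % (rpc, sorted(ts))
    return True, {rpc: ts.pop() for rpc, ts in timings.items()}


# Constructed programs; cells use the slides' names (location/query, b/c).
CELLS = {"location": H, "query": L, "b": H, "c": H}

UNANNOTATED = [("l_if", "ld", ("r", "location")), (None, "bnz", ("r", "l_then")),
               (None, "st", ("query", 0)), (None, "jmp", ("l_more",)),
               ("l_then", "st", ("query", 1)), (None, "jmp", ("l_more",)),
               ("l_more", "halt", ())]                                   # slide 7


def annotated(cell, then_ops):
    """Slide-9 shape: raise H; ld location; bnz; else: cell = 0; then: then_ops; lower."""
    then = [("l_then" if i == 0 else None, op, a) for i, (op, a) in enumerate(then_ops)]
    return ([(None, "raise", (H, "l_more")), ("l_if", "ld", ("r", "location")),
             (None, "bnz", ("r", "l_then")), (None, "st", (cell, 0)),
             (None, "lower", ("l_more",))]
            + then + [(None, "lower", ("l_more",)), ("l_more", "halt", ())])


LEAK = annotated("query", [("st", ("query", 1))])                      # slide 9 as written
SAFE = annotated("c", [("st", ("c", 1))])                              # both branches store high
UNBALANCED = annotated("c", [("ld", ("r2", "c")), ("st", ("c", 1))])  # then-branch one step longer
LOOP = [(None, "raise", (H, "l_more")), ("l_while", "ld", ("r", "b")),
        (None, "bnz", ("r", "l_done")), (None, "st", ("c", 1)), (None, "jmp", ("l_while",)),
        ("l_done", "lower", ("l_more",)), ("l_more", "halt", ())]       # slide 12

if __name__ == "__main__":
    for name, p in [("UNANNOTATED", UNANNOTATED), ("LEAK", LEAK), ("SAFE", SAFE),
                    ("UNBALANCED", UNBALANCED), ("LOOP", LOOP)]:
        print(name, check(p, CELLS))
```

Only SAFE is accepted, with a timing of 3 constant-time instructions on both paths from the raise to its lower; the other four are rejected for the reason the corresponding slide gives (a high branch with no region, a low store in a high region, mismatched path lengths, a loop in a high region). The exploration is a depth-first walk over program points that tracks the step count inside a high region, so a back edge in a high region is caught before the walk can diverge.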

17 Certifying Compilation
Agat's source-level type system [Agat00POPL]
–For a high conditional, the two branches shall have the same externally observable behavior
–Example: if (h <> 0) then (l = 1) else (l = 1);
–Based on an undecidable notion of bisimulation
Padding transformation for practical use of the system
–Example: if (h <> 0) then (h = 1) else skip;  ⇒  if (h <> 0) then (h = 1) else (skipAsn h 1);
–Does not accept low updates in high regions
Our timing-based system
–Accepts transformed programs
–Can be extended following the bisimulation

18 Multi-Threading
From external timing to internal timing
–Thread interaction as a channel of information flow
    Initially: t = 0;
    Thread 0: if h then t = 1 else t = 2;
    Thread 1: while t <> 1 do skip; l = false; t = 2;
    Thread 2: while t <> 2 do skip; l = true;  t = 1;

19 Possibilistic Channels
Observable program behaviors
–Set of possible execution results
Main idea of source-level solutions [Smith&Volpano98POPL]
–Loops must have low guards
–Loops cannot occur in high branches
–Essentially, loops must have type low
–The same as for closing termination channels!
Adaptation at the assembly level
–Use the same technique of counters in high regions
–Type checking carried out in a thread-modular way

20 More Multi-Threading
From possible output to probable output
–Probability distribution of possible execution results
    Thread 0: if h then C_long else skip; l = true;
    Thread 1: if h then skip else C_long; l = false;
Under most schedulers, it is likely that l == h
–Potential context switches in branches

21 Closing Probabilistic Channels
Balance potential context switches in branches
–Advance time by 1 at a potential context switch
–Use the same analysis as for closing timing channels
    if (b <> 0) then c = 1 else c = 0;
(Same annotated assembly as on slide 11.)

22 Certifying Compilation
Source-level type system (1) [Sabelfeld&Sands00CSFW]
–Related to Agat's transformation for closing timing channels
–Use padding to equalize the internal timing of branches
–Example: if (h <> 0) then {(h = 1); (h = 2)};  ⇒  if (h <> 0) then {(h = 1); (h = 2)} else {skip; skip};
–Same number of atomic commands in branches
Source-level type system (2) [Volpano&Smith98CSFW]
–Protect high branches so that they execute atomically
Our timing-based system
–Supports programs from both systems
–Must take care when implementing atomic commands, etc.
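The three-thread program of slide 18, the two-thread race of slide 20 and the padding of slide 22 can be simulated to see the internal-timing leak and its repair. The following is an added example, not code from the paper: threads are Python generators whose every `yield` is one atomic command, `C_long` is modelled as 8 atomic no-op steps, and the scheduler picks a live thread uniformly at random at each step; the thread bodies follow the slides, everything else is an assumption of the example. `leak_rate` reports how often the low variable l ends up equal to the secret h.

```python
"""Random-scheduler simulation of the internal-timing programs (added example)."""
import random


def nops(n):
    """C_long modelled as n atomic no-op steps (an assumption of this example)."""
    for _ in range(n):
        yield


def possibilistic_threads(h, store):
    """Slide 18: thread 0 picks who runs first; threads 1 and 2 spin on t."""
    def t0():                          # if h then t = 1 else t = 2
        store["t"] = 1 if h else 2
        yield

    def waiter(my_turn, value, next_turn):
        while store["t"] != my_turn:   # while t <> my_turn do skip
            yield
        store["l"] = value             # l = false (thread 1) / l = true (thread 2)
        yield
        store["t"] = next_turn         # hand over to the other waiter
        yield
    return [t0(), waiter(1, False, 2), waiter(2, True, 1)]


def internal_timing_threads(h, store, long_steps=8, padded=False):
    """Slide 20: both threads write l.  padded=True applies the slide-22 padding:
    the skip branch becomes as many atomic steps as C_long."""
    pad = long_steps if padded else 0

    def t0():                          # if h then C_long else skip; l = true
        yield from nops(long_steps if h else pad)
        store["l"] = True
        yield

    def t1():                          # if h then skip else C_long; l = false
        yield from nops(pad if h else long_steps)
        store["l"] = False
        yield
    return [t0(), t1()]


def run(threads, store, rng):
    """Scheduler: each step runs one atomic command of a uniformly chosen live thread."""
    live = list(threads)
    while live:
        th = rng.choice(live)
        try:
            next(th)
        except StopIteration:
            live.remove(th)
    return store["l"]


def leak_rate(make_threads, trials=2000, seed=1):
    """Fraction of runs in which the low output l equals the secret h."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        h = rng.random() < 0.5
        store = {"t": 0, "l": None}
        hits += run(make_threads(h, store), store, rng) == h
    return hits / trials


if __name__ == "__main__":
    print("slide 18, possibilistic:", leak_rate(possibilistic_threads))
    print("slide 20, unpadded:", leak_rate(internal_timing_threads))
    print("slide 22, padded:", leak_rate(lambda h, s: internal_timing_threads(h, s, padded=True)))
```

The slide-18 program always ends with l == h under any scheduler, since the spin loops serialize the two writes in an order chosen by h. In the unpadded slide-20 race the thread that writes l = h is the slow one, so it almost always writes last: the short thread's single step must be scheduled after all 9 steps of the long thread for the guess to be wrong, which has probability 2^-9 under the uniform scheduler. With the slide-22 padding both threads take the same number of atomic steps, the race is symmetric, and l carries no information about h.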

23 Future Work
Termination channels
–Terminating loops
–Well-founded recursion
Timing channels
–Bisimulation (e.g., if (h <> 0) then (l = 1) else (l = 1);)
Possibilistic and probabilistic channels
–Thread synchronization (e.g., semaphores [Sabelfeld01PSI])
Others
–Advanced policies
–Practical issues

24 Conclusion
Information-flow security
–Desirable for many applications
–Language-based techniques are promising
Existing work
–Much on high-level languages
–Little on assembly code
This work: covert channels in assembly code
–Inspired by work for high-level languages
–Annotations for termination/timing of branches
–Termination, timing, possibilistic, probabilistic