Language-Based Information-Flow Security (Andrei Sabelfeld)
Fall 2011, Privacy&Security, Virginia Tech, Computer Science


Slide 1: Language-Based Information-Flow Security
Andrei Sabelfeld, Andrew C. Myers
Presented by Shiyi Wei

Slide 2: About the paper
- Literature review
  - Information flow security: static program analysis to enforce information-flow confidentiality
  - Year: 2003
- Jif (Java information flow) project
  - Active since 1997
  - More than 34 publications across systems, languages and security venues (SOSP, POPL, CCS, Oakland)
  - Other work based on Jif

Slide 3: Overview
- Introduction
- Background
  - Covert channels
  - Mandatory access control
- Basics of language-based information flow
- Research trends
- Open challenges

Slide 4: Introduction
- Protect data confidentiality
- End-to-end security
- Enforcement of confidentiality policies: information cannot flow to where the policy would be violated
- Challenges
  - Concurrency
  - Covert channels
- Applications
  - Military, medical and financial information systems
  - Web-based services: mail, shopping, social networks

Slide 5: Introduction
- Standard security mechanisms
- Discretionary access control
  - Access to files/objects is granted based on privilege: prevents processes not authorized by the file owner from reading
  - Places restrictions on the release of information, but not on its propagation: does not control how the data is used after it has been read from the file
  - To soundly enforce confidentiality, access privilege would have to be granted only to processes that will not leak confidential data
    - That is a much stronger information-flow policy!
    - Access control cannot identify these processes

Slide 6: Introduction
- Standard security mechanisms
- Encryption
  - Secures an information channel: only the communicating endpoints have access
  - However, it gives no assurance about what happens once the data is decrypted
- Antivirus software
  - Offers limited protection against new attacks
- Firewall
  - Protects confidentiality by preventing communication
  - Checking for confidentiality violations lies outside its scope

Slide 7: Introduction
- Language-based approach
- Security-typed language
  - Use of type systems for information flow, augmented with annotations that specify policies on the use of the typed data
  - Compile-time type checking adds little or no run-time overhead
  - E.g. Jif [1], SLam calculus [2], ...

References
[1] A. C. Myers and B. Liskov, “A decentralized model for information flow control,” in Proc. ACM Symp. on Operating System Principles, Oct. 1997.
[2] N. Heintze and J. G. Riecke, “The SLam calculus: programming with secrecy and integrity,” in Proc. ACM Symp. on Principles of Programming Languages, Jan. 1998.

Slide 8: Introduction
- Integrity: a dual to confidentiality
  - “Confidentiality requires that information be prevented from flowing to inappropriate destinations”
  - “Integrity requires that information be prevented from flowing from inappropriate sources”

Slide 9: Background: Covert Channels
- Implicit flows
  - Signal information through the control structure of a program
- Termination channels
  - Signal information through the termination or nontermination of a computation, e.g.
    while secret = 1 do skip
- Timing channels
  - Signal information through the time at which an action occurs rather than through the data, e.g. the total execution time of a program

Slide 10: Background: Covert Channels
- Probabilistic channels
  - Signal information by changing the probability distribution of observable data
- Resource exhaustion channels
  - Signal information by the possible exhaustion of a finite, shared resource
- Power channels
  - Signal information in the power consumed by the computer

Slide 11: Background: Mandatory Access Control
- Mandatory access control
  - Label each datum with a security level
  - Run-time enforcement mechanism
- Problem: implicit flows, e.g.
    h := h mod 2; l := 0; if h = 1 then l := 1 else skip
- Process sensitivity label
  - Label creep: the process label only ever increases
  - Too restrictive
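The two failure modes on this slide can be run side by side. The block below is an added example, not code from the presentation or the paper: it interprets the slide's program under two run-time labelling monitors over a two-point lattice (L below H). The first labels a write with the join of the labels its right-hand side reads and ignores control flow, so it leaves l labelled L even though l ends up equal to h mod 2. The second keeps a process sensitivity label that every read raises and every write inherits; it catches the implicit flow, but once h has been read the label never comes back down, so even `l := 0`, which reads nothing, comes out labelled H. The tuple AST, `PROGRAM`, `compare_monitors` and the label names are constructed for this example.

```python
# Added example (not from the slides or the paper): two run-time labelling
# monitors applied to the slide's program
#     h := h mod 2; l := 0; if h = 1 then l := 1 else skip
# Commands are constructed tuples; an expression is a pair (evaluate, reads)
# where `reads` is the set of variables the expression reads.

LEVELS = {"L": 0, "H": 1}                 # two-point lattice, L below H

def join(a, b):
    return a if LEVELS[a] >= LEVELS[b] else b

def level_of(reads, labels):
    """Join of the labels of every variable an expression reads."""
    lvl = "L"
    for v in reads:
        lvl = join(lvl, labels[v])
    return lvl

# The slide's program as an AST (constructed for this example).
PROGRAM = ("seq",
           ("assign", "h", (lambda s: s["h"] % 2, {"h"})),
           ("seq",
            ("assign", "l", (lambda s: 0, set())),
            ("if", (lambda s: s["h"] == 1, {"h"}),
             ("assign", "l", (lambda s: 1, set())),
             ("skip",))))

def run_explicit_only(cmd, store, labels):
    """Naive MAC monitor: a write is labelled with the join of the labels of
    the variables its right-hand side reads. Guards of if/while are not
    tracked, so the implicit flow h -> l through the conditional is missed."""
    kind = cmd[0]
    if kind == "assign":
        _, var, (evaluate, reads) = cmd
        store[var] = evaluate(store)
        labels[var] = level_of(reads, labels)
    elif kind == "seq":
        run_explicit_only(cmd[1], store, labels)
        run_explicit_only(cmd[2], store, labels)
    elif kind == "if":
        _, (evaluate, _reads), then_c, else_c = cmd
        run_explicit_only(then_c if evaluate(store) else else_c, store, labels)
    elif kind == "while":
        _, (evaluate, _reads), body = cmd
        while evaluate(store):
            run_explicit_only(body, store, labels)
    # "skip": nothing to do

def run_process_label(cmd, store, labels, proc="L"):
    """Process-sensitivity-label monitor: every read raises the process
    label, every write is tagged with it, and it never goes back down
    (label creep). Returns the process label after cmd."""
    kind = cmd[0]
    if kind == "assign":
        _, var, (evaluate, reads) = cmd
        proc = join(proc, level_of(reads, labels))
        store[var] = evaluate(store)
        labels[var] = proc                 # even `l := 0` inherits H here
    elif kind == "seq":
        proc = run_process_label(cmd[1], store, labels, proc)
        proc = run_process_label(cmd[2], store, labels, proc)
    elif kind == "if":
        _, (evaluate, reads), then_c, else_c = cmd
        proc = join(proc, level_of(reads, labels))   # the guard is a read
        proc = run_process_label(then_c if evaluate(store) else else_c,
                                 store, labels, proc)
    elif kind == "while":
        _, (evaluate, reads), body = cmd
        proc = join(proc, level_of(reads, labels))
        while evaluate(store):
            proc = run_process_label(body, store, labels, proc)
    return proc

def compare_monitors(h):
    """Final (value, label) of l under both monitors for secret input h."""
    out = {}
    for name, monitor in (("explicit", run_explicit_only),
                          ("process", run_process_label)):
        store, labels = {"h": h, "l": 0}, {"h": "H", "l": "L"}
        monitor(PROGRAM, store, labels)
        out[name] = (store["l"], labels["l"])
    return out

if __name__ == "__main__":
    for h in (2, 3):
        print("h =", h, compare_monitors(h))
```

Running it for h = 2 and h = 3 shows the explicit-only monitor reporting l as public while its value tracks the parity of h, and the process-label monitor reporting l as high in both runs, including the h = 2 run in which nothing high was ever written to it.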

Slide 12: Basics of Language-Based Information Flow
- Noninterference policy
  - “a variation of confidential (high) input does not cause a variation of public (low) output”
  - The attacker cannot observe any difference between two executions that differ only in their confidential input
- Security-type system
  - A collection of typing rules
  - Let’s build one!

Slide 13: Basics of Language-Based Information Flow
Language syntax:
    C ::= skip | var := exp | C1; C2 | if exp then C1 else C2 | while exp do C

Slide 14: Basics of Language-Based Information Flow
Language syntax:
    C ::= skip | var := exp | C1; C2 | if exp then C1 else C2 | while exp do C
    (1) :=   (2) :=   (3) :=   (4) :=

Slide 15: Basics of Language-Based Information Flow
    C ::= skip | var := exp | C1; C2 | if exp then C1 else C2 | while exp do C
    (1) if then else   (2) if then else   (3) if then else   (4) if then else
    (5) if then else   (6) if then else   (7) if then else   (8) if then else

Slide 16: Basics of Language-Based Information Flow
Language syntax:
    C ::= skip | var := exp | C1; C2 | if exp then C1 else C2 | while exp do C
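Slides 12 to 16 ask the reader to build a security-type system for this language; the block below is one such system, added here as an example and not taken from the presentation or the paper. It parses the slide's syntax (parentheses group a sequence, `mod` and comparison symbols are operators) and applies the usual Volpano/Smith rules over a two-point lattice: an assignment `x := e` is typable under program-counter level pc only if pc ⊔ level(e) ⊑ Γ(x), and the branches of an `if` or the body of a `while` are typed under pc raised to the guard's level. It goes one step beyond the slide with a `ts` flag that adds the termination-sensitive rule of [11], rejecting any loop that runs in a high context. The typing environment `GAMMA` (h high, l low), the parser and the function names are constructed for this example.

```python
# Added example, not from the slides or the paper: a Volpano/Smith-style
# security type system for the slide's language
#     C ::= skip | var := exp | C1; C2 | if exp then C1 else C2 | while exp do C
# Only the free variables of exp matter for its type, so an expression is
# parsed into the set of variables it reads (words in OPERATORS are not variables).

LEVELS = {"L": 0, "H": 1}                  # two-point lattice, L below H
OPERATORS = {"mod", "and", "or", "not"}
EXP_END = {"then", "do", "else", ";", ")"}
GAMMA = {"h": "H", "l": "L"}               # constructed typing environment

def join(a, b):
    return a if LEVELS[a] >= LEVELS[b] else b

def parse(src):
    """Recursive-descent parser to tuples: ("skip",) | ("assign", var, reads)
    | ("seq", c1, c2) | ("if", reads, c1, c2) | ("while", reads, body)."""
    toks = src.replace("(", " ( ").replace(")", " ) ").replace(";", " ; ").split()
    pos = [0]
    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None
    def take(expected=None):
        tok = peek()
        if expected is not None and tok != expected:
            raise SyntaxError(f"expected {expected!r}, got {tok!r}")
        pos[0] += 1
        return tok
    def exp():
        reads = set()
        while peek() is not None and peek() not in EXP_END:
            tok = take()
            if tok.isidentifier() and tok not in OPERATORS:
                reads.add(tok)
        return frozenset(reads)
    def cmd():
        tok = peek()
        if tok == "skip":
            take()
            return ("skip",)
        if tok == "(":                      # parenthesised command sequence
            take()
            inner = cmds()
            take(")")
            return inner
        if tok in ("if", "while"):
            take()
            guard = exp()
            take("then" if tok == "if" else "do")
            first = cmd()
            if tok == "while":
                return ("while", guard, first)
            take("else")
            return ("if", guard, first, cmd())
        var = take()                        # var := exp
        take(":=")
        return ("assign", var, exp())
    def cmds():
        left = cmd()
        while peek() == ";":
            take()
            left = ("seq", left, cmd())
        return left
    tree = cmds()
    if peek() is not None:
        raise SyntaxError(f"unexpected {peek()!r}")
    return tree

def exp_level(reads, gamma):
    lvl = "L"
    for v in reads:
        lvl = join(lvl, gamma[v])
    return lvl

def check(cmd, gamma, pc="L", ts=False):
    """True iff cmd is typable. pc is the level of the control context:
    x := e needs pc join level(e) <= gamma(x); if/while bodies are typed
    under pc join level(guard). ts=True adds the termination-sensitive rule
    of [11]: no loop may run in a high context (high guard or high branch)."""
    kind = cmd[0]
    if kind == "skip":
        return True
    if kind == "assign":
        _, var, reads = cmd
        return LEVELS[join(pc, exp_level(reads, gamma))] <= LEVELS[gamma[var]]
    if kind == "seq":
        return check(cmd[1], gamma, pc, ts) and check(cmd[2], gamma, pc, ts)
    if kind == "if":
        _, guard, then_c, else_c = cmd
        pc2 = join(pc, exp_level(guard, gamma))
        return check(then_c, gamma, pc2, ts) and check(else_c, gamma, pc2, ts)
    _, guard, body = cmd                    # while
    pc2 = join(pc, exp_level(guard, gamma))
    if ts and pc2 == "H":
        return False
    return check(body, gamma, pc2, ts)

def secure(src, gamma=GAMMA, ts=False):
    """Type-check a program text from scratch (pc = L at top level)."""
    return check(parse(src), gamma, "L", ts)
```

`secure("l := h")` is rejected and `secure("h := l")` accepted, as expected; the slide-11 program `h := h mod 2; l := 0; if h = 1 then l := 1 else skip` is rejected because the assignment to l sits under a high guard. Two limits of this kind of system are also visible: `while h = 1 do skip` passes unless `ts=True` (the type system is termination-insensitive by default), and `(if h = 1 then l := 1 else l := 0); l := 0` is rejected although l is always 0 when the program ends, which is the precision problem discussed later among the open challenges.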

Slide 17: Research Trends
(diagram) static certification; noninterference; sound security analysis; expressiveness; concurrency; covert channels; security policies

Slide 18: Language Expressiveness
(diagram, same map as slide 17) expressiveness: procedures, functions, exceptions, objects

Slide 19: Language Expressiveness
- Procedures
  - Polymorphism [3]: the type of commands or expressions may be generic
- Functions
  - SLam calculus [4]: a functional language

References
[3] D. Volpano and G. Smith, “A type-based approach to program security,” in Proc. TAPSOFT ’97, Apr. 1997, LNCS.
[4] N. Heintze and J. G. Riecke, “The SLam calculus: programming with secrecy and integrity,” in Proc. ACM Symp. on Principles of Programming Languages, Jan. 1998.

Slide 20: Language Expressiveness
- Exceptions
  - Nonlocal transfer of control; implicit flows
  - Path labels [5]: fine-grained tracking of implicit flows caused by exceptions
- Objects
  - Java-like imperative object-oriented language [6]
  - JFlow [5]

References
[5] A. C. Myers, “JFlow: Practical mostly-static information flow control,” in Proc. ACM Symp. on Principles of Programming Languages, Jan.
[6] A. Banerjee and D. A. Naumann, “Secure information flow and pointer confinement in a Java-like language,” in Proc. IEEE Computer Security Foundations Workshop, June 2002.

Slide 21: Concurrency
(diagram, same map as slide 17) concurrency: nondeterminism, threads, distribution

Slide 22: Concurrency
- Nondeterminism
  - Possibilistic security condition [7]: high inputs may not affect the set of possible low outputs
  - Dependence analysis between variables [8]

References
[7] J. McLean, “A general theory of composition for a class of ‘possibilistic’ security properties,” IEEE Transactions on Software Engineering, vol. 22, no. 1, Jan.
[8] J.-P. Banatre, C. Bryce, and D. Le Metayer, “An approach to information security in distributed systems,” in Proc. European Symp. on Research in Computer Security, 1994, vol. 875 of LNCS, Springer-Verlag.

Slide 23: Concurrency
- Thread concurrency
  - The high part has to be protected at all times:
    (thread1) h := 0; l := h   ||   (thread2) h := h'
- Noninterference for a multithreaded language [9]
  - No while loop may have a high guard
  - No high conditional may contain a while loop in a branch
- Encoding a timing leak into a direct leak:
    (if h = 1 then C_long else skip); l := 1   ||   l := 0

References
[9] G. Smith and D. Volpano, “Secure information flow in a multi-threaded imperative language,” in Proc. ACM Symp. on POPL, Jan. 1998.
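Both programs on this slide can be checked mechanically against the possibilistic condition of slide 22 by enumerating every interleaving of the two threads. The block below is an added example, not code from the presentation or the paper. Each thread is a list of atomic assignments, the attacker observes only the final value of l, and `C_long` is modelled as `LONG_STEPS` harmless steps; `assign`, `race_program`, `timing_program` and the other names are constructed for this example. Thread 1 of the first program is noninterfering on its own, but with thread 2 running alongside the set of possible final values of l depends on h'. The second program passes the possibilistic test for both values of h, yet the fraction of interleavings that end with l = 1 differs, which is how a timing difference turns into an observable leak under a scheduler.

```python
# Added example, not from the slides or the paper: exhaustive interleaving
# of two threads, used to test the possibilistic condition of [7] on the two
# programs of this slide. Each thread is a list of atomic assignments and the
# attacker sees only the final value of l. C_long is modelled as LONG_STEPS
# harmless steps (a constructed stand-in).
from fractions import Fraction
from itertools import combinations

LONG_STEPS = 4

def assign(var, fn):
    """One atomic step: var := fn(store), applied in place."""
    def step(store):
        store[var] = fn(store)
    return step

def interleavings(n1, n2):
    """Every ordering of n1 steps of thread 1 with n2 steps of thread 2."""
    for slots in combinations(range(n1 + n2), n1):
        yield tuple(1 if i in slots else 2 for i in range(n1 + n2))

def final_lows(thread1, thread2, init):
    """Final value of l after every interleaving, one entry per interleaving."""
    finals = []
    for order in interleavings(len(thread1), len(thread2)):
        store, next_step = dict(init), {1: 0, 2: 0}
        for t in order:
            (thread1 if t == 1 else thread2)[next_step[t]](store)
            next_step[t] += 1
        finals.append(store["l"])
    return finals

def possibilistic_secure(program, high_inputs):
    """program(h) -> (thread1, thread2, init). Secure in the sense of [7]
    iff the set of possible final l is the same for every high input."""
    outcome_sets = {frozenset(final_lows(*program(h))) for h in high_inputs}
    return len(outcome_sets) == 1

def share_ending_in_one(program, h):
    """Fraction of interleavings that end with l = 1; a scheduler that picks
    every interleaving equally often turns this into a probability."""
    finals = final_lows(*program(h))
    return Fraction(finals.count(1), len(finals))

# Slide program 1:  (thread1) h := 0; l := h   ||   (thread2) h := h'
def race_program(h_prime):
    thread1 = [assign("h", lambda s: 0), assign("l", lambda s: s["h"])]
    thread2 = [assign("h", lambda s: s["h'"])]
    return thread1, thread2, {"h": 0, "l": 0, "h'": h_prime}

def sequential_program(h_prime):
    """Thread 1 of race_program on its own: noninterfering by itself."""
    thread1, _thread2, init = race_program(h_prime)
    return thread1, [], init

# Slide program 2:  (if h = 1 then C_long else skip); l := 1   ||   l := 0
def timing_program(h):
    c_long = [assign("tmp", lambda s: 0)] * LONG_STEPS if h == 1 else []
    thread1 = c_long + [assign("l", lambda s: 1)]
    thread2 = [assign("l", lambda s: 0)]
    return thread1, thread2, {"h": h, "l": 0, "tmp": 0}

if __name__ == "__main__":
    print("thread 1 alone:", possibilistic_secure(sequential_program, (0, 1)))
    print("with thread 2:", possibilistic_secure(race_program, (0, 1)))
    for h in (0, 1):
        print("timing program, h =", h, share_ending_in_one(timing_program, h))
```

With `LONG_STEPS = 4`, the timing program ends with l = 1 in 1/2 of the interleavings when h = 0 and in 5/6 of them when h = 1: the possibilistic sets agree ({0, 1} in both cases) but an attacker who can rerun the program sees the bias.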

Slide 24: Concurrency
- Distribution
  - The ability to exchange messages; these communications may be observed by attackers
- Mutual distrust
  - Components can fail, or attempt to compromise the behavior of others
- Secure program partitioning [10]
  - Sequential, security-typed program -> fine-grained communicating subprograms

References
[10] S. Zdancewic, L. Zheng, N. Nystrom, and A. C. Myers, “Untrusted hosts and confidentiality: Secure program partitioning,” in Proc. ACM Symp. on Operating System Principles, Oct. 2001, pp. 1-14.

Slide 25: Covert Channels
(diagram, same map as slide 17) covert channels: termination, timing, probability

Slide 26: Covert Channels
- Termination channels, e.g.
    while h = 1 do skip
  - Termination-sensitive noninterference [11]: disallows high loops and requires that high conditionals have no loops in their branches
  - Binding-time analysis [12]: divides program terms into
    - Static: known at partial-evaluation time
    - Dynamic: to be supplied later
    - No static term may depend on a dynamic variable

References
[11] D. Volpano and G. Smith, “Eliminating covert flows with minimum typings,” in Proc. IEEE Computer Security Foundations Workshop, June 1997.
[12] M. Abadi, A. Banerjee, N. Heintze, and J. Riecke, “A core calculus of dependency,” in Proc. ACM Symp. on Principles of Programming Languages, Jan. 1999.

Slide 27: Covert Channels
- Timing channels, e.g.
    if h = 1 then C_long else skip
  - Timing-sensitive noninterference [13]: high conditionals have no loops in their branches, and each high conditional is wrapped in a protect statement whose execution is atomic
  - Program transformation [14]: cross-copy the slices of the branches of a high if to equalize the execution time of the branches

References
[13] D. Volpano and G. Smith, “Probabilistic noninterference in a concurrent language,” J. Computer Security, vol. 7, no. 2-3, Nov.
[14] J. Agat, “Transforming out timing leaks,” in Proc. ACM Symp. on Principles of Programming Languages, Jan. 2000.

Slide 28: Covert Channels
- Probabilistic channels
  - Probabilistic noninterference: two behaviors are indistinguishable by the attacker iff the distributions of low output are the same
- Example
    l := PIN  []9/10  l := rand(9999)
  - [] p is the probabilistic choice operator
    - Selects the left-hand command with probability p
    - Selects the right-hand command with probability 1-p
  - Varying PIN does not change the set of possible outcomes, so the program is secure under the possibilistic condition
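The gap between the two conditions is easy to compute exactly for the slide's program. The block below is an added example, not code from the presentation or the paper; it assumes that PINs and `rand(9999)` both range uniformly over 0..9999 (`N`, the function names and the sample PINs are constructed). The support of l is the full range whatever the PIN, so the possibilistic condition is satisfied, while the distribution puts probability 9/10 + 1/100000 on the PIN itself and so differs for different PINs; the last function turns that into the attacker's posterior confidence that one observed value of l is the PIN.

```python
# Added example, not from the slides or the paper: exact outcome distribution
# of the slide's program   l := PIN  []9/10  l := rand(9999)
# Assumptions: PINs and rand(9999) both range over 0..9999, rand is uniform,
# and the attacker's prior over PINs is uniform.
from fractions import Fraction

N = 10000                                    # size of the PIN space (assumed)

def outcome_distribution(pin, p=Fraction(9, 10)):
    """Probability of each final value of l: with probability p the left
    branch copies PIN, with probability 1-p the right branch draws uniformly."""
    dist = {v: (1 - p) / N for v in range(N)}
    dist[pin] += p
    return dist

def possible_outcomes(pin):
    """What the possibilistic condition compares: the support of l."""
    return frozenset(v for v, pr in outcome_distribution(pin).items() if pr > 0)

def possibilistic_secure(pin_a, pin_b):
    """Set of possible low outputs is the same for both secrets."""
    return possible_outcomes(pin_a) == possible_outcomes(pin_b)

def probabilistic_secure(pin_a, pin_b):
    """Probabilistic noninterference: the whole distribution must agree."""
    return outcome_distribution(pin_a) == outcome_distribution(pin_b)

def posterior_pin_equals_observed(p=Fraction(9, 10)):
    """Attacker's confidence that the observed l is the PIN, under a uniform
    prior: P(PIN=v | l=v) = P(l=v | PIN=v) * P(PIN=v) / P(l=v)."""
    p_l_given_pin = p + (1 - p) / N          # left branch, or a lucky draw
    p_l = Fraction(1, N)                     # marginal: l is uniform overall
    return p_l_given_pin * Fraction(1, N) / p_l

if __name__ == "__main__":
    print("possibilistic:", possibilistic_secure(1234, 5678))
    print("probabilistic:", probabilistic_secure(1234, 5678))
    print("P(PIN = observed l):", float(posterior_pin_equals_observed()))
```

A single observation of l therefore identifies the PIN with probability 0.90001, even though every value of l remains possible for every PIN.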

Slide 29: Security Policies
(diagram, same map as slide 17) security policies: declassification, admissibility, relative security, quantitative security

Slide 30: Security Policies
- Noninterference rejects downgrading
- Decentralized model [1]
  - Selective declassification
- Admissibility [15]
  - Explicitly states which dependencies between data are allowed in the program
- Quantitative security [16]
  - Allows for a limited bandwidth of information leaks

References
[15] M. Dam and P. Giambiagi, “Confidentiality for mobile code: The case of a simple payment protocol,” in Proc. IEEE Computer Security Foundations Workshop, July 2000.
[16] D. Clark, S. Hunt, and P. Malacaria, “Quantitative analysis of the leakage of confidential data,” in QAPL 2011.

Slide 31: Open Challenges
- System-wide security
  - Computer systems are only as secure as their weakest point
  - Integration of language-based information flow with system-wide information-flow control
- Certifying compilation
  - Secure information flow for low-level languages, where useful information about program structure is lost

Slide 32: Open Challenges
- Abstraction-violating attacks
  - The model of the attacker is an abstraction and removes possibly important details about the real attacker
  - E.g. cache attack:
    (if h = 1 then h' := h1 else h' := h2); h' := h1
    When h = 1, the execution time is likely to be shorter
- Dynamic policies
  - Information-flow policies are not known statically
  - E.g. Jif compiler: type label

Slide 33: Open Challenges
- Practical issues
  - Improve the precision of type systems: do not reject too many secure programs
  - Experience is needed
- Variations of static analysis for security
  - Control- and data-flow analysis: more accurate than many type systems
  - E.g.
    (if h = 1 then l := 1 else l := 0); l := 0