A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida.

Presentation transcript:

Problem: Expressing Information Flow Security Specifications
Android applications
Applications in general
Libraries

Why Information Flow?
ACLs and firewalls prevent or allow access to data, but they do not control what happens after an access.
Heartbleed, a defect in OpenSSL, could have been found by information flow analysis.

Background: Information Flow Problem
send(company, address_book);   // explicit flow: the address book leaves the program
company = address_book;        // explicit flow: assignment copies the data
boolean b = false;
if (address_book.get("president").num().equals("(202) ")) { b = true; }   // implicit flow: b now reveals a fact about address_book

Background: Lattice Model of Information Flow (Denning, 1976)
Each variable is given a security label (e.g., Public, User, Private, …)
Statically check all statements: x = e; is permitted only if label(e) ⊑ label(x)
Invariant: only permitted information flows are allowed
(lattice figure: Public, User, Private)

Integrity Interpretation
Where can the variable's value come from? What can affect it?
(lattice figure; axis: More Influences)

Confidentiality Interpretation
Where can a variable's value be sent? What can learn from it?
(lattice figure over channel sets: {FILE}, {NET}, {UI}; {NET, UI}, {FILE, UI}, {FILE, NET}; {FILE, NET, UI}; axis: More Confidential)

The Decentralized Label Model (Myers & Liskov, 1998)
Each variable has two sets of labels:
Sinks: where information can flow
Sources: where information can be obtained from
Rules for x = e:
Safe to REMOVE sinks from x
Safe to ADD sources to x

Example
UI}) int e;
x = e; // legal?

Key Properties of the Decentralized Label Model
Label creation and propagation is not centralized.
New labels can be created dynamically.
But checking is mostly static.

Drawbacks of the Decentralized Model
Set-based labels can be cumbersome to write in programs.
Programmers must reason about 2 directions at once: Confidentiality, Integrity
APIs must be specified once and for all

API Example
package android.content.res;
class AssetFileDescriptor {
    FileInputStream createInputStream() throws IOException;
}

Client
LITERAL}) InputStream is;
is = encryptedVideoAsset.createInputStream();

Is the Power of the Distributed Label Model needed?
Many programs are not distributed
Even distributed programs can be logically centralized

The Bipartite Graph Model of Information Flow: Approach/Idea

Model Idea
(bipartite graph figure: channels C = {UI, FILE, NET} on one side, security labels L = {Private, User, Public} on the other, joined by the edge map E; example: Encrypted Video Viewer)

Example: Encrypted Video Viewer
(figure: Encrypted Video Viewer with channels UI, FILE, NET)

Approach: Model
Static security labels, L
Global channels, C
API specified by channels and usage: Arguments (I), Results (O)
Edge mapping, E : {I, O} × C → L

Example Security Lattice (Security.xml file)
…

Example Channel Mapping (Channels.xml file)

Simple Example (Voting Booth)
public void el(SECRET) User Vote v) {
    // .. ok because TOPSECRET > SECRET
    String encryptedId = encryptVoterId(u.getUserId()); // ok because TOPSECRET
    logVote(encryptedId, v);
    //...
}
// in the program, but described wit
public void vote) {
    //...
}
// in an API
String String voterId) {
    //...
}

More Detailed Example: Distributed Label Approach

More Detailed Example: Bipartite Graph Model

Using the Model
User writes: Security.xml, Channels.xml
User supplies program annotation for APIs ("poor man's" polymorphism)
Runs checking tool over program
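The following is an added illustration, not code from the talk or its tools: a toy checker that puts the Denning rule (label(e) ⊑ label(x), including the implicit flow in the address-book example) and the edge map E : {I, O} × C → L into one place. The label order stands in for Security.xml and the channel-to-label map for Channels.xml; the label names, channel names, API names and edge-map values are assumptions chosen for the Encrypted Video Viewer and send(company, address_book) examples.

```python
# Added example (not the talk's code): toy checker for the bipartite graph model.
# All label/channel/API names and edge-map values below are assumptions.

# Security lattice L as "a flows to b" edges: Public -> User -> Private (Security.xml).
LATTICE_EDGES = {("Public", "User"), ("User", "Private")}

# Global channels C = {UI, FILE, NET}; edge map E : {I, O} x C -> L (Channels.xml).
# (I, c): the most secret label that may flow OUT to channel c as an argument.
# (O, c): the label given to data that comes IN from channel c as a result.
EDGE_MAP = {
    ("I", "UI"): "Private", ("O", "UI"): "User",
    ("I", "FILE"): "User",  ("O", "FILE"): "Private",
    ("I", "NET"): "Public", ("O", "NET"): "Public",
}

# APIs are specified by channels only: channel per argument, channel of the result.
API = {
    "send": {"args": ["NET", "NET"], "result": None},
    "createInputStream": {"args": [], "result": "FILE"},
}

def leq(a, b):
    """a ⊑ b: label a may flow to label b (reflexive, transitive closure of the edges)."""
    return a == b or any(x == a and leq(y, b) for x, y in LATTICE_EDGES)

def check_assign(x_label, e_label):
    """Denning rule for x = e: permitted only if label(e) ⊑ label(x)."""
    return leq(e_label, x_label)

def check_branch(guard_label, assigned_labels):
    """Implicit flow: every variable assigned under 'if (guard)' must dominate the guard."""
    return all(leq(guard_label, x) for x in assigned_labels)

def check_call(api_name, arg_labels, result_label=None):
    """Client code carries labels, the API carries channels; E joins the two sides."""
    spec = API[api_name]
    ok = all(leq(a, EDGE_MAP[("I", c)]) for a, c in zip(arg_labels, spec["args"]))
    if spec["result"] is not None and result_label is not None:
        ok = ok and leq(EDGE_MAP[("O", spec["result"])], result_label)
    return ok

if __name__ == "__main__":
    # is = encryptedVideoAsset.createInputStream(): data read from FILE is Private.
    print(check_call("createInputStream", [], "Private"))  # True
    print(check_call("createInputStream", [], "Public"))   # False
    # send(company, address_book) with a Private address book going to NET.
    print(check_call("send", ["Public", "Private"]))       # False
    # if (address_book...equals(...)) { b = true; } with a Public b.
    print(check_branch("Private", ["Public"]))             # False
```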

Advantages of the Model
Can mix channels and labels in a program: channels in the API, labels in client code
Compact types: channels or labels, not two sets
Can handle confidentiality and integrity separately or together.
Users can define arbitrarily complex lattices

Suitability for annotations
Specify information flow generically
Can customize security.xml (levels) and channels.xml (mapping) to fit the security concerns of the application.

Preliminary Experimental Work
A few systems using these ideas:
CheckLT – lattice-based taint checking for Java
FS4A – Flowspecs for Android (an extension to OpenJML)
Full implementation of the Bipartite Graph Model
Incorporates Conditional Release aspects

Conclusions
User-defined lattice to describe security levels
Fixed set of channels (centralized)
Mapping from channels to levels allows customization