JFlow: Practical Mostly-Static Information Flow Control
Andrew C. Myers
Presented by Shiyi Wei
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Slide 2: JFlow

JFlow = Java language (certain features omitted) + information flow annotations (decentralized label model).

Diagram: JFlow source (.java) is fed to the JFlow compiler, which performs static checking of the flow annotations (labeled types, classes, etc.). Run-time support classes: jflow.lang.Label, jflow.lang.Principal.
Slide 3: Overview

- Motivation
- Background: decentralized label model
- Language description
  - Extended language
  - Examples
  - Limitations
- JFlow compiler: static type and label checking
Slide 4: Motivation

- Privacy: data protection
  - Statically check information flows within programs that might manipulate the data
  - Fine-grained tracking of security classes
  - Without the run-time overhead
- Previous work: not practical, too limited/restrictive
- JFlow: a usable programming model
Slide 5: Motivation

Information leakage:

- Explicit flow:
    int secret;
    …
    int pub = secret;

- Implicit flow:
    boolean secret;
    …
    int pub = 0;
    if (secret) pub = 1;
Slide 6: Background: decentralized label model

- Form: L = {o1: r1, r2; o2: r2, r3} (owner o1 permits readers r1, r2; owner o2 permits readers r2, r3)
- Assignment x/L2 := v/L1 is allowed iff L2 is at least as restrictive as L1
- Joining of labels: least upper bound
- Declassification: strict information flow control is too restrictive

Reference: http://courses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Decentralized-Information-Flow.pdf
Slide 7: Background

Information leakage:

- Explicit flow:
    int secret;           // secret: L1
    …
    int pub = secret;     // pub: L2

- Implicit flow:
    boolean secret;       // secret: L1
    …
    int pub = 0;          // pub: L2
    if (secret) pub = 1;  // 1: ?
Slide 8: Language Description

- Labeled types
- Implicit flows
- Run-time labels
- Authority and declassification
- Run-time principals
- Classes
- Methods
Slide 9: Labeled Types

- A labeled type is an ordinary Java type plus a label, written t{l}
- Examples:
    int{p:} x;   // principal p owns x and p can read x
    int{x} y;    // y is as restricted as x is
    int z;       // the label is inferred automatically or by default
- Type checking vs. label checking
Slide 10: Implicit Flows

- Implicit flows: channels created by the control flow structure
- Program-counter label (pc): associated with every statement and expression; it records the information learned from the statements and expressions evaluated so far

Example:
    int{public} x;      // pc = {}
    boolean{secret} b;  // pc = {}
    …
    x = 0;              // pc = {}
    if (b) {            // pc = {}
        x = 1;          // pc = {b}
    }

The label of x ({public}) is not at least as restrictive as the label of 1 ({secret}).
Slide 11: Run-time Labels

- New primitive type: label, used when the label cannot be determined statically
  E.g. static float{*lb} compute(int x{*lb}, label lb)
  *lb: the label contained in the variable lb
- Variables of type label are final
- switch label statement: the statement executed is the first whose associated label is at least as restrictive as the label of the expression
Slide 12: Run-time Labels

switch label example: transfer an integer from x to y
    label{L} lb;
    int{*lb} x;
    int{p:} y;
    switch label(x) {
        case (int{y} z) y = z;
        else throw new UnsafeTransfer();
    }
Slide 13: Authority and Declassification

- Authority: the capability to act for some principals; it controls the ability to declassify data
- actsFor(p1, p2) S: execute S if p1 can act for p2; otherwise S is skipped
- declassify(e, L): relabel the result of e with the label L; it may only relax policies owned by principals in the authority
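The label model from slide 6 and the checks from slides 10, 12 and 13 (the assignment rule with the pc term, the switch label test, and declassification limited to the code's authority), carried through in working code. This is an added example written for this page, not code from the slides or from the JFlow compiler; the names Label, flows_to, join, declassify, can_assign and switch_label and the principals alice, p, q, user, password and root are my own choices, and the model ignores the acts-for relation between principals (a policy is only matched by a policy with the same owner).

```python
# Added example, not from the slides or from JFlow: a small model of the
# decentralized label model and of the checks JFlow performs against it.
# A label is a set of policies, one per owner: owner -> readers the owner
# permits (the owner can always read). Fewer readers, or more owners, means
# a more restrictive label. The acts-for relation is ignored here.
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Mapping, Tuple


@dataclass(frozen=True)
class Label:
    policies: Mapping[str, FrozenSet[str]]

    @staticmethod
    def of(**owners: Iterable[str]) -> Label:
        """Label.of(p=[]) is {p:}, Label.of(p=["q"]) is {p: q}, Label.of() is {}."""
        return Label({o: frozenset(r) for o, r in owners.items()})

    def flows_to(self, other: Label) -> bool:
        """L1 ⊑ L2 (L2 at least as restrictive as L1): every policy of L1 is
        present in L2 with the same owner and no additional readers."""
        for owner, readers in self.policies.items():
            if owner not in other.policies:
                return False                    # L2 drops the owner's policy
            if not other.policies[owner] <= readers:
                return False                    # L2 admits a reader L1 did not
        return True

    def join(self, other: Label) -> Label:
        """Least upper bound: keep every owner, intersect the reader sets."""
        merged: Dict[str, FrozenSet[str]] = dict(self.policies)
        for owner, readers in other.policies.items():
            merged[owner] = merged[owner] & readers if owner in merged else readers
        return Label(merged)

    def declassify(self, authority: FrozenSet[str], drop: Iterable[str]) -> Label:
        """Remove the policies of the owners in `drop`; allowed only if the
        running code holds the authority of every such owner."""
        drop = set(drop)
        missing = drop - authority
        if missing:
            raise PermissionError(f"no authority to declassify for {sorted(missing)}")
        return Label({o: r for o, r in self.policies.items() if o not in drop})


def can_assign(target: Label, value: Label, pc: Label) -> bool:
    """x/L2 := v/L1 is legal iff L1 joined with the program-counter label pc
    flows to L2; the pc term is what catches implicit flows."""
    return value.join(pc).flows_to(target)


def switch_label(value_label: Label,
                 cases: List[Tuple[Label, Callable[[], object]]],
                 otherwise: Callable[[], object]) -> object:
    """Run-time label test: run the first case whose label is at least as
    restrictive as the value's label, else the `else` branch."""
    for case_label, body in cases:
        if value_label.flows_to(case_label):
            return body()
    return otherwise()


def slide_examples() -> Dict[str, object]:
    """Reproduces the situations on the slides with constructed labels."""
    public, secret = Label.of(), Label.of(alice=[])
    # explicit flow: int pub = secret;
    explicit = can_assign(public, secret, pc=public)
    # implicit flow: inside if (b) {...} the pc is {b}, so even the literal 1
    # carries {secret} and cannot be stored in a {public} variable
    implicit = can_assign(public, public, pc=secret)
    # the same assignment into a {secret} variable is fine
    safe = can_assign(secret, public, pc=secret)
    # passwordFile: pc = {user; password; root}, return label {user; password}
    pwfile = Label.of(user=[], password=[], root=[])
    declassified = pwfile.declassify(frozenset({"root"}), ["root"])
    # switch label: transfer x (run-time label {p:}) into y {p:}
    y: Dict[str, int] = {}
    transfer = switch_label(Label.of(p=[]),
                            [(Label.of(p=[]), lambda: y.setdefault("y", 42))],
                            lambda: "UnsafeTransfer")
    return {"explicit": explicit, "implicit": implicit, "safe": safe,
            "declassified": declassified, "transfer": transfer}


if __name__ == "__main__":
    print(slide_examples())
```

The flows_to check is the relabeling rule of the decentralized label model: a label may only be replaced by one that keeps every owner's policy and does not add readers to it. Because can_assign joins the program-counter label into the value's label, the literal 1 assigned inside `if (b)` is treated as {secret}, which is exactly the rejection slide 10 describes.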
Slide 14: Run-time Principals

- New primitive type: principal
- A policy may use a final variable of type principal to name an owner or reader
- "Run-time principals are needed in order to model systems that are heterogeneous with respect to the principals in the system, without resorting to declassification"

    class Account {
        final principal customer;
        String{customer:} name;
        float{customer:} balance;
    }
Slide 15: Classes

- Parameterized classes: important for building reusable data structures
- E.g. the Java Vector class is parameterized on a label L
Slide 16: Classes

- Given the relation between {secret} and {public}: is Vector[{secret}] ≤ Vector[{public}]?
- Covariant label: the case in which the above subtype relation is sound
  - No method argument or mutable instance variable may be labeled using the parameter
- Class implicit label parameter {this}: a covariant parameter
Slide 17: Classes

- authority clause: names principals external to the program, or principal parameters
  E.g. class passwordFile authority(root) { … }
Slide 18: Methods

JFlow method declaration:
- The return value, the arguments, and the exceptions may each be individually labeled
- Arguments are always implicitly final
Slide 19: Methods

JFlow method declaration:
- begin-label: restriction on the pc at the point of invocation of the method
- end-label: the final pc; information can be learned by observing whether the method terminates normally
Slide 20: Methods

Examples:
    static int{x;y} add(int x, int y) { return x + y; }
    boolean compare_str(String name, String pwd):{name; pwd} throws(NullPointerException) { … }
    boolean store{L}(int{} x) throws(NotFound) { … }
Slide 21: Methods

JFlow method declaration (figure)
Slide 22: Example: passwordFile

- pc = {user; password; root}
- return label: {user; password}
- declassification: remove root
Slide 23: Example: Protected

- The caller must have a sufficient label to get the data
Slide 24: Limitations

- Threads: single-threaded programs only
- Timing channels: gain information by timing code with the system clock
- hashCode: a JFlow class must implement its own hashCode
- Finalizers: run in a separate thread from the main program
Slide 25: Limitations

- Resource exhaustion: OutOfMemoryError
- Wall-clock timing channels
- Unchecked exceptions
- Backward compatibility: not backward compatible with Java
Slide 26: Static Checking

- Label-checking rules
- Throwing and catching exceptions
- Run-time label checking
- Checking method calls
Slide 27: Label-checking Rules

Notation:
- X: path labels
- n: normal termination
- nv: normal value
- A: environment
- T: a type
- L: a label

Rules:
- A literal expression always terminates normally, and its value is labeled with the current pc
- An empty statement always terminates normally, with the same pc as at its start
- The value of a variable is labeled with both the label of the variable and the current pc
- Assignment to a variable
- Two statements S1 and S2 performed in sequence
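The rules listed on slide 27 (literal, empty statement, variable, assignment, sequence) together with the implicit-flow rule of slide 10, implemented as a static checker over a tiny statement language. This is an added example written for this page, not the JFlow compiler's own code. It simplifies the decentralized label model to a set of owner principals with no readers ({p:} policies), so the relation "at least as restrictive" is subset and the join is union; it models only normal termination, so the path labels X collapse to a single pc value; and the node and function names (Lit, Var, Skip, Assign, Seq, If, check, verdict) are my own.

```python
# Added example, not the JFlow compiler's code: a static label checker for a
# tiny statement language, following the label-checking rules on the slide.
# Simplification: a label is the set of owner principals of {p:} policies,
# so L1 ⊑ L2 iff L1 ⊆ L2 and the join is set union. Only normal termination
# is modelled, so the path labels X collapse to a single pc value.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Union

Label = FrozenSet[str]
PUBLIC: Label = frozenset()           # the label {}


def leq(l1: Label, l2: Label) -> bool:
    """L2 is at least as restrictive as L1."""
    return l1 <= l2


def join(*labels: Label) -> Label:
    """Least upper bound of the given labels."""
    return frozenset().union(*labels)


class LabelError(Exception):
    """Raised where the JFlow compiler would report a label-check failure."""


# Expressions
@dataclass
class Lit:                           # a literal such as 0 or 1
    value: object

@dataclass
class Var:                           # a variable reference
    name: str

Expr = Union[Lit, Var]

# Statements
@dataclass
class Skip:                          # the empty statement
    pass

@dataclass
class Assign:                        # target = expr
    target: str
    expr: Expr

@dataclass
class Seq:                           # first; second
    first: Stmt
    second: Stmt

@dataclass
class If:                            # if (cond) then_branch else else_branch
    cond: Expr
    then_branch: Stmt
    else_branch: Stmt = field(default_factory=Skip)

Stmt = Union[Skip, Assign, Seq, If]


def fmt(label: Label) -> str:
    return "{" + "; ".join(sorted(label)) + "}"


def expr_label(env: Dict[str, Label], e: Expr, pc: Label) -> Label:
    """Label of the value of e under program-counter label pc."""
    if isinstance(e, Lit):
        return pc                    # literal: labeled with the current pc
    if isinstance(e, Var):
        return join(env[e.name], pc) # variable: its label joined with the pc
    raise TypeError(f"unknown expression {e!r}")


def check(env: Dict[str, Label], s: Stmt, pc: Label) -> Label:
    """Check statement s under pc; return the pc in effect after it."""
    if isinstance(s, Skip):
        return pc                    # empty statement: pc unchanged
    if isinstance(s, Assign):        # value label must flow to the target's label
        value = expr_label(env, s.expr, pc)
        if not leq(value, env[s.target]):
            raise LabelError(f"{s.target}{fmt(env[s.target])} := value labeled "
                             f"{fmt(value)} under pc {fmt(pc)}")
        return pc
    if isinstance(s, Seq):           # S2 is checked with the pc left by S1
        return check(env, s.second, check(env, s.first, pc))
    if isinstance(s, If):            # both branches run under pc ⊔ label(cond)
        branch_pc = join(pc, expr_label(env, s.cond, pc))
        check(env, s.then_branch, branch_pc)
        check(env, s.else_branch, branch_pc)
        return pc                    # both branches terminate normally, so the
                                     # pc after the if is the pc before it
    raise TypeError(f"unknown statement {s!r}")


def verdict(env: Dict[str, Label], prog: Stmt) -> str:
    """'accepted' or 'rejected: <reason>' for prog checked from pc = {}."""
    try:
        check(env, prog, PUBLIC)
        return "accepted"
    except LabelError as err:
        return f"rejected: {err}"


# The program from the Implicit Flows slide (constructed input):
#   int{public} x; boolean{secret} b; x = 0; if (b) { x = 1; }
SLIDE_ENV = {"x": PUBLIC, "b": frozenset({"secret"})}
SLIDE_PROG = Seq(Assign("x", Lit(0)), If(Var("b"), Assign("x", Lit(1))))

if __name__ == "__main__":
    print(verdict(SLIDE_ENV, SLIDE_PROG))
```

Running the checker on the slide's program rejects the assignment inside the if: the literal 1 is labeled with the pc, the pc inside the branch has been joined with the label of b, and {secret} does not flow to x's label {}. Declaring x as int{secret} instead makes the same program pass.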
Slide 28: Translation

- Most annotations are erased: type labels -> Java type; class parameters
- Built-in types are translated: label -> jflow.lang.Label; principal -> jflow.lang.Principal
- Two constructs translate to interesting code: actsFor, switch label