Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Information Flow for Reactive Programming Paradigm Zhengqin Luo 2016-7-71SAFA workshop 2009.

Published byAntonia Hodges Modified over 8 years ago

Similar presentations

Presentation on theme: "Secure Information Flow for Reactive Programming Paradigm Zhengqin Luo 2016-7-71SAFA workshop 2009."— Presentation transcript:

1 Secure Information Flow for Reactive Programming Paradigm Zhengqin Luo Zhengqin.luo@sophia.inria.fr 2016-7-71SAFA workshop 2009

2 What is this talk about?  Secure information flow problem  Programs can access confidential information  Some of programs’ behaviors are publicly observation  Reactive Programming Paradigm  Deterministic concurrency, cooperative scheduling  Synchronized threads, signals, suspensions, preemptions  Controlling information flow for reactive programs  How information can be deliberately leaked?  How to prevent insecure flows?  Dynamic and static enforcement 2016-7-72SAFA workshop 2009

3 Secure information flow problem  Programs interact with confidential information  Non-interference property  Inputs/outputs are classified by secret and public  Differs in secret inputs SHOULD NOT result in different public output  A simplified lattice model: L (public), H (secret) P P Credit card No., price Other cookies Auction.com Steal-your-informaion.com P P Secret Public Secret Public 2016-7-73SAFA workshop 2009

4 Typical insecure programs  High-order imperative ML notion  u L is public; v H is confidential  Direct flow u L :=!v H  Indirect flow If !v H then u L :=0 else u L :=1  Indirect flow with thread creation If !v H then (thread (u L :=0)) else (thread (u L :=1))  Caution! Carefully check your programs! 2016-7-74SAFA workshop 2009

5 Reactive Programming Paradigm - Informal  Based on high-order imperative ML  An reactive machine contains  Environment ξ : a set of emitted signals  Thread pool :  Reactive construct  (emit s)  (when s do N) - suspension  (watch s do N) - preemption  Cooperative scheduling (deterministic)  For example: a round-robin one  Computations are divided by instants 2016-7-75SAFA workshop 2009

6 Reactive Programming Paradigm - Informal * * Suspension: t1’ is waiting for some signal s, which is not in ξ1, (when s do M) A cooperative round-robin scheduler All threads are suspended Instant transition: perform preemption t=(watch s do M) => t=(), if s is in ξ2 Instant 1 * Instant 2 Reset signal environment 2016-7-76SAFA workshop 2009

7 Insecure examples (1/2) – suspension  T1: If !h then (emit s) else (); when s do (l:=1)  T2: l:=2 ; emit s  h= true in the initial memory T1 || T2, Ø → when s do (l:=1) || l:=2 ; emit s, {s} → when s do () || l:=2 ; emit s, {s}(l:=1) → () || l:=2 ; emit s, {s} → () || emit s, {s}(l:=2) → () || (), {s} 2016-7-77SAFA workshop 2009

8 Insecure examples (1/2) – suspension  T1: If !h then (emit s) else (); when s do (l:=1)  T2: l:=2 ; emit s  h= false in the initial memory T1 || T2, Ø → when s do (l:=1) || l:=2 ; emit s, Ø → when s do (l:=1) || emit s, Ø (l:=2) → when s do (l:=1) || (), {s} → when s do () || (), {s} (l:=1) → () || (), {s} 2016-7-78SAFA workshop 2009

9 Insecure examples (1/2) – suspension  T1: If !h then (emit s) else (); when s do (l:=1)  T2: l:=2 ; emit s  T1 || T2 is not secure by non-interference  Key observation  Signals carry information  Testing signals gets information  Suspension may change the order of observable actions 2016-7-79SAFA workshop 2009

10 Insecure programs (2/2) – preemption  T1: (watch s do (when t do (l:=1)))  T2: l:=2; if !h then (emit s) else (); pause; emit t  h=false in the initial memory T1 || T2, Ø → T1 || T2, Ø → T1 || if !h then (emit s) else (); pause; emit t, Ø (l:=2) → (watch s do (when t do (l:=1))) || pause; emit t, Ø → (watch s do (when t do (l:=1))) || () ; emit t, Ø → (watch s do (when t do (l:=1))) || (), {t} → (watch s do (when t do ())) || (), {t} (l:=1) → () || (), {t} 2016-7-710SAFA workshop 2009

11 Insecure programs (2/2) – preemption  T1: (watch s do (when t do (l:=1)))  T2: l:=2; if !h then (emit s) else (); pause; emit t  h=true in the initial memory T1 || T2, Ø → T1 || T2, Ø → T1 || if !h then (emit s) else (); pause; emit t, Ø (l:=2) → (watch s do (when t do (l:=1))) || pause; emit t, {s} → () || () ; emit t, Ø → () || (), {t} 2016-7-711SAFA workshop 2009

12 Insecure programs (2/2) – preemption  T1: (watch s do (when t do (l:=1)))  T2: l:=2; if !h then (emit s) else (); pause; emit  T1 || T2 is not secure by non-interference  Key observation  Preemption may change whether an observable actions is executed or not 2016-7-712SAFA workshop 2009

13 Our solution  Consider signal environment as part of the inputs/outputs (memory)  s= true s is emitted  Classify signals with security level  s L, s H, t L, t H …  Then some of the programs should be rejected  if !x H then (emit s L ) else (emit t L )  when s H do x L :=1;  watch s H do (…(x L :=1)...)  IS THAT ALL? 2016-7-713SAFA workshop 2009

14 Our solutions – more subtle case  Recall the insecure suspension example  T1: If !h then (emit s) else (); when s do (l:=1)  T2: l:=2 ; emit s  An slightly modified version  T1: If !h then (emit s) else (); when s do (); l:=1  T2: l:=2 ; emit s  Observation: suspension construct will not only possible to reorder its body, but also all the computation afterward.  We should also reject  (when s H do …);…;x L :=1; 2016-7-714SAFA workshop 2009

15 Secure Information flow as a safety property  Non-interference, bisimulation  Comparing two execution of programs, a non-stand property  Intuitive notion of secure information flow  “one should not put in a public location a value elaborated using confidential information”,[DD77]  A monitoring semantics  Keep track of the level of information gained along the computation  Run-time error: trying to assign to public location when the level recorded is more confidential  Secure information as a safety property [Bou08]  No such error occurs! 2016-7-715SAFA workshop 2009

16 A monitoring semantics  We extend the standard semantics with dynamic checks for insecure information flow  To keep track of information, each thread are extend by two variables (independent for each thread) t=(pc,cur,M) where  pc,cur ∈ {L,H}  pc stands for the level of information that will affect the functional and imperative behavior of the thread  cur stands for the level of information that will affect the reactive behavior of the thread 2016-7-716SAFA workshop 2009

17 How pc is manipulated - example  The same as in [Bou08]  Example:  (L,L, (if !x H then y H := 1 else ()); z L :=1)  → (L,L, (if !x H then y H := 1 else ()); (z L :=1) L )  → (H,L, (if tt then y H := 1 else ()); (z L :=1) L )  → (H,L, (y H := 1); (z L :=1) L )  → (H,L, (); (z L :=1) L )  → (L,L, z L :=1)  Similar cases for other constructs Security check happens here, if it is (y L :=1), the check will fail pc is forgotten pc is transmitted pc is increased 2016-7-717SAFA workshop 2009

18 How cur is manipulated  Testing a signal by when (the case by watch is similar)  (pc,cur,when s l do N) → (pc,pc\/cur\/l, when do N)  Why pc is added to cur?  Examples:  (L, L, if !x H then (when s L do N) else (when t L do N))  → (H, L, if tt then (when s L do N) else (when t L do N))  → (H, L, (when s L do N) )  → (H, H, (when do N) )  But cur is never forgotten!  Compare (when s do N) and (when s do ());N  They have essentially the same effect to reorder instructions in case of suspension. 2016-7-718SAFA workshop 2009

19 Is the monitoring secure enough?  Consider this example:  If u H then when s H do () else (); !x L () || x L := λ_.(); emit s L  where x L = λ_.(y L :=1), and y L :=0 initially  It is safe by the monitoring semantics  If u H then when s H do () else (); !x L () || x L := λ_.(); emit s L  Why is that?  Monitoring only learns information in one branch of conditional constructs. ①②③④⑤ ①②③④⑤ 2016-7-719SAFA workshop 2009

20 A type directed translation  An special programming construct (P M) for the target language  In the standard semantics  M->M’ => (P M) → (P M’)  (P V) → V  In the monitoring semantics  (pc,cur,(P V)) → (pc,pc\/cur, V) 2016-7-720SAFA workshop 2009

21 A type directed translation  How does the translation work?  Suppose we have (if !h then M else N)  and M will suspend while N will not  The translation is  (if !h then M else (P N))  The subtle example again  Remember (pc,cur,(P V)) → (pc,pc\/cur, V)  If u H then when s H do () else (P ()); !x L () || x L := λ_.(); emit s L ①②③④⑤ ①②③ 2016-7-721SAFA workshop 2009

22 A particular reactive programming  High-order imperative language with reactive construct  An reactive machine is M =[μ,ξ,t,T]  μ is the store, ξ is the signal environment  t=(i,M) is the current running thread  T is the thread pool  M,N ::= V | (if M then N else N’) | (MN) | (M;N) | (ref M) | (!M) | (M:=N) | (thread M) | (sig) | (emit M) | | (when M do N) | (watch M do N)  V ::= λxM | s l | u l | tt | ff | () 2016-7-722SAFA workshop 2009

23 Security enforced by dynamic monitoring  Definition: Progress-insensitive security [SR09]  A symmetric relation R on reactive machines  M 1 =[μ 1,ξ 1,t 1,T 1 ] R M 2 =[μ 2,ξ 2,t 2,T 2 ] , iff  1) μ 1 = L μ 2, ξ 1 = L ξ 2  2) if M 1 → M’ 1, either there exists M 2 → * M’ 2,such that M’ 1 R M’ 2  or for all M’ 2 =[μ’ 2,ξ’ 2,t’ 2,T’ 2 ] such that M 2 → * M’ 2, μ’ 2 = L μ’ 2, ξ’ 1 = L ξ’ 2  Definition: Safe programs  Does not run into security error in monitoring semantics  Our results (informal)  Theorem: For every programs M that its translation M’ is safe, then for every μ 1 = L μ 2, ξ 1 = L ξ 2, we have [μ 1,ξ 1,(0,M’), Ø] R [μ 2,ξ 2, (0,M’), Ø] 2016-7-723SAFA workshop 2009

24 A type and effect system for safety  We also designed a type and effect system for a sound analysis of safety property  A fairly standard one extend the one for high-order language  Our results  Lemma: If a program is typable then its translation is safe  Lemma: The semantics of typable program is almost identical to its translation in the monitoring semantics  Theorem: Typable programs itself satisfy progress- insensitive security. 2016-7-724SAFA workshop 2009

25 Conclusion  Controlling information flow in reactive programs  Dynamically checking information – A monitoring semantics  Does not imply any security property  A simple type-directed translation  If translated program is safe, then it satisfy progress- insensitive security  A type safety result  Type-checked program => no need for monitoring 2016-7-725SAFA workshop 2009

26  Thank you!  Q & A 2016-7-726SAFA workshop 2009

Download ppt "Secure Information Flow for Reactive Programming Paradigm Zhengqin Luo 2016-7-71SAFA workshop 2009."

Similar presentations

Security of Multithreaded Programs by Compilation Tamara Rezk INDES Project, INRIA Sophia Antipolis Mediterranee Joint work with Gilles Barthe, Alejandro.

Security of Multithreaded Programs by Compilation Tamara Rezk INDES Project, INRIA Sophia Antipolis Mediterranee Joint work with Gilles Barthe, Alejandro.
ALGORITHMS - PART 2 CONDITIONAL BRANCH CONTROL STRUCTURE

ALGORITHMS - PART 2 CONDITIONAL BRANCH CONTROL STRUCTURE
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Lecture 8: Three-Level Architectures CS 344R: Robotics Benjamin Kuipers.

Lecture 8: Three-Level Architectures CS 344R: Robotics Benjamin Kuipers.
© S. Ramesh / Kavi Arya / Krithi Ramamritham IT-606 Embedded Systems (Software) S. Ramesh Kavi Arya Krithi Ramamritham KReSIT/ IIT Bombay.

© S. Ramesh / Kavi Arya / Krithi Ramamritham IT-606 Embedded Systems (Software) S. Ramesh Kavi Arya Krithi Ramamritham KReSIT/ IIT Bombay.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 6: Process Synchronization.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 6: Process Synchronization.
Process Synchronization. Module 6: Process Synchronization Background The Critical-Section Problem Peterson’s Solution Synchronization Hardware Semaphores.

Process Synchronization. Module 6: Process Synchronization Background The Critical-Section Problem Peterson’s Solution Synchronization Hardware Semaphores.
27 th Oct 2003 Checking Secure Interactions of Smart Card Applets: extended version P. Bieber, J. Cazin, P. Girard, J. –L. Lanet, V. Wiels, and G. Zanon.

27 th Oct 2003 Checking Secure Interactions of Smart Card Applets: extended version P. Bieber, J. Cazin, P. Girard, J. –L. Lanet, V. Wiels, and G. Zanon.
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
Language-based Security: Information Flow Control 18739A: Foundations of Security and Privacy Anupam Datta Fall 2009.

Language-based Security: Information Flow Control 18739A: Foundations of Security and Privacy Anupam Datta Fall 2009.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
Denotational Semantics Syntax-directed approach, generalization of attribute grammars: –Define context-free abstract syntax –Specify syntactic categories.

Denotational Semantics Syntax-directed approach, generalization of attribute grammars: –Define context-free abstract syntax –Specify syntactic categories.
Software modeling for embedded systems: static and dynamic behavior.

Software modeling for embedded systems: static and dynamic behavior.
1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.

1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.
Concurrency CS 510: Programming Languages David Walker.

Concurrency CS 510: Programming Languages David Walker.
Robust Declassification Steve Zdancewic Andrew Myers Cornell University.

Robust Declassification Steve Zdancewic Andrew Myers Cornell University.
CS 711 Fall 2002 Programming Languages Seminar Andrew Myers 2. Noninterference 4 Sept 2002.

CS 711 Fall 2002 Programming Languages Seminar Andrew Myers 2. Noninterference 4 Sept 2002.
Pseudocode.

Pseudocode.
Pseudocode.

Pseudocode.
Automatic Implementation of provable cryptography for confidentiality and integrity Presented by Tamara Rezk – INDES project - INRIA Joint work with: Cédric.

Automatic Implementation of provable cryptography for confidentiality and integrity Presented by Tamara Rezk – INDES project - INRIA Joint work with: Cédric.

Similar presentations

Ads by Google