Paper Reading Group: Language-Based Information-Flow Security
A. Sabelfeld, A. Myers
Presenter: Marcus Völp
Context

'77 – Denning's certification of programs for secure information flow
  - attach labels to information
  - indirect flows via PC-label
'97 – now: bunch of work in language-based approaches to information flow security
  - type systems
  - abstract interpretation
'03 – Sabelfeld + Myers: summary of past approaches + upcoming challenges
'03 – Using Access Control for Secure Information Flow in a Java-like Language
'05 – Statically Checking Confidentiality with Dynamic Labels (my CCS submission + shared memory)
'05 – (Ana Matos ...) On Declassification and the Non-Disclosure Policy
'06 – Closing Internal Timing Channels by Transformation

My PhD: apply language-based IF-security to a microkernel
  - run typing / labels on pseudo code to extract / check flow properties
  - use derived flow properties to check the security of applications using the microkernel
  - use derived flow properties in refinements (check IF properties all the way down to the implementation)
Motivation

Access control: restricts release of information but not its propagation
Confinement: restricts who may obtain the authority to access information

Enforce X policies:
  - X = Confidentiality: if no information I may flow from A to B, I is confidential versus B
  - X = Integrity: if no information I may flow from A to B, B's computation is independent of I; B has integrity versus A
  - X = Availability: if no information I may flow from A to B, B's availability does not depend on the information I

Information-flow policies are powerful mechanisms to express a large class of security policies.
Ensure that information is released only to authorized programs (access control), plus ensure that information is used accordingly (information flow control).
Motivation (PhD)

[Figure: components A, C1, C2, B and the server S2 running on top of the Kernel]

Make sure that:
  - information is not relayed via a shared server
  - information is not relayed via the kernel
  - secret information is not leaked unintentionally to clients (e.g., the secret key of an encryption server)
Outlook

  - Motivation
  - Type Systems
  - Abstract Interpretation
  - Temporal breaches of security
  - Wishlist until the Pizza arrives!!!
    - My work on abstract interpretation: shared memory (CCS submission)
    - Typing temporal breaches (whiteboard)
    - More on type systems
Language-Based Information Flow Security

Noninterference (for programs): a variation of confidential (high) input does not cause a variation of public (low) output
  l : low ; h : high    low <~/~ high

Formalisation:
  [[C]] : S -> S ∪ {⊥}
  Partial equivalence relation =_L:  s =_L s' <=> ∀ loc l. label[l] : low => s[l] = s'[l]
  Noninterference (termination insensitive):
    ∀ s, s'. s =_L s' ∧ [[C]]s ≠ ⊥ ∧ [[C]]s' ≠ ⊥ => [[C]]s =_L [[C]]s'

A simple (side-effect free) while language:
  E := E1 ⊗ E2 | var | const
  C := skip | var := E | C1 ; C2 | if E then C1 else C2 | while E do C
A security type system

A program is noninterference secure if it is typeable.

Notation:
  |- exp : t      expression has security type t
  [pc] |- C       program C is typeable in context [pc]
  [low] |- C      C is allowed only in a low context (if the pc-label is low)

Intuition:
  - The typing rules for an expression E define the set of locations to which E can be stored (the result of E combines information with security level ≤ t)
  - The typing rules for statements C define that assignments in C adhere to the IF policy, i.e., high typed expressions are not assigned to low variables.
Security Type System

  - Any expression can be typed high
  - Type low only if there are no high variables in the expression
  - C3: prevent explicit + implicit flows, l := exp
    - assign only low expressions
    - assign only if in a low context => no implicit flows, since C5, C6 set pc to high if the conditional is high
Examples

  l := h;
  l := h ; l := 0
  if h % 2 == 1 { l := 1; }
  if h % 2 == 1 { h := h + 4; }
Abstract Interpretation

Type systems:
  - levels of variables do not change
  - temporal breaches of confidentiality are not typeable:  l := h ; l := 0

Abstract interpretation:
  - abstractly execute the program
  - the calculation uses security levels instead of values
    lab : Variable -> Level
    LabExpr : lab -> lres
    LabStat : lab, pc -> lab'
Abstract Interpretation

  LabExpr(c)(lab) = ⊥
  LabExpr(v)(lab) = lab(v)
  LabExpr(e1 ⊗ e2)(lab) = max(LabExpr(e1)(lab), LabExpr(e2)(lab))

  LabStat(v := e)(lab, pc) = lab[v := max(LabExpr(e)(lab), pc)]
  LabStat(skip)(lab, pc) = lab
  LabStat(c1 ; c2)(lab, pc) = LabStat(c2)(LabStat(c1)(lab, pc), pc)
  LabStat(if e then c1 else c2)(lab, pc) = maxpointwise(LabStat(c1)(lab, max(pc, LabExpr(e)(lab))),
                                                       LabStat(c2)(lab, max(pc, LabExpr(e)(lab))))
Abstract Interpretation

  P = l := h ; l := 0

[Table, built up over three animation steps: the labelling lenv (columns l, h) and the result label lres after each statement of P, i.e. after l := h and after l := 0; a second copy of the table uses schematic labels X, Y, Z]

Confidential? <=> Good? ∧ Decreasing?

  Good? :=  s =_lab s' => [[C]]s =_{LabStat(C)(lab, pc)} [[C]]s'
            s =_lab s' => LabExpr(E)(lab) = L => [[E]]s = [[E]]s'
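As an added Python example (not from the talk or the paper), here are the security type system of the earlier slides and the LabExpr/LabStat rules above side by side, run on the slide's examples: the type system rejects `l := h ; l := 0`, while abstract interpretation accepts it because l is low again at the end. The tuple AST, the function names, the 0/1 encoding of L/H and my reading of "Decreasing?" as "no variable ends above its declared level" are assumptions; the slide gives no LabStat rule for while, so none is implemented.

```python
# Security levels as on the slides: L (low) < H (high); the join of two levels is max().
L, H = 0, 1
def level(e, lab):
    """|- e : t and LabExpr(e)(lab): low only if e reads no high variable."""
    kind = e[0]
    if kind == 'const':
        return L
    if kind == 'var':
        return lab[e[1]]
    if kind == 'op':                                # e1 ⊗ e2
        return max(level(e[1], lab), level(e[2], lab))
    raise ValueError(kind)

def typeable(c, env, pc=L):
    """[pc] |- c in the flow-insensitive type system: env never changes."""
    kind = c[0]
    if kind == 'skip':
        return True
    if kind == 'assign':                            # C3: explicit flow via e, implicit flow via pc
        return max(level(c[2], env), pc) <= env[c[1]]
    if kind == 'seq':
        return typeable(c[1], env, pc) and typeable(c[2], env, pc)
    if kind in ('if', 'while'):                     # C5, C6: raise pc under a high guard
        pc2 = max(pc, level(c[1], env))
        return all(typeable(b, env, pc2) for b in c[2:])
    raise ValueError(kind)

def lab_stat(c, lab, pc=L):
    """LabStat(c)(lab, pc): abstractly execute c and return the new labelling lab'."""
    kind = c[0]
    if kind == 'skip':
        return lab
    if kind == 'assign':                            # lab[v := max(LabExpr(e)(lab), pc)]
        return {**lab, c[1]: max(level(c[2], lab), pc)}
    if kind == 'seq':
        return lab_stat(c[2], lab_stat(c[1], lab, pc), pc)
    if kind == 'if':                                # maxpointwise over both branches
        pc2 = max(pc, level(c[1], lab))
        a, b = lab_stat(c[2], lab, pc2), lab_stat(c[3], lab, pc2)
        return {v: max(a[v], b[v]) for v in lab}
    raise ValueError(kind)                          # the slide gives no rule for while

def confidential(c, lab):  # 'Decreasing?': no variable ends above its declared level (my reading)
    return all(lvl <= lab[v] for v, lvl in lab_stat(c, lab).items())

ENV = {'l': L, 'h': H}   # constructed declared labelling of the slide's examples: l low, h high
h, odd = ('var', 'h'), ('op', ('op', ('var', 'h'), ('const', 2)), ('const', 1))   # h, h % 2 == 1
P = ('seq', ('assign', 'l', h), ('assign', 'l', ('const', 0)))                       # l := h ; l := 0
IMPLICIT = ('if', odd, ('assign', 'l', ('const', 1)), ('skip',))                     # if h % 2 == 1 { l := 1 }
BENIGN = ('if', odd, ('assign', 'h', ('op', h, ('const', 4))), ('skip',))            # if h % 2 == 1 { h := h + 4 }
```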
Wishlist until the Pizza arrives!!!

  - My work on abstract interpretation: shared memory (CCS submission)
  - Typing temporal breaches / flow-sensitive type systems (whiteboard)
  - More on type systems
    - Language features: methods, pointers, access control
    - Concurrency: threads, synchronization
    - Timing leaks: Agat's transformation; fork threads for high assignments (ASIAN '06); my ideas how to do it the right way!
    - Downgrading (Ana's approach) + decentralised labels
Open Issues and Questions

  - System-wide security: combine information flow + confinement; system structure
  - Certifying compilation
  - Abstraction violation attacks: the AES cache countermeasure needs temporal breaches of security
  - Dynamic policies
  - Practical issues
    - Timing leak transformations ~> complicated timing models?
    - Make applications always execute their WCET ~> immediate benefit from WCET performance optimisations