Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Published byRosanna Lloyd Modified over 9 years ago

Similar presentations

Presentation on theme: "Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu"— Presentation transcript:

1 Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu ashishk@cs.purdue.edu

2 Ashish Kundu CS590F Purdue 02/12/07 Outline Security requirements Information flow – background Language-based information flow Open challenges Discussion Conclusion

3 Ashish Kundu CS590F Purdue 02/12/07 Information flow? h l h l data flow confidential h l open

4 Ashish Kundu CS590F Purdue 02/12/07 Information flow? h l h l data flow confidential h l open leak?

5 Ashish Kundu CS590F Purdue 02/12/07 Information flow? data flow h l confidential open but trusted l’ open but non-trusted

6 Ashish Kundu CS590F Purdue 02/12/07 Information flow? data flow h l confidential open but trusted l’ open but non-trusted encrypted: h  l e.g. password sharing

7 Ashish Kundu CS590F Purdue 02/12/07 Information flow? data flow h l confidential open but trusted No leak l’ open but non-trusted may flow? leak

8 Ashish Kundu CS590F Purdue 02/12/07 Explicit Information Flow data flow h l confidential open but trusted No leak l’ open but non-trusted may flow? leak h l confidential open leak

9 Ashish Kundu CS590F Purdue 02/12/07 Property-I of IFlow Confidentiality: A rigorous requirement –can confidentiality guarantee of a system be proven?

10 Ashish Kundu CS590F Purdue 02/12/07 Implicit Information Flow if h=1 l=1l=0 control flow true

11 Ashish Kundu CS590F Purdue 02/12/07 Implicit Information Flow if h=1 l=1l=0 control flow true l => h Leak: implicit

12 Ashish Kundu CS590F Purdue 02/12/07 Implicit Information Flow if h=1 l=1l=0 control flow true Leak: implicit

13 Ashish Kundu CS590F Purdue 02/12/07 Property-I of IFlow Confidentiality: A rigorous requirement –can confidentiality guarantee of a system be proven? –can explicit and implicit flows be controlled? Relationship with data and control dependency ???

14 Ashish Kundu CS590F Purdue 02/12/07 Covert channels Implicit flows –covert Termination channel –termination-sensitive confidentiality Timing channels –subsumes termination channel Probabilistic channel –PDF of output data Resource exhaustion channel –memory or disk space: high value for malloc() Power channels –related: recent work about the age of running system – thus attack vulnerability

15 Ashish Kundu CS590F Purdue 02/12/07 Properties of IFlow No propagation of high confidential data to low confidential container Rigor: On all paths - no leak –makes it easy for static-time solutions

16 Ashish Kundu CS590F Purdue 02/12/07 Mechanisms Access control –controls release of information, not propogation –no control on “how data is used” Language-based techniques –Runtime: JVM – applets, sandbox –Bytecode verifier no control on propagation Type systems

17 Ashish Kundu CS590F Purdue 02/12/07 Type systems Compositional reasoning –incremental construction: from a correct system to a larger and correct system –structural induction (will return to this later) –objective: correct computation –modified objective: correct confidentiality- preserving computation

18 Ashish Kundu CS590F Purdue 02/12/07 Type systems Compositional reasoning –incremental construction: from a correct system to a larger and correct system –structural induction (will return to this later) Objective: correct computation –modified objective: correct confidentiality- preserving computation

19 Ashish Kundu CS590F Purdue 02/12/07 Explicit Information Flow h l confidential open leak high low high higher X

20 Ashish Kundu CS590F Purdue 02/12/07 Explicit Information Flow high higher partial order lattice model of confidentiality good for static analysis Label creep MAC

21 Ashish Kundu CS590F Purdue 02/12/07 Static Information Flow Control Program analysis: Denning and Denning Theorem provers Type checking

22 Ashish Kundu CS590F Purdue 02/12/07 Type checking Security type systems –oridinary type: int, char –label: static labeling on its confidentiality semantics Static type checking detects leaks –conservative: so false positive structural induction –cannot completely control covert channels semantics – values  Undecidability

23 Ashish Kundu CS590F Purdue 02/12/07 Type checking Security type systems –oridinary type: int, char –label: static labeling on its confidentiality semantics Static type checking detects leaks –conservative: so false positive structural induction –cannot completely control covert channels semantics – values  Undecidability

24 Ashish Kundu CS590F Purdue 02/12/07 Explicit Information Flow high low high higher X { high } { low } X

25 Ashish Kundu CS590F Purdue 02/12/07 Non-interference high low high higher X { high } { low } X non-interference no explicit or implicit path from any high to any low

26 Ashish Kundu CS590F Purdue 02/12/07 Non-interference high low high higher X { high } { low } X non-interference no explicit or implicit path from any high to any low No dependency: data or control

27 Ashish Kundu CS590F Purdue 02/12/07 Semantics-based security variation of high input does NOT lead to (observable) variation on low output

28 Ashish Kundu CS590F Purdue 02/12/07 Semantics-based security Two inputs are equivalent if they agree on low output values

29 Ashish Kundu CS590F Purdue 02/12/07 Semantics-based security Two inputs are equivalent if they agree on low output values

30 Ashish Kundu CS590F Purdue 02/12/07 Semantics-based security Two inputs are equivalent if they agree on low output values

31 Ashish Kundu CS590F Purdue 02/12/07 Semantics-based security l: = h if (h=3) then l:=5 else skip

32 Ashish Kundu CS590F Purdue 02/12/07 Security Type System

33 Ashish Kundu CS590F Purdue 02/12/07 Security Type System Restrictive, because it has to be secure in an incremental and compositional manner

34 Ashish Kundu CS590F Purdue 02/12/07 Directions Expressiveness Concurrency Covert channels Refining security policies

35 Ashish Kundu CS590F Purdue 02/12/07 Directions

36 Ashish Kundu CS590F Purdue 02/12/07 Expressiveness Functions –SLam: First-class functions [Heintze et al] non-interference –First-class continuations [Zdancewic et al] non-interference Exceptions –explicit and implicit flows –path labeling by Myers JFlow by Myers: Java – Jif compiler

37 Ashish Kundu CS590F Purdue 02/12/07 Concurrency Nondeterminism

38 Ashish Kundu CS590F Purdue 02/12/07 Concurrency Nondeterminism: possibilistic security condition –set of high inputs may not affect set of low outputs –dependencies between variables

39 Ashish Kundu CS590F Purdue 02/12/07 Concurrency Nondeterminism: possibilistic security condition –equational security property

40 Ashish Kundu CS590F Purdue 02/12/07 Concurrency Nondeterminism: possibilistic security condition –partial equivalence relations PER: symmetric and transitive over a subset of inputs

41 Ashish Kundu CS590F Purdue 02/12/07 Concurrency Thread concurrency –non-atomicity Non-interference requirements: –no “high” guard in a while loop –no if with “high” guard having a while loop in its branch termination leak timing leak

42 Ashish Kundu CS590F Purdue 02/12/07 Concurrency Thread concurrency –non-atomicity Non-interference requirements: –no “high” guard in a while loop –no if with “high” guard having a while loop in its branch termination leak timing leak

43 Ashish Kundu CS590F Purdue 02/12/07 Concurrency Thread concurrency –non-atomicity Scheduler-independent security –uniform scheduler [Sabelfield and Sands] Type systems: rule out synchronization on “high” data. –Sabelfield

44 Ashish Kundu CS590F Purdue 02/12/07 Distributed programs non-trusted parties parties’ concurrency property failures Secure program partitioning: high and low

45 Ashish Kundu CS590F Purdue 02/12/07 Discussion Illustrated Security type system : simple yet powerful –expressive –precise –easily extensible to a lattice model of access control Organization of the survey addresses –all langauge-level factors clearly and precisely –illustrates important issues and challenges with simple examples –considers both formal approaches and informal aproaches in the light of the hard-ness undecidability of the geneal nature of the problem

46 Ashish Kundu CS590F Purdue 02/12/07 Critique Presentation very compact: lacking –useful illustration and explanation of the concepts and approaches –relation between various approaches need to be established How to make the approaches such as security type systems part of pragmatic languages Needed to address program certification more detailed in a compositional framework

47 Ashish Kundu CS590F Purdue 02/12/07 Some Ideas Slicing towards proving non-interference Use of SSA in checking policy-violations

48 Ashish Kundu CS590F Purdue 02/12/07 Some Ideas Error Handling: an error violation of integrity policy –dual of confidentiality: :: Exceptions resulting in termination –illegal flow of information? –self-healing systems

Download ppt "Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu"

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
8/11/2006PCC 20061 Toward More Typed Assembly Languages for Confidentiality Dachuan Yu DoCoMo USA Labs.

8/11/2006PCC Toward More Typed Assembly Languages for Confidentiality Dachuan Yu DoCoMo USA Labs.
Security of Multithreaded Programs by Compilation Tamara Rezk INDES Project, INRIA Sophia Antipolis Mediterranee Joint work with Gilles Barthe, Alejandro.

Security of Multithreaded Programs by Compilation Tamara Rezk INDES Project, INRIA Sophia Antipolis Mediterranee Joint work with Gilles Barthe, Alejandro.
Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Formal Semantics of Programming Languages 虞慧群 Topic 6: Advanced Issues.

Formal Semantics of Programming Languages 虞慧群 Topic 6: Advanced Issues.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Information Flow, Security and Programming Languages Steve Steve Zdancewic.

Information Flow, Security and Programming Languages Steve Steve Zdancewic.
Steve Zdancewic ESOP011 Secure Information Flow and CPS Steve Zdancewic Joint work with Andrew Myers Cornell University.

Steve Zdancewic ESOP011 Secure Information Flow and CPS Steve Zdancewic Joint work with Andrew Myers Cornell University.
1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.

1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.
6/18/2015 4:21 AM Information Flow James Hook CS 591: Introduction to Computer Security.

6/18/2015 4:21 AM Information Flow James Hook CS 591: Introduction to Computer Security.
Verifiable Security Goals

Verifiable Security Goals
Decentralized Robustness Stephen Chong Andrew C. Myers Cornell University CSFW 19 July 6 th 2006.

Decentralized Robustness Stephen Chong Andrew C. Myers Cornell University CSFW 19 July 6 th 2006.
4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)

4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)
6/20/2015 11:09 PM Information Flow James Hook CS 591: Introduction to Computer Security.

6/20/ :09 PM Information Flow James Hook CS 591: Introduction to Computer Security.
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space 03-640-760603-640-5358 html://www.cs.tau.ac.il/~msagiv/courses/sem03.html.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
Polyglot: An Extensible Compiler Framework for Java Nathaniel Nystrom, Michael R. Clarkson, and Andrew C. Myers Presentation by Aaron Kimball & Ben Lerner.

Polyglot: An Extensible Compiler Framework for Java Nathaniel Nystrom, Michael R. Clarkson, and Andrew C. Myers Presentation by Aaron Kimball & Ben Lerner.
Robust Declassification Steve Zdancewic Andrew Myers Cornell University.

Robust Declassification Steve Zdancewic Andrew Myers Cornell University.
1 Ivan Lanese Computer Science Department University of Bologna Italy Concurrent and located synchronizations in π-calculus.

1 Ivan Lanese Computer Science Department University of Bologna Italy Concurrent and located synchronizations in π-calculus.

Similar presentations

Ads by Google