
Language-based Security: Information Flow Control 18739A: Foundations of Security and Privacy Anupam Datta Fall 2009.


1 Language-based Security: Information Flow Control 18739A: Foundations of Security and Privacy Anupam Datta Fall 2009

2 Lecture Outline
Information Flow Control (IFC)
 - Security definition: non-interference [Goguen-Meseguer82]
 - Language-based enforcement: type system [Volpano-Smith-Irvine96], based on prior work [Denning-Denning77]

3 IFC in Tax Preparation Software

4 Definition of Security
Non-interference (idea): the program reads high inputs (HI) and low inputs (LI) and produces high outputs (HO) and low outputs (LO). Replace the high inputs by any other high inputs (HI') and the high outputs may change (HO'), but the low outputs stay the same: no information flows from high inputs to low outputs.
Security levels: H = Classified, L = Unclassified.

5 Example: if x = 1 then y:=1 else y:=0
Does non-interference (NI) hold, depending on the levels of x and y?
   x   y   NI
   H   H   Yes
   L   L   Yes
   L   H   Yes
   H   L   No

6 Specification and Enforcement
Approach:
 - Use a typed programming language.
 - Types represent security levels: H, L, ...
 - Subtyping captures the partial order among security levels: L ⊑ H.
 - The type system captures the allowed information flows.
Soundness theorem: well-typed programs satisfy non-interference.

7 Language Definition
 - Syntax
 - Type System
 - Operational Semantics
 - Soundness Theorem: well-typed programs satisfy non-interference

8 Syntax (I)

9 Syntax (II) We will focus on the special case where the security type τ is either H or L, and L ⊑ H.

10 Type System (I)  Typing judgment

11 Type system (II)

12 Type System (III)

13 Example: if x = 1 then y:=1 else y:=0
   x   y   NI
   H   H   Yes
   L   L   Yes
   L   H   Yes
   H   L   No
Will justify rows 1 & 2.

14 Example with types. Key rules used are (ASSIGN) and (IF): in rows 1 and 2 the guard x = 1 and the assignments to y are all at the same level, so the branches type at that level's cmd type and (IF) applies directly.

15 Type System (IV)

16 Example: if x = 1 then y:=1 else y:=0
   x   y   NI
   H   H   Yes
   L   L   Yes
   L   H   Yes
   H   L   No
Will justify rows 3 & 4.

17 Example with types
Suppose x: L var and y: H var.
1. Use (ASSIGN), (CMD−) and (SUBTYPE) to infer (y:=1): L cmd and (y:=0): L cmd.
2. Now use the (IF) rule with the guard x = 1 : L.
With x: H var and y: L var the program is not well-typed, as expected: the guard x = 1 has type H, so (IF) needs both branches at H cmd, but y:=1 and y:=0 are only L cmd, and coercing L cmd to H cmd by (CMD−) would require H ⊑ L, which does not hold (only L ⊑ H does).

18 Operational Semantics (I)
μ is the memory: a function from locations to values; μ(l) is the contents of location l.
Judgments:
1. Evaluating expression e in memory μ yields value n.
2. Evaluating command c in memory μ yields memory μ'.
A program executes by evaluating expressions and commands.

19 Operational Semantics (II)

20 Operational Semantics (III)

21 Soundness Theorem
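The type rules of slides 10 to 17, the operational semantics of slides 18 to 20 and the non-interference property they are meant to guarantee can all be run on the lecture's example program. The block below is an added example written for this page, not code from the slides or from the Volpano-Smith-Irvine paper: it encodes the two-level lattice L ⊑ H, a checker that follows the rule names used in the lecture ((ASSIGN), (COMPOSE), (IF), (WHILE), (CMD−)), a big-step interpreter for the same while-language, and a brute-force non-interference check that enumerates small memories. The Python names (`type_cmd`, `exec_cmd`, `noninterferent`, `table`) and the value domain `range(3)` are this example's own choices.

```python
"""Added example (not from the slides): the Volpano-Smith-Irvine type system on the
two-point lattice L ⊑ H, a big-step interpreter for the same while-language, and a
brute-force non-interference check.  Rule names follow the lecture; the Python
encoding and helper names are this example's own."""
from collections import namedtuple
from itertools import product

# syntax: expressions e and commands c
Lit    = namedtuple("Lit", "value")
Var    = namedtuple("Var", "name")
BinOp  = namedtuple("BinOp", "op left right")       # op in '+', '-', '=', '<'
Assign = namedtuple("Assign", "var expr")           # x := e
Seq    = namedtuple("Seq", "first second")          # c1; c2
If     = namedtuple("If", "cond then els")          # if e then c1 else c2
While  = namedtuple("While", "cond body")           # while e do c

L, H = "L", "H"
def leq(a, b):  return a == b or (a, b) == (L, H)   # (BASE): L ⊑ H
def join(a, b): return H if H in (a, b) else L
def meet(a, b): return L if L in (a, b) else H

class IllTyped(Exception): pass
class Diverges(Exception): pass

def type_expr(gamma, e):
    """gamma ⊢ e : τ, with τ the join of the levels of the variables e reads."""
    if isinstance(e, Lit): return L
    if isinstance(e, Var): return gamma[e.name]
    return join(type_expr(gamma, e.left), type_expr(gamma, e.right))

def type_cmd(gamma, c):
    """gamma ⊢ c : τ cmd.  'τ cmd' means c writes only variables at level τ or above;
    (CMD−) admits every lower τ as well, so the greatest admissible τ is returned."""
    if isinstance(c, Assign):           # (ASSIGN): e : τ and x : τ var  ⟹  x := e : τ cmd
        te, tx = type_expr(gamma, c.expr), gamma[c.var]
        if not leq(te, tx):
            raise IllTyped(f"{c.var} := ... moves {te} data into a {tx} variable")
        return tx
    if isinstance(c, Seq):              # (COMPOSE): both parts at τ cmd
        return meet(type_cmd(gamma, c.first), type_cmd(gamma, c.second))
    # (IF) / (WHILE): guard e : τ and every branch at τ cmd; this is what stops implicit flows
    te = type_expr(gamma, c.cond)
    tb = H
    for b in ([c.then, c.els] if isinstance(c, If) else [c.body]):
        tb = meet(tb, type_cmd(gamma, b))
    if not leq(te, tb):
        raise IllTyped(f"a {te} guard controls a write to a {tb} variable")
    return tb

def well_typed(gamma, c):
    try:
        type_cmd(gamma, c); return True
    except IllTyped:
        return False

# operational semantics: μ maps variable names to integer values
def eval_expr(mu, e):
    """μ ⊢ e ⇒ n"""
    if isinstance(e, Lit): return e.value
    if isinstance(e, Var): return mu[e.name]
    l, r = eval_expr(mu, e.left), eval_expr(mu, e.right)
    return {"+": l + r, "-": l - r, "=": int(l == r), "<": int(l < r)}[e.op]

def exec_cmd(mu, c, fuel=1000):
    """μ ⊢ c ⇒ μ'.  `fuel` bounds loop iterations so the enumeration below terminates."""
    mu = dict(mu)
    if isinstance(c, Assign):
        mu[c.var] = eval_expr(mu, c.expr)
    elif isinstance(c, Seq):
        mu = exec_cmd(exec_cmd(mu, c.first, fuel), c.second, fuel)
    elif isinstance(c, If):
        mu = exec_cmd(mu, c.then if eval_expr(mu, c.cond) else c.els, fuel)
    else:                               # While
        for _ in range(fuel):
            if not eval_expr(mu, c.cond): break
            mu = exec_cmd(mu, c.body, fuel)
        else:
            raise Diverges()
    return mu

def noninterferent(gamma, c, domain=range(3)):
    """Termination-insensitive NI by enumeration: initial memories that agree on the
    L variables must, whenever both runs terminate, agree on the L variables afterwards."""
    low  = [x for x, t in gamma.items() if t == L]
    high = [x for x, t in gamma.items() if t == H]
    for lows in product(domain, repeat=len(low)):
        seen = set()
        for highs in product(domain, repeat=len(high)):
            mu = dict(zip(low, lows)); mu.update(zip(high, highs))
            try:
                seen.add(tuple(exec_cmd(mu, c)[x] for x in low))
            except Diverges:
                continue
        if len(seen) > 1:
            return False
    return True

# the lecture's running example: if x = 1 then y := 1 else y := 0
PROG = If(BinOp("=", Var("x"), Lit(1)), Assign("y", Lit(1)), Assign("y", Lit(0)))

def table(c=PROG):
    """(x level, y level, well-typed?, NI holds?) for the four rows of the slides' table."""
    return [(tx, ty, well_typed({"x": tx, "y": ty}, c), noninterferent({"x": tx, "y": ty}, c))
            for tx, ty in [(H, H), (L, L), (L, H), (H, L)]]
```

`table()` reproduces the four rows of the example: every well-typed row is non-interferent, which is the soundness direction. The converse fails, and that is the caveat to keep in mind with any IFC type system: with x: H and y: L, `if x = 1 then y := 1 else y := 1` is rejected by `type_cmd` (an H guard controls a write to an L variable) although `noninterferent` confirms it leaks nothing. The enumeration is termination-insensitive: a run that exhausts `fuel` is skipped rather than counted as a distinct low observation.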

22 Recall Non-interference
The program reads high inputs (HI) and low inputs (LI) and produces high outputs (HO) and low outputs (LO). Changing the high inputs (HI') may change the high outputs (HO'), but not the low outputs: no information flows from high inputs to low outputs.
Security levels: H = Classified, L = Unclassified.

23 Practical Languages for IFC
 - Jif [Liskov-Myers et al.]: Java + information flow. http://www.cs.cornell.edu/jif/
 - Flow Caml [Pottier-Simonet]: extends the OCaml language with a type system for tracing information flow. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.11.2104

24 Web Security: A Domain for IFC. Brendan Eich (Chief Technology Officer, Mozilla Corp.), "Improving JavaScript's Default Security Model with Information Flow", invited talk, CSF 2009.

25 Thanks Questions?

26 Formal definition
The system is a deterministic finite state machine: it takes an input and transitions to the next state, producing an output.
A trace tr is a sequence of inputs and outputs (high and low).
Output_L(S, tr, c): the low output of system S when input c is applied to the state reached by trace tr.
purge_HI(tr): returns the trace tr with all high inputs removed.
Non-interference then requires that, for every trace tr and every low input c, Output_L(S, tr, c) = Output_L(S, purge_HI(tr), c): what a low user observes is the same whether or not the high inputs happened.
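The trace-based formulation above is directly checkable for a small machine. The following block is an added example, not part of the slides or of the Goguen-Meseguer paper: a deterministic state machine with an explicit step function, traces as sequences of (level, input) events (outputs are determined by the inputs because the machine is deterministic, so they are not stored in the trace), `Output_L` and `purge_HI` as defined on the slide, and an exhaustive check of the non-interference equation over all traces up to a bound. The two counter machines, `LEAKY` and `SECURE`, and all names are constructed for this example.

```python
"""Added example (not from the slides): the trace-based non-interference definition of
slide 26 made executable.  Traces are sequences of (level, input) events; since the
machine is deterministic its outputs are a function of the trace and are not stored.
The two counter machines are constructed for this example."""
from itertools import product

L, H = "L", "H"

class System:
    """Deterministic state machine: step(state, (level, input)) -> (state', output)."""
    def __init__(self, init, step):
        self.init, self.step = init, step

    def run(self, tr):
        state = self.init
        for ev in tr:
            state, _ = self.step(state, ev)
        return state

    def output_L(self, tr, c):
        """Output_L(S, tr, c): what a low user sees when applying input c after trace tr."""
        _, out = self.step(self.run(tr), (L, c))
        return out

def purge_HI(tr):
    """purge_HI(tr): the trace with every high input removed."""
    return tuple(ev for ev in tr if ev[0] == L)

def noninterferent(S, inputs, max_len=3):
    """Goguen-Meseguer NI: Output_L(S, tr, c) == Output_L(S, purge_HI(tr), c) for every
    trace tr and low input c.  Checked for all traces of length <= max_len; returns
    (True, None, None) or (False, tr, c) with a witnessing trace and input."""
    events = [(lvl, i) for lvl in (L, H) for i in inputs]
    for n in range(max_len + 1):
        for tr in product(events, repeat=n):
            for c in inputs:
                if S.output_L(tr, c) != S.output_L(purge_HI(tr), c):
                    return False, tr, c
    return True, None, None

# Constructed example: a shared counter.  State = (low_count, high_count);
# 'inc' increments the caller's own counter, 'read' returns a count.
def step_leaky(state, ev):
    lo, hi = state
    lvl, inp = ev
    if inp == "inc":
        return ((lo + 1, hi) if lvl == L else (lo, hi + 1)), None
    return state, lo + hi                          # a low reader sees high activity too

def step_secure(state, ev):
    lo, hi = state
    lvl, inp = ev
    if inp == "inc":
        return ((lo + 1, hi) if lvl == L else (lo, hi + 1)), None
    return state, (lo if lvl == L else lo + hi)    # low readers see only the low counter

LEAKY  = System((0, 0), step_leaky)
SECURE = System((0, 0), step_secure)
```

For `LEAKY` the check stops at the shortest witness: after the single high event `(H, "inc")` a low `read` returns 1, whereas after the purged (empty) trace it returns 0, so high input has interfered with low output. `SECURE` passes for every trace up to the bound because the low-visible output depends only on low inputs; the flow from low to high readers that it does permit is the direction the lattice allows. Bounded enumeration is evidence, not proof: the language-based type system of the earlier slides is what gives the guarantee for all traces.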

27 Programming Language Definition
 - Syntax and static semantics (or "well-formed programs"): syntax of types and terms; type system.
 - Semantics (or "meaning of programs"): operational or dynamic semantics (defines how programs execute).
 - Type safety: well-typed programs do not get stuck, i.e., they either terminate or keep reducing following the operational semantics.

28 Language Definition Examples (syntax, static and dynamic semantics)
 - ML: R. Milner, M. Tofte, R. Harper, and D. MacQueen, The Definition of Standard ML (Revised). MIT Press, 1997.
 - Java: J. Alves-Foss (Ed.), Formal Syntax and Semantics of Java. LNCS 1523, 1999.

