Decentralized Robustness. Stephen Chong and Andrew C. Myers, Cornell University. CSFW 19, July 6th 2006.

Slide 2: Information flow
- Strong end-to-end security guarantees: noninterference [Goguen and Meseguer 1982]
- Enforceable with type systems [Volpano, Smith, and Irvine 1996] and many others
- But programs declassify information, which breaks noninterference!
- Need semantic security conditions that hold in the presence of declassification

Slide 3: Robustness
- Intuition: an attacker should not be able to control the release of information
- Zdancewic and Myers [CSFW 2001]: defined a semantic security condition: an "active" attacker should not learn more information than a "passive" attacker.
- Myers, Sabelfeld, and Zdancewic [CSFW 2004]: language-based setting; the data to declassify and the decision to declassify should not be influenced by the attacker
  - Type system for enforcement: track integrity, where high-integrity = not influenced by the attacker

Slide 4: Issues with robustness
- There may be many attackers (figure: principals Alice, Bob, Charlie, Damien)
- Different attackers have different powers
- How to ensure a system is robust against an unknown attacker?
- Different users trust different things

Slide 5: Decentralized robustness
- Define robustness against all attackers
  - Generalization of robustness, not specialized for a particular attacker
  - Uses the decentralized label model [Myers and Liskov 2000] to characterize the power of different attackers
- Enforce robustness against all attackers
  - Complicated by unbounded, unknown attackers
  - Sound type system, implemented in Jif 3.0
- Decentralized robustness = robustness + DLM

Slide 6: Attackers
- Language-based setting: an attacker A may view certain memory locations, knows the program text, and can inject code at certain program points (and thus modify memory)
- The power of an attacker is characterized by the security labels R_A and W_A: R_A is an upper bound on the information A can read; W_A is a lower bound on the information A can write
- Defn: Program c has robustness w.r.t. attacks by A with power R_A and W_A if A's attacks cannot influence the information released to A.
- (Figure: the security lattice ℒ, from least restrictive to most restrictive, with R_A and W_A marked)

Slide 7: Example

    // Charlie can read pub, can't read salary[i], totalSalary, avgSalary
    //   pub ⊑ R_Charlie, avgSalary ⋢ R_Charlie, …
    // Charlie can modify employeeCount
    //   W_Charlie ⊑ employeeCount
    totalSalary = i = 0;
    while (i < employeeCount) {
      totalSalary += salary[i];
      i += 1;
    }
    avgSalary := totalSalary / i;
    pub := declassify(avgSalary, (Alice or Bob) to (Alice or Bob or Charlie));
    employeeCount := 1;    // Charlie, who may write employeeCount, sets it

(Figure: the labels involved, with Alice and Bob on the "from" side and Charlie added on the "to" side of the declassification.)
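To make the slide's point concrete, here is an added simulation (not code from the slides or from Jif) of the program above, run once as a passive attacker sees it and once after Charlie has used his write access to employeeCount. The salary figures are constructed sample data, and the function names are this example's own. Because the loop bound is attacker-controlled, setting employeeCount to 1 turns the declassified "average" into salary[0] itself, which the from-label says Charlie may not read: the active attacker learns strictly more than the passive one, which is exactly the robustness violation.

```python
# Added example: passive vs. active attacker on the slide-7 program.
# SALARIES is constructed sample data; salary[i] is secret to Alice and Bob.
SALARIES = [52_000, 61_000, 47_000, 80_000]

def average_salary(salary, employee_count):
    """The loop from slide 7: totalSalary over the first employee_count entries."""
    total = 0
    i = 0
    while i < employee_count:
        total += salary[i]
        i += 1
    if i == 0:
        # The slide's program would divide by zero here; refuse instead.
        raise ValueError("no employees counted; avgSalary is undefined")
    return total / i

def release(salary, employee_count):
    # pub := declassify(avgSalary, (Alice or Bob) to (Alice or Bob or Charlie)):
    # whatever average_salary computed is exactly what Charlie gets to observe.
    return average_salary(salary, employee_count)

def passive_attacker_view(salary):
    # Passive attacker: only observes pub; employeeCount keeps its honest value.
    return release(salary, len(salary))

def active_attacker_view(salary):
    # Active attacker: W_Charlie ⊑ employeeCount, so Charlie runs
    # employeeCount := 1 before the loop, and the loop sums one salary only.
    return release(salary, 1)

def leaked_salary(salary):
    """What the active attacker learns that the passive one cannot:
    with employeeCount = 1 the released 'average' equals salary[0]."""
    observed = active_attacker_view(salary)
    return observed if observed == salary[0] else None

if __name__ == "__main__":
    print("passive sees", passive_attacker_view(SALARIES))
    print("active sees", active_attacker_view(SALARIES))
    print("salary[0] recovered:", leaked_salary(SALARIES))
```

The point of the simulation is that nothing in the declassification expression itself is wrong: the leak comes entirely from the attacker's influence on pc (the loop guard) and on the data being declassified, which is what the integrity tracking on the following slides is designed to catch.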

Slide 8: Decentralized label model
- Allows mutually distrusting principals to independently specify security policies [Myers and Liskov 2000]
- This work: full lattice and integrity policies
- Security labels are built from reader policies and writer policies
- Reader policy o → r: owner o allows r (and implicitly o) to read the information
  - Any principal that trusts o adheres to the policy (i.e., allows at most o and r to read)
  - Any principal not trusting o gives the policy no credence
- Confidentiality policies: close reader policies under conjunction and disjunction

Slide 9: Integrity policies
- Writer policy o ← w: owner o allows w (and implicitly o) to have influenced (written) the information
  - Any principal that trusts o adheres to the policy (i.e., allows at most o and w to have written)
  - Any principal not trusting o gives the policy no credence
- Integrity policies: close writer policies under conjunction and disjunction

Slide 10: Semantics of policies
- Confidentiality
  - readers(p, c) is the set of principals that principal p allows to read, based on confidentiality policy c
  - c is no more restrictive than d (written c ⊑_C d) if for all p, readers(p, c) ⊇ readers(p, d)
  - ⊑_C forms a lattice: meet is disjunction, join is conjunction
- Integrity
  - writers(p, c) is the set of principals that principal p has allowed to write, based on integrity policy c
  - c is no more restrictive than d (written c ⊑_I d) if for all p, writers(p, c) ⊆ writers(p, d)
  - ⊑_I forms a lattice: meet is conjunction, join is disjunction
  - Dual to confidentiality

Slide 11: Labels
- A label 〈c, d〉 is a pair of a confidentiality policy c and an integrity policy d
- 〈c, d〉 ⊑ 〈c′, d′〉 if and only if c ⊑_C c′ and d ⊑_I d′
- Labels are an expressive and concise language for confidentiality and integrity policies

Slide 12: Attacker power in the DLM
- For arbitrary principals p and q, we need to describe what p believes is the power of q
- Define the label R_{p→q} as the least upper bound of the labels that p believes q can read: ℓ ⊑ R_{p→q} if and only if q ∈ readers(p, ℓ)
- Define the label W_{p←q} as the greatest lower bound of the labels that p believes q can write: W_{p←q} ⊑ ℓ if and only if q ∈ writers(p, ℓ)
- (Figure: R_{p→q} and W_{p←q} positioned in the lattice)

Slide 13: Robustness against all attackers
- Defn: Command c has robustness against all attackers if, for all principals p and q, c has robustness with respect to attacks by q with power R_{p→q} and W_{p←q}

Slide 14: Enforcement
- Enforcing robustness [Myers, Sabelfeld, Zdancewic 2004]: "If declassification gives attacker A information, then A can't influence the data to declassify or the decision to declassify."
- Enforcing robustness against all attackers: "For all p and q, if p believes the declassification gives q information, then p believes q can't influence the data to declassify or the decision to declassify."
- More formally: for all principals p and q, if ℓ_from ⋢ R_{p→q} and ℓ_to ⊑ R_{p→q} then W_{p←q} ⋢ pc and W_{p←q} ⋢ ℓ_from
- Can't use the MSZ type system for all possible attackers: it would require a different type system for each p and q!

Slide 15: A sound, unusable typing rule

    Γ, pc ⊢ e : ℓ_from
    ℓ_to ⊔ pc ⊑ Γ(v)
    ∀ p, q. if ℓ_from ⋢ R_{p→q} and ℓ_to ⊑ R_{p→q} then W_{p←q} ⋢ ℓ_from
    ∀ p, q. if ℓ_from ⋢ R_{p→q} and ℓ_to ⊑ R_{p→q} then W_{p←q} ⋢ pc
    ──────────────────────────────────────────────────────────────────
    Γ, pc ⊢ v := declassify(e, ℓ_from to ℓ_to)

The two quantified premises together are exactly the condition from slide 14: for all principals p and q, if ℓ_from ⋢ R_{p→q} and ℓ_to ⊑ R_{p→q} then W_{p←q} ⋢ pc and W_{p←q} ⋢ ℓ_from. The rule is sound, but the premises quantify over every pair of principals, which a type checker cannot enumerate when the set of principals is unbounded and unknown.

Slide 16: Sound typing rule

    Γ, pc ⊢ e : ℓ_from
    ℓ_to ⊔ pc ⊑ Γ(v)
    ℓ_from ⊑ ℓ_to ⊔ writersToReaders(pc)
    ℓ_from ⊑ ℓ_to ⊔ writersToReaders(ℓ_from)
    ──────────────────────────────────────────
    Γ, pc ⊢ v := declassify(e, ℓ_from to ℓ_to)

- writersToReaders conservatively converts the writers of a label into readers; it is used to compare integrity against confidentiality: ∀ℓ. ∀p. writers(p, ℓ) ⊆ readers(p, writersToReaders(ℓ))
- The last two premises imply: for all principals p, readers(p, ℓ_from) ⊇ readers(p, ℓ_to) ∩ writers(p, pc) and readers(p, ℓ_from) ⊇ readers(p, ℓ_to) ∩ writers(p, ℓ_from)
- Which in turn implies robustness against all attackers: for all principals p and q, if ℓ_from ⋢ R_{p→q} and ℓ_to ⊑ R_{p→q} then W_{p←q} ⋢ pc and W_{p←q} ⋢ ℓ_from
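The following is an added example, not the paper's or Jif's code, that models the DLM semantics of slides 8 to 12 and then runs both checks from slides 14 to 16 on the slide-7 declassification. It assumes a fixed, finite set of principals (PRINCIPALS) and that "p trusts o" means p == o, i.e. no acts-for delegation; under that assumption writersToReaders is exact rather than merely conservative as in the paper. The policy classes Atom, Conj and Disj, the label encodings FROM_CONF, TO_CONF, HIGH_INTEG and LOW_INTEG, and every function name are this example's own choices. The semantic check (robust_all_attackers) enumerates all (p, q) pairs, which is only possible because the principal set is finite; the syntactic check (robust_typing_rule) is the slide-16 premise that a type checker can evaluate without that enumeration, and both agree on the example.

```python
# Added example: finite model of DLM policies, labels, and the two robustness checks.
# Assumptions: PRINCIPALS is fixed and finite; "p trusts o" iff p == o (no delegation).
from dataclasses import dataclass
from itertools import product

PRINCIPALS = frozenset({"Alice", "Bob", "Charlie"})

def trusts(p, o):
    return p == o  # assumption: no delegation between principals

@dataclass(frozen=True)
class Atom:
    """Reader policy o -> others (confidentiality) or writer policy o <- others (integrity)."""
    owner: str
    others: frozenset

@dataclass(frozen=True)
class Conj:
    left: object
    right: object

@dataclass(frozen=True)
class Disj:
    left: object
    right: object

def principals(p, pol):
    """readers(p, c) for a confidentiality policy, writers(p, d) for an integrity
    policy: conjunction intersects the sets, disjunction unites them."""
    if isinstance(pol, Atom):
        # p adheres to the policy only if it trusts the owner; otherwise it gives the
        # policy no credence and assumes anyone may read (or may have written).
        return frozenset({pol.owner}) | pol.others if trusts(p, pol.owner) else PRINCIPALS
    if isinstance(pol, Conj):
        return principals(p, pol.left) & principals(p, pol.right)
    return principals(p, pol.left) | principals(p, pol.right)

readers = principals
writers = principals

def leq_c(c, d):
    """c ⊑_C d iff for all p, readers(p, c) ⊇ readers(p, d)."""
    return all(readers(p, c) >= readers(p, d) for p in PRINCIPALS)

def leq_i(c, d):
    """c ⊑_I d iff for all p, writers(p, c) ⊆ writers(p, d)."""
    return all(writers(p, c) <= writers(p, d) for p in PRINCIPALS)

@dataclass(frozen=True)
class Label:
    conf: object   # confidentiality policy
    integ: object  # integrity policy

def robust_all_attackers(l_from, l_to, pc):
    """Slides 14-15, using ℓ ⊑ R_{p→q} iff q ∈ readers(p, ℓ) and W_{p←q} ⊑ ℓ iff
    q ∈ writers(p, ℓ): for all p, q, if ℓ_from ⋢ R_{p→q} and ℓ_to ⊑ R_{p→q} then
    W_{p←q} ⋢ pc and W_{p←q} ⋢ ℓ_from. Enumerable only because PRINCIPALS is finite."""
    for p, q in product(PRINCIPALS, repeat=2):
        gains_info = q not in readers(p, l_from.conf) and q in readers(p, l_to.conf)
        if gains_info and (q in writers(p, pc.integ) or q in writers(p, l_from.integ)):
            return False
    return True

def writers_to_readers(integ):
    """Slide 16: map an integrity policy to a confidentiality policy such that
    writers(p, ℓ) ⊆ readers(p, writersToReaders(ℓ)) for every p (here: equality)."""
    if isinstance(integ, Atom):
        return Atom(integ.owner, integ.others)
    return type(integ)(writers_to_readers(integ.left), writers_to_readers(integ.right))

def robust_typing_rule(l_from, l_to, pc):
    """Slide 16 premises: ℓ_from ⊑ ℓ_to ⊔ writersToReaders(pc) and
    ℓ_from ⊑ ℓ_to ⊔ writersToReaders(ℓ_from); ⊔ on confidentiality is conjunction."""
    return (leq_c(l_from.conf, Conj(l_to.conf, writers_to_readers(pc.integ)))
            and leq_c(l_from.conf, Conj(l_to.conf, writers_to_readers(l_from.integ))))

# Slide-7 declassification: avgSalary from (Alice or Bob) to (Alice or Bob or Charlie).
FROM_CONF = Conj(Atom("Alice", frozenset({"Bob"})), Atom("Bob", frozenset({"Alice"})))
TO_CONF = Conj(Atom("Alice", frozenset({"Bob", "Charlie"})),
               Atom("Bob", frozenset({"Alice", "Charlie"})))
HIGH_INTEG = Conj(Atom("Alice", frozenset({"Bob"})), Atom("Bob", frozenset({"Alice"})))
# Integrity of pc after branching on employeeCount, which Charlie may have written.
LOW_INTEG = Conj(Atom("Alice", frozenset({"Charlie"})), Atom("Bob", frozenset({"Charlie"})))

L_FROM = Label(FROM_CONF, HIGH_INTEG)
L_TO = Label(TO_CONF, HIGH_INTEG)
PC_TAINTED = Label(FROM_CONF, LOW_INTEG)  # slide 7 as written: loop bound attacker-writable
PC_CLEAN = Label(FROM_CONF, HIGH_INTEG)   # employeeCount protected from Charlie

def check_slide7():
    """Both checks reject the tainted pc and accept the clean one."""
    return {
        "semantic_tainted": robust_all_attackers(L_FROM, L_TO, PC_TAINTED),
        "typing_tainted": robust_typing_rule(L_FROM, L_TO, PC_TAINTED),
        "semantic_clean": robust_all_attackers(L_FROM, L_TO, PC_CLEAN),
        "typing_clean": robust_typing_rule(L_FROM, L_TO, PC_CLEAN),
    }
```

Running check_slide7() gives False for both checks on PC_TAINTED and True for both on PC_CLEAN. The rejection is driven by the pair p = Alice, q = Charlie: Alice believes Charlie cannot read ℓ_from but can read ℓ_to, and Alice also believes Charlie may have written pc, so the release is attacker-influenced. Note that Charlie himself never triggers the condition as p: since he trusts neither Alice nor Bob he gives their policies no credence and already believes everyone can read avgSalary, which is the "different users trust different things" point from slide 4 made precise.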

Slide 17: Conclusion
- Decentralized robustness = robustness + DLM
- Defined robustness against all attackers
  - Semantic security condition that generalizes robustness to arbitrary attackers
  - The decentralized label model expresses attackers' powers
- Sound type system, implemented in Jif 3.0, available at http://www.cs.cornell.edu/jif
- The paper also considers downgrading integrity: qualified robustness [Myers, Sabelfeld, and Zdancewic 2004] is generalized to qualified robustness against all attackers