Presentation is loading. Please wait.

Presentation is loading. Please wait.

Containment and Integrity for Mobile Code Security policies as types Andrew Myers Fred Schneider Department of Computer Science Cornell University.

Published byLeslie Preston Modified over 9 years ago

Similar presentations

Presentation on theme: "Containment and Integrity for Mobile Code Security policies as types Andrew Myers Fred Schneider Department of Computer Science Cornell University."— Presentation transcript:

1 Containment and Integrity for Mobile Code Security policies as types Andrew Myers Fred Schneider Department of Computer Science Cornell University

2 13 Feb 01Security policies as types — Andrew Myers 2 Projects Security policies as types –support for low-level languages –reacting to intrusion: untrusted hosts Composing fault-tolerance and security –Asynchronous, proactive secret sharing –COCA online certification authority Inlined reference monitors

3 13 Feb 01Security policies as types — Andrew Myers 3 Protecting data against programs Goal: confidentiality, integrity of information How to enforce as system-wide property? –There are almost no trusted programs Information flow policies: end-to-end principle applied to security “the system cannot allow information to flow from source A to destination B”

4 13 Feb 01Security policies as types — Andrew Myers 4 Security-typed languages Idea: encode security policies in type system –Programs not allowed to run unless type-correct Advantages: –Decidable enforcement –Low run-time overhead –Small TCB (?) –Compositional security Issues: –What security policies can be encoded as types? –Application to low-level code? –Distributed computation – who decides what to run?

5 13 Feb 01Security policies as types — Andrew Myers 5 Non-interference Information flow policies based on some form of non-interference “High” inputs cannot affect “low” observables Can be enforced by security type system H1L1 L2H2 H3L1 L2H4 LL

6 13 Feb 01Security policies as types — Andrew Myers 6 Issues Low-level code –Want to verify security in executable code –Useful for mobile code –Security type systems too restrictive TCB: host –Untrusted hosts –Intrusion –Dynamic coalitions Downgrading –Non-interference is too restrictive –What can be enforced if it is violated?

7 13 Feb 01Security policies as types — Andrew Myers 7 Security types A simple security type system: –Security type  =  H or  L where  an ordinary type –int H : a secret integer –int L : a public integer –More expressive labeling schemes exist Examples of use: int L x = e; // OK if e has type int L int H x = e; // OK if e has type int H or int L int H b; int L x = 0; if (b) { x = 1; } // not OK

8 13 Feb 01Security policies as types — Andrew Myers 8 Implicit flow in high-level lang. int H b; int L x = 0; if (b) { x = 1; /* not OK */ } Implicit flow: information carried through control structure Solution: introduce static approximation to implicit flow (pc) –Type of expression always acquires pc int H b; int L x = 0 L ; i f (b) { x = 1 H ; } pc updated by rules for type-checking control structures

9 13 Feb 01Security policies as types — Andrew Myers 9 Implicit flow in low-level lang. High-level control structures (if, while, switch, function calls, returns)  indirect, direct jumps Less ability to reason about implicit flow Simple rule: pc at target of jump always more secret than at jump instruction –captures possible implicit flow –too restrictive –doesn’t handle indirect jumps

10 13 Feb 01Security policies as types — Andrew Myers 10 Loss of precision int H b; /* pc = L */ int L x = 0 L ; /* pc = L */ if (b) { x = 1 H ; /* pc = H */} /* pc = L */ MOV x, 0; pc = L CMP b, 0; pc = L JZ skip; pc = H MOV x, 1; pc = H skip:; pc = H High-level: safe Low-level: apparently unsafe

11 13 Feb 01Security policies as types — Andrew Myers 11 A security-typed calculus First low-level typed language with support for dynamic control transfers, static information flow control [ESOP’01] Continuations in A-normal form: close to assembly code Linear continuations preserve precision of high-level source analysis First proof of language-based enforcement of non-interference (for any higher-order imperative language) e ::= let x = prim in e | let x = ref l  v in e | letlin y = lv in e | set v 1 := v 2 in e | if v then e 1 else e 2 | goto v 1 (v 2, lv) | lgoto lv 1 (v, lv 2 ) | halt  v

12 13 Feb 01Security policies as types — Andrew Myers 12 TCB: host Model so far: host/execution platform type- checks incoming code to enforce security properties On a system of many hosts? – no perimeter! Response to intrusion? Dynamic trust relationships?

13 13 Feb 01Security policies as types — Andrew Myers 13 Secure program partitioning Programs contain no explicit code locations or communication Automatically transformed (“split”) to run securely on current hosts Intrusion: re-split! Change in trust relationships: re-split! Implemented in Jif compiler [TR] source compiler intermediate code Host 1 splitter Host 2Host 3 code partition authenticated trust declarations

14 13 Feb 01Security policies as types — Andrew Myers 14 Downgrading/Declassification Information-flow security properties are too strong—real systems need to leak information Example: password-checking procedure leaks information about passwords even on failure Non-interference is all-or-nothing Robust vs. non-robust declassification: –Robust: declassification releases only the intended information –Non-robust: attackers can exploit declassification to release additional information A non-robust system: password checker if attacker can change passwords

15 13 Feb 01Security policies as types — Andrew Myers 15 Robust declassification Assumption 1: attacker can observe some aspects of system state  Assumption 2: attacker can cause changes to some aspects of system state  Observation: projection function  :  O System is robust with respect to attacker if attacker learns no more from attacked system than from simple observation       Non-interfering = ? = ? Robust A

16 13 Feb 01Security policies as types — Andrew Myers 16 Results Theorem: non-interfering systems are robust Theorem: all systems are robust against attackers whose power to modify (  A  ) is appropriately bounded –Integrity property derived automatically from confidentiality property First formal characterization of confidentiality+downgrading+active attacker; applicable to language-based enforcement

17 13 Feb 01Security policies as types — Andrew Myers 17 Policies Strong, information flow policies Simple access control policies Mutually distrusting but collaborating principals Dynamically changing trust relationships

18 13 Feb 01Security policies as types — Andrew Myers 18 Attacks Considered: –buggy or malicious downloaded code –storage channels, implicit flows –intrusion/integrity violation in multiple-host system –exploitation of downgrading channels Not considered: –denial of service –traffic analysis –timing, termination channels

19 13 Feb 01Security policies as types — Andrew Myers 19 Conclusions Information flow policies enforce system- wide security Progress: –Provably correct type-based enforcement for low- level code –Support for untrusted hosts, dynamically changing trust relationships—secure program partitioning –New theory of robust declassification

Download ppt "Containment and Integrity for Mobile Code Security policies as types Andrew Myers Fred Schneider Department of Computer Science Cornell University."

Similar presentations

Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
Untrusted Hosts and Confidentiality: Secure Program Partitioning Steve Zdancewic Lantian Zheng Nathaniel Nystrom Andrew Myers Cornell University.

Untrusted Hosts and Confidentiality: Secure Program Partitioning Steve Zdancewic Lantian Zheng Nathaniel Nystrom Andrew Myers Cornell University.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Containment and Integrity for Mobile Code Status Report to DARPA ISO: Feb. 2000 Fred B. Schneider Andrew Myers Department of Computer Science Cornell University.

Containment and Integrity for Mobile Code Status Report to DARPA ISO: Feb Fred B. Schneider Andrew Myers Department of Computer Science Cornell University.
Trustworthy Services from Untrustworthy Components: Overview Fred B. Schneider Department of Computer Science Cornell University Ithaca, New York 14853.

Trustworthy Services from Untrustworthy Components: Overview Fred B. Schneider Department of Computer Science Cornell University Ithaca, New York
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI 297 5.31.2005.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.

Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.
Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.

Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.
Typed Assembly Languages COS 441, Fall 2004 Frances Spalding Based on slides from Dave Walker and Greg Morrisett.

Typed Assembly Languages COS 441, Fall 2004 Frances Spalding Based on slides from Dave Walker and Greg Morrisett.
Information Flow, Security and Programming Languages Steve Steve Zdancewic.

Information Flow, Security and Programming Languages Steve Steve Zdancewic.
Steve Zdancewic ESOP011 Secure Information Flow and CPS Steve Zdancewic Joint work with Andrew Myers Cornell University.

Steve Zdancewic ESOP011 Secure Information Flow and CPS Steve Zdancewic Joint work with Andrew Myers Cornell University.
1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.

1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.
6/18/2015 4:21 AM Information Flow James Hook CS 591: Introduction to Computer Security.

6/18/2015 4:21 AM Information Flow James Hook CS 591: Introduction to Computer Security.
Verifiable Security Goals

Verifiable Security Goals
Decentralized Robustness Stephen Chong Andrew C. Myers Cornell University CSFW 19 July 6 th 2006.

Decentralized Robustness Stephen Chong Andrew C. Myers Cornell University CSFW 19 July 6 th 2006.
6/20/2015 11:09 PM Information Flow James Hook CS 591: Introduction to Computer Security.

6/20/ :09 PM Information Flow James Hook CS 591: Introduction to Computer Security.
Polyglot: An Extensible Compiler Framework for Java Nathaniel Nystrom, Michael R. Clarkson, and Andrew C. Myers Presentation by Aaron Kimball & Ben Lerner.

Polyglot: An Extensible Compiler Framework for Java Nathaniel Nystrom, Michael R. Clarkson, and Andrew C. Myers Presentation by Aaron Kimball & Ben Lerner.
Robust Declassification Steve Zdancewic Andrew Myers Cornell University.

Robust Declassification Steve Zdancewic Andrew Myers Cornell University.

Similar presentations

Ads by Google