A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida.



2 Problem
Expressing information-flow security specifications for:
- Android applications
- applications in general
- libraries

3 Why Information Flow? (Formal Methods @ UCF)
- ACLs and firewalls prevent or allow access to data, but they do not control what happens to the data after an access.
- Heartbleed, a defect in OpenSSL, could have been found by information-flow analysis: process memory beyond the request buffer flowed to the network.

4 Background: Information Flow Problem
    send(company, address_book);   // explicit flow: the address book leaves via a channel
    company = address_book;        // explicit flow: assignment copies the data
    boolean b = false;
    if (address_book.get("president").num().equals("(202) 456-1111")) {
        b = true;                  // implicit flow: b's value reveals a fact about the address book
    }

5 Background: Lattice Model of Information Flow (Denning, 1976)
- Each variable is given a security label (e.g., Public, User, Private, ...).
- Statically check all statements: x = e is permitted only if label(e) ⊑ label(x).
- Invariant: only permitted information flows occur.
(Figure: chain lattice Public ⊑ User ⊑ Private.)
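To make the slide-5 rule concrete, here is an added Python example (not code from the talk): a checker for a tiny statement language that applies label(e) ⊑ label(x) over the chain Public ⊑ User ⊑ Private, tracks the label of the enclosing control context so that the `if` on slide 4 is treated as an implicit flow, and reports the violations in that program. The variable labels in `ENV`, the tuple encoding of statements and the function names are assumptions of the example.

```python
"""Denning-style static information-flow check over a tiny statement language.

This is an added example, not code from the talk. It encodes the rule from
slide 5, "x = e is permitted only if label(e) ⊑ label(x)", over the chain
lattice Public ⊑ User ⊑ Private and applies it to the address-book program
of slide 4. Variable labels (ENV) and the statement encoding are chosen here.
"""

# Chain lattice from slide 5; the join of two levels is the higher one.
LEVELS = ("Public", "User", "Private")


def leq(a, b):
    """a ⊑ b: information at level a may flow to a location labelled b."""
    return LEVELS.index(a) <= LEVELS.index(b)


def join(a, b):
    return a if leq(b, a) else b


def label_of(expr, env):
    """Label of an expression: the declared label of a variable, Public for a
    literal, and the join of the operands' labels for a compound expression
    such as ("equals", e1, e2)."""
    if isinstance(expr, str):
        return env[expr]
    tag, *args = expr
    if tag == "lit":
        return LEVELS[0]
    result = LEVELS[0]
    for arg in args:
        result = join(result, label_of(arg, env))
    return result


def check(stmts, env, pc="Public", errors=None):
    """Return the list of flow violations in stmts.

    env maps variable names to labels. pc is the label of the enclosing
    control context: an assignment inside if (secret) {...} carries the
    condition's label as well as the right-hand side's, which is how the
    implicit flow into b on slide 4 is caught.
    Statement forms: ("assign", x, e), ("send", sink_label, e), ("if", cond, body).
    """
    if errors is None:
        errors = []
    for stmt in stmts:
        kind = stmt[0]
        if kind == "assign":
            _, x, e = stmt
            src = join(pc, label_of(e, env))
            if not leq(src, env[x]):
                errors.append(f"{x} = ...: {src} may not flow to {env[x]}")
        elif kind == "send":
            _, sink, e = stmt
            src = join(pc, label_of(e, env))
            if not leq(src, sink):
                errors.append(f"send(...): {src} may not flow to a {sink} sink")
        elif kind == "if":
            _, cond, body = stmt
            check(body, env, join(pc, label_of(cond, env)), errors)
        else:
            raise ValueError(f"unknown statement {kind}")
    return errors


# Slide 4's program with constructed labels: the address book is Private,
# `company` is data bound for a Public destination, and `b` is declared Public.
ENV = {"address_book": "Private", "company": "Public", "b": "Public"}

SLIDE4_PROGRAM = [
    ("send", "Public", "address_book"),        # send(company, address_book): explicit flow to a Public sink
    ("assign", "company", "address_book"),     # company = address_book: explicit flow by assignment
    ("assign", "b", ("lit", False)),           # boolean b = false: fine, a Public literal
    ("if", ("equals", ("num", ("get", "address_book", ("lit", "president"))),
                      ("lit", "(202) 456-1111")),
     [("assign", "b", ("lit", True))]),        # b = true: implicit flow, b now reveals a Private fact
]


def violations_in_slide4():
    return check(SLIDE4_PROGRAM, ENV)


if __name__ == "__main__":
    for v in violations_in_slide4():
        print("violation:", v)
```

The first two violations are the explicit flows; the third is the implicit one, found only because the checker raises the pc label to the condition's label while inside the `if`.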

6 Integrity Interpretation
- Where can the variable's value come from?
- What can affect it?
(Figure: lattice with an arrow labelled "More Influences".)

7 Confidentiality Interpretation
- Where can a variable's value be sent?
- What can learn from it?
(Figure: the lattice of sink sets {}, {FILE}, {NET}, {UI}, {NET, UI}, {FILE, UI}, {FILE, NET}, {FILE, NET, UI}, with an arrow labelled "More Confidential"; under the sinks reading, a label that permits fewer destinations is more confidential.)

8 The Decentralized Label Model (Myers & Liskov, 1998)
- Each variable has two sets of labels:
  - Sinks: where the information can flow to
  - Sources: where the information can have been obtained from
- Rules for x = e: x's label may be more restrictive than e's, never less:
  - Safe to REMOVE sinks (x's sinks are a subset of e's)
  - Safe to ADD sources (x's sources are a superset of e's)

9 Example
    @Sink({FILE}) @Source({NET}) int x;
    @Sink({FILE, UI}) @Source({NET, UI}) int e;
    x = e; // legal?
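As an added example (not code from the talk, nor the Jif/DLM implementation), the following Python encodes the two slide-8 rules as a subset test on each set and answers slide 9's question by computation. It also shows how the label of a compound expression is formed in a two-set model (sinks intersect, sources union). `Label`, `assignment_ok` and `join` are names chosen here.

```python
"""Decentralized-label check for x = e with sink and source sets.

Added example, not from the slides: implements the two rules of slide 8
and applies them to the declarations of slide 9.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    sinks: frozenset     # where the value may still be sent (confidentiality)
    sources: frozenset   # where the value may have come from (integrity)


def label(sinks, sources):
    return Label(frozenset(sinks), frozenset(sources))


def assignment_ok(x: Label, e: Label):
    """x = e is permitted when x's label is at least as restrictive as e's:
    sinks may only have been removed, sources may only have been added.
    Returns (ok, reasons)."""
    reasons = []
    if not x.sinks <= e.sinks:
        reasons.append(
            f"x allows sinks {sorted(x.sinks - e.sinks)} that e does not")
    if not x.sources >= e.sources:
        reasons.append(
            f"e carries sources {sorted(e.sources - x.sources)} that x's label omits")
    return (not reasons, reasons)


def join(a: Label, b: Label) -> Label:
    """Label of an expression combining two labelled values: it may only go
    where both could go, and it may have come from either's sources."""
    return Label(a.sinks & b.sinks, a.sources | b.sources)


# Slide 9's declarations.
X = label({"FILE"}, {"NET"})
E = label({"FILE", "UI"}, {"NET", "UI"})


def slide9_result():
    """The x = e of slide 9 under the slide-8 rules."""
    return assignment_ok(X, E)


if __name__ == "__main__":
    ok, reasons = slide9_result()
    print("x = e legal:", ok)
    for r in reasons:
        print("  ", r)
    # Declaring x with @Source({NET, UI}) makes the assignment legal.
    print(assignment_ok(label({"FILE"}, {"NET", "UI"}), E))
```

Under these rules the sink side of slide 9 is fine ({FILE} is a subset of {FILE, UI}) but the source side is not: e may have come from UI, and x's label does not admit UI as a source, so x = e is rejected on integrity grounds.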

10 Key Properties of the Decentralized Label Model
- Label creation and propagation are not centralized.
- New labels can be created dynamically.
- But checking is mostly static.

11 Drawbacks of the Decentralized Model
- Set-based labels can be cumbersome to write in programs.
- Programmers must reason about two directions at once: confidentiality and integrity.
- APIs must be specified once and for all.

12 API Example
    package android.content.res;
    class AssetFileDescriptor {
        @Source({FILESYSTEM}) FileInputStream createInputStream() throws IOException;
    }

13 Client Example
    @Source({FILESYSTEM, LITERAL}) InputStream is;
    is = encryptedVideoAsset.createInputStream();

14 Is the Power of the Decentralized Label Model Needed?
- Many programs are not distributed.
- Even distributed programs can be logically centralized.

15 The Bipartite Graph Model of Information Flow: Approach/Idea

16 Model Idea
(Figure: a bipartite graph whose left side is the channels C = {UI, FILE, NET} used by the Encrypted Video Viewer and whose right side is the security labels L = {Private, User, Public}; the edge map E connects channels to labels.)

17 Example: Encrypted Video Viewer
(Figure: the Encrypted Video Viewer application drawn between the UI, FILE and NET channels.)

18 Approach: Model
- Static security labels, L
- Global channels, C
- API specified by channels and usage: arguments (I) and results (O)
- Edge mapping, E : {I, O} × C → L

19 Model Idea (figure repeated from slide 16)

20 Example Security Lattice: Security.xml file …

21 Example Channel Mapping: Channels.xml file

22 Simple Example (Voting Booth)
    public void castVote(@Level(SECRET) User u, @Level(TOPSECRET) Vote v) {
        // ...
        // ok because TOPSECRET > SECRET
        String encryptedId = encryptVoterId(u.getUserId());
        // ok because TOPSECRET
        logVote(encryptedId, v);
        // ...
    }

    // in the program, but described with @Channels.
    public void logVote(@Channel(FILESYSTEM) String id, @Channel(FILESYSTEM) Vote vote) {
        // ...
    }

    // in an API
    public @Channel(CRYPT) String encryptVoterId(@Channel(CRYPT) String voterId) {
        // ...
    }
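The following added Python example (not the FS4A/OpenJML checker, and not code from the talk) shows what a call-site check looks like under the model of slide 18: client code carries @Level labels, APIs carry @Channel annotations, and the edge map E : {I, O} × C → L decides whether each argument may enter its parameter's channel and what level the result comes back at. It replays the castVote body of slide 22. The chain lattice stands in for Security.xml and `EDGE_MAP` for Channels.xml; the level values in `EDGE_MAP`, the assumption that `u.getUserId()` carries u's level, the hypothetical `sendToNet` API and the NET channel are choices made here.

```python
"""Call-site check for the bipartite graph model: labels on client code, channels on APIs.

Added example, not the FS4A/OpenJML checker. It implements the model of
slide 18 (labels L, channels C, edge map E : {I,O} x C -> L) and replays the
castVote body of slide 22. The lattice stands in for Security.xml and
EDGE_MAP for Channels.xml; the level values in EDGE_MAP, the assumption that
u.getUserId() carries u's level, and the NET channel are assumptions made here.
"""

LEVELS = ("PUBLIC", "SECRET", "TOPSECRET")   # stand-in for Security.xml


def leq(a, b):
    """a may flow to b in the (chain) lattice."""
    return LEVELS.index(a) <= LEVELS.index(b)


# E : {I, O} x C -> L, stand-in for Channels.xml (assumed values).
EDGE_MAP = {
    ("I", "CRYPT"): "TOPSECRET",        # anything may be handed to the cipher
    ("O", "CRYPT"): "SECRET",           # ciphertext is treated as SECRET
    ("I", "FILESYSTEM"): "TOPSECRET",   # the vote log may hold TOPSECRET data
    ("O", "FILESYSTEM"): "TOPSECRET",
    ("I", "NET"): "PUBLIC",             # only PUBLIC data may leave on the network
    ("O", "NET"): "PUBLIC",
}

# @Channel annotations per API: (parameter channels, result channel or None).
API = {
    "encryptVoterId": (["CRYPT"], "CRYPT"),           # slide 22
    "logVote": (["FILESYSTEM", "FILESYSTEM"], None),  # slide 22
    "sendToNet": (["NET"], None),                     # hypothetical, added here
}


def check_call(fn, arg_levels, edge_map=EDGE_MAP):
    """Check one call of a @Channel-annotated API from @Level-annotated code.

    Each argument's level must flow to E(I, channel) of its parameter; the
    result carries E(O, channel). Returns (result_level, violations)."""
    param_channels, result_channel = API[fn]
    if len(arg_levels) != len(param_channels):
        raise ValueError(f"{fn}: expected {len(param_channels)} arguments")
    violations = []
    for i, (level, channel) in enumerate(zip(arg_levels, param_channels)):
        allowed = edge_map[("I", channel)]
        if not leq(level, allowed):
            violations.append(
                f"{fn} argument {i}: {level} may not flow into channel {channel} (max {allowed})")
    result = edge_map[("O", result_channel)] if result_channel else None
    return result, violations


def check_cast_vote(user_level="SECRET", vote_level="TOPSECRET", edge_map=EDGE_MAP):
    """Replay castVote(@Level(SECRET) User u, @Level(TOPSECRET) Vote v) from slide 22."""
    violations = []
    # String encryptedId = encryptVoterId(u.getUserId());
    encrypted_id, v = check_call("encryptVoterId", [user_level], edge_map)
    violations += v
    # logVote(encryptedId, v);
    _, v = check_call("logVote", [encrypted_id, vote_level], edge_map)
    violations += v
    return encrypted_id, violations


# The same API under a stricter application mapping: the log may only hold SECRET.
STRICT_EDGE_MAP = {**EDGE_MAP, ("I", "FILESYSTEM"): "SECRET"}


if __name__ == "__main__":
    print(check_cast_vote())                            # ('SECRET', [])
    print(check_cast_vote(edge_map=STRICT_EDGE_MAP))    # one violation on logVote
    print(check_call("sendToNet", ["TOPSECRET"]))       # one violation on sendToNet
```

Note that the API annotations never change between the two runs; only the application's mapping does. That is the separation the model is after: an API is specified once in terms of channels, and each application decides through its own edge map which levels those channels may carry.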

23 More Detailed Example: Decentralized Label Model approach (figure)

24 More Detailed Example: Bipartite Graph Model (figure)

25 Using the Model
- User writes Security.xml and Channels.xml.
- User supplies program annotations: @Level in client code and @Channel for APIs ("poor man's" polymorphism).
- User runs the checking tool over the program.

26 Advantages of the Model
- Can mix channels and labels in a program: channels in the API, labels in client code.
- Compact types: a channel or a label, not two sets.
- Can handle confidentiality and integrity separately or together.
- Users can define arbitrarily complex lattices.

27 Suitability for APIs
- @Channel annotations specify information flow generically.
- Security.xml (levels) and Channels.xml (mapping) can be customized to fit the security concerns of the application.

28 Preliminary Experimental Work
A few systems using these ideas:
- CheckLT – lattice-based taint checking for Java, http://checklt.github.io
- FS4A – Flowspecs for Android (an extension to OpenJML): a full implementation of the Bipartite Graph Model; incorporates conditional-release aspects.

29 Conclusions
- User-defined lattice to describe security levels.
- Fixed set of channels (centralized).
- Mapping from channels to levels allows customization.

