Language-Based Information- Flow Security

Transcription

1 Language-Based Information- Flow Security Andrei Sabelfeld Andrew C. Myers Presented by Shiyi Wei

2 About the paper Literature review Information flow security Static program analysis to enforce information-flow Confidentiality Year: 2003 Jif (Java information flow) project Active since 1997 More than 34 publications System, language, security SOSP, POPL, CCS, Oakland Other work based on Jif 2

3 Overview Introduction Background Covert channels Mandatory access control Basics of language-based information flow Research trends Open challenges 3

4 Introduction Protect data confidentiality End-to-end security Enforcement of confidentiality policies Information cannot flow to where policy is violated Challenges Concurrency Covert channels Applications Military, medical, financial information systems Web-based services: mail, shopping, social network 4

5 Introduction Standard security mechanisms Discretionary access control Access files/objects based on privilege Prevent processes not authorized by file owner from reading Place restrictions on the release of information, but not its propagation Does not control how the data is used after reading from file To soundly enforce confidentiality Grant access privilege only to processes that will not leak confidential data» A much stronger information-flow policy!» Access control cannot identify these processes 5

6 Introduction Standard security mechanisms Encryption Secure an information channel Only the communicating endpoints have access However, no assurance that once the data is decrypted Antivirus software Offers limited protection against new attacks Firewall Protects confidentiality by preventing communication Checking confidentiality violation lies outside its scope 6

7 Introduction Language-based approach security-typed language Use of type systems for information flow Augmented with annotations Specify policies on the use of the typed data Compile-time type checking Add little or no run-time overhead E.g. Jif[1], SLam calculus[2], References [1] A.C.Myers and B. Liskov, A decentralized model for information flow control, in Proc. ACM Symp. on Operating System Principles, Oct. 1997, pp [2] N. Heintze and J. G. Riecke, The Slam calculus: programming with secrecy and integrity, in Proc. ACM Symp. on Principles of Programming Languages, Jan. 1998, pp

8 Introduction Integrity: a dual to confidentiality Confidentiality requires that information be prevented from flowing to inappropriate destinations Integrity requires that information be prevented from flowing from inappropriate sources 8

9 Background: Covert Channels Implicit flows Signal information through the control structure of a grogram Termination channels The termination/nontermination of a computation while secret=1 do skip Timing channels Signal information through the time at which an action occurs rather than through the data E.g. total execution time of a program 9

10 Background: Covert Channels Probabilistic channels Signal information by changing the probability distribution of observable data Resource exhaustion channels Signal information by the possible exhaustion of a finite, shared resource Power channels Signal information in the power consumed by the computer 10

11 Background: Mandatory Access control Mandatory access control Label each data with a security level Run-time enforcement mechanism Problem: implicit flow Process sensitivity label Label creep Monotonically increase label Too restrictive h := h mod 2; l := 0; if h = 1 then l :=1 else skip l := 1 h := h mod 2; l := 0; if h = 1 skip 11

12 Basics of Language-Based Information Flow Noninterference policy a variation of confidential(high) input does not cause a variation of public(low) output The attacker cannot observe any difference between two executions that differ only in their confidential input Security-type system A collection of typing rules Let s build one! 12

13 Basics of Language-Based Information Flow Language syntax: C ::= skip var := exp C1;C2 if exp then C1 else C2 while exp do C 13

14 Basics of Language-Based Information Flow Language syntax: C ::= skip var := exp C1;C2 if exp then C1 else C2 while exp do C (1) := (2) := (3) := (4) := 14

15 Basics of Language-Based Information Flow C ::= skip var := exp C1;C2 if exp then C1 else C2 while exp do C (1) if then else (2) if then else (3) if then else (4) if then else (5) if then else (6) if then else (7) if then else (8) if then else 15

16 Basics of Language-Based Information Flow Language syntax: C ::= skip var := exp C1;C2 if exp then C1 else C2 while exp do C 16

17 Research Trends static certification noninterference sound security analysis expressiveness concurrency covert channels security policies 17

18 Language Expressiveness static certification noninterference procedures sound security analysis functions exceptions objects expressiveness concurrency covert channels security policies 18

19 Language Expressiveness Procedures Polymorphism[3] The type of commands or expressions may be generic Functions Slam calculus[4] A functional language References [3] D. Volpano and G. Simth, A type-based approach to program security, in Proc. TAPSOFT 97. Apr. 1997, vol of LNCS, pp [4] N. Heintze and J. G. Riecke, The Slam calculus: programming with secrecy and integrity, in Proc. ACM Symp. on Principles of Programming Languages, Jan. 1998, pp

20 Language Expressiveness Exceptions Nonlocal transfer of control; implicit flow Path labels[5] Objects Fine-grained tracking of implicit flows caused by exceptions Java-like imperative object-oriented language[6] JFlow[5] References [5] A. C. Myers, JFlow: Practical mostly-static information flow control, in Proc. ACM Symp. on Principles of Programming Languages, Jan , pp [6] A. Banerjee and D. A. Naumann, Secure information flow and pointer confinement in a Java-like language, in Proc. IEEE Computer security Foundations Workshop, June 2002, pp

21 Concurrency static certification noninterference nondeterminism sound security analysis threads distribution expressiveness concurrency covert channels security policies 21

22 Concurrency Nondeterminism Possibilistic security condition[7] High inputs may not affect set of possible low inputs Dependence analysis between variables[8] References [7] J. McLean, A general theory of composition for a class of possibilistic security properties, IEEE Transactions on Software Engineering, vol. 22, no. 1, pp , Jan [8] J. P. Banatre, C. Bryce, and D. Le Metayer, An approach to information security in distributed systems, in Proc. European Symp. on Research in Computer Security. 1994, vol. 875 of LNCS, pp , Springer-Verlag. 22

23 Concurrency Thread concurrency High part has to be protected at all times (thread1) h := 0; l := h; (thread2) h := h Noninterference for a multithreaded language[9] No while loop may have a high guard No high conditional may contain a while loop in branch Encode of a timing leak into a direct leak (if h = 1 then C long else skip); l :=1 l := 0 References [9] G. Simth and D. Volpano, Secure information flow in a multi-threaded imperative language, in Proc. ACM Symp. on POPL, Jan. 1998, pp

24 Concurrency Distribution The ability to exchange messages These communications may be observed by attackers Mutual distrust Components can fail Attempt to compromise the behavior of others Secure program partitioning[10] Sequential, security-typed program -> fine-grained communicating subgrams References [10] S. Zdancewic, L. Zheng, N. Nystrom, and A.C. Myers, Untrusted hosts and confidentiality: Secure program partitioning, in Proc. ACM Symp. on Operating System Principles, Oct. 2001, pp

25 Covert Channels static certification noninterference termination sound security analysis timing probability expressiveness concurrency covert channels security policies 25

26 Covert Channels Termination channels Termination-sensitive noninterference[11] Disallows high loops and requires high conditionals have no loops in the branches Binding-time analysis[12] Divides program terms into while h = 1 do skip Static: known at partial-evaluation time Dynamic: to be supplied later No static term depends on a dynamic variable References [11] D. Vlpano and G. Smith, Eliminating covert flows with minimum typings, Proc. IEEE Computer Security Foundations Workshop, pp , June 1997 [12] M. Abadi, A. Banerjee, N. Heintze, and J. Riecke, A core calculus of dependency, in Proc. ACM Symp. on Principles of Programming Languages, Jan. 1999, pp

27 Timing channels Click to edit Master title style Covert Channels Timing-sensitive noninterference[13] High conditionals have no loops in the branches and wrapping each high conditional in a protect statement whose execution is atomic Program transformation[14] if h = 1 then C long else skip Cross-copy of the slices of the branches of a high if to equalize the execution time of the branches References [13] D. Volpano and G. Smith, Probabilistic noninterference in a concurrent language, J. Computer Security, vol. 7, no. 2-3, pp , Nov [14] J. Agat, Transforming out timing leaks, in Proc. ACM Symp. on Principles of Programming Languages, Jan. 2000, pp

28 Covert Channels Probabilistic channels Probabilistic noninterference Two behaviors are indistinguishable by the attacker iff the distribution of low output is the same Example [] p : probabilistic choice operator Selects the left-hand side command with the probability p Selects the right-hand side with the probability 1-p Varying PIN does not change set of possible outcomes Secure for possibilistic condition l := PIN [] 9/10 l := rand(9999) 28

29 Security Policies static certification noninterference sound security analysis declassification admissibility relative security quantitative security expressiveness concurrency covert channels security policies 29

30 Security Policies Noninterference rejects downgrading Decentralized model[1] Selective declassification Admissibility[15] Explicitly states what dependencies between data are allowed in the program Quantitative security[16] Allow for a limited bandwidth of information leaks References [15] M. Dam and P. Giambiagi, Confidentiality for mobile code: The case of a simple payment protocol, in Proc. IEEE Computer Security Foundations Workshop, July 2000 [16] D. Clark, S. Hunt, and P. Malacaria, Quantitative analysis of the leakage of confidential data, in QAPL

31 Open Challenges System-Wide Security Computer systems are only as secure as their weakest point Integration of language-based information flow and system-wide information-flow control Certifying Compilation Secure information flow of low-level languages Useful information about program structure is lost 31

32 Open Challenges Abstraction-violating attacks The model of the attacker is an abstraction Removes possibly important details about real attacker E.g. cache attack When h = 1, execution time is likely to be shorter (if h =1 then h := h 1 else h := h 2 ); h := h 1 Dynamic Policies Information-flow policies are not known statically E.g. Jif compiler Type label 32

33 Open Challenges Practical issues Improve the precision of type systems Do not reject too many secure programs Experience is needed Variations of static analysis for security Control- and data-flow analysis E.g. More accurate than many type systems (if h = 1 then l := 1 else l:= 0); l := 0 33