JFlow: Practical Mostly-Static Information Flow Control

Similar documents
Practical Mostly-Static Information Flow Control. Andrew Myers MIT Lab for Computer Science

Labels and Information Flow

Decentralised Label Model / Jif (part 2)

DD2460 Software Safety and Security: Part III Exercises session 2: Type + Jif

A Decentralized Model for Information Flow Control

Language-Based Information- Flow Security

Data-flow control using Jif in a health care system

CS558 Programming Languages

Outline. Java Models for variables Types and type checking, type safety Interpretation vs. compilation. Reasoning about code. CSCI 2600 Spring

3.Constructors and Destructors. Develop cpp program to implement constructor and destructor.

Weiss Chapter 1 terminology (parenthesized numbers are page numbers)

Institute for Software-Integrated Systems. Technical Report

AP COMPUTER SCIENCE JAVA CONCEPTS IV: RESERVED WORDS

A Decentralized Model for Information Flow Control

CSE 431S Type Checking. Washington University Spring 2013

JPred-P 2. Josh Choi, Michael Welch {joshchoi,

From Languages to Systems: Understanding Practical Application Development in Security-typed Languages

Effective Blame for Information-Flow Violations

CH. 2 OBJECT-ORIENTED PROGRAMMING

Contents. Figures. Tables. Examples. Foreword. Preface. 1 Basics of Java Programming 1. xix. xxi. xxiii. xxvii. xxix

Programming with Explicit Security Policies. Andrew Myers Cornell University

Subtypes and Subclasses

The design of a programming language for provably correct programs: success and failure

Argument Passing All primitive data types (int etc.) are passed by value and all reference types (arrays, strings, objects) are used through refs.

COS 320. Compiling Techniques

Assignment 4: Semantics

Introduction to Programming Using Java (98-388)

Secure Programming Lecture 15: Information Leakage

Contents. I. Classes, Superclasses, and Subclasses. Topic 04 - Inheritance

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

Exercise 3 Subtyping and Behavioral Subtyping October 13, 2017

IA014: Advanced Functional Programming

Index. Index. More information. block statements 66 y 107 Boolean 107 break 55, 68 built-in types 107

Agenda. Objects and classes Encapsulation and information hiding Documentation Packages

Chapter 11 Inheritance and Polymorphism. Motivations. Suppose you will define classes to model circles,

Improving Usability of Information Flow Security in Java

Java Primer 1: Types, Classes and Operators

CSCI-GA Scripting Languages

1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.

Java 8 Programming for OO Experienced Developers

15CS45 : OBJECT ORIENTED CONCEPTS

OOPs Concepts. 1. Data Hiding 2. Encapsulation 3. Abstraction 4. Is-A Relationship 5. Method Signature 6. Polymorphism 7. Constructors 8.

A Practical Optional Type System for Clojure. Ambrose Bonnaire-Sergeant

Inheritance and Polymorphism

CS321 Languages and Compiler Design I Winter 2012 Lecture 13

Software Development & Education Center. Java Platform, Standard Edition 7 (JSE 7)

Programming in Scala Second Edition

Graphical Interface and Application (I3305) Semester: 1 Academic Year: 2017/2018 Dr Antoun Yaacoub

COSE212: Programming Languages. Lecture 3 Functional Programming in OCaml

CS558 Programming Languages

Semantic Analysis. How to Ensure Type-Safety. What Are Types? Static vs. Dynamic Typing. Type Checking. Last time: CS412/CS413

The reader is referred to the Objective Caml reference manual for a more detailed description of these features.

Simple Component Writer's Guide

Designing Robust Classes

Types. What is a type?

Shared Subtypes. Subtyping Recursive Parameterized Algebraic Data Types

Typed Racket: Racket with Static Types

Java: introduction to object-oriented features

Java Object Oriented Design. CSC207 Fall 2014

Chapter 5 Object-Oriented Programming

CS/B.TECH/CSE(New)/SEM-5/CS-504D/ OBJECT ORIENTED PROGRAMMING. Time Allotted : 3 Hours Full Marks : 70 GROUP A. (Multiple Choice Type Question)

Topic 9: Type Checking

Topic 9: Type Checking

Lenient Array Operations for Practical Secure Information Flow

Parametric Polymorphism for Java: A Reflective Approach

Data Types. Every program uses data, either explicitly or implicitly to arrive at a result.

A Type System for Regular Expressions

Rules and syntax for inheritance. The boring stuff

Pace University. Fundamental Concepts of CS121 1

What is Inheritance?

Day 4. COMP1006/1406 Summer M. Jason Hinek Carleton University

The Contract Pattern. Design by contract

Inheritance. Inheritance allows the following two changes in derived class: 1. add new members; 2. override existing (in base class) methods.

The Sun s Java Certification and its Possible Role in the Joint Teaching Material

Chapter 5 Names, Binding, Type Checking and Scopes

Overriding המחלקה למדעי המחשב עזאם מרעי אוניברסיטת בן-גוריון

Verifying information flow control in Java bytecodes. Nicholas A. Mathewson

GADTs meet Subtyping

Std 12 Lesson-10 Exception Handling in Java ( 1

CS558 Programming Languages

Lecture Overview. [Scott, chapter 7] [Sebesta, chapter 6]

( &% class MyClass { }

Language-Based Enforcement of Privacy Policies

Fast Track to Core Java 8 Programming for OO Developers (TT2101-J8) Day(s): 3. Course Code: GK1965. Overview

Marcin Luckner Warsaw University of Technology Faculty of Mathematics and Information Science

Synchronization SPL/2010 SPL/20 1

Chapter 10 Inheritance and Polymorphism. Dr. Hikmat Jaber

CS Internet programming Unit- I Part - A 1 Define Java. 2. What is a Class? 3. What is an Object? 4. What is an Instance?

Object Oriented Issues in VDM++

CS 152: Data Structures with Java Hello World with the IntelliJ IDE

JVM ByteCode Interpreter

Why Types Matter. Zheng Gao CREST, UCL

Programming Kotlin. Familiarize yourself with all of Kotlin s features with this in-depth guide. Stephen Samuel Stefan Bocutiu BIRMINGHAM - MUMBAI

FRAC: Language Reference Manual

Java Review: Objects

Cpt S 122 Data Structures. Course Review Midterm Exam # 2

Principles of Programming Languages

Introducing Wybe a language for everyone

DOWNLOAD PDF CORE JAVA APTITUDE QUESTIONS AND ANSWERS

Transcription:

JFlow: Practical Mostly-Static Information Flow Control A.Myers and B.Liskov. A Decentralized Model for Information Flow Control (SOSP 1997). Andrew C. Myers and Barbara Liskov. Protecting privacy using the decentralized label model. ACM Transactions on Software Engineering and Methodology, 9(4): 410 442, October 2000. Motivation Privacy protection is increasingly critical Static information-flow checking is a good solution Compromise between security and performance Several languages exist on paper that allow static information-flow checking, but None are practical; too limited and/or restrictive Goal of JFlow: support static information-flow checking and be practical 1

Background Builds on existing work: Java Lattice model of information flow [Bell, Denning] Subtype/parametric polymorphism Dependent types [Cardelli] Decentralized label model [Myers] Novel work solving practical problems: Mutable objects Declassification Dynamic granting/revoking of authority Label polymorphism Automatic label inference Exceptions Design Source-to-source compiler for Java.jif.jif.jif JFlow.jif.jif.java Statically-checked constructs are simply removed For the most part, translation involves removal of the static annotations in the JFlow program (after checking them, of course). There is little code space, data space, or run time overhead Non-statically-checked constructs (labels, principals, actsfor, switch label) are converted to runtime checks 2

Labels Labels are type annotations that allow label checking Label checking = statically determining that the label of every expression is at least as restrictive as the label of any value it might produce JFLow s labeling scheme comes from decentralized label model explored by Myers and Liskov Label = set of 0 or more Policies Policy = 1 owner and 0 or more readers L = { o 1 : r 1, r 2 ; o 2 : r 2, r 3 } owner readers owner readers policy label policy Labels L = { o 1 : r 1, r 2 ; o 2 : r 2, r 3 } o 1 allows r 1 and r 2 to read; and o 2 allows r 2 and r 3 to read { } is the fully permissive label No principal has expressed a security interest Owner automatically included as reader L = { o 1 : } o 1 allows only his/herself to read Owners and readers are drawn from the set of principals 3

Labels Data may only be read by a principal if all of the policies in its label list that principal as a reader The effective policy of a label is the intersection of all its policies Labels form lattices Let A B be join/lub of A and B Let A B be A can be relabeled as B For each policy in A, there is a policy at least as restrictive in B Let be shorthand for A B and B A Labels Example lattice where only principals are Alice and Bob { Alice : ; Bob : } { Alice : } { Alice : ; Bob : Alice } { Bob : } { Alice : Bob ; Bob : } { } { Alice : Bob ; Bob : Alice } 4

Labels A principal may choose to relax (add readers to) a policy that it owns; this is declassification Safe because other policies are not affected Some principals are allowed to act for other principles There is a principal hierarchy that can be updated dynamically Not a key detail Labeled Types Every variable is statically bound to a static label A label is denoted by a label expression, which is a set of component expressions However, a component expression may take other forms; e.g., it may be a variable name: int { Alice : } x; int { x } y; int { Bob : ; y } z; Policy of x means copy variable x s policies here Effective readers for x, y, z are Alice, Alice, Nobody 5

Labeled Types The programmer may omit labels, in which case JFlow will either infer the label or assign a default If omitted, the label of a local variable is inferred automatically based on its uses. In other contexts where a label is omitted, a context-dependent default label is generated. For example, for default label of an instance variable is the public label { }. Other cases of default label assignment will be noted later Implicit Flows All guarded expressions labels are forced to be at least as restrictive as the guard s label Type system uses variable pc to hold the join-ofall-guard-labels at all points int { public } x; // pc = {} boolean { secret } b; // pc = {} x = 0; // pc = {} if (b) { // pc = {} x = 1; // pc = { secret } } This example will fail label checking: secret public 6

Runtime Labels New primitive type label Needed when a label is relevant but is not known a priori Only thing you can do with a label is switch on it: label { L } lb; int { *lb } x; int { p: } y; switch label(x) { case ( int { y } z ) y = z; else throw new UnsafeTransfer(); } Example is an attempt to transfer value of x to y The statement executed is the first whose associated label is at least as restrictive as the expression label. Runtime Labels labels also allow methods with dependent type signatures: static float {*lb} compute(int x {*lb}, label lb) labels may be used in label expressions only if they are immutable (final) after initialization (method args are implicitly final) 7

Runtime Principals New primitive type principal Needed if a principal is relevant but not known a priori Run-time principals are needed in order to model systems that are heterogeneous with respect to the principals in the system, without resorting to declassification. Authority and Declassification A principal may declassify (weaken) policies that he or she owns but where s the principal? At a given point, the program is operating on behalf of some set of principals (called the static authority) Static authority at a given point depends on annotations made by the programmer on the class and method levels Only purpose of static authority is to statically determine whether declassifications are legal Declassification syntax: declassify(e, L): relabels expression e with L 8

Classes Classes may be parameterized (generic with respect to some labels and/or principals) To ensure that these types have a well-defined meaning only immutable (final) variables may be used as parameters Classes If { secret } { public }, does it follow that Vector[{secret}] Vector[{public}]? No! Programmer may allow this in cases where it is sound by declaring label parameter covariant label covariant imposes additional constraints: no method argument or mutable instance variable may be labeled using the parameter 9

Classes A class always has one implicit label parameter: the label {this}, representing the label on an object of the class In the case of {this}, L1 L2 should imply that C{L1} acts as a subtype of C{L2}, so {this} must be a covariant label Classes A class may have some authority granted to its objects by adding an authority clause to the class header class passwordfile authority(root) { } If the authority clause names external principals, the process that installs the class into the system must have the authority of the named principals If the authority clause names principals that are parameters of the class, the code that creates an object of the class must have the authority of the actual principal parameters used in the call to the constructor. 10

Methods The return value, arguments, and exceptions may each be individually labeled Arguments are always implicitly final There is also an optional begin-label and endlabel If begin-label is specified then pc must be at least as restrictive as begin-label at time of call If end-label is specified then no termination of the method may leak more information than end-label specifies (end-label is at least as sensitive as the leaked information) Methods When labels are omitted from parameters, those parameters use implicit label polymorphism The argument labels become implicit parameters to the function Without label polymorphism, libraries are intractable (need one method for every possible labeling of the parameters) 11

Methods If begin-label is omitted, it too becomes an implicit parameter to the function Because the pc within the method contains an implicit parameter, this method is prevented from causing real side effects If a return-value label is omitted, it defaults to the join of all argument labels and the end-label Methods static int {x;y} add(int x, int y) { return x + y; } Return value label boolean compare_str(string name, String pwd) : {name; pwd} throws(nullpointerexception) { } End-label Explicit label parameter? boolean store{l} (int{} x) throws(notfound) { } Parameter label 12

Password Example Establish static authority root: policy added to label of match via pc Runtime exceptions in JFlow must be explicitly caught Declassify (removes root: policy) Protected Example The default label for a return value is the end-label, joined with the labels of all the arguments.??? 13

Typed Label Checking Complete set of rules for type and label checking are given in the journal paper The checking subsystem generates a system of constraints that are solved by a fast constraint solver Theoretical argument for why it s fast The observed behavior of the JFlow compiler is that constraint solving is a negligible part of run time. Translation The vast majority of annotations are simply removed Uses of the new primitive label and authority types are translated to jflow.lang.label and jflow.lang.principal Only two constructs translate to interesting code: the actsfor and switch label statement, which dynamically test principals and labels, respectively. Dynamic tests translate to optimized method calls on Label and Principal classes Memoize for speed 14

Mission Accomplished? The goal was to build a practical system; is it practical? Not backward-compatible with Java since existing Java libraries are not flowchecked and do not provide flow annotations. However, in many cases, a Java library can be wrapped in a JFlow library that provides reasonable annotations. No static fields No Threads No unchecked exceptions Mission Accomplished? Only large projects in JFlow/Jif I found were Civitas and JPMail JPMail: an experiment in security programming Software engineering: Developing an application in Jif was complex and time-consuming. Just the edit/compile/repair cycle was tedious because of the surprisingly large number of possible information leaks in typical programs. Jif prevents all possible leaks, forcing very particular programming styles.. There are also opportunities for other refactorings to aid the programmer in labeling and re-labeling data. These developments are still in progress. We concluded that Jif holds great promise for building provably secure, distributed applications, but more development is needed before this goal may be realized. http://siis.cse.psu.edu/jpmail/ 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback