Transcript of slides: Addressing Covert Channels in a Concurrent Information Flow Control Language (2015-01-21)
Addressing Covert Channels in a Concurrent Information Flow Control Language
Deian Stefan. Joint work with: Alejandro Russo, Pablo Buiras, Amit Levy, John Mitchell, and David Mazières
Information Flow Control
• Well-established approach to enforcing security
  ◦ Guarantees: preservation of confidentiality
• Suitable for executing untrusted code
  ◦ Policies specify where data can flow
    E.g., “Alice’s contacts may flow to her friends.”
  ◦ Do not need to analyze code
    E.g., “No execution of system call Y if X was executed.”
Information Flow Control: Limitations & Motivation
• Limitations of IFC enforcement techniques:
  ◦ Static: inflexible when considering inherently dynamic systems (e.g., web apps and OSes)
  ◦ Dynamic: violations → leaks through monitor
• Adoption setbacks:
  ◦ Lack of advanced features, including concurrency
  ◦ Covert channels
    E.g., timing and cache attacks are practical!
Goal: develop an IFC-secure language
  ◦ Support concurrency constructs
  ◦ Address termination & timing covert channels
  ◦ Retain flexible programming interface
Approach: Extend existing Haskell IFC library!
  ◦ Associates a label with every piece of data: a means for carrying the policies associated with data
  ◦ Dynamically tracks and controls propagation of information within a custom monad (LIO)
LIO Security Guarantees
• Termination-insensitive non-interference
  ◦ Informally: if a program terminates, then confidentiality of data is preserved
  ◦ Standard & provided by Jif, FlowCaml, etc.
• Why only termination-insensitive?
  ◦ toLabeled is susceptible to termination attacks!
Adding Fire
• Recall first goal: support concurrency constructs
• Suppose we add a simple fork primitive...
Fighting fire with fire
Solution: Threads
• Decoupling toLabeled computations
  ◦ Spawn a new thread to execute the sub-computation
  ◦ Immediately return a labeled “handle” to the thread
• Concurrent LIO:
  ◦ lFork: used to spawn a new labeled thread.
  ◦ lWait: forces evaluation of the thread, but first raises the current label to be at least as restrictive as the thread label.
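As an added illustration (not code from the talk or from the LIO library), a small Python model of the two primitives above: lFork returns a labeled handle immediately, and lWait raises the current label to the join with the thread label before it blocks. The LOW/HIGH lattice, the Monitor class and the diverging secret_action are constructed for this example.

```python
import threading
from collections import namedtuple

LOW, HIGH = 0, 1                                   # constructed two-point lattice: LOW flows to HIGH
Handle = namedtuple("Handle", "label thread box")  # labeled handle to a running thread

class Monitor:  # models the LIO current label plus one LOW (public) output channel
    def __init__(self):
        self.current, self.public_out = LOW, []

    def write_public(self, msg):
        # A LOW sink may only be written while the current label is still LOW.
        if self.current > LOW:
            raise PermissionError("current label too high for a public write")
        self.public_out.append(msg)

    def l_fork(self, label, action):
        # Spawn the sub-computation and hand back a labeled handle at once; the parent never waits on it.
        box = {}
        t = threading.Thread(target=lambda: box.update(v=action()), daemon=True)
        t.start()
        return Handle(label, t, box)

    def l_wait(self, handle):
        # Raise the current label to the join with the thread label before blocking.
        self.current = max(self.current, handle.label)
        handle.thread.join()
        return handle.box["v"]

def fork_hides_termination(secret_bit):
    """Public output is the same whether or not the HIGH thread diverges."""
    m = Monitor()
    def secret_action():
        if secret_bit:
            threading.Event().wait()  # models a HIGH computation that never ends
        return secret_bit
    m.l_fork(HIGH, secret_action)
    m.write_public("done")            # reached for either value of secret_bit
    return list(m.public_out)

def wait_taints_parent():
    """After lWait the parent is HIGH: it sees the result but cannot publish it."""
    m = Monitor()
    value = m.l_wait(m.l_fork(HIGH, lambda: 42))
    try:
        m.write_public(value)
        allowed = True
    except PermissionError:
        allowed = False
    return m.current, value, allowed
```

With sequential toLabeled the parent would run secret_action inline, so a diverging HIGH branch would suppress the public write and leak secret_bit through termination; in the forked version the public output is identical for both values.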
Scalability
• Performance impact of forking new threads
  ◦ Minimal: Haskell’s threads are lightweight!
Guarantees & Limitations
• Formalized concurrent LIO as a call-by-name λ-calculus
  ◦ Added support for communication primitives
  ◦ Proved termination-sensitive non-interference
• Do not address covert channels outside the API
  ◦ Cache timing attacks
  ◦ Leaks through memory exhaustion
Thank you!
$ cabal install lio