Language-Based Information-Flow Security


Transcript of Language-Based Information-Flow Security

Page 1: Language-Based Information-Flow Security

1/16

Introduction Volpano, Rice Conclusion

Language-Based Information-Flow Security

Akram El-Korashy

Max Planck Institute for Informatics

December 14, 2015, IMPRS Research Seminar.

Based on Sabelfeld and Myers’ 2003 survey, and others.

Page 2: Language-Based Information-Flow Security

Information-Flow motivational example

Assumption about programming language

Security-augmented types [1]

Assume we have a programming language that is augmented with “levels” for variable types that distinguish public variables from secret variables, where public and secret here are in the real-world sense, not the programming encapsulation sense.

Goal is to enforce, e.g., confidentiality

We want the programming language’s type system to reject precisely the programs that leak secrets.

[1] The idea was first introduced by Volpano et al.’s “A Sound Type System for Secure Flow Analysis” in 1996, and Ørbaek’s “Trust in the λ-calculus” in 1995.

Page 4: Language-Based Information-Flow Security

Quiz

Does this program/process leak the secret?

    Data: s // secret
    Result: Run forever and output infinite tokens
    initialize x := 4;
    while true do
        initialize y := 0, mask := 11111111b;
        while y < x do
            if is_prime(y) and is_prime(x - y) then
                reset mask;
            end
            update y := y + 1
        end
        output bitwise_and(mask, s);
        update x := x + 2
    end

Page 6: Language-Based Information-Flow Security

What is the use of augmented types?

Why Types?

Robin Milner’s slogan: Well-typed programs cannot “go wrong”.

Figure: © www.britannica.com; © Computer Laboratory, University of Cambridge.

Build type semantics that incorporate security goals into the definition of type safety. Informally, e.g., insecure programs shouldn’t be allowed to compile successfully!

Page 8: Language-Based Information-Flow Security

Type system, operational semantics, how to detect a flow?

What are the rules that Volpano’s type system would enforce?

The hope is.. whatever rules we have, we can make a very precise judgement on programs being secure or insecure.

    // This program is secure. It never leaks any secret information.
    Data: s // secret, x
    Result: Compute magical count
    initialize c1, c2, i := 0, 0, 0;
    update s := s × x;
    while i < s do
        if s - (4 × i) = 1 or s - (4 × i) = 3 then
            c1 := 1;
        end
        if s - (2 × i) = 0 then
            c2 := 1;
        end
        update i := i + 1
    end
    output c1 + c2;

Page 10: Language-Based Information-Flow Security

Rules prohibit two kinds of flow

Explicit Flow

public_var := secret_value

Implicit Flow

if secret_expression then public_var := some_value...

while secret_expression do public_var := some_value...

Page 11: Language-Based Information-Flow Security

More formally.. Typing rules for expressions..

Figure: Typing rules for secure information flow [Volpano1996]

Page 12: Language-Based Information-Flow Security

and typing rules for commands..

Figure: Typing rules for secure information flow [Volpano1996]

Page 14: Language-Based Information-Flow Security

Provably sound

On the footprints of Milner.. All well-typed programs satisfy noninterference.

A program p guarantees noninterference means: for all pairs of variable states s1, s2, IF s1 and s2 agree on public variables (but may differ on secret ones), THEN the states resulting from executing p on s1 and on s2 must also agree on public variables.

Page 17: Language-Based Information-Flow Security

Complete?

Completeness

All programs that satisfy noninterference are well-typed.

This program is judged as unsafe, although it is indeed secure:

    (if s = 1 then x := 1 else x := 0); x := 0

Rice’s Theorem: Every non-trivial property of a computable partial function is undecidable.
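A runnable model of the two flow rules (explicit and implicit) and of the noninterference definition from the “Provably sound” slide, as an added example that is not from the slides or from Volpano’s paper: a two-level checker for a tiny while-language (programs encoded as nested tuples, an encoding chosen here) plus a brute-force noninterference test over the value domain {0, 1}. It assumes every program under test terminates; the incompleteness example above is rejected by the checker but passes the noninterference test.

```python
from itertools import product

def level_of(e, env):
    """H if the expression mentions any secret variable, else L."""
    if e[0] == "num": return "L"
    if e[0] == "var": return env[e[1]]
    return "H" if "H" in [level_of(sub, env) for sub in e[1:]] else "L"

def well_typed(c, env, pc="L"):
    """Reject explicit flows (H expression into an L variable) and implicit
    flows (assignment to an L variable under an H guard, tracked by pc)."""
    if c[0] == "skip": return True
    if c[0] == "assign":
        return env[c[1]] == "H" or (level_of(c[2], env) == "L" and pc == "L")
    if c[0] == "seq": return all(well_typed(k, env, pc) for k in c[1:])
    body_pc = "H" if "H" in (pc, level_of(c[1], env)) else "L"  # if / while
    return all(well_typed(k, env, body_pc) for k in c[2:])

def evaluate(e, st):
    if e[0] == "num": return e[1]
    if e[0] == "var": return st[e[1]]
    a, b = evaluate(e[1], st), evaluate(e[2], st)
    return {"eq": int(a == b), "add": a + b}[e[0]]

def run(c, st):
    """Big-step interpreter; assumes the program terminates on st."""
    if c[0] == "skip": return st
    if c[0] == "assign": return {**st, c[1]: evaluate(c[2], st)}
    if c[0] == "seq":
        for k in c[1:]: st = run(k, st)
        return st
    if c[0] == "if": return run(c[2] if evaluate(c[1], st) else c[3], st)
    while evaluate(c[1], st): st = run(c[2], st)  # while
    return st

def noninterferent(c, env, values=(0, 1)):
    """Low-equal initial states must yield low-equal final states (exhaustive)."""
    names = sorted(env); low = [x for x in names if env[x] == "L"]
    states = [dict(zip(names, v)) for v in product(values, repeat=len(names))]
    return all(run(c, s1)[x] == run(c, s2)[x] for s1 in states for s2 in states
               if all(s1[y] == s2[y] for y in low) for x in low)

ENV = {"s": "H", "x": "L"}
S_IS_1 = ("eq", ("var", "s"), ("num", 1))
EXPLICIT = ("assign", "x", ("var", "s"))                        # x := s
IMPLICIT = ("if", S_IS_1, ("assign", "x", ("num", 1)), ("skip",))
# The slides' incompleteness example: (if s = 1 then x := 1 else x := 0); x := 0
OVERWRITTEN = ("seq", ("if", S_IS_1, ("assign", "x", ("num", 1)),
                       ("assign", "x", ("num", 0))), ("assign", "x", ("num", 0)))
```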

Page 20: Language-Based Information-Flow Security

Computability theory refresher 1

Does program P halt on input I within 100 steps? Can we write a general program that decides this property about pairs (P, I)?

Yes, we can! This is not the halting problem.

P is a program, i.e., a string. It is not a function. A property of a computable function is only something that is general to every program computing this function.

Page 22: Language-Based Information-Flow Security

Computability theory refresher 2

Property of a partial function vs. property of a program computing it. We can write 3 different programs that compute the Fibonacci function. The fact that one computes fib(n) in O(log n), O(n) or O(2^n) is irrelevant to the "properties of the Fibonacci function". It’s a property of the program, not the mathematical function that the program intends to represent!

Page 25: Language-Based Information-Flow Security

Why then isn’t non-interference exempted from Rice’s restriction? It is a property on the memories, so it is program specific, right?

Yes and no!

No, because we consider all public variables to be relevant output, so they all contribute to the value of the function that the program computes!

Page 27: Language-Based Information-Flow Security

Moral is, we cannot be precise enough

If not because of undecidability, then at least because of yet open problems..

Answer to the Quiz: Goldbach’s conjecture

    Data: s // secret
    Result: Run forever and output infinite tokens
    initialize x := 4;
    while true do
        initialize y := 0, mask := 11111111b;
        while y < x do
            if is_prime(y) and is_prime(x - y) then
                reset mask;
            end
            update y := y + 1
        end
        output bitwise_and(mask, s);
        update x := x + 2
    end
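A direct model of the quiz program, as an added example that is not from the slides: each output token is mask AND s, and mask is cleared as soon as some prime pair y, x - y is found for the current even x, so a token can carry bits of s only for an even x ≥ 4 that is not a sum of two primes. It assumes that “reset mask” means mask := 0 and bounds the slide’s infinite loop at x_max; note that a security type system rejects the program regardless, since bitwise_and(mask, s) mentions the secret s, so no checker has to settle Goldbach’s conjecture.

```python
def is_prime(n):
    """Trial division; enough for the small x range we simulate."""
    if n < 2: return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))

def quiz_tokens(s, x_max):
    """Tokens the slide's program outputs for even x = 4, 6, ..., x_max
    (the slide runs forever; x_max is this example's assumption)."""
    tokens = []
    x = 4
    while x <= x_max:
        y, mask = 0, 0b11111111          # initialize y := 0, mask := 11111111b
        while y < x:
            if is_prime(y) and is_prime(x - y):
                mask = 0                  # reset mask (assumed: clear all bits)
            y += 1
        tokens.append(mask & s)           # output bitwise_and(mask, s)
        x += 2
    return tokens

def leaks_within(s, x_max):
    """True iff some token carries a bit of s, i.e. iff Goldbach's conjecture
    fails for some even x <= x_max."""
    return any(t != 0 for t in quiz_tokens(s, x_max))
```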

Page 28: Language-Based Information-Flow Security

Remarks

Abstract interpretation [Cousot et al.] is a powerful methodology that can be used for soundness analysis.

Other type systems that trace global flows can give more precise control-flow analysis [Clark et al.].

Integrity of “sensitive” variables is a security goal achievable by information-flow analysis in a way dual to confidentiality.

Robust Declassification is a framework offering relaxation to non-interference. The intuition is “although the system may release information, an attacker should have no control over what information is released” [Myers et al.].

Page 32: Language-Based Information-Flow Security

Personalized Differential Privacy is one area in which semantics of the query language can be used to guarantee interesting properties.

Jif is an implementation of a security-typed programming language.

Page 34: Language-Based Information-Flow Security

Questions?

Thank you!