Transcript of Language-Based Information-Flow Security
1/16
Introduction Volpano, Rice Conclusion
Language-Based Information-Flow Security
Akram El-Korashy
Max Planck Institute for Informatics
December 14, 2015. IMPRS Research Seminar.
Based on Sabelfeld and Myers’ 2003 survey, and others.
Information-Flow motivational example
Assumption about programming language

Security-augmented types [1]
Assume we have a programming language that is augmented with “levels” for variable types that distinguish public variables from secret variables, where public and secret here are in the real-world sense, not the programming-encapsulation sense.

Goal is to enforce, e.g., confidentiality
We want the programming language’s type system to reject precisely the programs that leak secrets.

[1] The idea was first introduced by Volpano et al.’s “A Sound Type System for Secure Flow Analysis” in 1996, and Ørbæk’s “Trust in the λ-calculus” in 1995.
Information-Flow motivational example
Quiz (with security types)
Does this program/process leak the secret?

Data: s // secret
Result: Run forever and output infinite tokens
initialize x := 4;
while true do
    initialize y := 0, mask := 11111111b;
    while y < x do
        if is_prime(y) and is_prime(x - y) then
            reset mask;
        end
        update y := y + 1
    end
    output bitwise_and(mask, s);
    update x := x + 2
end
What is the use of augmented types?
Why Types?
Robin Milner’s slogan: Well-typed programs cannot “go wrong”.
Figure: © www.britannica.com; © Computer Laboratory, University of Cambridge.
Build type semantics that incorporate security goals into the definition of type safety. Informally, e.g., insecure programs shouldn’t be allowed to compile successfully!
Type system, operational semantics, how to detect a flow?
What are the rules that Volpano’s type system would enforce?
The hope is.. whatever rules we have, we can make a very precise judgement on programs being secure or insecure.

// This program is secure. It never leaks any secret information.
Data: s // secret, x
Result: Compute magical count
initialize c1, c2, i := 0, 0, 0;
update s := s × x;
while i < s do
    if s - (4 × i) = 1 or s - (4 × i) = 3 then
        c1 := 1;
    end
    if s - (2 × i) = 0 then
        c2 := 1;
    end
    update i := i + 1
end
output c1 + c2;
Rules prohibit two kinds of flow

Explicit Flow
    public_var := secret_value

Implicit Flow
    if secret_expression then public_var := some_value ...
    while secret_expression do public_var := some_value ...
More formally.. Typing rules for expressions..
Figure: Typing rules for secure information flow [Volpano1996]
and typing rules for commands..
Figure: Typing rules for secure information flow [Volpano1996]
Provably sound
On the footprints of Milner.. All well-typed programs satisfy noninterference.
A program p guarantees noninterference means: for all pairs of variable states s1, s2, IF s1 and s2 agree on public variables (but may differ on secret ones), THEN the states resulting from executing p on s1 and on s2 must also agree on public variables.
Complete?
Completeness: All programs that satisfy noninterference are well-typed.
This program is judged as unsafe, although it is indeed secure:
    (if s = 1 then x := 1 else x := 0); x := 0
Rice’s Theorem: Every non-trivial property of a computable partial function is undecidable.
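A small checker for the explicit-flow and implicit-flow rules described above, applied to the talk’s programs (the explicit flow, the implicit flow, and the counterexample to completeness). This is an added example, not code from the talk or from Volpano et al.; the AST encoding, the two levels LOW and HIGH, and the names expr_level and check are my own.

```python
# Added example (not from the talk): Volpano-style security typing for a
# two-level while-language. A command is well-typed iff no assignment moves
# information from HIGH to LOW, explicitly (rhs) or implicitly (enclosing guards).
LOW, HIGH = 0, 1

# Expressions: ("const", n) | ("var", name) | ("op", sym, e1, e2)
# Commands:    ("skip",) | ("assign", name, expr) | ("seq", c1, c2)
#              ("if", guard, c_then, c_else) | ("while", guard, body)

def expr_level(e, env):
    """Level of an expression: the join (max) of the levels of its variables."""
    if e[0] == "const":
        return LOW
    if e[0] == "var":
        return env[e[1]]
    if e[0] == "op":
        return max(expr_level(e[2], env), expr_level(e[3], env))
    raise ValueError(f"unknown expression {e!r}")

def check(cmd, env, pc=LOW):
    """True iff cmd is well-typed under env; pc is the level of enclosing guards."""
    if cmd[0] == "skip":
        return True
    if cmd[0] == "assign":
        _, x, e = cmd
        # explicit flow: rhs level <= target; implicit flow: pc <= target
        return max(expr_level(e, env), pc) <= env[x]
    if cmd[0] == "seq":
        return check(cmd[1], env, pc) and check(cmd[2], env, pc)
    if cmd[0] in ("if", "while"):
        # a secret guard raises pc for every branch/body it controls
        body_pc = max(pc, expr_level(cmd[1], env))
        return all(check(c, env, body_pc) for c in cmd[2:])
    raise ValueError(f"unknown command {cmd!r}")

ENV = {"s": HIGH, "x": LOW, "y": LOW}          # s secret, x and y public
S_IS_1 = ("op", "=", ("var", "s"), ("const", 1))

EXPLICIT = ("assign", "x", ("var", "s"))                       # x := s
IMPLICIT = ("if", S_IS_1, ("assign", "x", ("const", 1)), ("skip",))
# The talk's counterexample to completeness: noninterfering, yet rejected.
DEAD_STORE = ("seq", ("if", S_IS_1, ("assign", "x", ("const", 1)),
                                    ("assign", "x", ("const", 0))),
              ("assign", "x", ("const", 0)))
# Public-to-secret flows are fine: y := x + 1; if s = 1 then s := x
SECURE = ("seq", ("assign", "y", ("op", "+", ("var", "x"), ("const", 1))),
          ("if", S_IS_1, ("assign", "s", ("var", "x")), ("skip",)))
```

The checker rejects DEAD_STORE even though the trailing `x := 0` erases the branch's effect, which is exactly the incompleteness the slide points out.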
Computability theory refresher 1
Does program P halt on input I within 100 steps? Can we write a general program that decides this property about pairs (P, I)?
Yes, we can! This is not the halting problem.
P is a program, i.e., a string. It is not a function. A property of a computable function is only something that is general to every program computing this function.
Computability theory refresher 2
Property of a partial function vs. property of a program computing it. We can write 3 different programs that compute the Fibonacci function. The fact that one computes fib(n) in O(log n), O(n) or O(2^n) is irrelevant to the "properties of the Fibonacci function". It’s a property of the program, not the mathematical function that the program intends to represent!
Why then isn’t non-interference exempted from Rice’s restriction? It is a property on the memories, so it is program specific, right?
Yes and no!
No, because we consider all public variables to be relevant output, so they all contribute to the value of the function that the program computes!
Moral is, we cannot be precise enough
If not because of undecidability, then at least because of yet-open problems..

Answer to the Quiz: Goldbach’s conjecture
Data: s // secret
Result: Run forever and output infinite tokens
initialize x := 4;
while true do
    initialize y := 0, mask := 11111111b;
    while y < x do
        if is_prime(y) and is_prime(x - y) then
            reset mask;
        end
        update y := y + 1
    end
    output bitwise_and(mask, s);
    update x := x + 2
end
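The quiz program above, run for a bounded number of even x, together with the two-run check from the noninterference definition earlier in the talk. This is an added example, not code from the talk; it assumes that “reset mask” means mask := 0, and the helper names quiz_program, noninterference_witness and leaky_variant are my own.

```python
# Added example (not from the talk): the quiz program run for a bounded
# number of even x, plus the two-run check from the noninterference
# definition. Assumption: "reset mask" means mask := 0.
def is_prime(n):
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def quiz_program(secret, n_rounds):
    """Talk's loop over x = 4, 6, 8, ... for n_rounds iterations.
    The public output is mask & secret, so the low byte of the secret
    becomes visible exactly on an even x that is NOT a sum of two primes."""
    outputs = []
    x = 4
    for _ in range(n_rounds):
        y, mask = 0, 0b11111111
        while y < x:
            if is_prime(y) and is_prime(x - y):
                mask = 0                      # reset mask
            y += 1
        outputs.append(mask & secret)         # the only public output
        x += 2
    return outputs

def noninterference_witness(program, secrets, n_rounds):
    """Two-run test from the definition: run on states that agree on the
    public part (n_rounds) and differ only in the secret; return the index
    of the first public output on which the runs disagree, or None."""
    runs = [program(s, n_rounds) for s in secrets]
    for i, outs in enumerate(zip(*runs)):
        if len(set(outs)) > 1:
            return i
    return None

def leaky_variant(secret, n_rounds):
    """Same program with the reset removed: every round outputs the low byte."""
    return [0b11111111 & secret for _ in range(n_rounds)]
```

Within any bound you can afford to run, the two runs agree, so testing cannot distinguish this program from a noninterfering one; the typing rules reject it regardless, because `bitwise_and(mask, s)` is a secret-typed expression flowing to a public output.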
Remarks
Abstract interpretation [Cousot et al.] is a powerful methodology that can be used for soundness analysis.
Other type systems that trace global flows can give more precise control-flow analysis [Clark et al.].
Integrity of “sensitive” variables is a security goal achievable by information-flow analysis in a way dual to confidentiality.
Robust Declassification is a framework offering relaxation to non-interference. The intuition is “although the system may release information, an attacker should have no control over what information is released” [Myers et al.].
Personalized Differential Privacy is one area in which semantics of the query language can be used to guarantee interesting properties.
Jif is an implementation of a security-typed programming language.
Questions?
Thank you!