Secure Information Flow and CPS
Steve Zdancewic, joint work with Andrew Myers, Cornell University
ESOP01 slides (31 pages)
Posted 20-Dec-2015 (Documents)

Transcript

Page 1: Steve Zdancewic ESOP01 1 Secure Information Flow and CPS Steve Zdancewic Joint work with Andrew Myers Cornell University.

Secure Information Flow and CPS
Steve Zdancewic, joint work with Andrew Myers
Cornell University

Page 2: Valuable Data On-line

• Internet and Connectivity
  – banks/brokerage firms
  – e-mail services
  – applets, plugins, etc.
  – …

• Creates problem of protection

Page 3: Protect It!

• Confidentiality
  – Data doesn't escape
  – Does my accounting software transmit my private information?

• Integrity
  – Trustworthiness of data
  – Does my accounting software use “bad” information to compute taxes?

Page 4: Information Flow

• Policies on information
• End-to-End
  – Once data is released to a program, must ensure that policy is obeyed.

• Need static analysis

Page 5: Security-Typed Languages

• Statically enforce security policies in an extended type system
  – Smith & Volpano [SVI96, SV98, ...]

– Heintze & Riecke [HR98, ABHR99]

– Myers [ML97,My99,...]

– Sabelfeld & Sands [SS99, SS00]

– Pottier & Conchon [PC00,...]

Page 6: Noninterference

“Low-security behavior of the program is not affected by any high-security data.” Goguen & Meseguer 1982

[Diagram: two runs of the program, one on inputs H1, L1 giving outputs H2, L2 and one on inputs H3, L1 giving outputs H4, L2; the low observer L sees the same L2 in both runs.]

Page 7: Our Goal

• Study information flow in rich language
  – Higher-order functions
  – State

• Noninterference proof

Page 8: Continuation Passing Style

• Useful representation of low-level code – verify output of the compiler.

• Main complication: explicit control and interaction with effects

Page 9: Outline

• Motivating Example
• Problem with Naïve CPS translation
• Ordered Linear Continuations
• Wrap up

Page 10: Security Types

• A lattice L of labels
  – order: L is below H
  – join: L joined with H is H

• Types have labels: intH or boolL

Page 11: Example

    if0 (x:intH){
        y := 1;
    } else {
        y := 2;
    }
    z := 3;

Pages 12-17: Example (the pc labels are filled in step by step across these slides; final state shown)

    pc:L
    if0 (x:intH){
        y := 1;   // pc:H, so y:intH
    } else {
        y := 2;   // pc:H
    }
    pc:L
    z := 3;       // z:intL

Page 18: PC Label

• Side-effects are bounded by PC label.

Rule for x := e: given x : s ref, e : r and pc : p, the assignment is allowed only if the join of p and r is below s.

Page 19: What about functions?

• Effects inside a function must also be bounded by PC label.

f(e)

f:r

p rpc:p

e:

Pages 20-22: Naive CPS

    let k = (). z := 3;      // k's body is checked with pc:H, so z:intH
    if0 (x:intH){ y := 1; k(); } else { y := 2; k(); }    // k() is invoked with pc:H in both branches

Page 23: Linear Continuations

let k = (). z := 3; //z:intH

if0 (x:intH){ y := 1; k(); } else { y := 2; k(); }

k is used linearly!
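An added example (not from the slides or the paper) that runs the pc-label rules of pages 10 to 19 and the naive versus linear continuation typing of pages 20 to 23 as a toy Python checker. Assumed simplifications: two labels L and H; programs are nested-tuple ASTs; an ordinary continuation body is checked under the join of the pcs at all its call sites, while a linear continuation keeps its definition-site pc provided every control path invokes it exactly once.

```python
from functools import reduce
# Toy checker (added example, not the paper's type system). Simplifications:
# labels L < H; an ordinary continuation body is checked under the join of
# the pc at all its call sites; a linear continuation keeps its definition-
# site pc, provided it is invoked exactly once on every control path.
def join(a, b): return 'H' if 'H' in (a, b) else 'L'
def leq(a, b): return a == 'L' or b == 'H'

def label(expr, env):          # ('var', name) or ('const', n); constants are L
    return env[expr[1]] if expr[0] == 'var' else 'L'

def calls(term, k, env, pc):   # per control path: pcs at which k is invoked
    tag = term[0]
    if tag == 'goto':
        return [[pc]] if term[1] == k else [[]]
    if tag == 'halt':
        return [[]]
    if tag == 'if0':
        inner = join(pc, label(term[1], env))
        return calls(term[2], k, env, inner) + calls(term[3], k, env, inner)
    return calls(term[-1], k, env, pc)       # assign/let/letlin: follow the rest

def check(term, env, pc='L'):
    """True if term type-checks under program-counter label pc."""
    tag = term[0]
    if tag in ('goto', 'halt'):
        return True
    if tag == 'assign':                      # x := e needs (pc join r) below s
        _, x, e, rest = term
        return leq(join(pc, label(e, env)), env[x]) and check(rest, env, pc)
    if tag == 'if0':                         # branches run under pc join label(e)
        inner = join(pc, label(term[1], env))
        return check(term[2], env, inner) and check(term[3], env, inner)
    _, k, body, rest = term                  # 'let' (ordinary) or 'letlin' (linear)
    paths = calls(rest, k, env, pc)          # pcs at each call site, per path
    if tag == 'letlin' and any(len(p) != 1 for p in paths):
        return False                         # a linear continuation: once per path
    # naive rule: body pc covers every call site; linear rule: definition-site pc
    body_pc = pc if tag == 'letlin' else reduce(join, [s for p in paths for s in p], pc)
    return check(body, env, body_pc) and check(rest, env, pc)

def slide_program(binder):
    """let k = (). z := 3; if0 (x:intH){ y := 1; k(); } else { y := 2; k(); }"""
    return (binder, 'k', ('assign', 'z', ('const', 3), ('halt',)),
            ('if0', ('var', 'x'),
             ('assign', 'y', ('const', 1), ('goto', 'k')),
             ('assign', 'y', ('const', 2), ('goto', 'k'))))

ENV = {'x': 'H', 'y': 'H', 'z': 'L'}         # constructed: z is a low reference
```

With `ENV`, `check(slide_program('let'), ENV)` is rejected because the naive rule forces `z:intH`, while `check(slide_program('letlin'), ENV)` is accepted, which is the point of page 23.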

Page 24: Main Idea

• Use linear continuations to express the control-flow properties of the source language via types

• But...not quite enough

Page 25: Order of Evaluation

• The order in which the continuations are invoked is also important!

• Can observe the order via side effects

• So...ordered linear continuations

Page 26: What Are They?

• Linear continuations: First-class postdominators of control flow graph

• Ordered linear continuations: Encode the control stack

Page 27: Target CPS Language

• Includes regular continuations and ordered linear continuations

• Careful manipulation of context:

    | kn,…,k1 [pc] e      (the ordered list kn,…,k1 of linear continuations encodes the control stack)

Page 28: Noninterference

If x:H |[L] e : intL, then for all v1, v2 : H such that (M, e{v1/x}) evaluates to (M1, n1) and (M, e{v2/x}) evaluates to (M2, n2), the memories M1 and M2 agree on their L-labelled parts and n1 = n2.

Page 29: Results

• Formalize ordered linear continuations in the type system

• Prove that the CPS language enjoys noninterference
  – Proof hinges on ordering property
  – First proof for such a rich language

• Expressive enough as a target

Page 30: (no slide text in transcript)

Page 31: Other Connections

• Linearity of control also plays a role in security-typed versions of the π-calculus [Honda et al.]

• Linear control is interesting in its own right