
Information Flow Control by Program Analysis, Markus Müller-Olm (PowerPoint presentation)



  1. Information Flow Control by Program Analysis
     Markus Müller-Olm, Westfälische Wilhelms-Universität Münster, Germany
     IFIP WG 2.2 Meeting, Bordeaux, September 18-20, 2017

  2. Context
     Work in progress from a joint project with Gregor Snelting (KIT): Information flow control for mobile components based on precise analysis of parallel programs
     Part of priority programme 1496 "Reliably Secure Software Systems" (RS³), funded by DFG (German Research Foundation)
     Special thanks to Benedikt Nordhoff
     Markus Müller-Olm, WWU Münster, IFIP WG 2.2 Meeting, Bordeaux, September 18-20, 2017

  3. What This Talk is About
     Theme: How can program analysis technology be used for information flow analysis?
     Program analysis: data-flow analysis, abstract interpretation, invariant generation, software model checking, ...
     Information flow analysis: see next slide

  4. Information Flow: Example
     [Figure: a free email app; labelled elements: Start of App, Contacts, Ad-Server, Display Emails]
     Reference scenarios of SPP RS³:
     - Certifying app store for Android
     - E-Voting systems
     - Software security for mobile devices

  5. Non-Interference
     For simplicity: transformational, terminating programs only.
     Semantic setup:
       Variables: Var = Low ⨃ High
       States: S = { s | s : Var → Val }
       Program semantics: ⟦p⟧ : S → S
       Low-equivalence of states: s ~L s' :⟺ s|Low = s'|Low
     Program p is called non-interferent iff for all s, s' ∈ S: s ~L s' ⟹ ⟦p⟧(s) ~L ⟦p⟧(s')

  6. Possibilistic Non-Interference
     Semantics of non-deterministic programs: ⟦p⟧ : S → 2^S
     Refinement: p ⊑ p' :⟺ ∀s : ⟦p⟧(s) ⊆ ⟦p'⟧(s)
     Program p is called non-interferent iff for all s, s' ∈ S: s ~L s' ⟹ ∀r ∈ ⟦p⟧(s) : ∃r' ∈ ⟦p⟧(s') : r ~L r'
     Refinement Paradox: Non-interference is not preserved by refinement.
       Example: l := ? is non-interferent, its refinement l := h is not.
       Reason: Non-interference is a "hyper-property".

  7. A Fundamental Problem
     - Abstraction is inherent to program analysis
     - However, as just observed (Refinement Paradox): non-interference does not transfer from abstractions
     - Consequence: program analysis cannot be applied directly to non-interference

  8. Program Dependence Graphs (PDGs)
     - A structure known from program slicing
     - Nodes correspond to statements and conditions; we add artificial nodes for the initial and final values of program variables
     - Edges capture data dependences and control dependences
     - PDGs can be applied for non-interference analysis
     Analysis principle: If there is no path in the PDG from a high input to a low output, then the program is non-interferent.

  9. Direct and Indirect Flows
     Direct flows, e.g. l := h: captured by data dependence edges in the PDG.
       [Figure: PDG fragment with nodes h?, h := 99, l := h]
     Indirect flows, e.g. if h > 0 then l := 0 else l := 1: captured by control dependence edges in the PDG.
       [Figure: PDG fragment with nodes if h > 0, l := 0, l := 1]

  10. Example 1
      Program: l := h; if l > 0, with the two branches assigning l := 1 and l := 0
      [Figure: PDG with nodes h?, l := h, if l > 0 (true/false), l := 1, l := 0, l!]
      There is a path from h? to l!. Hence: the program may be interferent.

  11. Example 2
      Program: l := h; l := 10; if l > 0, with the two branches assigning l := 1 and l := 0
      [Figure: PDG with nodes h?, l := h, l := 10, if l > 0 (true/false), l := 1, l := 0, l!]
      There is no path from h? to l!. Hence: the program is non-interferent.

  12. [Snelting] Path Conditions
      Goal: Improve the precision of PDG-based dependence analysis.
      Idea: For each path in the PDG indicating critical flow, read off a necessary condition for flow from the guards. If all these conditions are unsatisfiable, there is no flow.
      Caveat: Requires programs in SSA form.

  13. Path conditions improve precision of PDGs
      Program: if flag, with branches x := 7 and x := h; then if (!flag) then l := x
      [Figure: PDG with nodes h?, if flag (true/false), x := 7, x := h, if (!flag) (true/false), l := x, l!]
      PDG alone: false alarm. With path conditions: OK, since the path condition flag ∧ !flag is unsatisfiable.

  14. Further Improvements by Data Analysis Desirable
      Program: if b, with branches assigning x := h / y := h and goLeft := true / goLeft := false; then if (goLeft), with branches l := x / l := y
      [Figure: PDG with nodes h?, if b (true/false), x := h, y := h, goLeft := true, goLeft := false, if (goLeft) (true/false), l := x, l := y, l!]
      PDG + path conditions: false alarm. With an additional invariant: OK.
      Path condition for the left path: b ∧ goLeft ∧ goLeft = !b
      Path condition for the right path: !b ∧ !goLeft ∧ goLeft = !b

  15. The Show Stopper
      Program (as laid out on the slide): l := true; x := false; if h then x := true; if (!x) then l := false
      [Figure: PDG with nodes h?, l := true, x := false, if h (true/false), x := true, if (!x) (true/false), l := false, l!]
      PDG + path conditions + invariant: unsound
      Path condition: h ∧ !x ∧ x = h
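As an added example (not from the talk), a brute-force check of the slide-5 definition of non-interference over a two-valued domain, run on Examples 1 and 2 and on the show-stopper program as read from slide 15 (l := true; x := false; if h then x := true; if (!x) then l := false; that reading of the slide layout is assumed). It returns a witness pair of low-equivalent states whose outputs differ, which is the flow that PDG + path conditions + invariant miss on this program.

```python
from itertools import product

VALS = (0, 1)   # constructed two-valued domain; true/false are written 1/0

def interference_witness(prog, variables, low):
    """Brute-force check of the slide-5 definition: return a pair of low-equivalent
    states s ~L s' with prog(s) not ~L prog(s'), or None if prog is non-interferent."""
    states = [dict(zip(variables, vs)) for vs in product(VALS, repeat=len(variables))]
    def low_view(s):                    # s|Low
        return tuple(s[v] for v in low)
    for s in states:
        for t in states:
            if low_view(s) == low_view(t) and low_view(prog(dict(s))) != low_view(prog(dict(t))):
                return s, t
    return None

def example1(s):      # l := h; if l > 0 then l := 1 else l := 0            (slide 10)
    s["l"] = s["h"]
    s["l"] = 1 if s["l"] > 0 else 0
    return s

def example2(s):      # l := h; l := 10; if l > 0 then l := 1 else l := 0   (slide 11)
    s["l"] = s["h"]
    s["l"] = 10
    s["l"] = 1 if s["l"] > 0 else 0
    return s

def show_stopper(s):  # l := true; x := false; if h then x := true; if (!x) then l := false  (slide 15, reading assumed)
    s["l"], s["x"] = 1, 0
    if s["h"]:
        s["x"] = 1
    if not s["x"]:
        s["l"] = 0
    return s
```

interference_witness(show_stopper, ("h", "x", "l"), ("l",)) returns two states that agree on l but differ in h and end with different l, i.e. l ends up equal to h.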

  16. A Glimpse of Data Flow Slicing
      - Guiding intuition: flow happens along PDG paths only
      - Add a new type of dependencies (data control dependencies) to avoid the soundness problem
      - Define a notion of critical executions based on data, control and data-control dependencies
      - The set of critical executions is regular for a given program
      - Prove: if the program has no critical execution, then the program is non-interferent (in Isabelle!)
      - Check the absence of critical executions using data analyses (e.g. using CPAchecker [Beyer et al.])
      - Note: the approach allows checking non-interference by safety analysis!

  17. A Glimpse of Data Flow Slicing: Example
      [Figure, left: the program of slide 14 (if b / ¬b with x := h, y := h, goLeft := true, goLeft := false; then if goLeft / ¬goLeft with l := x, l := y). Right: critical executions automaton with transitions labelled by data dependences DD(h), DD(x), DD(y), DD(l) and guards b, ¬b, goLeft, ¬goLeft]

  18. A Glimpse of Data Flow Slicing: Example
      [Figure: product of program and automaton, annotated with constant-propagation facts ⊤, ⊥, true and false at the nodes y := h, x := h, goLeft := true, goLeft := false, l := y, l := x]
      Constant propagation on the product proves the absence of critical information flow.

  19. Discussion
      Approach for non-interference analysis by classic program analysis.
      Alternative approaches:
      - Self-composition
      - Hyper-logics
      Further work in our project:
      - Use DPNs to help PDG-based non-interference analysis of parallel programs based on LSOD
      - Use DPNs to help type-based non-interference analysis of parallel programs
