information flow control for concurrent programs via
play

Information Flow Control for Concurrent Programs via Program Slicing - PowerPoint PPT Presentation

May 23, 2023 •339 likes •582 views

Information Flow Control for Concurrent Programs via Program Slicing Dennis Giffhorn Universitt Karlsruhe (TH), Germany Dennis Giffhorn (Universitt Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID08 1 / 19 Context

  1. Information Flow Control for Concurrent Programs via Program Slicing Dennis Giffhorn Universität Karlsruhe (TH), Germany Dennis Giffhorn (Universität Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID’08 1 / 19

  2. Context Slicing-based program security, focusing on Java Program dependence analysis for full Java (Hammer/Snelting: An improved slicer for Java , PASTE’04) Slicing of concurrent programs (Krinke: Context-sensitive slicing of concurrent programs , ESEC/FSE’03) Connection between IFC and slicing (Snelting et al.: Efficient path conditions in dependence graphs for software safety analysis , TOSEM’06) Slicing-based IFC algorithm for sequential Java (Hammer/Krinke: Intransitive noninterference in dependence graphs , ISOLA’06) Dennis Giffhorn (Universität Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID’08 2 / 19

  3. Information Flow Control Does a program leak confidential information? Data is classified with security levels high and low Scenario: Attacker wants to gain information about high input data and can observe parts of program behaviour ◮ Low-classified data at certain program points (e.g. input, output) ◮ The relative order of low-observable events ◮ Termination behaviour → low-observable behaviour Noninterference (idea): Two inputs that only differ on high input have to cause the same low-observable behaviour ⇒ Attacker cannot draw conclusions about high input Dennis Giffhorn (Universität Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID’08 3 / 19

  4. Sequential Programs Sufficient to control explicit and implicit flow l1 = pin; if (pin > 12345) l2 = 1; print(l1+l2); Explicit flow from pin to l1 Implicit flow from pin to l2 Attacker can see the output ⇒ pin must not contain high data Dennis Giffhorn (Universität Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID’08 4 / 19

  5. Sequential Programs Sufficient to control explicit and implicit flow l1 = pin; if (pin > 12345) l2 = 1; print(l1+l2); Explicit flow from pin to l1 Implicit flow from pin to l2 Attacker can see the output ⇒ pin must not contain high data Dennis Giffhorn (Universität Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID’08 4 / 19

  6. Sequential Programs Sufficient to control explicit and implicit flow l1 = pin; if (pin > 12345) l2 = 1; print(l1+l2); Explicit flow from pin to l1 Implicit flow from pin to l2 Attacker can see the output ⇒ pin must not contain high data Dennis Giffhorn (Universität Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID’08 4 / 19

  7. Probabilistic Channels Not sufficient for concurrent programs Problem: High data may influence interleaving h = readPIN(); || l1 := 1; while (h != 0) || print(l2); h�-; || l1 := 2; || print(l1); || The larger the value of h , ◮ the larger the probability that l1 = 2 when printed ◮ the larger the probability that l1 is printed after l2 ⇒ probabilistic channels Dennis Giffhorn (Universität Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID’08 5 / 19

  8. Probabilistic Noninterference A program input can cause a set of possible low-observable behaviours Each one has a certain probability (scheduler-dependent) Probabilistic noninterference (idea): Two inputs that only differ on high input have to cause the same possible low-observable behaviours with the same probabilities ⇒ Attacker cannot draw conclusions about high input Dennis Giffhorn (Universität Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID’08 6 / 19

  9. Probabilistic Channels h = readPIN(); || l1 := 1; while (h != 0) || print(l2); h�-; || l1 := 2; || print(l1); || Necessary condition: A data conflict between two concurrent accesses to a shared variable, where at least one of which is a write An order conflict between two concurrent low-observable events Dennis Giffhorn (Universität Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID’08 7 / 19

  10. Probabilistic Channels h = readPIN(); || l1 := 1; while (h != 0) || print(l2); h�-; || l1 := 2; || print(l1); || Necessary condition: A data conflict between two concurrent accesses to a shared variable, where at least one of which is a write An order conflict between two concurrent low-observable events Dennis Giffhorn (Universität Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID’08 7 / 19

  11. Probabilistic Channels h = readPIN(); || l1 := 1; while (h != 0) || print(l2); h�-; || l1 := 2; || print(l1); || Necessary condition: A data conflict between two concurrent accesses to a shared variable, where at least one of which is a write An order conflict between two concurrent low-observable events Dennis Giffhorn (Universität Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID’08 7 / 19

  12. Probabilistic Channels h = readPIN(); || l1 := 1; while (h != 0) || print(l2); h�-; || l1 := 2; || print(l1); || Necessary condition: A data conflict between two concurrent accesses to a shared variable, where at least one of which is a write An order conflict between two concurrent low-observable events Dennis Giffhorn (Universität Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID’08 7 / 19

  13. Observational Determinism Low-observable behaviour does not depend on a conflict → no probabilistic channels Such a program is observational deterministic ◮ The same input produces always the same low-observable behaviour ◮ It is sufficient to check implicit and explicit flow Security for concurrent programs: Observational determinism + sane implicit and explicit flow Generalization of prob. NI: Only one possible low-observable behaviour with probability = 1 Dennis Giffhorn (Universität Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID’08 8 / 19

  14. IFC for Concurrent Programs via Program Slicing A three-phase approach Annotate the program 1 Check observational determinism 2 Check explicit and implicit flow 3 ◮ Algorithm of Hammer/Krinke. ◮ Developed for full sequential Java Dennis Giffhorn (Universität Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID’08 9 / 19

  15. Program Dependence Graph h = readPIN(); || l1 := 1; while (h != 0) || print(l2); h�-; || l1 := 2; || print(l1); || Statements are the nodes The definition of a variable defined at v reaches its use at w (not redefined inbetween) (Data Dependence). v controls the execution of w (termination-insensitive) (Control Dependence) v controls the execution of w (termination-sensitive) (Weak Control Dependence) Dennis Giffhorn (Universität Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID’08 10 / 19

  16. Program Dependence Graph h = readPIN(); || l1 := 1; while (h != 0) || print(l2); h�-; || l1 := 2; || print(l1); || thread_1 thread_2 print(l1) h = pin(); while(h>=0) l1 = 2; l1 = 1; print(l2) h--; control dependence weak control dependence data dependence Dennis Giffhorn (Universität Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID’08 11 / 19

  17. Program Annotation h = readPIN(); || l1 := 1; while (h != 0) || print(l2); h�-; || l1 := 2; || print(l1); || Phase 1: Annotate program Annotation mechanism similar to Hammer/Krinke Sources of information are annotated with a providing level Observable statements are annotated with a requiring level ◮ h = readPIN() gets providing level high ◮ both print-statements get requiring level low Dennis Giffhorn (Universität Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID’08 12 / 19

  18. Conflict Dependence h = readPIN(); || l1 := 1; while (h != 0) || print(l2); h�-; || l1 := 2; || print(l1); || Augment the PDG with conflict dependences representing a data conflict or an order conflict Data conflicts: Directed from the write-access to the other one Order conflicts: Between two concurrent low-observable events, bidirected Dennis Giffhorn (Universität Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID’08 13 / 19

  19. Conflict Dependence h = readPIN(); || l1 := 1; while (h != 0) || print(l2); h�-; || l1 := 2; || print(l1); || thread_1 thread_2 print(l1) while(h>=0) l1 = 1; h = pin(); l1 = 2; print(l2) h--; control dependence weak control dependence data dependence conflict dependence Dennis Giffhorn (Universität Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID’08 14 / 19

  20. Check Observational Determinism Phase 2: Check observational determinism Compute a slice for the low-class. statements If the slice contains a conflict dependence, the program is not obs. det. → reject program thread_1 thread_2 while(h>=0) print(l1) l1 = 1; h = pin(); l1 = 2; print(l2) h--; control dependence weak control dependence data dependence conflict dependence Dennis Giffhorn (Universität Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID’08 15 / 19

  21. Check Implicit and Explicit Flow Phase 3: Check implicit and explicit flow Basic idea: Compute a slice for the low-class. statements If it contains a statement with a provided level of high, reject the program thread_1 thread_2 while(h>=0) print(l1) l1 = 1; h = pin(); l1 = 2; print(l2) h--; control dependence weak control dependence data dependence conflict dependence Dennis Giffhorn (Universität Karlsruhe (TH)) IFC for Concurrent Programs via Slicing PLID’08 16 / 19

Recommend

Information flow control 1 D. Denning and P. Denning Certification of Programs for Secure

Information flow control 1 D. Denning and P. Denning Certification of Programs for Secure

Secure Architecture Principles Information flow control 1 D. Denning and P. Denning Certification of Programs for Secure Information Flow (CACM 1976) Review Access Control Discretionary access control (DAC) Philosophy: users have

321 views • 16 slides
Overview/Questions How do we control the flow of execution within our programs? How can

Overview/Questions How do we control the flow of execution within our programs? How can

CS101 Lecture 24: Python: Decision Making Aaron Stevens 25 March 2009 1 Overview/Questions How do we control the flow of execution within our programs? How can a programs input alter the instructions that get executed? How

226 views • 12 slides
HW/SW Codesign Analysis of Control & Data Flow I ECE 522 Control and Data Edges C programs

HW/SW Codesign Analysis of Control & Data Flow I ECE 522 Control and Data Edges C programs

HW/SW Codesign Analysis of Control & Data Flow I ECE 522 Control and Data Edges C programs (and pseudo-code) are often used as prototypes because they represent high-level descriptions of system behavior However, C is sequential and cannot

572 views • 15 slides
Statements and Control Flow The programs we have seen so far do exactly the same list of

Statements and Control Flow The programs we have seen so far do exactly the same list of

Statements and Control Flow The programs we have seen so far do exactly the same list of instructions every time What if we want to do different things for different inputs? Do some action only if a specified condition is met We

921 views • 52 slides
Practical Mostly-Static Information Flow Control Andrew Myers MIT Lab for Computer Science

Practical Mostly-Static Information Flow Control Andrew Myers MIT Lab for Computer Science

Practical Mostly-Static Information Flow Control Andrew Myers MIT Lab for Computer Science Privacy Old problem (secrecy, confidentiality) : prevent programs from leaking data Untrusted, downloaded code: more important Standard

891 views • 23 slides
with Deferrable constraints in Haskell through the tale of a Haskell information flow control

with Deferrable constraints in Haskell through the tale of a Haskell information flow control

Gradually typed DSLs with Deferrable constraints in Haskell through the tale of a Haskell information flow control library Pablo Buiras, Alejandro Russo, Dimitrios Vytiniotis Information flow control 101 Non- interference:

465 views • 31 slides
if Statement Programs often contain statements that may or may Flow of Control: Branching not

if Statement Programs often contain statements that may or may Flow of Control: Branching not

if Statement Programs often contain statements that may or may Flow of Control: Branching not be executed depending on conditions. An if statement checks whether a condition is true (Savitch, Chapter 3) before deciding whether to execute

344 views • 7 slides
Continuation and Exceptions Control Flow In Sequential Languages cs3723 1 Imperative

Continuation and Exceptions Control Flow In Sequential Languages cs3723 1 Imperative

Continuation and Exceptions Control Flow In Sequential Languages cs3723 1 Imperative Programming Control Flow of Programs Structured control flow Sequence of statements { a:= b; b := c; } Conditional if (a < b) then c

176 views • 15 slides
Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson , Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang .org Enforcing information flow control is critical

1.02k views • 58 slides
From Concurrent Programs to Simulating Sequential Programs: Correctness of a Transformation VPT

From Concurrent Programs to Simulating Sequential Programs: Correctness of a Transformation VPT

From Concurrent Programs to Simulating Sequential Programs: Correctness of a Transformation VPT 2017 Allan Blanchard, Fr ed eric Loulergue, Nikolai Kosmatov April 29 th , 2017 From Concurrent Programs to Simulating Sequential Programs

488 views • 37 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification and overview of main techniques TCP Tahoe, Reno, Vegas TCP Westwood Readings: (1) Keshavs book Chapter on Flow Control; (2)

374 views • 22 slides
Verification of Parameterized Concurrent Programs By Modular Reasoning about Data and Control

Verification of Parameterized Concurrent Programs By Modular Reasoning about Data and Control

Verification of Parameterized Concurrent Programs By Modular Reasoning about Data and Control Zachary Kincaid Azadeh Farzan University of Toronto January 18, 2013 Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18,

751 views • 54 slides
Verifying that a compiler preserves concurrent value-dependent information-flow security Robert

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert Sison (UNSW Sydney, Data61) and Toby Murray (University of Melbourne) September 2019 THE UNIVERSITY OF NEW SOUTH WALES www.data61.csiro.au So

1.94k views • 156 slides
Control flow Conditionals and Control Flow l A conditional branch

Control flow Conditionals and Control Flow l A conditional branch

10/2/15 Control flow Conditionals and Control Flow l A conditional branch is sufficient to implement most control Condition codes flow constructs offered in higher

356 views • 12 slides
1 Why Why flow flow control? control? sender

1 Why Why flow flow control? control? sender

Lecture 7. Lecture 7. TCP mechanisms for: TCP mechanisms for: data transfer control / flow control error control congestion control Graphical examples (applet java) of several algorithms at:

589 views • 13 slides
Motivation Intra-procedural analysis depends upon accurate control-flow information. In the

Motivation Intra-procedural analysis depends upon accurate control-flow information. In the

Motivation Intra-procedural analysis depends upon accurate control-flow information. In the presence of certain language features (e.g. indirect calls) it is nontrivial to predict accurately how control may flow at execution time the nave

594 views • 42 slides
Transactions Concurrent execution of user programs is essential for good DBMS performance.

Transactions Concurrent execution of user programs is essential for good DBMS performance.

Transaction Management and Concurrency Control Chapter 16, 17 Instructor: Vladimir Zadorozhny vladimir@sis.pitt.edu Information Science Program School of Information Sciences, University of Pittsburgh 1 Database Management Systems, R.

147 views • 12 slides
Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of Computer Science, Purdue University Project 2 j Now posted on the class webpage. Due Wed, Sept. 17 at 10 pm. Start early All

663 views • 22 slides
SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil

SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil

SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil Swamy, Aseem Rastogi, Aymeric Fromherz , Denis Merigoux, Danel Ahman, Guido Martinez ICFP 2020 1/12 Verifying Concurrent Programs Lots of recent work

556 views • 37 slides
Information flow control for the web Prof. Frank PIESSENS Overview The web platform Web

Information flow control for the web Prof. Frank PIESSENS Overview The web platform Web

Information flow control for the web Prof. Frank PIESSENS Overview The web platform Web script security: threats and countermeasures A formal model of web scripts Information flow security Secure multi-execution The

2.25k views • 131 slides
V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control

310 views • 12 slides
Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control structures

540 views • 34 slides
Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable Concurrency Predicate Abstraction for Concurrent Programs Boolean Programs with Bounded Replication Boolean Programs with Unbounded Replication D.

774 views • 50 slides

More recommend