
Information Flow Tracking Andrei Sabelfeld Chalmers - PowerPoint PPT Presentation



  1. Information Flow Tracking Andrei Sabelfeld Chalmers https://www.cse.chalmers.se/~andrei EWSCS 2019

  2. Language: c ::= skip | x:=exp | c;c | if exp then c else c | while exp do c

  3. Explicit flows (h is high/secret, l is low/public):
     l:=h          insecure
     l:=h; l:=0    secure
     h:=l; l:=h    secure

  4. Implicit flows (an implicit flow from h to l):
     h:=…;
     l:=false;
     if h then l:=true else skip;
     out(l)
     Problem: insecure even when nothing is assigned to l inside the if!

  5. Confidentiality
     • Noninterference [Goguen & Meseguer]: as the high input is varied, the low-level outputs stay unchanged
     (diagram: two runs with high inputs h1 and h2 and the same low input l yield the same low output l')

  6. Confidentiality for sequential programs: noninterference
     • How do we formalize noninterference in terms of program semantics?
     Memory m : Vars → Vals; big-step evaluation <c,m> ⇓ m' takes command c from initial memory m to final memory m'

  7. Low equivalence
     • Indistinguishability by attackers: m =_L m' ⟺ m|_L = m'|_L, where m|_L is the low projection of m

  8. Noninterference
     • As the high input is varied, low-level behavior stays unchanged:
       c is secure if ∀ m1, m2. m1 =_L m2 & <c,m1> ⇓ m1' & <c,m2> ⇓ m2' ⟹ m1' =_L m2'

  9. Security type system
     • Prevents explicit flows: l:=… may not use high variables
     • Prevents implicit flows; no public side effects when branching on secrets: if e then … and while e do … may not assign to low variables when e is secret

  10. Security structure
      Γ : Vars → {low, high}, with high = {h, …} (secret) and low = {l, …} (public)
      • Order: low ⊑ high
      • Security lattice: high ⊔ low = high

  11. Security type system: expressions

      ───────────   (no premises)
       exp : high

      ∀ x ∈ Vars(exp). Γ(x) = low
      ────────────────────────────
               exp : low

  12. Security-type system: commands 1 (atomic commands; pc is the context)

      ───────────
      pc ⊢ skip

      exp : ℓ    ℓ ⊔ pc ⊑ Γ(x)
      ─────────────────────────
           pc ⊢ x:=exp

  13. Security-type system: commands 2

      pc ⊢ c1    pc ⊢ c2
      ───────────────────
        pc ⊢ c1; c2

      exp : ℓ    ℓ ⊔ pc ⊢ c1    ℓ ⊔ pc ⊢ c2
      ─────────────────────────────────────   implicit flows: branches of a high if must
           pc ⊢ if exp then c1 else c2         be typable in a high context

      exp : ℓ    ℓ ⊔ pc ⊢ c
      ──────────────────────
       pc ⊢ while exp do c

  14. A security-type system: examples
      low ⊢ h:=l+4; l:=l-5
      pc ⊢ if h then h:=h+7 else skip
      low ⊢ while l<34 do l:=l+1
      pc ⊢ while h<4 do l:=l+1

  15. Type inference: example (derivation, premises above conclusions)
      5 : low    3 : low    l=0 : low
      [low] ⊢ l:=5    [low] ⊢ l:=3
      [low] ⊢ if l=0 then l:=5 else l:=3
      [low] ⊢ h:=h+1
      [low] ⊢ h:=h+1; if l=0 then l:=5 else l:=3

  16. What does the type system guarantee? Soundness theorem: pc ⊢ c ⟹ c is secure

  17. Proof
      • Confinement: high ⊢ c & <c,m> ⇓ m' ⟹ m =_L m'
      • Security: pc ⊢ c ⟹ c is secure
      • Induction on the structure of c

  18. Confidentiality: examples
      Program                       Secure?                       Typable?
      l:=h                          insecure (direct)             untypable
      l:=h; l:=0                    secure                        untypable
      h:=l; l:=h                    secure                        untypable
      if h=0 then l:=0 else l:=1    insecure (implicit flow)      untypable
      while h=0 do skip             secure (up to termination)    typable
      if h=0 then sleep(1000)       secure (up to timing)         typable
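The rules of slides 10 to 13 as a working type checker, added here as an example (it is not code from the slides or from the author). The tuple encoding of programs and the regular expression used for Vars(exp) are my own choices. It runs the judgments of slide 14 and the programs of the table above (sleep(1000) is omitted because it is not in the slide 2 language) and reports which are typable, which makes the two directions of the soundness theorem visible: every typable program in the table is secure, while secure programs such as l:=h; l:=0 are rejected.

```python
import re

# Programs of the while-language on slide 2, encoded as nested tuples (my encoding):
#   ('skip',)  ('assign', x, exp)  ('seq', c1, c2)  ('if', exp, c1, c2)  ('while', exp, c)
# Expressions are strings; Vars(exp) is read off with a regular expression.

LEVEL = {'low': 0, 'high': 1}          # two-point lattice, low ⊑ high (slide 10)

def join(a, b):                        # a ⊔ b
    return a if LEVEL[a] >= LEVEL[b] else b

def leq(a, b):                         # a ⊑ b
    return LEVEL[a] <= LEVEL[b]

def vars_of(exp):
    return set(re.findall(r'[A-Za-z_]\w*', exp))

class Untypable(Exception):
    """Carries the rule that failed, so the reader sees *why* a program is rejected."""

def type_exp(exp, gamma):
    """Slide 11: exp : low iff every variable in it is low; otherwise exp : high."""
    return 'low' if all(gamma[x] == 'low' for x in vars_of(exp)) else 'high'

def typecheck(c, gamma, pc='low'):
    """Decide pc ⊢ c with the rules of slides 12 and 13; raise Untypable otherwise."""
    kind = c[0]
    if kind == 'skip':                                   # pc ⊢ skip
        return True
    if kind == 'assign':                                 # exp:ℓ   ℓ ⊔ pc ⊑ Γ(x)   /   pc ⊢ x:=exp
        x, exp = c[1], c[2]
        lvl = join(type_exp(exp, gamma), pc)
        if not leq(lvl, gamma[x]):
            raise Untypable(f'{x}:={exp} in context {pc}: {lvl} is not ⊑ Γ({x})={gamma[x]}')
        return True
    if kind == 'seq':                                    # pc ⊢ c1   pc ⊢ c2   /   pc ⊢ c1;c2
        return typecheck(c[1], gamma, pc) and typecheck(c[2], gamma, pc)
    if kind == 'if':                                     # both branches checked in context ℓ ⊔ pc
        ctx = join(type_exp(c[1], gamma), pc)
        return typecheck(c[2], gamma, ctx) and typecheck(c[3], gamma, ctx)
    if kind == 'while':                                  # loop body checked in context ℓ ⊔ pc
        ctx = join(type_exp(c[1], gamma), pc)
        return typecheck(c[2], gamma, ctx)
    raise ValueError(f'unknown command {kind!r}')

def typable(c, gamma, pc='low'):
    try:
        return typecheck(c, gamma, pc)
    except Untypable:
        return False

GAMMA = {'h': 'high', 'l': 'low'}

# The judgments of slide 14 and the programs of slide 18.
EXAMPLES = {
    'h:=l+4; l:=l-5':             ('seq', ('assign', 'h', 'l + 4'), ('assign', 'l', 'l - 5')),
    'if h then h:=h+7 else skip': ('if', 'h', ('assign', 'h', 'h + 7'), ('skip',)),
    'while l<34 do l:=l+1':       ('while', 'l < 34', ('assign', 'l', 'l + 1')),
    'while h<4 do l:=l+1':        ('while', 'h < 4', ('assign', 'l', 'l + 1')),
    'l:=h':                       ('assign', 'l', 'h'),
    'l:=h; l:=0':                 ('seq', ('assign', 'l', 'h'), ('assign', 'l', '0')),
    'h:=l; l:=h':                 ('seq', ('assign', 'h', 'l'), ('assign', 'l', 'h')),
    'if h=0 then l:=0 else l:=1': ('if', 'h == 0', ('assign', 'l', '0'), ('assign', 'l', '1')),
    'while h=0 do skip':          ('while', 'h == 0', ('skip',)),
}

def check_all():
    """Map each example to whether low ⊢ c holds."""
    return {name: typable(c, GAMMA) for name, c in EXAMPLES.items()}

if __name__ == '__main__':
    for name, ok in check_all().items():
        print(f'{name:30} {"typable" if ok else "untypable"}')
```

The checker is a conservative approximation: `while h<4 do l:=l+1` fails because the body is checked in context high and `l:=l+1` then needs high ⊑ Γ(l) = low, exactly the implicit-flow rule, while `l:=h; l:=0` fails on its first assignment even though the final memory never depends on h.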

  19. Covert channels: termination
      • Covert channels are mechanisms not intended for information transfer
      • Is while h>0 do h:=h+1 secure?
      • So far, our definition has been termination-insensitive

  20. Termination-sensitive noninterference
      c is secure if ∀ m1, m2. m1 =_L m2 & <c,m1> ⇓ m1' ⟹ <c,m2> ⇓ m2' & m1' =_L m2'
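The definitions of slide 8 (termination-insensitive) and slide 20 (termination-sensitive) as an executable check, added here as an example and not part of the slides. It enumerates every pair of low-equivalent memories over a small value domain and runs a step-bounded interpreter for the slide 2 language; the tuple encoding of programs, the step budget used to detect divergence and the value domain {0, 1, 2} are my assumptions.

```python
import itertools

# Programs of slide 2 as nested tuples (my encoding, not from the slides):
#   ('skip',)  ('assign', x, exp)  ('seq', c1, c2)  ('if', exp, c1, c2)  ('while', exp, c)
# Expressions are Python expression strings over the program variables.

class Diverges(Exception):
    """The step budget ran out; the run is treated as non-terminating."""

def evaluate(exp, mem):
    return eval(exp, {'__builtins__': {}}, dict(mem))   # toy language over constructed programs only

def run(c, mem, fuel=400):
    """Big-step semantics <c,m> ⇓ m' of slide 6, with a step budget so that a loop
    such as 'while h>0 do h:=h+1' is reported as divergent instead of hanging."""
    mem = dict(mem)
    todo = [c]
    while todo:
        fuel -= 1
        if fuel < 0:
            raise Diverges()
        cmd = todo.pop()
        kind = cmd[0]
        if kind == 'assign':
            mem[cmd[1]] = evaluate(cmd[2], mem)
        elif kind == 'seq':
            todo.append(cmd[2]); todo.append(cmd[1])        # c1 runs before c2
        elif kind == 'if':
            todo.append(cmd[2] if evaluate(cmd[1], mem) else cmd[3])
        elif kind == 'while' and evaluate(cmd[1], mem):
            todo.append(cmd); todo.append(cmd[2])           # run the body, then re-test the guard
        # 'skip' and a false while-guard do nothing
    return mem

def low_equal(m1, m2, low):
    """m1 =_L m2 (slide 7): agreement on the low projection."""
    return all(m1[x] == m2[x] for x in low)

def memories(variables, values):
    for vals in itertools.product(values, repeat=len(variables)):
        yield dict(zip(variables, vals))

def noninterference(c, gamma, values=(0, 1, 2)):
    """Brute-force both definitions over a finite value domain.
    Returns (tini, tsni): termination-insensitive NI (slide 8) and
    termination-sensitive NI (slide 20)."""
    low = [x for x, lvl in gamma.items() if lvl == 'low']
    tini = tsni = True
    for m1, m2 in itertools.product(list(memories(list(gamma), values)), repeat=2):
        if not low_equal(m1, m2, low):
            continue
        try:
            r1 = run(c, m1)
        except Diverges:
            continue                 # a diverging first run constrains nothing in either definition
        try:
            r2 = run(c, m2)
        except Diverges:
            tsni = False             # m1 terminates but m2 does not: only the TS definition notices
            continue
        if not low_equal(r1, r2, low):
            tini = tsni = False      # two terminating runs disagree on a low variable
    return tini, tsni

GAMMA = {'h': 'high', 'l': 'low'}
EXAMPLES = {
    'l:=h':                       ('assign', 'l', 'h'),
    'l:=h; l:=0':                 ('seq', ('assign', 'l', 'h'), ('assign', 'l', '0')),
    'if h=0 then l:=0 else l:=1': ('if', 'h == 0', ('assign', 'l', '0'), ('assign', 'l', '1')),
    'while h=0 do skip':          ('while', 'h == 0', ('skip',)),
    'while h>0 do h:=h+1':        ('while', 'h > 0', ('assign', 'h', 'h + 1')),
}

def check_all():
    return {name: noninterference(c, GAMMA) for name, c in EXAMPLES.items()}

if __name__ == '__main__':
    for name, (tini, tsni) in check_all().items():
        print(f'{name:30} TINI={tini!s:5} TSNI={tsni}')
```

Because the domain is finite and divergence is approximated by a step budget, a "secure" verdict here is evidence for a demonstration, not a proof; the type system of slides 12 and 13 is what gives the guarantee. The two loop examples show the gap between the definitions: both satisfy the slide 8 definition, since every pair of terminating runs agrees on l, but both fail the slide 20 definition, because whether they terminate at all depends on h.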

  21. Covert channels: timing
      (if h then sleep(1000)); l:=1  ||  sleep(500); l:=0
      • Timing-sensitive noninterference

  22. Example: M^k mod n
      s = 1;
      for (i=0; i<w; i++) {
        if (k[i])
          C = (s*M) mod n;
        else
          C = s;
        s = C*C;
      }
      No information flow to low variables, but the entire key can be revealed by measuring timing [Kocher '96]

  23. Transforming out timing leaks
      Branching on high causes leaks:
      if k[i] then C = (s*M) mod n else C = s

  24. Transforming out timing leaks: cross-copy low slices
      if k[i] then C = (s*M) mod n; C /= s
              else C /= (s*M) mod n; C = s
      (C /= e is a non-assignment: e is evaluated exactly as in the other branch, but its value is not stored in C)
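The loop of slide 22 and its cross-copied form of slide 24 under a simple cost model, added here as an example that is not from the slides. A counter of modular multiplications stands in for wall-clock time, the squaring step is reduced mod n (the slide writes s = C*C), and M = 7, n = 1019 and the exponent width are constructed test values.

```python
def modexp_leaky(M, k_bits, n):
    """Slide 22: one extra multiplication in every iteration where k[i] is 1.
    k_bits[0] is the most significant bit of the exponent; the result is the final C."""
    cost, s, C = 0, 1, 1
    for bit in k_bits:
        if bit:
            C = (s * M) % n
            cost += 1
        else:
            C = s
        s = (C * C) % n              # slide writes s = C*C; reduced mod n here
        cost += 1
    return C, cost

def modexp_cross_copied(M, k_bits, n):
    """Slide 24: each branch also performs the other branch's work as a
    'non-assignment' (C /= e): the expression is evaluated, the value discarded."""
    cost, s, C = 0, 1, 1
    for bit in k_bits:
        if bit:
            C = (s * M) % n
            cost += 1
            _ = s                    # C /= s
        else:
            _ = (s * M) % n          # C /= (s*M) mod n
            cost += 1
            C = s
        s = (C * C) % n
        cost += 1
    return C, cost

def to_bits(k, w):
    """Big-endian w-bit representation of the exponent k."""
    return [(k >> (w - 1 - i)) & 1 for i in range(w)]

def timing_profile(fn, w, M=7, n=1019):
    """Cost observed for every w-bit exponent: what an observer measuring time would see."""
    return {k: fn(M, to_bits(k, w), n)[1] for k in range(1 << w)}

def all_correct(fn, w, M=7, n=1019):
    """Both loops must still compute M^k mod n for every w-bit k."""
    return all(fn(M, to_bits(k, w), n)[0] == pow(M, k, n) for k in range(1 << w))

if __name__ == '__main__':
    for fn in (modexp_leaky, modexp_cross_copied):
        costs = sorted(set(timing_profile(fn, 6).values()))
        print(f'{fn.__name__:20} correct={all_correct(fn, 6)} distinct costs={costs}')
```

In this model the original loop costs w + (number of one bits) multiplications, so the cost alone reveals the Hamming weight of the key and, with per-iteration measurements, each bit; the cross-copied loop always costs 2w. The transformation only removes the dependency carried by the branch: a practitioner still has to check that the multiplication itself has no data-dependent timing and that the compiler does not delete the non-assignment as dead code, since either would reintroduce a channel the source-level transformation cannot see.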

  25. Covert channels: probabilistic
      • Possibilistically but not probabilistically secure program: l:=PIN |_{9/10} l:=rand(9999)
      • Probabilistic noninterference
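Exact output distributions for the slide 25 program, added here as an example that is not from the slides. I read l:=PIN |_{9/10} l:=rand(9999) as a probabilistic choice that runs the left branch with probability 9/10 and otherwise assigns a value drawn uniformly from 0..9999; both readings of the notation are assumptions.

```python
from fractions import Fraction

PIN_SPACE = 10000           # rand(9999) draws uniformly from 0..9999 (my reading of the slide)

def output_distribution(pin, p_left=Fraction(9, 10)):
    """Exact distribution of l after  l:=PIN |_{9/10} l:=rand(9999):
    with probability p_left the left branch runs, otherwise the right one."""
    dist = {v: (1 - p_left) / PIN_SPACE for v in range(PIN_SPACE)}
    dist[pin] += p_left
    return dist

def possible_outputs(dist):
    """What a possibilistic observer sees: only which values can occur at all."""
    return frozenset(v for v, pr in dist.items() if pr > 0)

def compare(pin1, pin2):
    """(same set of possible outputs?, same probabilities?) for two secret PINs."""
    d1, d2 = output_distribution(pin1), output_distribution(pin2)
    return possible_outputs(d1) == possible_outputs(d2), d1 == d2

def best_guess(dist):
    """The value an observer of a single run should guess, and its success probability."""
    v = max(dist, key=dist.get)
    return v, dist[v]
```

For any two PINs the sets of possible outputs coincide (every value in 0..9999 can appear), which is why the program is possibilistically secure, yet the distributions differ: a single observation of l equals the PIN with probability 9/10 + 1/100000, so the probabilistic definition rightly rejects it.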

  26. Information flow challenge (http://ifc-challenge.appspot.com/)
      • Attack the system to learn the secret
      • Type systems to break: 1. No restriction 2. Explicit flows 3. Implicit flows 4. Termination 5. Declassification 6. Exceptions 7. Let 8. Procedures 9. References 10. Arrays
      • First to complete: send me an email :)

  27. References
      • Language-based information-flow security [Sabelfeld & Myers, IEEE JSAC, 2003]
