Secure Information Flow Analysis for a Distributed OO Language - PowerPoint PPT Presentation

Secure Information Flow Analysis for a Distributed OO Language Martin Pettai University of Tartu / Cybernetica AS October 8, 2011

Introduction • We analyze a language with objects, asynchronous method calls and futures • We use an information-flow type system to prevent insecure flows in the programs written in this language • Synchronization creates additional flows • We consider both direct and indirect flows and also flows through non-termination

The language • A simplified version of the concurrent object level of Core ABS • No synchronous method calls • No boolean guards • No interfaces

Syntax (1) Pr ::= Cl B program Cl ::= class C { T f M } class definition

Syntax (2) x | n | o | b | f local variable | task | object | cog | field name l [ , i ] → Cmd l ( T ))( x ) B M ::= ( m : ( l , T ) method definition B ::= { T x s ; x } method body v ::= x | this | this . f variable i ::= . . . | − 1 | 0 | 1 | . . . integer e ::= e p | e s expression e p ::= v | null | i | e p = e p pure expression e s ::= e p ! l m ( e p ) | e p . get l | new C | new cog C expression with side effects s ::= v := e | e | skip | suspend l | await l g statement | if ( e p ) s else s | while l ( e p ) s | s ; s g ::= v ? guard l ::= L | H security level ℓ ::= l | i security level or integer T ::= Int l | C l | Fut ℓ l ( T ) | Guard ℓ security type l

Operational semantics (1) • The run-time configurations consist of cogs ( b ), objects ( o ), and tasks ( n ). P ::= b [ n 1 , n 2 ] | o [ b , C , σ ] | n � b , o , σ, s � | P � P • Creating new tasks, objects, cogs: n ′ fresh x ); x ′ body ( m ) = s (¯ s task = grab l ; s [¯ a / ¯ x ]; release l ; x ′ (acall) o ′ [ b ′ , C , σ ′ ] � n � b , o , σ, R 1 [ o ′ ! l m (¯ a )]; s � � � o ′ [ b ′ , C , σ ′ ] � n � b , o , σ, R 1 [ n ′ ]; s � � n ′ � b ′ , o ′ , σ init , s task � o ′ fresh n � b , o , σ, R 1 [ new C ]; s � � n � b , o , σ, R 1 [ o ′ ]; s � � o ′ [ b , C , σ init ] (new) b ′ fresh o ′ fresh (newcog) n � b , o , σ, R 1 [ new cog C ]; s � � � n � b , o , σ, R 1 [ o ′ ]; s � � b ′ [ ⊥ , ⊥ ] � o ′ [ b ′ , C , σ init ]

Operational semantics (2) • Synchronization: n � b , o , σ, suspend l ; s � � n � b , o , σ, release l ; grab l ; s � (suspend) b [ ⊥ , ⊥ ] � n � b , o , σ, grab L ; s � � b [ n , n ] � n � b , o , σ, s � (grab L ) b [ n ′ , ⊥ ] � n � b , o , σ, grab H ; s � � b [ n ′ , n ] � n � b , o , σ, s � (grab H ) b [ n , n ] � n � b , o , σ, release L ; s � � b [ ⊥ , ⊥ ] � n � b , o , σ, s � (release L ) b [ n ′ , n ] � n � b , o , σ, release H ; s � � b [ n ′ , ⊥ ] � n � b , o , σ, s � (release H ) n � b , o , σ ′ , await l ( n ′ ?); s � � n ′ � b ′ , o ′ , σ, x � � n � b , o , σ ′ , s � � n ′ � b ′ , o ′ , σ, x � (await 2 ) n � b , o , σ ′ , await l ( n ′ ?); s � � n ′ � b ′ , o ′ , σ, s ′ ; x � � � n � b , o , σ ′ , suspend l ; await l ( n ′ ?); s � � n ′ � b ′ , o ′ , σ, s ′ ; x �

Locks • Every cog has a high and a low lock • A task can execute only when it has the high lock • A task can change the low (publicly visible) part of the state only when it also has the low lock (this is checked statically by the type system)

Security types • The types in the type system are the following: T ::= Int l | C l | Fut ℓ l ( T ) | Guard ℓ l | Exp l ( T ) | Cmd l | l [ , i ] | Cmd l ( T ) | ( l , T ) → Cmd l ( T ) l ::= L | H • The possible types of futures are Fut L L ( T ) (corresponding to a low task), Fut L H ( T ) (high-low task), and Fut H H ( T ) (high-high task) • Both low and high tasks can await for high-low tasks • Only low tasks can await for low tasks • Only high-high tasks can await for high-high tasks

Subtyping rules Guard i H ≤ Guard L l ≤ l L ≤ H H l 2 ≤ l 1 ℓ 3 ≤ ℓ 4 l 2 ≤ l 1 ℓ 3 ≤ ℓ 4 T 5 ≤ T 6 Guard ℓ 3 l 1 ≤ Guard ℓ 4 Fut ℓ 3 l 1 ( T 5 ) ≤ Fut ℓ 4 l 2 ( T 6 ) l 2 l 1 ≤ l 2 l 1 ≤ l 2 γ, l ⊢ e : T γ, l ⊢ e : Exp L ( T ) C l 1 ≤ C l 2 Int l 1 ≤ Int l 2 γ, l ⊢ s : Cmd l 1 γ, l ⊢ e : T 1 T 1 ≤ T 2 l 1 ≤ l 2 γ, l ⊢ s : Cmd l 2 γ, l ⊢ e : T 2 γ, l 1 ⊢ s : Cmd l l 1 ≥ l 2 γ, l 2 ⊢ s : Cmd l

Some type rules l → Cmd l 1 ( T 2 ) γ, l ⊢ e : C l 0 γ, l ⊢ e : T γ ( C . m ) = l 0 , T l 0 ≥ l T ≥ l l 1 = l (ACall 1 ) γ, l ⊢ e ! l m ( e ) : Fut l 1 l ( l ∨ l 1 ∨ T 2 ) γ, l ⊢ e : Guard l 1 l γ, l ⊢ await l ( e ) : Cmd l 1 (Await 1 ) γ, l ⊢ s : Cmd l γ, l ⊢ e : Int l (While) γ, l ⊢ while l ( e ) s : Cmd l

Low-equivalence γ, H ⊢ s ′ : Cmd H γ, l ⊢ s : Cmd H γ, H ⊢ s : Cmd H s ∼ γ s s ∼ γ s ′ γ, H ⊢ s ′ : Cmd H ( T ) γ, l ⊢ s : Cmd H ( T ) γ, H ⊢ s : Cmd H ( T ) s ∼ γ s s ∼ γ s ′ γ, H ⊢ s 1 : Cmd H γ, H ⊢ s 1 : Cmd H s 2 ∼ γ s ′ s 2 ∼ γ s ′ s 2 ∼ γ s ′ 2 2 2 s 1 ; s 2 ∼ γ s ′ s 2 ∼ γ s 1 ; s ′ s 1 ; s 2 ∼ γ s 1 ; s ′ 2 2 2 σ ∼ γ σ ′ ≡ dom ( σ ) = dom ( σ ′ ) ∧ ∀ v ∈ dom ( σ ) . level ( γ ( v )) = L ⇒ σ ( v ) = σ ′ ( v ) b [ n 1 , n 2 ] ∼ γ b [ n 1 , n ′ 2 ] σ ∼ γ σ ′ σ ∼ γ σ ′ s ∼ γ s ′ P 1 ∼ γ P ′ P 2 ∼ γ P ′ 1 2 P 1 � P 2 ∼ γ P ′ 1 � P ′ o [ b , C , σ ] ∼ γ o [ b , C , σ ′ ] n � b , o , σ, s � ∼ γ n � b , o , σ ′ , s ′ � 2 γ, H ⊢ s : Cmd l 1 ( T 2 ) γ, H ⊢ s : Cmd l 1 ( T 2 ) P ∼ γ P ′ P ∼ γ P ′ n � b , o , σ, s � � P ∼ γ P ′ P ∼ γ n � b , o , σ, s � � P ′

High and low steps and locks • A high step cannot change the low-equivalence class of a configuration, a low step may change it • Each cog has two locks for synchronization of its tasks • The high lock is needed to make a high step • Both locks are needed to make a low step • Suspending in high context releases only the high lock

Insecure information flows • Within one task, there can be direct flows, indirect flows, and flows through non-termination • Security of these flows is easily enforced by the type system γ, l ⊢ s 1 : Cmd l 1 γ, l ∨ l 1 ⊢ s 2 : Cmd l 2 (Seq 1 ) γ, l ⊢ s 1 ; s 2 : Cmd l 1 ∨ l 2 γ, l ⊢ s 1 : Cmd l 1 γ, l ∨ l 1 ⊢ s 2 : Cmd l 2 ( T ) (Seq 2 ) γ, l ⊢ s 1 ; s 2 : Cmd l 1 ∨ l 2 ( T ) • Synchronization between tasks introduces additional flows

Flows through synchronization (1) • An example • A high task n 1 in cog b 1 makes a high while loop (e.g. while h do skip ) whose termination depends on secret data • A low task n 2 in cog b 1 is about to make a low side effect (e.g. call a method in cog b 2 that does l := 0 ) • The low side effect can be blocked by a non-terminating high loop • To prevent this, while and await loops suspend after each iteration (while) n � b , o , σ, while l ( e ) s 1 ; s 2 � � � n � b , o , σ, if ( e ) ( s 1 ; suspend l ; while l ( e ) s 1 ) else skip ; s 2 � (await 1 ) n � b , o , σ ′ , await l ( n ′ ?); s � � n ′ � b ′ , o ′ , σ, x � � � n � b , o , σ ′ , s � � n ′ � b ′ , o ′ , σ, x � (await 2 ) n � b , o , σ ′ , await l ( n ′ ?); s � � n ′ � b ′ , o ′ , σ, s ′ ; x � � � n � b , o , σ ′ , suspend l ; await l ( n ′ ?); s � � n ′ � b ′ , o ′ , σ, s ′ ; x �

Flows through synchronization (2) • For a high-low task n 4 , non-termination must not be allowed, as it can leak secret information to any low task awaiting for n 4 • It is not enough to disallow loops, infinite recursion must also be prevented γ, l , i ⊢ e : Guard i 1 i 1 < i l (Await 2 ) γ, l , i ⊢ await l ( e ) : Cmd L

Flows through synchronization (3) • An example • Low task n 1 in cog b 1 is in high context and awaits for a high-low task n 2 in cog b 2 • The high lock of b 2 is held by a low task n 3 in cog b 2 • Here it may depend on the high variables in n 1 whether low steps must be made in n 3 before the next low step in n 1 or not • The following rule removes this dependency the next step of s 1 is low and the task n ′ is high-low (await 3 ) n � b , o , σ ′ , await H ( n ′ ?); s � � n ′ � b ′ , o ′ , σ, grab H ; s ′ ; x � � � n 1 � b ′ , o 1 , σ 1 , s 1 � � b ′ [ n 1 , n 1 ] � n � b , o , σ ′ , suspend H ; await H ( n ′ ?); s � � � n ′ � b ′ , o ′ , σ, s ′ ; x � � n 1 � b ′ , o 1 , σ 1 , grab H ; s 1 � � b ′ [ n 1 , n ′ ]

Non-interference • We have proved concurrent non-interference Definition (Non-interference) A program Cl { T x s ; x 0 } is non-interferent if for any three states σ 0 , σ • 0 and σ 1 satisfying σ 0 ∼ x : T σ 1 , ∗ � n 0 � b 0 , null , σ • b 0 [ n 0 , n 0 ] � n 0 � b 0 , null , σ 0 , s ; release L ; x 0 � 0 , x 0 �� . . . implies that there exists a state σ • 1 with σ • 1 ( x 0 ) = σ • 0 ( x 0 ) and ∗ � n 0 � b 0 , null , σ • b 0 [ n 0 , n 0 ] � n 0 � b 0 , null , σ 1 , s ; release L ; x 0 � 1 , x 0 �� . . . . Theorem (Subject reduction) If P 1 and P 2 are well typed under γ and P 1 ∼ γ P 2 then if P 1 � P ′ 1 2 such that P 2 � ∗ P ′ then there exists P ′ 2 and P ′ 1 ∼ γ P ′ 2 .