Security Types Preserving Compilation

  1. Security Types Preserving Compilation
     Tamara Rezk (joint work with Gilles Barthe and Amitabh Basu)
     Everest Team, INRIA Sophia Antipolis, http://www-sop.inria.fr/everest/
     CASSIS - March 2004 Security Types Preserving Compilation – p.1/18

  2. Motivation
     Mobile code + security properties of the compiled code + untrusted compiler (on the server side) + efficiency (on the client side).
     Without trusting the compiler, we want to know whether the compiled code is secure w.r.t. non-interference or not.
     Computing a type for the compiled code on the client side is possible, but this is not efficient!

  3. What do we want?
     1. On the server side: compute a type for the source code that assures security properties of the source code (the security source type).
     2. Send the compiled code + the type for the source code.
     3. On the client side: transform the source type into a security target type that assures security properties of the target code.

  4. What do we do?
     We use the type system for non-interference for a while-language given by Volpano & Smith.
     We define a type system for low-level code and prove soundness.
     Given a compiler, we prove that a type for source code can ALWAYS be transformed into a type for target code.

  5. Outline of the Talk
     - Non-Interference: An Overview
     - JVM-like Language
     - Indistinguishability
     - Type System
     - Compilation
     - Source Language
     - Preservation of Security Types
     - Conclusion & Further Work

  6. Non Interference (diagram: High Information / Low Information)

  7. Non Interference
     Executing a program on initial states that are indistinguishable will not result in observable differences for the attacker. More formally:

  8. JVM-like Language
     Instructions: primitive value/operation; load the value of a variable on the stack; store the top of the stack in a variable; conditional jump; unconditional jump; procedure call; return.

  9. Memory Model
     A state of an execution is a tuple of three components: a procedure name and a program point; a mapping from variables to values; a stack of values.

  10. Memory Indistinguishability
      Value indistinguishability w.r.t. a security level. The relation is extended pointwise to maps. Stack indistinguishability.

  11. Operand Stack Indistinguishability
      Defined relative to two operand stacks of security levels.
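As an added illustration that is not part of the talk, the following Python encodes the JVM-like language of slide 8 with the state model of slide 9, the value, memory and operand-stack indistinguishability relations of slides 10 and 11, and an exhaustive check of the non-interference property of slide 7 over a tiny value domain. The instruction encoding, the two-point lattice L < H, the policy and the three sample programs are assumptions of this example; the operand-stack relation is simplified to stacks of equal length with equal level stacks, which is stricter than the definition in the talk may be.

```python
# Added example, not from the talk: the JVM-like language of slide 8 with the
# state model of slide 9, the indistinguishability relations of slides 10-11,
# and a brute-force check of the non-interference definition of slide 7.
from itertools import product
from operator import add

L, H = "L", "H"                                   # two-point lattice, L < H

def leq(a, b): return a == L or b == H

# Hypothetical instruction encoding, one tuple per instruction:
#   ("push", n)  primitive value        ("binop", f)  primitive operation on the top two
#   ("load", x)  load value of x        ("store", x)  store top of stack in x
#   ("ifeq", k)  jump to k if top == 0  ("goto", k)   unconditional jump   ("return",)
def run(code, mem, fuel=10_000):
    """Execute from program point 0; a state is (pc, memory, operand stack) as on slide 9."""
    pc, mem, stack = 0, dict(mem), []
    while fuel:
        fuel -= 1
        op, *args = code[pc]
        if op == "push": stack.append(args[0]); pc += 1
        elif op == "load": stack.append(mem[args[0]]); pc += 1
        elif op == "store": mem[args[0]] = stack.pop(); pc += 1
        elif op == "binop": b, a = stack.pop(), stack.pop(); stack.append(args[0](a, b)); pc += 1
        elif op == "ifeq": pc = args[0] if stack.pop() == 0 else pc + 1
        elif op == "goto": pc = args[0]
        elif op == "return": return mem
        else: raise ValueError(op)
    raise RuntimeError("out of fuel")   # divergence is not an observation here (termination-insensitive)

def value_indist(v1, v2, level, observer):
    """Value indistinguishability w.r.t. the observer's level: values at a level the
    observer can read must be equal; values above it may differ freely."""
    return v1 == v2 if leq(level, observer) else True

def mem_indist(m1, m2, policy, observer):
    """Pointwise extension to memories; policy maps each variable to its level."""
    return all(value_indist(m1[x], m2[x], policy[x], observer) for x in policy)

def stack_indist(s1, s2, ls1, ls2, observer):
    """Operand stack indistinguishability relative to two stacks of levels (slide 11).
    Assumed here: equal length and equal level stacks, compared position by position."""
    if not (len(s1) == len(s2) == len(ls1) == len(ls2)) or ls1 != ls2:
        return False
    return all(value_indist(v1, v2, lv, observer) for v1, v2, lv in zip(s1, s2, ls1))

def non_interferent(code, policy, observer=L, domain=(0, 1, 2)):
    """Slide 7, checked exhaustively over a small value domain: every pair of
    indistinguishable initial memories must end in indistinguishable final memories."""
    names = sorted(policy)
    mems = [dict(zip(names, vals)) for vals in product(domain, repeat=len(names))]
    for m1, m2 in product(mems, repeat=2):
        if mem_indist(m1, m2, policy, observer) and \
           not mem_indist(run(code, m1), run(code, m2), policy, observer):
            return False
    return True

# Constructed programs over the policy h: H (secret), l: L (public).
POLICY = {"h": H, "l": L}
SAFE = [("load", "l"), ("push", 1), ("binop", add), ("store", "l"),   # l := l + 1
        ("load", "l"), ("store", "h"), ("return",)]                  # h := l  (low to high is fine)
EXPLICIT = [("load", "h"), ("store", "l"), ("return",)]              # l := h
IMPLICIT = [("load", "h"), ("ifeq", 5),                              # if h == 0 then l := 0 else l := 1
            ("push", 1), ("store", "l"), ("goto", 7),
            ("push", 0), ("store", "l"), ("return",)]
```

`non_interferent(SAFE, POLICY)` holds, while both `EXPLICIT` and `IMPLICIT` are rejected: the implicit flow leaks `h` through the conditional jump even though no instruction copies `h` into `l`, which is exactly why the low-level type system of the next slides needs control dependence regions rather than a per-instruction check alone.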

  12. Abstract Semantics
      The abstract semantics is a partial function. A security level is recorded for each program point; it determines the typing constraints for the instruction at that point and the constraints for the successors of the instruction.

  13. Control Dependence Regions
      The type system is parameterized by control dependence regions.

  14. Types & Soundness
      Theorem 1. Typable programs are non-interferent.

  15. Source Language

  16. Preservation of Security Types
      Theorem 2.
      The proof is itself an algorithm: given the security type of the source program and the compiled program, a security type for the low-level program can be computed.
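To show how the statement of Theorem 2 becomes an algorithm, here is an added Python example, not code from the talk or from the Everest team: a Volpano & Smith style typing of a while-language produces the source type on the server side, the compiler transforms that type into a target type (a security level per program point plus the control dependence regions of slide 13), and a low-level type checker in the spirit of slides 12 to 14 re-verifies the target code on the client side. The AST, the instruction encoding, the two-point lattice L < H, the policy and the sample programs are assumptions of this example, and the checker is simplified because code produced by this compiler always has an empty operand stack at every jump.

```python
# Added example, not from the talk: Volpano & Smith typing of a while-language,
# compilation to a JVM-like stack language, and the transformation of the source
# security type into a target type (levels per program point + control dependence
# regions) that a low-level type checker re-verifies on the client side.
L, H = "L", "H"                                   # two-point lattice, L < H
def leq(a, b): return a == L or b == H
def join(a, b): return H if H in (a, b) else L
def pc_of(t): return t if isinstance(t, str) else t[0]   # pc of a source type node

# Hypothetical AST.  Expressions: ("var", x) | ("num", n) | ("op", e1, e2)
# Commands: ("skip",) | ("assign", x, e) | ("seq", c1, c2) | ("if", e, c1, c2) | ("while", e, c)
def type_expr(e, policy):
    if e[0] == "var": return policy[e[1]]
    if e[0] == "num": return L
    return join(type_expr(e[1], policy), type_expr(e[2], policy))

def type_cmd(c, pc, policy):
    """Server side: x := e needs pc join level(e) <= level(x); guards raise pc for their
    branches.  Returns the source type: the pc of every sub-command, shaped like the AST."""
    if c[0] == "assign":
        if not leq(join(pc, type_expr(c[2], policy)), policy[c[1]]):
            raise TypeError(f"insecure assignment to {c[1]} under pc={pc}")
        return pc
    if c[0] == "skip": return pc
    if c[0] == "seq": return (pc, [type_cmd(s, pc, policy) for s in c[1:]])
    pc2 = join(pc, type_expr(c[1], policy))         # if / while: branches run at pc2
    return (pc, [type_cmd(s, pc2, policy) for s in c[2:]])

def compile_expr(e, code):
    if e[0] == "var": code.append(("load", e[1]))
    elif e[0] == "num": code.append(("push", e[1]))
    else: compile_expr(e[1], code); compile_expr(e[2], code); code.append(("binop",))

def compile_cmd(c, st, code, se, regions):
    """Compiler plus the type transformation behind Theorem 2: se[i] is the pc of the
    source command behind instruction i; regions[j] the points control-dependent on jump j."""
    kind, pc, start = c[0], pc_of(st), len(code)
    if kind == "assign": compile_expr(c[2], code); code.append(("store", c[1]))
    elif kind == "seq":
        for sub, t in zip(c[1:], st[1]): compile_cmd(sub, t, code, se, regions)
    elif kind == "if":
        compile_expr(c[1], code); j = len(code); code.append(("ifeq", None))
        compile_cmd(c[2], st[1][0], code, se, regions)
        g = len(code); code.append(("goto", None)); code[j] = ("ifeq", len(code))
        compile_cmd(c[3], st[1][1], code, se, regions)
        code[g] = ("goto", len(code))               # junction point after the conditional
        regions[j] = set(range(j + 1, len(code)))
    elif kind == "while":
        compile_expr(c[1], code); j = len(code); code.append(("ifeq", None))
        compile_cmd(c[2], st[1][0], code, se, regions)
        code.append(("goto", start)); code[j] = ("ifeq", len(code))
        regions[j] = set(range(start, len(code))) - {j}   # body, back-jump, re-run guard
    for i in range(start, len(code)): se.setdefault(i, pc)   # guard/jump code: enclosing pc
    if kind in ("if", "while"):                     # control-dependent points: at least branch level
        for i in regions[j]: se[i] = join(se[i], pc_of(st[1][0]))

def compile_with_type(c, st):
    code, se, regions = [], {}, {}; compile_cmd(c, st, code, se, regions)
    code.append(("return",)); se[len(code) - 1] = L
    return code, se, regions

def check_target(code, se, regions, policy):
    """Client side, low-level type system: infer a stack of levels per program point and
    check the store and region constraints (no stack lifting: stacks are empty at jumps)."""
    S, work = {0: ()}, [0]
    while work:
        i = work.pop(); st = S[i]; op, *args = code[i]; lvl = se[i]
        if op == "push": new, succ = st + (lvl,), [i + 1]
        elif op == "load": new, succ = st + (join(lvl, policy[args[0]]),), [i + 1]
        elif op == "binop": new, succ = st[:-2] + (join(st[-2], st[-1]),), [i + 1]
        elif op == "store":
            if not leq(join(lvl, st[-1]), policy[args[0]]):
                raise TypeError(f"{i}: store {args[0]} would leak")
            new, succ = st[:-1], [i + 1]
        elif op == "ifeq":
            for j in regions[i]:
                if not leq(st[-1], se[j]):
                    raise TypeError(f"{i}: region point {j} is below the guard level")
            new, succ = st[:-1], [i + 1, args[0]]
        elif op == "goto": new, succ = st, [args[0]]
        else: new, succ = st, []                    # return
        for j in succ:
            if j not in S: S[j] = new; work.append(j)
            elif S[j] != new: raise TypeError(f"{i}->{j}: stack types disagree")
    return S

def secure_compile(c, policy):
    """Type the source, transform the type while compiling, re-check the target."""
    code, se, regions = compile_with_type(c, type_cmd(c, L, policy))
    check_target(code, se, regions, policy)
    return code, se, regions

def target_rejects(code, se, regions, policy):
    try: check_target(code, se, regions, policy); return False
    except TypeError: return True

# Constructed sample programs over the policy h: H (secret), l: L (public).
POLICY = {"h": H, "l": L}
SAFE = ("seq", ("assign", "l", ("op", ("var", "l"), ("num", 1))), ("assign", "h", ("var", "l")))
LOOP = ("while", ("var", "h"), ("assign", "h", ("op", ("var", "h"), ("num", 1))))
LEAK = ("if", ("var", "h"), ("assign", "l", ("num", 1)), ("assign", "l", ("num", 0)))
```

`secure_compile(SAFE, POLICY)` and `secure_compile(LOOP, POLICY)` succeed; for `LOOP` the region of the conditional jump covers the body, the back-jump and the re-evaluated guard, all of which receive level H because the guard reads `h`. `LEAK` is rejected by `type_cmd` on the server, and if an untrusted server nevertheless ships it with a bogus all-low source type, `target_rejects(*compile_with_type(LEAK, (L, [L, L])), POLICY)` is true: the client-side region constraint at the jump catches the implicit flow, which is the point of not having to trust the compiler.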

  17. Conclusion
      In this work: a type system to guarantee stronger confidentiality for a low-level language; a proof that compilation preserves security types.
      We can recover non-interference of a high-level program if the compiler preserves the semantics:
      Lemma 1 (Non-interference for source language). If ..., then ... is non-interferent w.r.t. ... .

  18. Further Work
      - JVM
      - Develop a type-preserving compiler for non-interference for Java
      - Formal proofs
      - Study more liberal, yet secure, verification techniques
