a bipartite graph model of information flow ifip wg 2.3, may 2014 gary t. leavens (with john l....
TRANSCRIPT
![Page 1: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/1.jpg)
A Bipartite Graph Modelof
Information FlowIFIP WG 2.3, May 2014
Gary T. Leavens (with John L. Singleton)University of Central Florida
Orlando Florida
![Page 2: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/2.jpg)
Problem
• Expressing Information Flow Security Specifications• Android applications• Applications in general• Libraries
![Page 3: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/3.jpg)
Why Information Flow?
Formal Methods @ UCF
• ACLs and Firewalls prevent or allow access to data, but they do not control what happens after an access
• Heartbleed, a defect in OpenSSL, could have been found byInformation Flow analysis
![Page 4: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/4.jpg)
Background: Information Flow Problem
Formal Methods @ UCF
send(company, address_book);
company = address_book;
boolean b = false;
if (address_book.get(“president”).num() .equals(“(202) 456-1111”) {
b = true;}
![Page 5: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/5.jpg)
Background: Lattice Model of Information Flow (Denning, 1976)
Formal Methods @ UCF
• Each variable given a security label (e.g., Public, User, Private, …)
• Statically check all statements x = e; permitted only if label(e) label(x)
• Invariant: only permitted information flows allowed
User
Private
Public
![Page 6: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/6.jpg)
Integrity Interpretation
• Where can the variable’s value come from? What can affect it?
Mor
e In
fluen
ces
![Page 7: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/7.jpg)
Confidentiality Interpretation
• Where can a variable’s value be sent? What can learn from it?
{FILE} {NET} {UI}
{NET, UI}{FILE, UI}{FILE, NET}
{FILE, NET, UI}
Mor
e C
onfid
entia
l
![Page 8: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/8.jpg)
The Decentralized Label Model (Myers & Liskov, 1998)
Formal Methods @ UCF
Each variable has two sets of labels
• Sinks: where information can flow
• Sources: where information can be obtained from
Rules:
x = e
• Safe to REMOVE sinks from x
• Safe to ADD sources to x
![Page 9: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/9.jpg)
Example
Formal Methods @ UCF
@Sink({FILE}) @Source({NET}) int x;
@Sink({FILE,UI}) @Source({NET, UI}) int e;
x = e; // legal?
![Page 10: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/10.jpg)
Key Properties of Decentralized Label Model
Formal Methods @ UCF
• Label creation and propagation is not centralized.
• New labels can be created dynamically.
• But checking is mostly static
![Page 11: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/11.jpg)
Drawbacks of the Decentralized Model
Formal Methods @ UCF
• Set-based labels can be cumbersome to write in programs.
• Programmers must reason about 2 directions at once:
• Confidentiality• Integrity
• APIs must be specified once and for all
![Page 12: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/12.jpg)
API Example
package android.content.res;
class AssetFileDescriptor {
@Source({FILESYSTEM}) FileInputStream createInputStream() throws IOException;
}
![Page 13: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/13.jpg)
Client Example
@Source({FILESYSTEM, LITERAL}) InputStream is;
is = encryptedVideoAsset.createInputStream();
![Page 14: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/14.jpg)
Is the Power of the Distributed Label Model needed?
Formal Methods @ UCF
• Many programs are not distributed
• Even distributed programs can belogically centralized
![Page 15: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/15.jpg)
The Bipartite Graph Model of Information Flow
Formal Methods @ UCF
Approach/Idea
![Page 16: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/16.jpg)
Model Idea
Formal Methods @ UCF
UI
FILE
NET
Encrypted Video Viewer
Private
User
Public
Channels Security Labels
Edge Map
LC
E
![Page 17: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/17.jpg)
Approach: Model
Formal Methods @ UCF
• Static security labels, L• Global channels, C• API specified by channels and usage:
• Arguments (I)• Results (O)
• Edge mapping, E : {I,O}xC L
![Page 18: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/18.jpg)
Model Idea
Formal Methods @ UCF
UI
FILE
NET
Encrypted Video Viewer
Private
User
Public
Channels Security Labels
Edge Map
LC
E
![Page 19: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/19.jpg)
Example Security LatticeSecurity.xml file
Formal Methods @ UCF
<linear-lattice> <levels> <level>Private</level> <level>User</level> <level>Public</level> </levels> <level-specs> <level-spec> <name>Public</name> <trusts> <level>Private</level> <level>User</level> </trusts> </level-spec> </level-specs> </linear-lattice>
…
![Page 20: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/20.jpg)
Example Channel MappingChannels.xml file
Formal Methods @ UCF
<Channels> <Channel> <ChannelName>DISPLAY</ChannelName> <ChannelSpec> <InputLevel>Private</InputLevel> <OutputLevel>Public</OutputLevel> </ChannelSpec> </Channel> <Channel> <ChannelName>MICROPHONE</ChannelName> <ChannelSpec> <InputLevel>Private</InputLevel> <OutputLevel>Public</OutputLevel> </ChannelSpec> </Channel> </Channels>
![Page 21: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/21.jpg)
Simple Example (Voting Booth)
Formal Methods @ UCF
public void castVote(@Level(SECRET) User u, @Level(TOPSECRET) Vote v){ .. // ok because TOPSECRET > SECRET String encryptedId = encryptVoterId(u.getUserId()); // ok because TOPSECRET logVote(encryptedId, v); // ... } // in the program, but described with @Channels. public void logVote(@Channel(FILESYSTEM) id, @Channel(FILESYSTEM) vote){ //... } // in an API public @Channel(CRYPT) String encryptVoterId(@Channel(CRYPT) String voterId){ //... }
![Page 22: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/22.jpg)
Using the Model
Formal Methods @ UCF
• User writes:• Security.xml• Channels.xml
• User supplies program annotation via @Level and @Channel for APIs (“poor man’s” polymorphism)
• Runs checking tool over program
![Page 23: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/23.jpg)
Advantages of the Model
Formal Methods @ UCF
• Can mix Channels and Labels in program:• Channels in API• Labels in client code
• Compact types:channels or labels, not two sets
• Can handle confidentiality and integrity separately or together.
• Users can define arbitrarily complex lattices
![Page 24: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/24.jpg)
Suitability for APIs
• @Channel annotations specify information flow generically
• Can customize • security.xml (levels) and • channels.xml (mapping)
to fit the security concerns of the application.
![Page 25: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/25.jpg)
Preliminary Experimental WorkA few systems using these ideas:
• CheckLT – Lattice-based taint checking for Java
• http://checklt.github.io
• FS4A – Flowspecs for Android (an extension to OpenJML)
• Full implementation of the Bipartite Graph Model • Incorporates Conditional Release aspects
![Page 26: A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida](https://reader035.vdocuments.us/reader035/viewer/2022062719/56649ec85503460f94bd5057/html5/thumbnails/26.jpg)
Conclusions
• User-defined lattice to describe security levels
• Fixed set of channels (centralized)
• Mapping from channels to levels allows customization