Language-Based Information-Flow Security
Richard Mancusi, CSCI 297
References
Andrei Sabelfeld, Andrew C. Myers. Language-Based Information-Flow Security.
IEEE Journal on Selected Areas in Communications, special issue on Formal Methods for Security, 21(1), January 2003, pages 5-19.
Information-Flow
“Access control checks place restrictions on the release of information but not its propagation.”
“Information controlled by a confidentiality policy cannot flow to a location where that policy is violated.”
“…practical methods for controlling information flow have eluded researchers for some time.”
Symptoms of the Problem
SAIC Break-in Stresses Intertwined Nature of Physical and IT Security: “A break-in at a government contractor's offices has opened 45,000 former and current employees and stockholders up to identity theft.”
SecurityInfoWatch.com, Feb 22, 2005
U.P.S. Loses A Shipment Of Citigroup Client Data: “…box of computer tapes containing information on 3.9 million customers was lost on May 2 by United Parcel Service…”
The New York Times, June 7, 2005
Security Breach Could Expose 40M To Fraud: “…the security breach involves a computer virus that captured customer data…”
The Washington Post, June 18, 2005
Standard Security Methods
Computer systems have relied upon weak, ad-hoc security mechanisms:
– Access control (e.g., file protections, ACLs)
– Firewalls
– Antivirus software
“Access does not control how the data is used after it is read from the file”
Terminology
Confinement: “…the ability to prevent capabilities (and hence authority) from being transmitted improperly.”
Noninterference: a clear separation of confidential data from public data, in the sense that changes to confidential inputs cause no observable change in public outputs.
Terminology
Covert channels: signalling mechanisms that are not intended to transfer information about a computing system, but can be used to do so
– Implicit flows
– Termination channels
– Power channels
– Timing channels
Implicit Flows
Implicit flows arise from the control structure of the program: a branch or loop whose guard reads confidential data decides which assignments to public variables execute, so information leaks without any direct assignment from a high variable to a low one.
This is problematic for security levels because every assignment inside the guarded region, even the assignment of a constant, must be treated as a write at the level of the guard.
“Confidentiality can be obtained by ensuring that the process sensitivity label remains high throughout the rest of the program.”
Example (H is confidential, L is public; after the program runs, L holds the low bit of H even though H is never assigned to L directly):

```
H := H mod 2;
L := 0;
if ( H == 1 )
    L := 1
```
Semantics-Based Security
For a given semantic model, noninterference is formalized as follows: C is secure iff
$$\forall s_1, s_2 \in S.\quad s_1 =_L s_2 \;\Rightarrow\; [\![ C ]\!] s_1 \approx_L [\![ C ]\!] s_2$$
Which reads: “If two input states share the same low values, then the behaviors of the program executed on these states are indistinguishable by the attacker.”
In Other Words…
$$\forall s_1, s_2 \in S.\quad s_1 =_L s_2 \;\Rightarrow\; [\![ C ]\!] s_1 \approx_L [\![ C ]\!] s_2$$
Indicates the absence of any dependency between the program values which operate within a higher security context and the program values which have a lower security context.
Security-Type System
A set of typing rules can be defined that encapsulates the security context of a program: each variable is assigned a security level, and each command is checked under a program-counter level that records whether control currently depends on confidential data.
With a security-type system in place, programs can be checked statically, before they run, to identify any insecure information flows.
For Example:
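The slide's own example is not reproduced on this page. As an added example (not from the paper or the slides), the following Python program implements a security-type checker in the style described on the previous slide, together with a brute-force test of the semantic noninterference condition, and runs both on the implicit-flow program from the Implicit Flows slide. The names `Expr`, `Assign`, `check`, `noninterfering` and the `fuel` budget used to detect non-termination are this example's own assumptions. It goes one step beyond the slide by including a looping program that the type system accepts but that leaks through a termination channel, since the classic Volpano/Smith system is termination-insensitive.

```python
# Added example, not from the paper: a Volpano/Smith-style security-type checker
# for a tiny while-language, plus a brute-force check of the semantic condition
#   forall s1, s2 in S.  s1 =_L s2  =>  [[C]]s1 ~_L [[C]]s2
# Names (Expr, Assign, check, noninterfering, ...) are this example's own.
import itertools
from dataclasses import dataclass

LOW, HIGH = 0, 1  # two-point lattice, LOW below HIGH

@dataclass
class Expr:            # an expression: the variables it reads plus an evaluator
    reads: tuple
    fn: object
@dataclass
class Assign:
    var: str
    expr: Expr
@dataclass
class Seq:
    cmds: tuple
@dataclass
class If:
    cond: Expr
    then: object
    els: object
@dataclass
class While:
    cond: Expr
    body: object
class Skip:
    pass

def var(n): return Expr((n,), lambda s: s[n])
def const(k): return Expr((), lambda s: k)
def level_of(e, env): return max((env[v] for v in e.reads), default=LOW)

def check(c, env, pc=LOW):
    """Typing judgement pc |- c.  x := e is allowed only if level(e) join pc <= level(x);
    a HIGH guard raises pc to HIGH for the guarded commands (the implicit-flow rule)."""
    if isinstance(c, Skip):
        return True
    if isinstance(c, Assign):
        return max(level_of(c.expr, env), pc) <= env[c.var]
    if isinstance(c, Seq):
        return all(check(sub, env, pc) for sub in c.cmds)
    if isinstance(c, If):
        pc2 = max(pc, level_of(c.cond, env))
        return check(c.then, env, pc2) and check(c.els, env, pc2)
    if isinstance(c, While):
        return check(c.body, env, max(pc, level_of(c.cond, env)))
    raise TypeError(c)

def run(c, state, fuel=200):
    """Execute c on a copy of state; returns None when the fuel runs out (non-termination)."""
    s, budget = dict(state), [fuel]
    def go(c):
        budget[0] -= 1
        if budget[0] < 0:
            raise TimeoutError
        if isinstance(c, Assign):
            s[c.var] = c.expr.fn(s)
        elif isinstance(c, Seq):
            for sub in c.cmds:
                go(sub)
        elif isinstance(c, If):
            go(c.then if c.cond.fn(s) else c.els)
        elif isinstance(c, While):
            while c.cond.fn(s):
                go(c.body)          # every iteration consumes fuel through go()
    try:
        go(c)
    except TimeoutError:
        return None
    return s

def low_equal(s1, s2, env): return all(s1[v] == s2[v] for v in env if env[v] == LOW)

def noninterfering(c, env, values=(0, 1), termination_sensitive=False):
    """Brute-force noninterference over all states whose variables range over `values`."""
    names = sorted(env)
    states = [dict(zip(names, vs)) for vs in itertools.product(values, repeat=len(names))]
    for s1, s2 in itertools.product(states, repeat=2):
        if not low_equal(s1, s2, env):
            continue
        r1, r2 = run(c, s1), run(c, s2)
        if r1 is None or r2 is None:                  # at least one run diverged
            if termination_sensitive and (r1 is None) != (r2 is None):
                return False
            continue                                  # termination-insensitive: ignore it
        if not low_equal(r1, r2, env):
            return False
    return True

ENV = {"h": HIGH, "l": LOW}
# The slide's implicit flow:  H := H mod 2; L := 0; if H == 1 then L := 1
IMPLICIT = Seq((Assign("h", Expr(("h",), lambda s: s["h"] % 2)), Assign("l", const(0)),
                If(Expr(("h",), lambda s: s["h"] == 1), Assign("l", const(1)), Skip())))
EXPLICIT = Assign("l", var("h"))                               # l := h
SECURE = Seq((Assign("h", var("l")), Assign("l", const(0))))   # h := l; l := 0
# Termination channel: typable, yet whoever can see that the program halts learns h == 0.
TERMINATION = Seq((While(Expr(("h",), lambda s: s["h"] != 0), Skip()), Assign("l", const(1))))
```

`check(IMPLICIT, ENV)` rejects the slide's program because `L := 1` is reached under a HIGH program counter, and `noninterfering(IMPLICIT, ENV)` confirms the semantic leak by finding two low-equal initial states (h = 0 and h = 1) that end with different values of l. `TERMINATION` shows the gap between the two views: the type system accepts it, and the termination-insensitive check agrees, but passing `termination_sensitive=True` exposes the leak that the paper lists under termination channels.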
Research Trends
– Expanding the expressiveness of the underlying language
– Exploring security-related concurrency issues
– Analyzing covert channels
– Refining security policies
Language-based Information Flow Research
Language Expressiveness
Programs that use language constructs such as procedures and functions can be guaranteed to satisfy noninterference within the bounds of specific security-type systems.
Polymorphism can be extended to security types: generic constructs can be written whose security level depends on the context in which they are used, and noninterference remains provable for them.
Language Expressiveness
Exceptions cause nonlocal transfers of control and therefore create implicit flows; restrictive type systems that limit these flows are possible. [Volpano and Smith]
Security-typed languages with Java-style objects have been built, demonstrating that noninterference can be enforced for object-oriented programs.
Concurrency
The high-security portions of the program must be protected at all times.
A (simple) example that is secure when run sequentially, since l always ends up 0:

```
h := 0; l := h;
```

With concurrency, another thread may overwrite h between the two assignments, so the values must be protected at all times:

```
enter_critical(); h := 0; l := h; exit_critical()
```
Concurrency
Thread security is tied to timing and probability.
Example (two threads, `||` is parallel composition; which write to l lands last depends on how long C runs, and therefore on h):

```
(if h = 1 then C else skip); l := 1  ||  l := 0
```

Variations in security level must also be protected across context switches, which is difficult.
Covert Channels
Timing attacks against SSL encryption
Such attacks are possible because the time a decryption takes to fail varies with the input value, and those variations can lead an attacker to the true value of the key.
Attacks of this kind are prevented by equalizing the time taken by successful and failed decryptions.
Security Policies
Systems that allow downgrading (declassification) of confidential data are subject to exploitation unless the downgrading is tightly controlled.
Example: password-checking programs
– A password check must release one bit (accept or reject), so the security is only as good as the algorithm which guards the passwords.
– This leads to the concept of approximate noninterference.
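As an added example (not from the paper or the slides), the following Python code ties the timing-channel slide to the password-checking slide. A secret comparison is modelled with a step counter in place of wall-clock time, so the run is deterministic: the accept/reject verdict is the one bit the check is meant to release, and the step count is the covert channel on top of it. `leaky_equal`, `constant_time_equal`, `recover`, the digit alphabet and the 0x00 padding byte are this example's assumptions; it illustrates a comparison, not the SSL decryption attack itself.

```python
# Added example, not from the paper: the timing channel of a secret comparison
# (a password or MAC check), modelled with a step counter instead of wall-clock
# time so the run is deterministic.  The accept/reject bit is the one bit the
# check is *meant* to release; the step count is the covert channel on top of it.
# Names (leaky_equal, constant_time_equal, recover) are this example's own.
import hmac   # hmac.compare_digest is the library routine to use in real code

def leaky_equal(guess: bytes, secret: bytes):
    """Early-exit comparison.  Returns (equal, steps); steps = 1 + length of the matching prefix."""
    steps = 0
    if len(guess) != len(secret):
        return False, steps
    for a, b in zip(guess, secret):
        steps += 1
        if a != b:
            return False, steps
    return True, steps

def constant_time_equal(guess: bytes, secret: bytes):
    """Equalised comparison: always walks the whole secret, so steps never depend on where
    the first difference is.  (The length check still leaks the length; pad or hash first.)
    In production call hmac.compare_digest(guess, secret) instead of hand-rolling this."""
    if len(guess) != len(secret):
        return False, 0
    steps, diff = 0, 0
    for a, b in zip(guess, secret):
        steps += 1
        diff |= a ^ b                 # accumulate instead of branching on the first mismatch
    return diff == 0, steps

def recover(secret: bytes, compare, alphabet=b"0123456789"):
    """Attacker who sees only the verdict and the step count.  Returns (recovered, ok, queries).
    Assumes the length is known and that the 0x00 padding byte is not in the alphabet."""
    known, queries = b"", 0
    for pos in range(len(secret)):
        results = []
        for c in alphabet:
            guess = known + bytes([c]) + b"\x00" * (len(secret) - pos - 1)
            ok, steps = compare(guess, secret)
            queries += 1
            results.append((c, ok, steps))
        hits = [c for c, ok, _ in results if ok]
        if hits:
            return known + bytes([hits[0]]), True, queries
        counts = [steps for _, _, steps in results]
        best = [c for c, _, steps in results if steps == max(counts)]
        if len(best) != 1 or max(counts) == min(counts):
            return known, False, queries          # timing gives nothing away
        known += bytes([best[0]])                 # the unique slowest guess extends the prefix
    return known, False, queries

if __name__ == "__main__":
    print("early-exit   :", recover(b"4271", leaky_equal))
    print("constant-time:", recover(b"4271", constant_time_equal))
    print("stdlib verdict:", hmac.compare_digest(b"4271", b"4271"))
```

Against `leaky_equal` the attacker recovers a four-digit secret in 40 queries instead of the 10,000 a blind search would need, one position at a time, because the single guess that runs one step longer is the one whose next byte is right. Against `constant_time_equal` every guess costs the same number of steps, so the attacker gives up after the first ten queries with nothing beyond the intended reject bit.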
Challenges
– System-wide security: integrating language-based information-flow control with system-wide information-flow control.
– Certifying compilation: moving security checking into the Java arena, so that static analysis is performed on the bytecode prior to execution.
Challenges
– Dynamic policies: it is not realistic to assume that information-flow policies are available at compile time, and runtime policies create an additional channel which itself needs protection.
– Restrictions placed on languages to deal with these problems may become too restrictive for widespread use.
Conclusions
End-to-end security cannot be achieved with existing practices.
Static analysis with security-type systems is possible, but further work is needed on compilers such as Jif, which support languages that are not yet “security-expressive” enough.
A great deal of research remains ongoing.