Language-based Security: Information Flow Control
18739A: Foundations of Security and Privacy
Anupam Datta, Fall 2009
Lecture Outline
• Information Flow Control (IFC)
  • Security definition: Non-interference [Goguen-Meseguer82]
  • Language-based enforcement: Type system [Volpano-Smith-Irvine96], based on prior work [Denning-Denning77]
• IFC in Tax Preparation Software
Definition of Security: Non-interference (idea)
[Figure: a program with high input HI and low input LI producing high output HO and low output LO; a second run with high input HI' produces high output HO']
No information flows from high inputs to low outputs
Security levels: H: Classified, L: Unclassified
Example: if x = 1 then y:=1 else y:=0
  x   y   NI
  L   L   Yes
  H   H   Yes
  L   H   Yes
  H   L   No
Specification and Enforcement
Approach:
• Use a typed programming language; types represent security levels H, L, …
• Sub-typing captures the partial order among security levels: L ≤ H
• The type system captures the allowed information flows
• Soundness theorem: well-typed programs satisfy non-interference
Language Definition
• Syntax
• Type System
• Operational Semantics
Soundness Theorem: well-typed programs satisfy non-interference
Syntax (I)
Syntax (II)
We will focus on the special case where the type is either H or L, with L ≤ H
Type System (I): Typing judgment
Type system (II)
Type System (III)
Example: if x = 1 then y:=1 else y:=0
  x   y   NI
  L   L   Yes
  H   H   Yes
  L   H   Yes
  H   L   No
Will justify rows 1 & 2
Example with types
Key rules used are (ASSIGN) and (IF)
Type System (IV)
Example: if x = 1 then y:=1 else y:=0
  x   y   NI
  L   L   Yes
  H   H   Yes
  L   H   Yes
  H   L   No
Will justify rows 3 & 4
Example with types: suppose x: L var and y: H var
1. Use (ASSIGN), (CMD-) and (SUBTYPE) to infer (y:=1): L cmd and (y:=0): L cmd
2. Now use the (IF) rule
x: H var and y: L var is not well-typed, as expected (recall L ≤ H)
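As an added example (not the lecture's own code), the following Python checker implements the two-level type system over the lecture's small while-language and reproduces the four rows of the table above. It uses the equivalent program-counter formulation of the Volpano-Smith-Irvine rules rather than the (CMD-)/(SUBTYPE) derivation on the slides; the tuple encoding of the syntax is our own assumption.

```python
# Added example, not the lecture's code: a checker for the two-level
# information-flow type system over the lecture's while-language, in the
# "program counter" formulation equivalent to the (CMD-)/(SUBTYPE) derivation.
L, H = 0, 1                      # security levels, ordered L <= H

def join(a, b):
    """Least upper bound in the two-point lattice {L <= H}."""
    return max(a, b)

# Abstract syntax (our own encoding): expressions are int constants,
# str variable names or ("op", lhs, rhs); commands are tagged tuples.
def expr_level(e, env):
    """Level of an expression: join of the levels of the variables it reads."""
    if isinstance(e, int):
        return L                  # a constant reveals nothing
    if isinstance(e, str):
        return env[e]
    _op, lhs, rhs = e             # e.g. ("=", "x", 1)
    return join(expr_level(lhs, env), expr_level(rhs, env))

def check_cmd(c, env, pc=L):
    """True iff c is well-typed in env under program-counter level pc.
    (ASSIGN) x := e: join(level(e), pc) <= level(x) stops explicit flows;
    (IF)/(WHILE) raise pc to the guard's level so a branch chosen by a
    secret cannot write a low variable (implicit flows)."""
    tag = c[0]
    if tag == "assign":
        _, x, e = c
        return join(expr_level(e, env), pc) <= env[x]
    if tag == "seq":
        return all(check_cmd(ci, env, pc) for ci in c[1:])
    if tag in ("if", "while"):
        guard_pc = join(pc, expr_level(c[1], env))
        return all(check_cmd(ci, env, guard_pc) for ci in c[2:])
    raise ValueError(f"unknown command {tag!r}")

# The lecture's example: if x = 1 then y := 1 else y := 0
EXAMPLE = ("if", ("=", "x", 1), ("assign", "y", 1), ("assign", "y", 0))

def table_row(x_level, y_level):
    """One row of the lecture's table: is the example well-typed
    (hence non-interfering, by the soundness theorem)?"""
    return check_cmd(EXAMPLE, {"x": x_level, "y": y_level})

if __name__ == "__main__":
    for xl, yl in ((L, L), (H, H), (L, H), (H, L)):
        print("x:", "LH"[xl], "y:", "LH"[yl], "well-typed:", table_row(xl, yl))
```

Only the row x: H, y: L is rejected; the checker also rejects a direct copy of a high variable into a low one and a loop whose guard depends on a secret while writing a low variable.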
Operational Semantics (I)
A memory is a function from locations to values; applying the memory to a location l gives the contents of l.
Judgments:
1. Evaluating expression e in a memory yields a value n
2. Evaluating command c in a memory yields an updated memory
A program executes by evaluating expressions and commands
Operational Semantics (II)
Operational Semantics (III)
Soundness Theorem
Recall Non-interference
[Figure: a program with high input HI and low input LI producing high output HO and low output LO; a second run with high input HI' produces high output HO']
No information flows from high inputs to low outputs
Security levels: H: Classified, L: Unclassified
Practical Languages for IFC
• Jif [Liskov-Myers et al.]: Java + information flow, http://www.cs.cornell.edu/jif/
• Flow Caml [Pottier-Simonet]: extends the OCaml language with a type system for tracing information flow, http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.11.2104
Web Security: A Domain for IFC
Brendan Eich, Chief Technology Officer, Mozilla Corp., "Improving JavaScript's Default Security Model with Information Flow", CSF 2009 invited talk
Thanks
Questions?
Formal definition
• The system is a deterministic finite state machine: it takes an input and transitions to the next state, producing an output
• A trace tr is a sequence of inputs and outputs (high and low)
• OutputL(S,tr,c): the low output of system S when input c is applied to the state corresponding to trace tr
• purgeHI(tr): returns a trace with all high inputs in tr removed
Programming Language Definition
• Syntax and static semantics (or "well-formed programs"): syntax of types and terms; type system
• Semantics (or "meaning of programs"): operational or dynamic semantics (defines how programs execute)
• Type safety: well-typed programs do not get stuck, i.e., they either terminate or keep reducing following the operational semantics
Language Definition Examples: Syntax, Semantics (Static, Dynamic)
• ML: R. Milner, M. Tofte, R. Harper, and D. MacQueen, The Definition of Standard ML (Revised). MIT Press, 1997
• Java: J. Alves-Foss (Ed.), Formal Syntax and Semantics of Java. LNCS 1523, 1999