Post on 20-Dec-2015
Steve Zdancewic ESOP01 1
Secure Information Flow and CPS
Steve Zdancewic Joint work with Andrew Myers
Cornell University
Steve Zdancewic ESOP01 2
Valuable Data On-line
• Internet and Connectivity
– banks/brokerage firms
– e-mail services
– applets, plugins, etc.
– …
• Creates a problem of protection
Steve Zdancewic ESOP01 3
Protect It!
• Confidentiality
– Data doesn't escape
– Does my accounting software transmit my private information?
• Integrity
– Trustworthiness of data
– Does my accounting software use “bad” information to compute taxes?
Steve Zdancewic ESOP01 4
Information Flow
• Policies on information
• End-to-End
– Once data is released to a program, must ensure that the policy is obeyed.
• Need static analysis
Steve Zdancewic ESOP01 5
Security-Typed Languages
• Statically enforce security policies in an extended type system
– Smith & Volpano [SVI96, SV98, ...]
– Heintze & Riecke [HR98, ABHR99]
– Myers [ML97,My99,...]
– Sabelfeld & Sands [SS99, SS00]
– Pottier & Conchon [PC00,...]
Steve Zdancewic ESOP01 6
Noninterference
"Low-security behavior of the program is not affected by any high-security data." Goguen & Meseguer 1982
[Diagram: two runs with the same low inputs L1, L2 but different high values (H1, H2 vs. H3, H4) produce the same low result L]
Steve Zdancewic ESOP01 7
Our Goal
• Study information flow in a rich language
– Higher-order functions
– State
• Noninterference proof
Steve Zdancewic ESOP01 8
Continuation Passing Style
• Useful representation of low-level code – verify output of the compiler.
• Main complication: explicit control and interaction with effects
Steve Zdancewic ESOP01 9
Outline
• Motivating Example
• Problem with Naïve CPS translation
• Ordered Linear Continuations
• Wrap up
Steve Zdancewic ESOP01 10
Security Types
• A lattice L of labels
– order: L ⊑ H
– join: L ⊔ H = H
• Types have labels: intH or boolL
Steve Zdancewic ESOP01 11
Example
if0 (x:intH){        // pc:L before the test on x
  y := 1; // y:intH  // pc:H inside this branch
} else {
  y := 2;            // pc:H inside this branch
}
z := 3; // z:intL    // pc:L again after the if
The pc label is raised to H inside the branches guarded by x:intH, so the assignments to y force y:intH; once the if is over the pc returns to L, so z may be labelled intL.
Steve Zdancewic ESOP01 18
PC Label
• Side-effects are bounded by the PC label.
Assignment rule for x := e, checked at pc:p:
x:s ref    e:r    (p ⊔ r) ⊑ s
Steve Zdancewic ESOP01 19
What about functions?
• Effects inside a function must also be bounded by the PC label at the call site.
f(e)
f:r
p rpc:p
e:
Steve Zdancewic ESOP01 20
Naive CPS
let k = (). z := 3; //z:intH
if0 (x:intH){ y := 1; k(); } else { y := 2; k(); } // both calls to k occur at pc:H
Because k is invoked from both branches at pc:H, its body is checked at pc:H, and the assignment z := 3 is only accepted if z:intH; the precision of the source program (z:intL) is lost.
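As an added example (not code from the slides), the following toy checker implements the pc-label discipline on the {L, H} lattice from the Security Types and PC Label slides and runs it over the if0 example and its naive CPS translation. The program encoding, and the treatment of a continuation body as checked at its caller's pc, are assumptions made here to model what the slides show.

```python
# Added example, not from the slides: a toy checker for the pc-label rule
# on the {L, H} lattice, applied to the if0 example and its naive CPS form.
L, H = "L", "H"

def leq(a, b):                  # lattice order:  L ⊑ H
    return a == L or b == H

def join(a, b):                 # lattice join:   L ⊔ H = H
    return H if H in (a, b) else L

# Constructed mini syntax (literals such as 1, 2, 3 are labelled L):
#   ("assign", x, r)            x := e     where e : int_r
#   ("if0", g, then, els)       if0 x {then} else {els}  where x : int_g
#   ("letk", k, body)           let k = (). body
#   ("call", k)                 k()
# env maps each variable x to the label s of its type `s ref`.

def check(stmts, env, pc, konts=None):
    """Return True if every side effect is bounded by the pc label."""
    konts = {} if konts is None else konts
    for s in stmts:
        if s[0] == "assign":            # rule: (pc ⊔ r) ⊑ s
            _, x, r = s
            if not leq(join(pc, r), env[x]):
                raise TypeError(f"{x} := e leaks: pc={pc}, e:{r}, x:{env[x]} ref")
        elif s[0] == "if0":             # branches run at pc ⊔ guard label
            _, g, then, els = s
            check(then, env, join(pc, g), konts)
            check(els, env, join(pc, g), konts)
        elif s[0] == "letk":
            konts[s[1]] = s[2]
        elif s[0] == "call":            # naive CPS: body checked at caller's pc
            check(konts[s[1]], env, pc, konts)
    return True

SOURCE = [("if0", H, [("assign", "y", L)], [("assign", "y", L)]),
          ("assign", "z", L)]
NAIVE_CPS = [("letk", "k", [("assign", "z", L)]),
             ("if0", H, [("assign", "y", L), ("call", "k")],
                        [("assign", "y", L), ("call", "k")])]

def typechecks(prog, env):
    """True if the program is accepted with pc starting at L, else False."""
    try:
        return check(prog, env, L)
    except TypeError:
        return False
```

With y:intH and z:intL the source program is accepted, but its naive CPS translation is rejected until z is relabelled intH; with y:intL both forms are rejected because of the implicit flow from x.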
Steve Zdancewic ESOP01 23
Linear Continuations
let k = (). z := 3; //z:intH
if0 (x:intH){ y := 1; k(); } else { y := 2; k(); }
k is used linearly!
Steve Zdancewic ESOP01 24
Main Idea
• Use linear continuations to express the control-flow properties of the source language via types
• But...not quite enough
Steve Zdancewic ESOP01 25
Order of Evaluation
• Order the continuations are invoked is also important!
• Can observe the order via side effects
• So...ordered linear continuations
Steve Zdancewic ESOP01 26
What Are They?
• Linear continuations: First-class postdominators of control flow graph
• Ordered linear continuations: Encode the control stack
Steve Zdancewic ESOP01 27
Target CPS Language
• Includes regular continuations and ordered linear continuations
• Careful manipulation of context:
| kn,…,k1 [pc] e
Ordered list encodes stack
Steve Zdancewic ESOP01 28
Noninterference
If x:H | [L] ⊢ e : intL and, for all v1, v2 : H,
(M, e{v1/x}) →* (M1, n1) and (M, e{v2/x}) →* (M2, n2),
then M1 ≈L M2 (the memories agree on low locations) and n1 = n2.
Steve Zdancewic ESOP01 29
Results
• Formalize ordered linear continuations in the type system
• Prove that the CPS language enjoys noninterference
– Proof hinges on the ordering property
– First proof for such a rich language
• Expressive enough as a target
Steve Zdancewic ESOP01 31
Other Connections
• Linearity of control also plays a role in security-typed versions of the π-calculus. [Honda et al.]
• Linear control is interesting in its own right