Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Flow, Security and Programming Languages Steve Steve Zdancewic.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Information Flow, Security and Programming Languages Steve Steve Zdancewic."— Presentation transcript:

1 Information Flow, Security and Programming Languages Steve Steve Zdancewic

2 What is Security? Resources? Protection? Trust & Integrity? Policy? Principals? Threats?

3 Information Flow Resource = Data Protection = Access Control Threat = Malicious Programs –"leak" private information Policy? Principals? Trust?

4 Why Do We Want It? Untrusted code –Applets/Plugins/Extensible Systems E-Commerce & Privacy Shared Resources –Files on a network –Access Control (i.e. Unix permissions) not enough

5 Outline Lattice-model –Non-interference SLam –Modeling Dependency –Extensions JFlow & Other Approaches Conclusions

6 Principals & Privileges Associate security levels with data –Specifies who can "see" the data What happens when data is merged? x = a +b

7 The Lattice Model Elements represent levels of privilege    ' is ordering      ' is join Bell & LaPadula '75 Denning'75,'76,'77 L H 1111 2222 3333 4444 5555 6666

8 Non-Interference Low security data can't depend on high security data. No information flows from high security values to low security ones.

9 Explicit vs. Implicit low  hi if hi then low  true else low  false

10 SLam Heintze & Riecke POPL '98 Lambda Calculus Security annotations on types Well-typed programs have non- interference property –Proof uses logical relations

11 Types  b   Security Lattice 

12 Subtyping   '  '  b  b  '             '             '

13 SLam Expressions bv  #t | #f | ( x: . e) v  bv  e  x | v | (e e) | (prot  e) | (if e then e else e)

14 Typing Rules    #t  : (b,  )   ( x:  . e)  : (     ,  )  x:     e :  

15 Typing Rules II   (e  e  ) :       e  : (     ,  )   e  :    '     '   

16 Typing Rules III   if e then e  else e  :       e : (b,  )   e i :    e :           e :  

17 Typing Rules IV   e :    prot  e :  

18 Example  if #t H then #t L else #f L : (b, L)  H  #t H : (b, H)  #t L : (b, L) (b, L)  H  (b, L  H)  (b, H)  #f L : (b, L)

19 Operational Semantics (( x:  . e)  e ' )  prot  e[e ' /x] (if #t  then e  else e  )  prot  e  prot  bv  '  bv    '

20 Proving Non-interference? Suppose lattice is L  H Functions of the type:  b H   b L  b L  L “look” like  b  b

21 Modeling “Views” Give a denotational semantics for Slam Instead of just CPO’s, also include binary relations to capture the “view” Functions must preserve the “view”

22 Binary Relations as Views Concrete View C #t#f #t 1 0 #f 0 1 Abstract View A #t#f #t 1 1 #f 1 1 If  x,y  R then x and y "look the same".

23 Semantics of Types  (b,  )   #t  #f   (     ,  )         p      R  "view of  at level  " R        

24 View Relations Abstract View:  '   '    R         Concrete View (bool):  '    R  b  '  C

25 View Relations II Concrete view (functions)  '    R((     ,  '   f,g  x,y  R     f  x ,g  y  R     ' 

26 Adequacy Theorem (Plotkin): If   e :  then    e :    is defined iff e  *v.

27 Related Environments  x     x     x n  n                 n  Theorem: Suppose   e :  and  '      are related environments at , then      e :        e :    '  R(  )

28 Contexts & Equivalence C[ ] is a context (expression with hole) Write e  e ' if whenever e  *v and e '  *v ' it is the case that v  v ' C[e]  C[e ' ]

29 Non-interference Theorem: Suppose    e , e  :  and    C[e  ] :  b  '  where    ' then C[e  ]  C[e  ]. let 

30 Proof I Consider open term: y:    C[y] :  b  '  d i      e i :    Lemma: Since    ' (d 1, d 2 )  R(  ') Proof: R(  ') is abstract.

31 Proof II f i   y:    C[y] :  b  '    d i By Related Environments theorem, we have:  f 1, f 2  R  b  '  ')  C Thus, f 1 = f 2, easy to show that f i      v :  b  '    since v  v,we're done.

32 Recursion Need to show that R 's are "directed complete" Need to finesse termination issues in contexts – y:unit    C[y ()] :  b  '  CBN vs. CBV –Strong vs. Weak non-interference

33 Extending SLam Products, Sums, Recursive Types (Pitts '96) State –“No read up, no write down” –Globally track dependency Integrity –The more people who touch data, the less trustworthy it is.

34 Core Calculus of Dependency Abadi, Banerjee, Heintze, Riecke (POPL '99) Use type constructors T  Can translate SLam, Binding- time calculi, Smith&Volpano's calculi, etc., into DCC.

35 Recap SLam provides language based information-flow protection Non-interference proved by logical relations...but you wouldn't want to program in it.

36 JFlow Myers (POPL ‘99) Emphasis on usable language –Java extension Decentralized label model –Very large, fine grained lattice Security level polymorphism First class labels, principals

37 Threads & Concurrency Smith & Volpano (POPL '98) –Simple, imperative language with threads –Can't loop on high-variables –Assumes non-deterministic thread scheduling –Clock is high-security –Subject to Probabilistic attacks

38 Non-Interference? Too strong: –No encryption –No password lookup Need declassification –Everything ends up at H Hard to define in concurrent setting

39 Alternatives? What you really care about is leakage of "useful" information?...or... What you care about is the rate of leakage of information?

40 Problems Compilation in information- flow setting: –Compiler should preserve flow properties –CPS translation/code-motion not valid: –f (if x then y else z)  (if x then f(y) else f(z))

41 Covert Channels Threads/Concurrency Timing attacks Probabilistic attacks "Semantic" channels - i.e. order of initialization, aliasing and more...

42 Conclusions (Security) Information flow is a useful tool for security. Non-interference is a strong policy (too strong?) Programming language technology can help Lots left to be done...

43 Conclusions (PL) Non-interference expressed in terms of dependency –Polymorphism, Binding Time Analysis, Slicing Denotational techniques useful Still lots to be done...

Download ppt "Information Flow, Security and Programming Languages Steve Steve Zdancewic."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
8/11/2006PCC 20061 Toward More Typed Assembly Languages for Confidentiality Dachuan Yu DoCoMo USA Labs.

8/11/2006PCC Toward More Typed Assembly Languages for Confidentiality Dachuan Yu DoCoMo USA Labs.
Substitution & Evaluation Order cos 441 David Walker.

Substitution & Evaluation Order cos 441 David Walker.
ICFP 19991 Principals in Programming Languages: A Syntactic Proof Technique Steve Zdancewic Dan Grossman and Greg Morrisett Cornell University.

ICFP Principals in Programming Languages: A Syntactic Proof Technique Steve Zdancewic Dan Grossman and Greg Morrisett Cornell University.
Security of Multithreaded Programs by Compilation Tamara Rezk INDES Project, INRIA Sophia Antipolis Mediterranee Joint work with Gilles Barthe, Alejandro.

Security of Multithreaded Programs by Compilation Tamara Rezk INDES Project, INRIA Sophia Antipolis Mediterranee Joint work with Gilles Barthe, Alejandro.
PROOF BY CONTRADICTION

PROOF BY CONTRADICTION
SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.

SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.
Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.

Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.
Towards Static Flow-based Declassification for Legacy and Untrusted Programs Bruno P. S. Rocha Sruthi Bandhakavi Jerry den Hartog William H. Winsborough.

Towards Static Flow-based Declassification for Legacy and Untrusted Programs Bruno P. S. Rocha Sruthi Bandhakavi Jerry den Hartog William H. Winsborough.
Non Interference, Open Systems, Information flows quantification Loïc HélouëtINRIA Rennes.

Non Interference, Open Systems, Information flows quantification Loïc HélouëtINRIA Rennes.
1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.

1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.
A URA: A language with authorization and audit Steve Zdancewic University of Pennsylvania HCSS 2008.

A URA: A language with authorization and audit Steve Zdancewic University of Pennsylvania HCSS 2008.
Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.

Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.
Time Bounds for General Function Pointers Robert Dockins and Aquinas Hobor (Princeton University) (NUS) TexPoint fonts used in EMF. Read the TexPoint manual.

Time Bounds for General Function Pointers Robert Dockins and Aquinas Hobor (Princeton University) (NUS) TexPoint fonts used in EMF. Read the TexPoint manual.
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
Fall 20021 Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.

Fall Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.
Programming Language Semantics Denotational Semantics Chapter 5 Based on a lecture by Martin Abadi.

Programming Language Semantics Denotational Semantics Chapter 5 Based on a lecture by Martin Abadi.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
7. Fixed Points. © O. Nierstrasz PS — Fixed Points 7.2 Roadmap  Representing Numbers  Recursion and the Fixed-Point Combinator  The typed lambda calculus.

7. Fixed Points. © O. Nierstrasz PS — Fixed Points 7.2 Roadmap  Representing Numbers  Recursion and the Fixed-Point Combinator  The typed lambda calculus.
Steve Zdancewic ESOP011 Secure Information Flow and CPS Steve Zdancewic Joint work with Andrew Myers Cornell University.

Steve Zdancewic ESOP011 Secure Information Flow and CPS Steve Zdancewic Joint work with Andrew Myers Cornell University.

Similar presentations

Ads by Google