Automatic Implementation of provable cryptography for confidentiality and integrity
Automatic Implementation of provable cryptography for confidentiality and integrity
Presented by Tamara Rezk – INDES project – INRIA
Joint work with: Cédric Fournet – Microsoft Research; Gurvan Le Guernic – INRIA-MSR Joint Centre
FMCrypto Meeting, Campinas, April 30th, 2009

The problem
Confidentiality and integrity properties in distributed systems:
◦ These properties are not always simple to specify
◦ Their enforcement may involve several different protocols
◦ Systems may become complex very fast

Our proposal: LET THE COMPILER DO THE HARD TASK!

Our proposal
A compiler that generates code:
◦ from a simple specification
◦ verifiable under concrete cryptographic hypotheses

The big picture

SECURITY POLICIES AND INFORMATION FLOW SECURITY

Confidentiality and integrity
confidentiality: leak of secret information
integrity: tainted data

A clean specification for security
Data is labeled with confidentiality and integrity levels from a security lattice.
The adversary is modeled as a level (α) in the lattice.
There are typed programming languages that support information flow control (Jif by A. Myers et al., FlowCaml by F. Pottier et al.).
[Figure: the confidentiality lattice (Low = public, High = secret) and the integrity lattice (High = trusted, Low = tainted), with the read and write relations, the secure information flows, and the two downward exceptions: declassification (confidentiality) and endorsement (integrity). The adversary level α is marked in the lattice.]

ADVERSARY HYPOTHESES AND SECURITY PROPERTIES

What can an adversary observe or do?
The adversary is an arbitrary program, but polynomially bounded. [Modern cryptography: Yao, Goldwasser, Micali, Rivest, ...]
An (r,w)-adversary can read variables under r and write variables above w. [Information flow security: Denning, Myers, Liskov, ...]

Confidentiality (as a game):
$C \;=\; b \leftarrow \{0,1\};\ I;\ \text{if } b \text{ then } B \text{ else } B';\ g \leftarrow P[A]$
Here $I$ initializes the state, $B$ and $B'$ are the two alternatives the adversary must tell apart, and $g$ is the guess output by the adversary $A$ running inside the program context $P[A]$. The program is confidential if
$|\Pr[C;\ b = g] - \tfrac{1}{2}|$ is negligible.

Interaction of system and adversary
Source program contexts are of the form: _; P; _; P'; _
Distributed program contexts are of the form: _[P, P']
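The confidentiality game on the preceding slides can be evaluated exactly, rather than asymptotically, when the randomness is small enough to enumerate. The Python below is an added example, not code from the talk or from the compiler it describes. It assumes a toy 8-bit one-time-pad key space (so every coin of the game can be enumerated), two secret initializations B and B' that store different values in h, and three made-up program contexts P: one that copies h into a low variable, one that pads h under a fresh key, and one that reuses the same key for a second, public value. The adversary only ever sees the low variables.

```python
"""Exact evaluation of |Pr[b = g] - 1/2| for toy instances of the confidentiality game."""
from fractions import Fraction
from itertools import product

KEYS = range(256)          # toy key space (assumption): 8-bit one-time-pad keys
LOW = ("l", "c1", "c2")    # the variables the adversary is allowed to read

def B(s):  s["h"] = 17     # one secret initialization (if b = 1)
def Bp(s): s["h"] = 200    # the other secret initialization, B' (if b = 0)

# Three candidate program contexts P[_]; the adversary reads LOW afterwards.
def P_leak(s):        # explicit flow: a secret is assigned to a low variable
    s["l"] = s["h"]
def P_otp(s):         # one-time pad under the shared key k
    s["c1"] = s["h"] ^ s["k"]
def P_key_reuse(s):   # the same pad protects a secret and a public constant (0)
    s["c1"] = s["h"] ^ s["k"]
    s["c2"] = 0 ^ s["k"]

# Adversary strategies: a function from the low view to a guess g in {0, 1}.
def A_leak(view):
    return 1 if view["l"] == 17 else 0
def A_otp(view):
    return 1 if view["c1"] == 17 else 0     # any strategy does equally badly here
def A_key_reuse(view):
    k = view["c2"] ^ 0                       # the pad leaks through the known plaintext
    return 1 if (view["c1"] ^ k) == 17 else 0

def advantage(P, A) -> Fraction:
    """|Pr[b = g] - 1/2| over all coins of the game: the bit b and the key k."""
    wins = 0
    runs = 0
    for b, k in product((0, 1), KEYS):
        s = {"k": k, "l": 0, "c1": 0, "c2": 0}   # I: initial state, low variables at 0
        (B if b else Bp)(s)                       # if b then B else B'
        P(s)                                      # run the program context
        g = A({v: s[v] for v in LOW})             # g <- A(low view)
        wins += (g == b)
        runs += 1
    return abs(Fraction(wins, runs) - Fraction(1, 2))

if __name__ == "__main__":
    for name, P, A in (("leak", P_leak, A_leak),
                       ("otp", P_otp, A_otp),
                       ("key reuse", P_key_reuse, A_key_reuse)):
        print(f"{name:10s} advantage = {advantage(P, A)}")   # 1/2, 0, 1/2
```

The explicit leak and the key reuse give the adversary advantage exactly 1/2 (it always guesses b), while the one-time pad gives exactly 0 because the low view is uniform whichever branch ran. With a real cipher and a full-size key space the enumeration is replaced by the "negligible" bound of the slide, but the shape of the argument is the same.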

A note on integrity
Integrity non-interference (rightfully) excludes implicit flows.
Option 1: consider implicit flows insecure. But all cryptographic checks create "implicit" flows! E.g. we dynamically check whether a signature is correct.
Option 2: accommodate runtime errors. If the program completes, then it guarantees integrity.
Example (sender on the left, receiver on the right; 4 is the value on the wire):
  l := 4; send(l)
  l := receive(); if (l = 4) then { h := 10 } else Q
If the adversary does not change anything: h = 10 (correct behaviour). If the adversary changes the value of l, then Q is executed. The command where Q is skip is considered correct, as it preserves the integrity of h (or leaves h uninitialized).

Integrity (as a game):
$b \leftarrow \{0,1\};\ I;\ \text{if } b \text{ then } B \text{ else } B';\ P[A];\ g \leftarrow T$
If $\Pr[I';\ \text{all variables in } T \text{ are defined}] = 1$, that is, the program always completes and every variable read by the final test $T$ is defined (no runtime integrity check failed), then
$|\Pr[I;\ b = g] - \tfrac{1}{2}|$ is negligible.

THE COMPILER

A security compiler spec
The programmer specifies a high-level security policy (confidentiality and integrity of data, using information flow security).
The compiler implements cryptography and distribution issues (transparent to the programmer).

[Figure: the compiler pipeline. Input: programs with security policy. Compiler passes: typed slicing, control flow protocol, variable replication, crypto protocols. Output: distributed cryptographic implementations.]

Type-based slicing
[Figure: the source code is sliced into Thread 1, Thread 2, Thread 3 and Thread 4.]

Control flow and integrity
[Figure: source code sliced into target threads 1 to 4.]
Source code: the integrity of A, B, C is H, L, H. A correct implementation should enforce the original control flow: A, B, A, C.

Control flow and integrity
[Figure: a first distributed implementation.]
This implementation is not correct! An adversary corrupting B might try to execute thread 2 before thread 1!

Control flow and integrity
[Figure: the revised target threads.]
A better implementation.
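To make the reordering attack on the previous slides concrete, here is an added Python simulation; it is not the compiler's own control-flow protocol and not code from the talk. It assumes the following layout, which the slides leave abstract: the high-integrity threads 1 and 3 (the two A slices) run on trusted host a, thread 4 (C) on trusted host c, and the low-integrity thread 2 (B) on host b, which the adversary controls. Control transfers are messages (pc, tag). In the naive variant a trusted host runs whatever thread it is told to. In the protected variant each trusted host keeps its own program counter and accepts a transfer from a trusted thread only with a MAC under a key K_CF that host b never sees; a transfer that follows the low-integrity thread B needs no MAC, since the source program already expects that step to follow whatever B did, but it must still match the counter. The adversary's injected messages and the replayed start token are constructed for the example.

```python
"""Control-flow protocol for sliced threads: unauthenticated vs MAC-bound transfers."""
import hashlib
import hmac

# Source control flow A, B, A, C sliced into four threads (assumed layout):
# threads 1 and 3 on trusted host a, thread 4 on trusted host c,
# the low-integrity thread 2 (B) on host b, which the adversary controls.
THREADS = {1: ("A", "H"), 2: ("B", "L"), 3: ("A", "H"), 4: ("C", "H")}
HOST_OF = {1: "a", 2: "b", 3: "a", 4: "c"}
SOURCE_ORDER = [1, 2, 3, 4]
TRUSTED = ("a", "c")

K_CF = b"control-flow key shared by hosts a and c"   # never given to host b
RUN_ID = b"run-0001"                                  # public session identifier

def cf_tag(run_id: bytes, pc: int) -> bytes:
    """MAC binding a control transfer to one run and one program point."""
    return hmac.new(K_CF, run_id + pc.to_bytes(2, "big"), hashlib.sha256).digest()

def next_on(host: str, after_pc: int):
    """Next program point of SOURCE_ORDER that this host executes after after_pc."""
    return next((pc for pc in SOURCE_ORDER if pc > after_pc and HOST_OF[pc] == host), None)

def execute(protected: bool, injected, replay_start: bool = False):
    """Deliver messages (pc, tag) in order and return the ids of the threads that ran.

    injected:     messages the adversary places on the wire before the run starts
    replay_start: the adversary also re-delivers the genuine start token once
    """
    start = (1, cf_tag(RUN_ID, 1))
    queue = list(injected) + [start] + ([start] if replay_start else [])
    expected = {h: next_on(h, 0) for h in TRUSTED}   # per-host program counter
    trace = []
    while queue:
        pc, tag = queue.pop(0)
        host = HOST_OF[pc]
        if host == "b":
            # The adversary's host runs B whenever asked, then claims "B is done".
            trace.append(pc)
            queue.append((pc + 1, b""))             # it cannot compute cf_tag without K_CF
            continue
        if protected:
            if pc != expected[host]:
                continue                             # out of order, or a replay: dropped
            pred = THREADS.get(pc - 1)
            if pred is None or pred[1] == "H":
                # Control comes from the start or from a trusted thread: demand the MAC.
                if not hmac.compare_digest(tag, cf_tag(RUN_ID, pc)):
                    continue
            # A low-integrity predecessor (B) needs no MAC: only the counter is checked.
            expected[host] = next_on(host, pc)
        trace.append(pc)
        if pc + 1 in THREADS:
            queue.append((pc + 1, cf_tag(RUN_ID, pc + 1)))
    return trace

# Constructed adversary traffic: "run thread 3 now" and a forged token for thread 4.
ADVERSARY = [(3, b""), (4, b"\x00" * 32)]

def naive_run():
    return execute(False, ADVERSARY, replay_start=True)

def protected_run():
    return execute(True, ADVERSARY, replay_start=True)

if __name__ == "__main__":
    print("naive     :", naive_run())       # starts with thread 3: source order broken
    print("protected :", protected_run())   # [1, 2, 3, 4]
```

The naive host executes thread 3 (and a forged thread 4, and the replayed thread 1) on demand, so the observed order is not A, B, A, C. The protected hosts drop the three bad transfers and run exactly the source order. What the protocol cannot prevent is a corrupt B that never hands control on; that run simply does not complete, which is the case the integrity definition on the earlier slide deliberately leaves out.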

Example code
[Figure: the example source program.]
In a less abstract implementation, a needs to pass x securely to b, b needs to pass y securely to a, ...

Example implementation
The command may be implemented as [figure]. Here, we cannot rely on the same keys for protecting x and y.
◦ Besides, the adversary can "break" integrity using [...]

Protocols implemented by the compiler
The compiler implements protocols for key establishment, with one encryption key per confidentiality level of the variables shared among hosts.
The compiler generates typable code if the original code is typable.

A type system for cryptography
We use static key labels K for separating keys.
We use tags for separating signed values, with a function F from tags t to types τ (F: t → τ).
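Why the slides insist on separate keys for x and y, and on tags that separate signed values, is easiest to see on the two-message exchange from the earlier example slide. The Python below is an added illustration, not the compiler's implementation: it assumes a single HMAC key shared by hosts a and b (the design the slide warns against), the variable names x and y, and constructed tags "x@a->b" and "y@b->a" standing in for the t of F: t → τ. An adversary on the network reflects a's own authenticated message back to a in place of b's reply; with one key and no tag the MAC verifies and a stores a value b never sent, while the tagged MAC rejects it.

```python
"""Tag separation for signed values: a reflection attack on a single shared MAC key."""
import hashlib
import hmac

K_SHARED = b"one MAC key shared by hosts a and b"   # the naive design: one key for everything

def _tagged(tag: str, value: bytes) -> bytes:
    """Unambiguous encoding of (tag, value): length-prefixed tag, then the value."""
    t = tag.encode()
    return len(t).to_bytes(2, "big") + t + value

def sign(tag: str, value: bytes, use_tags: bool) -> tuple:
    """Return (value, mac). With use_tags the MAC also covers the tag naming the
    variable and flow the value belongs to, so a signature for x cannot pass as y."""
    body = _tagged(tag, value) if use_tags else value
    return value, hmac.new(K_SHARED, body, hashlib.sha256).digest()

def verify(tag: str, msg: tuple, use_tags: bool):
    """Return the value if the MAC checks under this tag, else None: the runtime
    failure that, in the integrity model above, leaves the receiving variable undefined."""
    value, mac = msg
    body = _tagged(tag, value) if use_tags else value
    good = hmac.compare_digest(mac, hmac.new(K_SHARED, body, hashlib.sha256).digest())
    return value if good else None

X = b"x: value a sends to b"   # constructed sample values
Y = b"y: value b sends to a"

def reflection_attack(use_tags: bool):
    """a sends x to b and expects y back; the adversary drops b's reply and
    delivers a's own message to a instead. Returns what a ends up storing in y."""
    a_to_b = sign("x@a->b", X, use_tags)
    _b_to_a = sign("y@b->a", Y, use_tags)   # the genuine reply, dropped on the wire
    delivered_to_a = a_to_b                  # the reflected message
    return verify("y@b->a", delivered_to_a, use_tags)

def honest_exchange(use_tags: bool):
    """No adversary: b's reply reaches a and must verify in both schemes."""
    return verify("y@b->a", sign("y@b->a", Y, use_tags), use_tags)

if __name__ == "__main__":
    print("untagged, reflected:", reflection_attack(False))   # X is accepted as y
    print("tagged,   reflected:", reflection_attack(True))    # None: rejected
    print("tagged,   honest   :", honest_exchange(True))      # Y
```

Distinct keys per direction would stop this particular reflection too; tags do it with one key and also keep two different signed variables travelling the same way from being swapped. The one-encryption-key-per-confidentiality-level rule on the previous slide is the matching separation for secrecy: a host entitled only to low-level data must never hold the key under which high-level variables are encrypted.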

RESULTS

Theorems
1. For typable source programs, compiled programs are typable.
2. Typable distributed programs with secure control flow, without declassification and endorsement, and built on secure cryptographic schemes, are secure.
3. Compiled programs do not have more attacks than source programs.
4. Absence of adversary: the compiler preserves the semantics.

Conclusions
This work is about simple programming language abstractions for security of distributed programs and their robust crypto implementation.
Connections between high-level security goals and the usage of crypto protocols.
Ongoing work:
Improve the compiler (and its underpinning type system)
Experimental evaluation
Cryptographic back-end for the Jif/Split compiler?
Mechanized proofs?