Presentation is loading. Please wait.

Presentation is loading. Please wait.

Towards Static Flow-based Declassification for Legacy and Untrusted Programs Bruno P. S. Rocha Sruthi Bandhakavi Jerry den Hartog William H. Winsborough.

Published bySarahi Norman Modified over 9 years ago

Similar presentations

Presentation on theme: "Towards Static Flow-based Declassification for Legacy and Untrusted Programs Bruno P. S. Rocha Sruthi Bandhakavi Jerry den Hartog William H. Winsborough."— Presentation transcript:

1 Towards Static Flow-based Declassification for Legacy and Untrusted Programs Bruno P. S. Rocha Sruthi Bandhakavi Jerry den Hartog William H. Winsborough Sandro Etalle IEEE Symposium on Security and Privacy 2010 (Oakland’10) 1

2 Introduction Language-based information flow aims to analyze programs with respect to flow of information between channels of different security levels Non-interference is a formal property for specifying valid flows (Goguen & Meseguer 1982) 2

3 Non-interference Program Public Input Private Input Public Output Change in the public input can change the outputChange in the private input should not change the output 3

4 Declassification Non-interference is not enough for most practical applications In many occasions, it is necessary to downgrade the security level of specific data i.e., to declassify that data Classic examples: – Average salary – Password verification – Encryption 4

5 Security-typed languages Common approach (Jif) Variables have security types Compilation-time analysis rejects programs which contain insecure flows Declassification is usually associated with specific points in the code, and done explicitly via some declass command – Declassification policy is code-dependant Problem: implies that programmer is trusted, and understands security labeling of variables 5

6 Example: Jif Static labels + declassification: int{Alice:;Alice←*} b; int{Alice:Bob;Alice←*} y = 0; if (b) { // pc is at level {Alice:;Alice←*} at this point. declassify ({Alice:;Alice←*} to {y}) { // at this point, pc has been declassified to the label of the local // variable y (that is, {Alice:Bob;Alice←*} ) permitting the // assignment to y y = 1;} Dynamic labels: int{*lbl} m{*lbl}(label{*lbl} lbl, principal{*lbl} p, int{Alice:p} i) where {Alice:Bob} <= lbl, Bob actsfor p { // since Bob actsfor p, {Alice:p} <= {Alice:Bob}, // and since {Alice:Bob} <= lbl, the label of the argument I // is <= {*lbl}. Therefore, we can return i+1. return i+1; } 6

7 Non security-typed approaches Dataflow analysis are techniques which do not rely on annotated code – Do not provide declassification – Have issues analyzing control-flow dependencies Taint analysis also works on unannotated code, but suffers from the same problems of dataflow analysis + is often too restrictive 7

8 Our contribution We aim for a static flow-based analysis that provides 3 key points: 1.Analysis of programming code without any security- based annotations (therefore, untrusted code) 2.Support for user-defined declassification policies 3.Having code and policy separated and independent from each other Individual solutions do exist – The true challenge lies in a combined solution A first-step in a new direction for information flow analysis 8

9 The core analysis process 1.Identify I/O operations 2.Extract expressions on inputs 3.Check if expressions are recognized by policy ProgramPolicy α β γ δ expression recognizer Match? 9

10 Policy Representation Sets of expressions are represented by graphs α *1*1 length α 0 * 1 *2*2 *3*3 add 2 ϕ2ϕ2 add 1 ϕ1ϕ1 Nodes labels with input channels, constant values or wildcard characters Certain nodes are marked as final nodes Loop expressions can also be expressed Represents the expression set: {0, (0 + α 1 ), (0 + α 1 + α 2 ), …..} A separated restriction (not discussed here) guarantees that indexes on α are unique 10

11 Code analysis – Step 1: Preprocessing Operators are converted to method calls, nested expressions are converted to a series of assignments to temp variables sum := 0; i := 0; len := length( α ); while (i <= len) do val := α ; sum := sum + val; i := i + 1; avg := sum / len ; γ := avg; sum := 0; i := 0; len := length( α ); c := leq(i,len); while (c) do val := α ; sum := add(sum,val); i := add(i,1); c := leq(i,len); avg := div(sum,len); γ := avg; 11

12 Step 2: Static Single Assignment (SSA) Format sum 1 := 0; i 1 := 0; len 1 := length( α ); c 1 := leq(i 1, len 1 ); while ( c 3 := ϕ c3 (c 1, c 2 ); sum 3 := ϕ c3 (sum 1, sum 2 ); i 3 := ϕ c3 (i 1, i 2 ); c 3 ) do val 1 := α ; sum 2 := add(sum 3, val 1 ); i 2 := add(i 3, 1); c 2 := leq(i 2, len 1 ); avg 1 := div(sum 3, len 1 ); γ := avg 1 ; sum := 0; i := 0; len := length( α ); c := leq(i, len) ; while (c) do val := α ; sum := add(sum, val); i := add(i, 1); c := leq(I,len); avg := div(sum, len) ; γ := avg; Every variable is defined only once & Phi functions are declared to keep track of assignments in branching statements 12

13 Step 3: Program Expression Graph sum 1 := 0; i 1 := 0; len 1 := length( α ); c 1 := leq(i 1, len 1 ); while ( c 3 := ϕ c3 (c 1, c 2 ); sum 3 := ϕ c3 (sum 1, sum 2 ); i 3 := ϕ c3 (i 1, i 2 ); c 3 ) do val 1 := α ; sum 2 := add(sum 3, val 1 ); i 2 := add(i 3, 1); c 2 := leq(i 2, len 1 ); avg 1 := div(sum 3, len 1 ); γ := avg 1 ; Expression graph for γ α len 1 avg 1 val 1 sum 2 sum 3 sum 1 0 c3c3 lengthdiv 2 div 1 add 1 add 2 ϕ2ϕ2 ϕ1ϕ1 ctrl γ 13

14 Step 4: Policy Matching Expression graph for γ (control dep. omitted) α len 1 avg 1 val 1 sum 2 sum 3 sum 1 0 length div 2 div 1 add 1 add 2 ϕ2ϕ2 ϕ1ϕ1 γ Policy graphs α 0 * 1 *2*2 *3*3 add 2 ϕ2ϕ2 add 1 ϕ1ϕ1 α *1*1 length c3c3 ctrl Control dependency needs to be green 14

15 Revisiting the security property Program Private Input Public Output Public Input Declassification policies split the domain into different parts each of which are indistinguishable 15

16 Policy Controlled Release (PCR) Private Input R Revealed Knowledge(R) : Given an environment, π, and a declassification policy, d, R is the set of all environments for which the value of the declassifiable expressions is the same. Observed Knowledge(K) : Given an environment, π, and declassification policy, d, K is the set of all environments which produce the same sequence of visible outputs as π. The observer cannot distinguish between environments in K. Policy Controlled Release Theorem: If the program satisfies PCR, then the knowledge obtained from observing the program (K) is bound by the information released by the declassification policy (R). That is,. 16

17 Did I mention “towards” something? Assumptions that can be relaxed: – We use a simple toy language, that lacks: More control-flow commands such as break, case, etc. (easy) User-defined functions, object orientation (currently working on it) Arrays and pointers (SSA solution for these helps a lot) – Matching mechanism is currently defined mathematically: algorithms are under way – Some operational issues still untreated: Enforcing how many times a given loop runs Algebraic equivalence of expressions denoted by the graphs i.e., add(x,y) = add(y,x) 17

18 Thank you! Questions? 18

19 The core idea Identify input and output operations in the code Track all the possible expressions on inputs that each variable can hold Declassification policies work as expression recognizers, determining which expressions can be declassified On outputs, analysis checks whether every possible expression sent to that channel is safe to be output (i.e., recognized by the policy) 19

Download ppt "Towards Static Flow-based Declassification for Legacy and Untrusted Programs Bruno P. S. Rocha Sruthi Bandhakavi Jerry den Hartog William H. Winsborough."

Similar presentations

Control Structures Ranga Rodrigo. Control Structures in Brief C++ or JavaEiffel if-elseif-elseif-else-end caseinspect for, while, do-whilefrom-until-loop-end.

Control Structures Ranga Rodrigo. Control Structures in Brief C++ or JavaEiffel if-elseif-elseif-else-end caseinspect for, while, do-whilefrom-until-loop-end.
Chapter 6 Type Checking. The compiler should report an error if an operator is applied to an incompatible operand. Type checking can be performed without.

Chapter 6 Type Checking. The compiler should report an error if an operator is applied to an incompatible operand. Type checking can be performed without.
Building Secure Distributed Systems The CIF model : Component Information Flow Lilia Sfaxi DCS Days - 26/03/2009.

Building Secure Distributed Systems The CIF model : Component Information Flow Lilia Sfaxi DCS Days - 26/03/2009.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.

INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Compiler Construction

Compiler Construction
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Information Flow, Security and Programming Languages Steve Steve Zdancewic.

Information Flow, Security and Programming Languages Steve Steve Zdancewic.
CS 536 Spring 20011 Global Optimizations Lecture 23.

CS 536 Spring Global Optimizations Lecture 23.
1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.

1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.
Decentralized Robustness Stephen Chong Andrew C. Myers Cornell University CSFW 19 July 6 th 2006.

Decentralized Robustness Stephen Chong Andrew C. Myers Cornell University CSFW 19 July 6 th 2006.
4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)

4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)
Polyglot: An Extensible Compiler Framework for Java Nathaniel Nystrom, Michael R. Clarkson, and Andrew C. Myers Presentation by Aaron Kimball & Ben Lerner.

Polyglot: An Extensible Compiler Framework for Java Nathaniel Nystrom, Michael R. Clarkson, and Andrew C. Myers Presentation by Aaron Kimball & Ben Lerner.
Robust Declassification Steve Zdancewic Andrew Myers Cornell University.

Robust Declassification Steve Zdancewic Andrew Myers Cornell University.
Software Testing and Quality Assurance

Software Testing and Quality Assurance
Prof. Fateman CS 164 Lecture 221 Global Optimization Lecture 22.

Prof. Fateman CS 164 Lecture 221 Global Optimization Lecture 22.
Arrays Data Structures - structured data are data organized to show the relationship among the individual elements. It usually requires a collecting mechanism.

Arrays Data Structures - structured data are data organized to show the relationship among the individual elements. It usually requires a collecting mechanism.
Prof. Bodik CS 164 Lecture 16, Fall 20041 Global Optimization Lecture 16.

Prof. Bodik CS 164 Lecture 16, Fall Global Optimization Lecture 16.

Similar presentations

Ads by Google