Presentation is loading. Please wait.

Presentation is loading. Please wait.

Language-Based Information-Flow Security Richard Mancusi CSCI 297.

Published byRosemary Fitzgerald Modified over 8 years ago

Similar presentations

Presentation on theme: "Language-Based Information-Flow Security Richard Mancusi CSCI 297."— Presentation transcript:

1 Language-Based Information-Flow Security Richard Mancusi CSCI 297

2 References Andrei Sabelfeld, Andrew C. Myers. Language-Based Information-Flow Security. IEEE Journal on Selected Areas in Communication, special issue on Formal Methods for Security, 21(1), January 2003, pages 5-19

3 Information-Flow “Access control checks place restrictions on the release of information but not its propagation.” “Information controlled by a confidentiality policy cannot flow to a location where that policy is violated.” “…practical methods for controlling information flow have eluded researchers for some time.”

4 Symptoms of the Problem SAIC Break-in Stresses Intertwined Nature of Physical and IT Security “A break-in at a government contractor's offices has opened 45,000 former and current employees and stockholders up to identity theft.” SecurityInfoWatch.com, Feb 22, 2005 U.P.S. Loses A Shipment Of Citigroup Client Data “…box of computer tapes containing information on 3.9 million customers was lost on May 2 by United Parcel Service…” The New York Times, June 7, 2005 Security Breach Could Expose 40M To Fraud, “…the security breach involves a computer virus that captured customer data…” The Washington Post, June 18, 2005

5 Standard Security Methods Computer systems have relied upon weak ad-hoc security mechanisms – Access control (i.e., file protections, ACL’s) – Firewalls – Antivirus software “Access does not control how the data is used after it is read from the file”

6 Terminology Confinement “…the ability to prevent capabilities (and hence authority) from being transmitted improperly.” Noninterference A clear separation of confidential data from public data.

7 Terminology Covert Channels Signal mechanisms which are not intended to transfer information about a computing system – Implicit flows – Termination channels – Power channels – Timing channels

8 Implicit Flows Implicit flows result from the control structures of the program Problematic for security levels “Confidentiality can be obtained by by ensuring that the process sensitivity label remains high throughout the rest of the program.” H := H mod 2; L := 0; if ( H == 1 ) L := 1

9 Semantics-Based Security For a given semantic model, noninterference is formalized as follows: C is secure iff Which reads: “If two input states share the same low values, then the behaviors of the program executed on these states are indistinguishable by the attacker.

10 In Other Words… Indicates the absence of any dependency between the program values which operate within a higher security context and the program values which have a lower security context.

11 Security-Type System Mathematically, a language—typing rules– can be defined which encapsulates the security context of a program. With a security-type system in place, static checks can be performed upon programs to identify any security issues.

12 For Example:

13 Research Trends Expanding the expressiveness underlying the language. Exploring security-related concurrency issues Analyzing convert channels Refining security policies

14 Language-based Information Flow Research

15 Language Expressiveness Policies which use language constructs such as procedures and functions can guaranteed to noninterference within the parameters of specific security type systems. Polymorphic concepts can be extended to a type system. This means that generic constructs can be created which depend upon the security context. Proveable.

16 Language Expressiveness Exceptions under normal circumstances can result in nonlocal transfer of control, creating implicit flows. Restrictive type systems are possible which limit the security concerns. [Volpano and Smith] Systems have been created demonstrating Java objects can enforce noninterference.

17 Concurrency The higher security portions of the program must be protected at all times. (simple) Example: h := 0; l := h; With concurrency, values must be protected at all times. enter_critical(); h := 0; l := h; exit_critical()

18 Concurrency Thread security is tied to timing issues and probability. Example: (if h = 1 then C else skip); l := 1 || l := 0 Variations of security levels must be protected during context swaps (difficult)

19 Covert Channels Timing attacks against SSL encryption Encryption attacks are possible because the timing of failure with different values can lead an attacker to understand the true value of a key. Prevent attacks by equalizing the time for successful and failed decryption.

20 Security Policies Systems which allow downgrading of secure channels are subject to exploitation. Example: Password-checking programs – The security is only as good as the algorithm which guards the passwords. Concept of approximate noninterferance.

21 Challenges System-wide security - The integration of language flow and system-wide Information Flow control. Certifying Compilation – Move security checking into Java arena, to perform static analysis on the byte code prior to execution.

22 Challenges Dynamic Policies – Not realistic to assume information-flow policies are available at compile time. – Runtime policies create an additional channel which needs protection. Restrictions placed in languages to deal with the problems may become too restrictive for extensive use.

23 Conclusions End-to-end security is not capable with existing practices. Static analysis of type systems are possible. Something needs to be done with Jif compilers which support languages that are not “security-expressive” enough. There is a lot of ongoing research to be concluded.

Download ppt "Language-Based Information-Flow Security Richard Mancusi CSCI 297."

Similar presentations

Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
Challenges for Information-flow Security* Steve Zdancewic University of Pennsylvania * This talk is an attempt to be provocative and controversial.

Challenges for Information-flow Security* Steve Zdancewic University of Pennsylvania * This talk is an attempt to be provocative and controversial.
SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.

SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.
BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.

BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Monday, 08 June 2015Dr. Mohamed Osman1 What is Database Administration A high level function (technical Function) that is responsible for ► physical DB.

Monday, 08 June 2015Dr. Mohamed Osman1 What is Database Administration A high level function (technical Function) that is responsible for ► physical DB.
Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.

Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.
Information Flow, Security and Programming Languages Steve Steve Zdancewic.

Information Flow, Security and Programming Languages Steve Steve Zdancewic.
Steve Zdancewic ESOP011 Secure Information Flow and CPS Steve Zdancewic Joint work with Andrew Myers Cornell University.

Steve Zdancewic ESOP011 Secure Information Flow and CPS Steve Zdancewic Joint work with Andrew Myers Cornell University.
1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.

1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.
6/18/2015 4:21 AM Information Flow James Hook CS 591: Introduction to Computer Security.

6/18/2015 4:21 AM Information Flow James Hook CS 591: Introduction to Computer Security.
Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure.

Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure.
Decentralized Robustness Stephen Chong Andrew C. Myers Cornell University CSFW 19 July 6 th 2006.

Decentralized Robustness Stephen Chong Andrew C. Myers Cornell University CSFW 19 July 6 th 2006.
6/20/2015 11:09 PM Information Flow James Hook CS 591: Introduction to Computer Security.

6/20/ :09 PM Information Flow James Hook CS 591: Introduction to Computer Security.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
Robust Declassification Steve Zdancewic Andrew Myers Cornell University.

Robust Declassification Steve Zdancewic Andrew Myers Cornell University.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
CS 711 Fall 2002 Programming Languages Seminar Andrew Myers 2. Noninterference 4 Sept 2002.

CS 711 Fall 2002 Programming Languages Seminar Andrew Myers 2. Noninterference 4 Sept 2002.

Similar presentations

Ads by Google