Certification of Programs for Secure Information Flow Dorothy & Peter Denning Communications of the ACM (CACM) 1977.

1 Certification of Programs for Secure Information Flow Dorothy & Peter Denning Communications of the ACM (CACM) 1977

2 Language-based Security (LBS)
- Many security models are based on abstract formalisms
  - Typically state machines [Bell-LaPadula73, Goguen-Meseguer82,84, Rushby81] or traces [Goldschmidt88, McCullough88]
- Challenge: faithfully relating a formal security specification to a concrete implementation
- Denning & Denning proceed from a new (at the time) starting point: language-based security
  - Define security certification of programs at the language level
  - Compile-time, completely automated process based on the well-known "attribute grammar" compiler concept
- Goal: if program p is certified by the compiler, then it is secure

3 Example

    begin
      i,n : integer security class L;
      flag : boolean security class L;
      f1,f2 : file security class L;
      x,sum : integer security class H;
      f3,f4 : file security class H;
      begin
        i := 1; n := 0; sum := 0;
        …
        if flag then begin
          n := n + 1;
          sum := sum + x;
        end;
        …
      end

- Storage objects are labeled statically with a security level
- Basic idea: certify at compile-time that insecure flows don't occur within the program

4 Information Flow Policy as Lattice
- Diagram: a lattice of security classes, showing for two classes x and y their greatest lower bound x ⊗ y and least upper bound x ⊕ y (Denning's notation)
- "x → y" means that information flow is permitted by policy from object x to object y
- Each storage object "x" has a statically assigned security level (its class)

5 "Information Flows" Attribute
- "x flows to y" means that information flows from x to y; this is the attribute calculated during certification
- Explicit flow: e.g., "y := x" implies that x flows to y
- Implicit flow: "y := 1; if x=0 then y:=0"
  - Assuming x is 0 or 1, x = y after completion, so x flows to y
  - Generally, control structures in the language cause such indirect/implicit flows
- Transitive: x flows to y and y flows to z implies x flows to z
- Defn.: a program statement specifies a flow if its execution could result in that flow
  - N.b., this is weaker than "does result in the flow"

6 Security Requirements
- Security definition (1st shot): program p is secure iff a flow from x to y results from executing p only when x → y
  - Undecidable: is there a flow from x to y in "if f(x) halts then y:=0"?
- Security definition: program p is secure iff a flow from x to y is specified by p only when x → y
  - note that "is specified by" is weaker than "results from executing"
- Living with imprecision: "if x=0 then if x≠0 then y:=z" is disallowed if z → y does not hold

7 Certification Mechanism
- Diagram: parse tree of the statement "c := a * 2 + b" (Stmt → Var := Exp, with Exp built from +, *, a, 2 and b)
- Flows are calculated "upwards" through the tree: the literal 2 has class L, so a * 2 gets class a ⊕ L = a; a * 2 + b gets class a ⊕ b (least upper bound of the operand classes)
- At the assignment the certifier checks whether a ⊕ b → c holds (marked "???" in the diagram)

8 Certification Mechanism (cont'd)
- Statement-list → Statement ; Statement-list: the attribute of "s ; sl" is s ⊗ sl, the greatest lower bound of the classes of the objects assigned in s and in sl
- Statement → if Exp then Statement else Statement: the certifier checks e → s1 ⊗ s2 ("???" in the diagram)
  - if this doesn't hold, then certification fails
- Not shown: control mechanisms, exceptions, IO, etc. (see the paper for details)

9 Example, redux

    begin
      i,n : integer security class L;
      flag : boolean security class L;
      f1,f2 : file security class L;
      x,sum : integer security class H;
      f3,f4 : file security class H;
      begin
        i := 1; n := 0; sum := 0;
        …
        if flag then begin
          n := n + 1;
          sum := sum + x;
        end;
        …
      end

- Theorem: a program is certified only if it is secure (recall that the converse may not hold)
- Use certification across the entire program structure at compile-time; the process is automatic
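As an added worked example (not the paper's or the slides' code), the attribute calculation of slides 7 and 8 over the two-point lattice L → H, applied to the programs on slides 3, 5, 6 and 9: explicit flows are checked at assignments, implicit flows at conditionals, and a statement's class is the glb of the objects it assigns. The tuple AST encoding and function names are my own.

```python
# Added example (not the paper's code): a minimal Denning-style compile-time
# certifier over the two-point lattice L -> H; the tuple AST encoding is my own.
RANK = {"L": 0, "H": 1}   # two security classes; H is the top of the lattice

def can_flow(a, b):       # the policy relation a -> b: class a may flow to class b
    return RANK[a] <= RANK[b]
def lub(a, b):            # least upper bound (class of an expression)
    return a if RANK[a] >= RANK[b] else b
def glb(a, b):            # greatest lower bound (class of a statement)
    return a if RANK[a] <= RANK[b] else b

def expr_class(e, env):
    # Literals are L, variables carry their declared class, and an operator
    # node (op, e1, e2) takes the lub of its operands: the attribute flows upwards.
    if isinstance(e, int):
        return "L"
    if isinstance(e, str):
        return env[e]
    return lub(expr_class(e[1], env), expr_class(e[2], env))

def certify(stmt, env):
    # Returns the statement's class (glb of the classes of all objects it assigns)
    # or raises ValueError when the statement specifies a flow the policy forbids.
    kind = stmt[0]
    if kind == "skip":                       # assigns nothing: identity for glb
        return "H"
    if kind == "assign":                     # ("assign", y, e): explicit flow e -> y
        y, src = stmt[1], expr_class(stmt[2], env)
        if not can_flow(src, env[y]):
            raise ValueError(f"{y} := ... specifies flow {src} -> {env[y]}")
        return env[y]
    if kind == "seq":                        # ("seq", s1, s2, ...): glb of the parts
        cls = "H"
        for s in stmt[1:]:
            cls = glb(cls, certify(s, env))
        return cls
    if kind == "if":                         # ("if", e, s1, s2): implicit flow e -> s1 glb s2
        body = glb(certify(stmt[2], env), certify(stmt[3], env))
        if not can_flow(expr_class(stmt[1], env), body):
            raise ValueError(f"condition specifies implicit flow into a {body} object")
        return body
    raise ValueError(f"unknown statement kind {kind!r}")

def is_certified(stmt, env):
    try:
        certify(stmt, env)
        return True
    except ValueError:
        return False
```

Note that the dead-code program of slide 6 is rejected even though no flow ever happens at run time: the certifier judges what a statement specifies, not what executing it does.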

10 Denning Descendants: Security as Type-checking
- From λsec (Li & Zdancewic, POPL 2005); the judgment symbol is usually written as the turnstile |- (⊢ below):

    Γ ⊢ e1 : int l    Γ ⊢ e2 : int l    (l ∈ {L,H})
    ------------------------------------------------   "Reading up is permitted"
    Γ ⊢ e1 + e2 : int H

    Γ ⊢ e1 : int L    Γ ⊢ e2 : int L
    ---------------------------------   "Low computations considered low"
    Γ ⊢ e1 + e2 : int L

11 Summary
- Compile-time security certification is a big plus
  - check the program once and no run-time checks are necessary
  - assuming a faithful language implementation, of course
  - Dynamic security checks (e.g., access control) are relatively expensive: repeated over and over
- Weaknesses:
  - Most "systems" are not single programs
  - The security definition is, of necessity, an approximation
- Denning and Denning started a new branch within computer security research: language-based security
  - very active area, typically based in type theory
  - see "Language-based Information Flow Security" (2003) by Sabelfeld and Myers for an excellent survey

12 Tips for Presentations
- You have 20 minutes
  - a good rule of thumb is two minutes per slide, i.e., about 10 slides
  - practice at home and see how close you get
- Introduce the problem: "How do you relate the security spec. to the implementation?"
  - Say why it's interesting
- Give an overview of the solution: "compile-time security certification via attributes"
- Nice to refer to others' work: if you cite someone in the audience, they will consider you a pal
- Have small examples illustrating the technique

13 More tips
- Avoid presenting all details
  - Important: your goal is to give the audience a taste of the paper, to motivate them to read it
  - You do not have time to explain all of the results! Even if you did, all of your listeners would be asleep after 20 minutes of it
  - This is why examples are crucial: they convey the essence of the work without overwhelming the audience
- You want to leave the listener with a "bottom line" message
  - "Hmmm, neat, here's how my compiler can help make things secure"
  - Rather than: "Oh God, when will it end…"
