language-based information- flow...
TRANSCRIPT
![Page 1: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/1.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Language-Based Information-Flow Security
Andrei Sabelfeld Andrew C. Myers
Presented by Shiyi Wei
![Page 2: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/2.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Literature review Information flow security
• Static program analysis to enforce information-flow • Confidentiality
Year: 2003 Jif (Java information flow) project Active since 1997 More than 34 publications
• System, language, security – SOSP, POPL, CCS, Oakland
Other work based on Jif
2
About the paper
![Page 3: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/3.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Introduction Background Covert channels Mandatory access control
Basics of language-based information flow Research trends Open challenges
3
Overview
![Page 4: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/4.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Protect data confidentiality End-to-end security Enforcement of confidentiality policies
• Information cannot flow to where policy is violated
Challenges • Concurrency • Covert channels
Applications • Military, medical, financial information systems • Web-based services: mail, shopping, social network
4
Introduction
![Page 5: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/5.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Standard security mechanisms Discretionary access control
• Access files/objects based on privilege – Prevent processes not authorized by file owner from reading
• Place restrictions on the release of information, but not its propagation
– Does not control how the data is used after reading from file • To soundly enforce confidentiality
– Grant access privilege only to processes that will not leak confidential data
» A much stronger information-flow policy! » Access control cannot identify these processes
5
Introduction
![Page 6: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/6.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Standard security mechanisms Encryption
• Secure an information channel – Only the communicating endpoints have access
• However, no assurance that once the data is decrypted
Antivirus software • Offers limited protection against new attacks
Firewall • Protects confidentiality by preventing communication • Checking confidentiality violation lies outside its scope
6
Introduction
![Page 7: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/7.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Language-based approach security-typed language
• Use of type systems for information flow – Augmented with annotations
• Specify policies on the use of the typed data • Compile-time type checking
– Add little or no run-time overhead
• E.g. Jif[1], SLam calculus[2], …
7
Introduction
References [1] A.C.Myers and B. Liskov, “A decentralized model for information flow control,” in Proc. ACM Symp. on Operating System Principles, Oct. 1997, pp. 129-142 [2] N. Heintze and J. G. Riecke, “The Slam calculus: programming with secrecy and integrity,” in Proc. ACM Symp. on Principles of Programming Languages, Jan. 1998, pp. 365-377
![Page 8: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/8.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Integrity: a dual to confidentiality “Confidentiality requires that information be
prevented from flowing to inappropriate destinations” “Integrity requires that information be prevented
from flowing from inappropriate sources”
8
Introduction
![Page 9: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/9.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Implicit flows Signal information through the control structure
of a grogram Termination channels The termination/nontermination of a computation
Timing channels Signal information through the time at which an
action occurs rather than through the data • E.g. total execution time of a program
9
Background: Covert Channels
while secret=1 do skip
![Page 10: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/10.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Probabilistic channels Signal information by changing the probability
distribution of observable data
Resource exhaustion channels Signal information by the possible exhaustion of a
finite, shared resource
Power channels Signal information in the power consumed by the
computer
10
Background: Covert Channels
![Page 11: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/11.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Mandatory access control Label each data with a security level
• Run-time enforcement mechanism
Problem: implicit flow • Process sensitivity label
Label creep • Monotonically increase label • Too restrictive
11
Background: Mandatory Access control
h := h mod 2; l := 0; if h = 1 then l :=1 else skip
h := h mod 2;
l := 0;
if h = 1
l := 1 skip
![Page 12: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/12.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Noninterference policy “a variation of confidential(high) input does not
cause a variation of public(low) output” The attacker cannot observe any difference
between two executions that differ only in their confidential input
Security-type system A collection of typing rules Let’s build one!
12
Basics of Language-Based Information Flow
![Page 13: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/13.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science 13
Basics of Language-Based Information Flow
Language syntax: C ::= skip | var := exp | C1;C2 | if exp then C1 else C2 | while exp do C
![Page 14: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/14.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science 14
Basics of Language-Based Information Flow
Language syntax: C ::= skip | var := exp | C1;C2 | if exp then C1 else C2 | while exp do C
(1) :=
(2) :=
(3) :=
(4) :=
![Page 15: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/15.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science 15
Basics of Language-Based Information Flow
C ::= skip | var := exp | C1;C2 | if exp then C1 else C2 | while exp do C
(1) if then else
(2) if then else
(3) if then else
(4) if then else
(5) if then else
(6) if then else
(7) if then else
(8) if then else
![Page 16: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/16.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science 16
Basics of Language-Based Information Flow
Language syntax: C ::= skip | var := exp | C1;C2 | if exp then C1 else C2 | while exp do C
![Page 17: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/17.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science 17
Research Trends
static certification noninterference
sound security analysis
expressiveness concurrency covert channels
security policies
![Page 18: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/18.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science 18
Language Expressiveness
static certification noninterference
sound security analysis
expressiveness concurrency covert
channels security policies
procedures
functions
exceptions
objects
![Page 19: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/19.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Procedures Polymorphism[3]
• The type of commands or expressions may be generic
Functions Slam calculus[4]
• A functional language
19
Language Expressiveness
References [3] D. Volpano and G. Simth, “A type-based approach to program security,” in Proc. TAPSOFT’ 97. Apr. 1997, vol. 1214 of LNCS, pp. 607-621 [4] N. Heintze and J. G. Riecke, “The Slam calculus: programming with secrecy and integrity,” in Proc. ACM Symp. on Principles of Programming Languages, Jan. 1998, pp. 365-377
![Page 20: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/20.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Exceptions Nonlocal transfer of control; implicit flow Path labels[5]
• Fine-grained tracking of implicit flows caused by exceptions
Objects Java-like imperative object-oriented language[6] JFlow[5]
20
Language Expressiveness
References [5] A. C. Myers, “JFlow: Practical mostly-static information flow control,” in Proc. ACM Symp. on Principles of Programming Languages, Jan. 19999, pp. 228-241 [6] A. Banerjee and D. A. Naumann, “Secure information flow and pointer confinement in a Java-like language,” in Proc. IEEE Computer security Foundations Workshop, June 2002, pp. 253-267
![Page 21: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/21.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science 21
Concurrency
static certification noninterference
sound security analysis
expressiveness concurrency
covert channels
security policies
non-determinism
threads
distribution
![Page 22: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/22.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Nondeterminism Possibilistic security condition[7]
• High inputs may not affect set of possible low inputs
Dependence analysis between variables[8]
22
Concurrency
References [7] J. McLean, “A general theory of composition for a class of “possibilistic” security properties,” IEEE Transactions on Software Engineering, vol. 22, no. 1, pp. 53-67, Jan. 1996 [8] J. –P. Banatre, C. Bryce, and D. Le Metayer, “An approach to information security in distributed systems,” in Proc. European Symp. on Research in Computer Security. 1994, vol. 875 of LNCS, pp. 55-73, Springer-Verlag.
![Page 23: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/23.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Thread concurrency High part has to be protected at all times
Noninterference for a multithreaded language[9] • No while loop may have a high guard • No high conditional may contain a while loop in branch
Encode of a timing leak into a direct leak
23
Concurrency
(thread1) h := 0; l := h; (thread2) h := h’
(if h = 1 then Clong else skip); l :=1 || l := 0
References [9] G. Simth and D. Volpano, “Secure information flow in a multi-threaded imperative language,” in Proc. ACM Symp. on POPL, Jan. 1998, pp. 355-364
![Page 24: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/24.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Distribution The ability to exchange messages
• These communications may be observed by attackers
Mutual distrust Components can fail
• Attempt to compromise the behavior of others
Secure program partitioning[10] • Sequential, security-typed program -> fine-grained
communicating subgrams
24
Concurrency
References [10] S. Zdancewic, L. Zheng, N. Nystrom, and A.C. Myers, “Untrusted hosts and confidentiality: Secure program partitioning,” in Proc. ACM Symp. on Operating System Principles, Oct. 2001, pp. 1-14
![Page 25: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/25.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
25
Covert Channels
static certification noninterference
sound security analysis
expressiveness concurrency covert channels
security policies
termination
timing
probability
![Page 26: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/26.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Termination channels Termination-sensitive noninterference[11]
• Disallows high loops and requires high conditionals have no loops in the branches
Binding-time analysis[12] • Divides program terms into
– Static: known at partial-evaluation time – Dynamic: to be supplied later
• No static term depends on a dynamic variable
26
Covert Channels
while h = 1 do skip
References [11] D. Vlpano and G. Smith, “Eliminating covert flows with minimum typings,” Proc. IEEE Computer Security Foundations Workshop, pp. 156-168, June 1997 [12] M. Abadi, A. Banerjee, N. Heintze, and J. Riecke, “A core calculus of dependency,” in Proc. ACM Symp. on Principles of Programming Languages, Jan. 1999, pp. 147-160
![Page 27: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/27.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Timing channels Timing-sensitive noninterference[13]
• High conditionals have no loops in the branches and wrapping each high conditional in a protect statement whose execution is atomic
Program transformation[14] • Cross-copy of the slices of the branches of a high if to
equalize the execution time of the branches
27
Covert Channels
if h = 1 then Clong else skip
References [13] D. Volpano and G. Smith, “Probabilistic noninterference in a concurrent language,” J. Computer Security, vol. 7, no. 2-3, pp. 231-253, Nov. 1999 [14] J. Agat, “Transforming out timing leaks,” in Proc. ACM Symp. on Principles of Programming Languages, Jan. 2000, pp. 200-214
![Page 28: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/28.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Probabilistic channels Probabilistic noninterference
• Two behaviors are indistinguishable by the attacker iff the distribution of low output is the same
Example • []p: probabilistic choice operator
– Selects the left-hand side command with the probability p – Selects the right-hand side with the probability 1-p
• Varying PIN does not change set of possible outcomes – Secure for possibilistic condition
28
Covert Channels
l := PIN []9/10 l := rand(9999)
![Page 29: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/29.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science 29
Security Policies
static certification noninterference
sound security analysis
expressiveness concurrency covert channels
security policies
declassification
admissibility
relative security
quantitative security
![Page 30: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/30.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Noninterference rejects downgrading Decentralized model[1] Selective declassification
Admissibility[15] Explicitly states what dependencies between data
are allowed in the program
Quantitative security[16] Allow for a limited bandwidth of information leaks
30
Security Policies
References [15] M. Dam and P. Giambiagi, “Confidentiality for mobile code: The case of a simple payment protocol,” in Proc. IEEE Computer Security Foundations Workshop, July 2000 [16] D. Clark, S. Hunt, and P. Malacaria, “Quantitative analysis of the leakage of confidential data,” in QAPL 2011.
![Page 31: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/31.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
System-Wide Security Computer systems are only as secure as their
weakest point Integration of language-based information flow
and system-wide information-flow control
Certifying Compilation Secure information flow of low-level languages
• Useful information about program structure is lost
31
Open Challenges
![Page 32: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/32.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Abstraction-violating attacks The model of the attacker is an abstraction
• Removes possibly important details about real attacker E.g. cache attack
• When h = 1, execution time is likely to be shorter
Dynamic Policies Information-flow policies are not known statically E.g. Jif compiler
• Type label 32
Open Challenges
(if h =1 then h’ := h1 else h’ := h2); h’ := h1
![Page 33: Language-Based Information- Flow Securitycourses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Language... · Language-Based Information-Flow Security Andrei Sabelfeld Andrew C](https://reader031.vdocument.in/reader031/viewer/2022022711/5bfe5aad09d3f2641b8b599c/html5/thumbnails/33.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Practical issues Improve the precision of type systems
• Do not reject too many secure programs
Experience is needed
Variations of static analysis for security Control- and data-flow analysis
• More accurate than many type systems
E.g.
33
Open Challenges
(if h = 1 then l := 1 else l:= 0); l := 0