Language-based Security: Information Flow Control
Transcript of Language-based Security: Information Flow Control
![Page 1: Language-based Security: Information Flow Control](https://reader035.fdocuments.in/reader035/viewer/2022062521/5681693f550346895de0be20/html5/thumbnails/1.jpg)
Language-based Security: Information Flow Control
18739A: Foundations of Security and Privacy
Anupam Datta, Fall 2009
Lecture Outline
- Information Flow Control (IFC)
- Security definition: Non-interference [Goguen-Meseguer82]
- Language-based enforcement: Type system [Volpano-Smith-Irvine96], based on prior work [Denning-Denning77]
IFC in Tax Preparation Software
Definition of Security: Non-interference (idea)
[Figure: a Program box takes high input HI and low input LI and produces high output HO and low output LO; a second run with a different high input HI' produces a different high output HO']
No information flows from high inputs to low outputs.
Security levels: H: Classified, L: Unclassified
Example: if x = 1 then y:=1 else y:=0

| x | y | NI |
|---|---|----|
| L | L | Yes |
| H | H | Yes |
| L | H | Yes |
| H | L | No |
Specification and Enforcement
Approach:
- Use a typed programming language
- Types represent security levels H, L, ...
- Sub-typing captures the partial order among security levels (L below H)
- Type system captures allowed information flows
- Soundness theorem: well-typed programs satisfy non-interference
Language Definition: Syntax, Type System, Operational Semantics
Soundness Theorem: Well-typed programs satisfy non-interference
Syntax (I)
Syntax (II)
We will focus on the special case where the type is either H or L, with L below H in the ordering (L ⊑ H).
Type System (I): Typing judgment
Type System (II)
Type System (III)
Example: if x = 1 then y:=1 else y:=0

| x | y | NI |
|---|---|----|
| L | L | Yes |
| H | H | Yes |
| L | H | Yes |
| H | L | No |

Will justify rows 1 & 2
Example with types
Key rules used are (ASSIGN) and (IF)
Type System (IV)
Example: if x = 1 then y:=1 else y:=0

| x | y | NI |
|---|---|----|
| L | L | Yes |
| H | H | Yes |
| L | H | Yes |
| H | L | No |

Will justify rows 3 & 4
Example with types: Suppose x: L var and y: H var
1. Use (ASSIGN), (CMD-), (SUBTYPE) to infer (y:=1): L cmd and (y:=0): L cmd
2. Now use the (IF) rule
x: H var and y: L var is not well-typed, as expected
Operational Semantics (I)
A memory is a function from locations to values; applying the memory to a location l gives the contents of l.
Judgments:
1. Evaluating expression e in a memory yields a value n
2. Evaluating command c in a memory yields an updated memory
A program executes by evaluating expressions and commands.
Operational Semantics (II)
Operational Semantics (III)
Soundness Theorem
Recall Non-interference
[Figure: a Program box takes high input HI and low input LI and produces high output HO and low output LO; a second run with a different high input HI' produces a different high output HO']
No information flows from high inputs to low outputs.
Security levels: H: Classified, L: Unclassified
Practical Languages for IFC
- Jif [Liskov-Myers et al.]: Java + information flow, http://www.cs.cornell.edu/jif/
- Flow Caml [Pottier-Simonet]: Extends the OCaml language with a type system for tracing information flow, http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.11.2104
Web Security: A Domain for IFC
Brendan Eich, Chief Technology Officer, Mozilla Corp. "Improving JavaScript's Default Security Model with Information Flow", CSF 2009 invited talk
Thanks
Questions?
Formal definition
- System is a deterministic finite state machine: it takes an input and transitions to the next state, producing an output
- Trace tr is a sequence of inputs and outputs (high & low)
- Output_L(S, tr, c): low output of system S when input c is applied to the state corresponding to trace tr
- purge_HI(tr): returns a trace with all high inputs in tr removed
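Those four ingredients combine into the Goguen-Meseguer non-interference condition; the slide lists only the ingredients, so the condition is written out here as an added illustration, using the slide's own symbols. It requires that deleting every high input from the history never changes what a low observer sees:

$$\forall\, tr,\ c:\qquad \mathrm{Output}_L(S,\, tr,\, c) \;=\; \mathrm{Output}_L\big(S,\ \mathrm{purge}_{HI}(tr),\ c\big)$$

For the lecture's example with x: H and y: L, two traces that differ only in the high input to x give different low outputs y, so the equality fails; with x: L and y: H the low output is x, which purging high inputs leaves unchanged.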
Programming Language Definition
- Syntax and Static Semantics (or "well-formed programs"): syntax of types and terms; type system
- Semantics (or "meaning of programs"): operational or dynamic semantics (defines how programs execute)
- Type Safety: well-typed programs do not get stuck, i.e., they either terminate or keep reducing following the operational semantics
Language Definition Examples: Syntax, Semantics (Static, Dynamic)
- ML: R. Milner, M. Tofte, R. Harper, and D. MacQueen, The Definition of Standard ML (Revised). MIT Press, 1997
- Java: J. Alves-Foss (Ed.), Formal Syntax and Semantics of Java. LNCS 1523, 1999