Page 1
Security of Multithreaded Programs by Compilation
Tamara Rezk, INDES Project, INRIA Sophia Antipolis Mediterranee
Joint work with Gilles Barthe, Alejandro Russo, Andrei Sabelfeld
Torino, April 21st
Matyss COLOR Project
Page 2
In this talk:
• Security of mobile code (proof carrying code)
• Verification of confidentiality in low level languages
• Connection between different type systems
• A modular approach to verification of multithreaded code and its connection to low level multithreaded code
Page 4–9
Proof Carrying Code scenarios (diagram)
Mobile code example: Java applets
PRODUCER SIDE: source program -> compiler -> iflow type inference (difficult!) -> compiled program sent over the NETWORK
CONSUMER SIDE: received program -> iflow type checking (easy) -> accepted or rejected
Only the type checker on the consumer side is in the TCB.
security guarantees?
Page 10
Motivation of this work
• Insecure flows in mobile code can be prevented by program analysis, but
• information flow for multithreaded low-level code has not been addressed so far
Page 11
Contribution of this work
We propose a framework to enforce security for multithreaded low-level programs and extend it to security-type preserving compilation.
Page 13–17
Verification of iflow for low level code
High-level code:
• Typing rules are syntax directed
• Memory model includes a store
• Typability: given by the typing rule of sequential composition
Low-level code:
• Code is unstructured. Typing rules are not based on the structure of the syntax
• Memory model includes a store and an operand stack
• Typability: composition is given by the successor relation between program points
Page 18
Verification of iflow for low level code
• Tracking information flow via control flow in high-level languages is syntax-directed: control dependence regions are given by the control structure.
if (y==0) then x:=3; else x:=1;
The control dependence region of the test y==0 includes the program points x:=3; and x:=1; (both depend on the expression y==0).
Page 19–22
High-level typing rule for the conditional (premises above the line, conclusion below):
e:k   c:k1   c':k2   k ≤ k1   k ≤ k2
-------------------------------------
|- if e then c else c' : k
Source: if (y==0) then x:=3; else x:=1;
Compiled low-level code (program points 1–8):
1 load y
2 ifeq 6
3 push 3
4 store x
5 goto 8
6 push 1
7 store x
8 …
region(2): the control dependence region of the branch at point 2, covering points 3–7 (both branches, up to the junction at 8).
Low-level typing rule for the branch, where se is the security environment mapping program points to levels:
Instr[pc] = ifeq j   ∀i ∈ region(pc). k ≤ se(i)
-------------------------------------
se, pc |- k :: st => st
The slide annotates the points of region(2) with the levels taken from the high-level derivation (its se annotation for points 3–7 reads k1 k1 k k2 k2).
Page 23
Observation: low level verification is more general (the high-level vs. low-level comparison under "Verification of iflow for low level code" is repeated on this slide).
Page 25–27
How to connect two different type systems
The differences listed under "Verification of iflow for low level code" (syntax-directed rules vs. unstructured code, store vs. store plus operand stack, sequential composition vs. successor relation) are bridged as follows:
• We annotate high level code with labels and keep these labels through compilation.
• The compiler generates low level control dependence regions from the high-level control dependence regions.
• We compile the types of expressions in the high-level typing derivation trees into stack types.
• Typability does not require further work.
Page 29
A modular approach: from sequential to multithreaded code verification…
• Barthe, Naumann, and Rezk (S&P 06) noticed that the low-level type system generalizes high-level type systems, and that the two can be connected by compilers specific to information flow
• Russo and Sabelfeld (CSF 06) observed that verification of multithreaded code for a while language with a "fork" feature for thread creation can be done with a non-interference property not based on bisimulations
Page 30–31
Feature of our framework / Approach of multithreaded verification
The security guarantee is not more restrictive than the one for sequential programs.
Example of an internal timing leak:
if hi {sleep(100)}; lo:=1 || sleep(50); lo:=0
The scheduler treats the first thread as "hidden" from the second thread!!
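Added example, not from the talk: a discrete-time simulation of the two threads above under a round-robin scheduler that gives every runnable thread one step per tick. The step encoding and the `run` and `leaked_bit` functions are assumptions of the example; it shows that the final value of the public variable lo equals the secret hi, which is the internal timing leak the slide describes.

```python
from typing import Dict, List, Tuple

# Constructed model of the slide's program: each thread is a list of steps.
# ("sleep", n) blocks the thread for n ticks; ("assign", var, value) writes
# shared memory; ("if", var, body) runs body only when var is non-zero.
THREAD_A = [("if", "hi", [("sleep", 100)]), ("assign", "lo", 1)]
THREAD_B = [("sleep", 50), ("assign", "lo", 0)]

def run(hi: int) -> Tuple[Dict[str, int], List[str]]:
    """Round-robin scheduler: every runnable thread takes one step per tick.
    Returns the final memory and a trace of the assignments."""
    mem = {"hi": hi, "lo": -1}           # -1 marks 'not yet written'
    threads = [list(THREAD_A), list(THREAD_B)]
    wake = [0, 0]                        # tick at which each thread may run again
    trace: List[str] = []
    t = 0
    while any(threads):
        for tid, steps in enumerate(threads):
            if not steps or wake[tid] > t:
                continue
            step = steps.pop(0)
            if step[0] == "if":
                if mem[step[1]]:
                    steps[0:0] = step[2]  # enter the branch guarded by the secret
            elif step[0] == "sleep":
                wake[tid] = t + step[1]
            else:
                mem[step[1]] = step[2]
                trace.append(f"t={t}: thread {tid} {step[1]}:={step[2]}")
        t += 1
    return mem, trace

def leaked_bit() -> bool:
    """True when the public variable lo ends up equal to the secret hi."""
    return all(run(h)[0]["lo"] == h for h in (0, 1))
```

The trace shows why: with hi set, thread 0 writes lo last (after its sleep), otherwise it writes first, so the order of the two writes to lo, and hence lo's final value, depends on hi even though neither assignment mentions it.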
Page 32
Modularity is the consequence of the approach
• The framework modularly extends sequential semantics (language independence from the sequential part)
• Modular extension of sequential type systems
• Security type preserving compilation is also a modular extension of the sequential counterpart
Page 33
A program consists of:
• A set of program points (including entry, exit)
• An instruction map from program points to Ins, where Ins = SeqIns ∪ {start pc}
Page 34
Concurrent Semantics
• A state s consists of a mapping from threads to local states, plus a global state
• A configuration includes an execution history h
Page 35
Hypothesis on the scheduler
Page 36–37
Extended concurrent type system
Page 38
In the paper:
• We prove soundness, assuming soundness of the sequential type system
• We show how this result directly extends to type-preserving compilation schemes
• We instantiate the framework on a case study: a Java-like language compiled to a multithreaded JVM
Page 39–41
Type-preserving compilation
Page 42
Conclusion
• We have proposed a framework for controlling information flow in multithreaded code
• Thanks to modularity and language-independence, results for sequential languages can be reused.