Hybrid Monitoring of Attacker Knowledge - Frédéric Besson, Nataliia Bielova, Thomas Jensen (INRIA) - IEEE Computer Security Foundations 2016, June 29, 2016 - PowerPoint PPT Presentation

Topics: information flow control, quantitative information flow, noninterference, attacker's knowledge.


SLIDE 1

Hybrid Monitoring of Attacker Knowledge

Frédéric Besson, Nataliia Bielova, Thomas Jensen (INRIA)

IEEE Computer Security Foundations 2016, June 29, 2016

SLIDE 2

Information flow control

  • Noninterference: secret input does not flow into public output.
  • Attacker's knowledge: what information about the secret has flown to the output in a concrete program execution?
  • Quantitative information flow: how much information (in bits) about the secret does a program leak to the output?
SLIDE 4

A program which is not secure

if h1 = 1 then x = 1 else skip; if h2 = 1 then l = 1 else l = x; output l

(Figure: executions grouped by their public initial values. The set of secure executions starting with [l=1, x=1]: every execution outputs 1. The set of insecure executions starting with [l=1, x=0]: the execution with h1=0, h2=0 outputs 0, the other executions output 1.)

SLIDE 5

Security Definition

  • TINI: Termination-Insensitive Noninterference
    - Program P is TINI if for all low-equivalence classes: (figure: two sets of secure executions, one starting with [l = 0] and one starting with [l = 1]; within each class every execution produces the same output, here 1.)

SLIDES 6-8

What does an attacker learn?

if h1 = 1 then x = 1 else skip; if h2 = 1 then l = 1 else l = x; output l

(Figure: the insecure executions starting with [l=1, x=0], with outputs 0 and 1.)

  • Execution with h1=0, h2=0 (output 0): the attacker knows the values of both secrets.
  • Execution with h1=1, h2=1 (output 1): the attacker knows some information about the secrets.

SLIDES 9-10

A program which is secure

l = 0; if h = 1 then skip else x = 5; while x > 0 do x = x-1; l = x; output l

(Figure: secure executions starting with [l = 0], for h = 1 and for h = 0; both output 0.)

  • Does any dynamic/hybrid monitor accept all executions of this program?
  • Dynamic monitor [h=0]: the else-branch is taken; the execution is blocked due to a low assignment in a high context.
  • Hybrid monitor [h=1]: the then-branch is taken and the static analysis runs on the other branch; the execution is blocked since l could be modified in the else-branch.
  • Dynamic monitors block too early
    - [Zdancewic '02, Austin and Flanagan '10]
  • Hybrid monitors block due to imprecision of the static analysis
    - [Le Guernic '07, Russo and Sabelfeld '10, Besson et al. '13]

SLIDE 11

Challenges

  • How to track the attacker's knowledge?
  • How to make a monitor accept more secure executions?

Answer: hybrid monitoring of the attacker's knowledge.

SLIDE 12

Hybrid monitor (dynamic + static analysis)

  • The dynamic analysis monitors one execution.
  • The static analysis is called on-the-fly for non-executed branches.
  • Two sets of rules: one for the dynamic analysis and one for the static analysis.

SLIDE 13

Hybrid monitor

  • ρ, ρ' : Env ∪ {·}
  • κ, κ' : Var → K

K: labeling with knowledge
Env: used for the dynamic analysis
·: used for the static analysis

Judgement of the monitor: (P, ρ, κ) ⇓ (ρ', κ')

SLIDE 14

Expressive knowledge domain

κ : Var → K

  • κ(x) splits the initial environments into equivalence classes w.r.t. the possible values of x.

(Figure: κ(x) over the insecure executions starting with [l = 0]: one class is labeled with the value 1, another with ⊤ (unknown value).)

SLIDE 15

Expressive knowledge domain

K ≜ Env → Value ∪ {⊤, ⊥}
κ : Var → K

  • κ(x)(ρ) = v: if the program terminates, then x has value v.
  • κ(x)(ρ) = ⊤: no information (x can have any value).
  • κ(x)(ρ) = ⊥: the program certainly does not terminate on ρ.
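The "real knowledge" of slides 6-8 (which initial environments are still possible after seeing one output) and the termination-insensitive reading of slide 15 (a diverging run, ⊥, reveals nothing) can be computed by brute force for the toy programs of this talk. The following Python is an added example, not code from the authors or the paper; the function names (prog_insecure, prog_secure, attacker_knowledge, is_tini) are my own, and secrets are assumed to range over {0, 1}.

```python
from itertools import product

# Slide programs encoded as Python functions over an initial environment.
# Each returns the public output l, or None when the program would not
# terminate (the ⊥ case of the knowledge domain; neither program here diverges).
def prog_insecure(env):
    """if h1 = 1 then x = 1 else skip; if h2 = 1 then l = 1 else l = x; output l"""
    h1, h2, x, l = env["h1"], env["h2"], env["x"], env["l"]
    if h1 == 1:
        x = 1
    l = 1 if h2 == 1 else x
    return l

def prog_secure(env):
    """l = 0; if h = 1 then skip else x = 5; while x > 0 do x = x-1; l = x; output l"""
    h, x = env["h"], env["x"]
    if h != 1:
        x = 5
    while x > 0:
        x = x - 1
    return x  # l = x

def low_equivalence_class(low_env, secrets, domain=(0, 1)):
    """All initial environments agreeing with low_env on the public variables,
    with every secret variable ranging over `domain`."""
    return [dict(low_env, **dict(zip(secrets, vals)))
            for vals in product(domain, repeat=len(secrets))]

def attacker_knowledge(prog, low_env, secrets, observed):
    """Real knowledge after observing `observed`: the secret assignments of the
    low-equivalence class that could have produced that output.  A diverging
    run (None) never matches an observed output, so it is excluded."""
    return {tuple(e[s] for s in secrets)
            for e in low_equivalence_class(low_env, secrets)
            if prog(e) == observed}

def is_tini(prog, low_env, secrets):
    """TINI on one low-equivalence class: all terminating runs give one output."""
    outs = {prog(e) for e in low_equivalence_class(low_env, secrets)} - {None}
    return len(outs) <= 1

if __name__ == "__main__":
    cls = ("h1", "h2")
    # Constructed public starting states from slides 4-8.
    print("insecure class [l=1, x=0], output 0:", attacker_knowledge(prog_insecure, {"x": 0, "l": 1}, cls, 0))
    print("insecure class [l=1, x=0], output 1:", attacker_knowledge(prog_insecure, {"x": 0, "l": 1}, cls, 1))
    print("TINI on [l=1, x=1]:", is_tini(prog_insecure, {"x": 1, "l": 1}, cls))
    print("TINI of slide-9 program on [l=0, x=0]:", is_tini(prog_secure, {"x": 0, "l": 0}, ("h",)))
```

Output 0 pins both secrets to a single assignment, output 1 leaves three candidates, and the slide-9 program yields the whole class (no knowledge), matching the slides' annotations.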

SLIDES 16-30

Worked example: real knowledge vs. approximated knowledge

if h1 = 1 then x = 1 else skip; if h2 = 1 then l = 1 else l = x; output l

(Figure: the monitored execution starts in [h1 = 0, h2 = 1] with public part [l = 0, x = 0]; the possible outputs of the class are 0 and 1. The slides build the labels κ(x) and κ(l) step by step and compare them with the REAL KNOWLEDGE.)

  • κ(x): the result of the static analysis of the non-executed branch only applies to environments where h1 = 1; in those environments x is known to be 1.
  • κ(l): the result of the static analysis of the non-executed branch only applies to environments where h2 = 0; the new knowledge in these environments comes from the knowledge of x.
  • κ(l): the knowledge of the current execution (l = 1) applies to environments where h2 = 1.
  • In this example: REAL KNOWLEDGE = APPROXIMATED KNOWLEDGE.

SLIDE 31

Implementation

  • Symbolic representation of knowledge:

K ⊂ D(E×G) × E    (the components are program expressions and propositional formulas)

  • (f, e) ∈ E×G returns the value of e when f holds in ρ:
    - if ⟦f⟧ρ then ⟦e⟧ρ else ⊤
  • ɸ ∈ E specifies when the knowledge is ⊥:
    - if ⟦ɸ⟧ρ then ⊥

SLIDE 32

Result 1: Correctness guarantee

  • The hybrid monitor over-approximates the attacker's knowledge.

(Figure: insecure executions starting with [public = 0], outputs 0 and 1. REAL KNOWLEDGE is labeled h1=1, h2=1; APPROXIMATED KNOWLEDGE is labeled h1=1.)

SLIDE 33

Result 2: Precision

if h1 = 1 then x = 1 else skip; if h2 = 1 then l = 1 else l = x; output l

(Figure: insecure executions starting with [l = 0, x = 0], outputs 0 and 1. For the execution starting in [h1 = 0, h2 = 1, l = 0, x = 0], REAL KNOWLEDGE and APPROXIMATED KNOWLEDGE carry the same labels, h1 = 1 and h2 = 1.)

SLIDE 34

Result 3: Enforcement of noninterference

if h = 1 then l = x + y; else l = x - y; output l

(Figure: secure executions starting with [x = 1, y = 0], all with output 1. For the execution starting in [h = 1, x = 1, y = 0]: REAL KNOWLEDGE: no knowledge; APPROXIMATED KNOWLEDGE: no knowledge; the execution is ACCEPTED.)

SLIDE 35

Result 4: Provably more permissive monitor

l = 0; if h = 1 then skip else x = 5; while x > 0 do x = x-1; l = x; output l

(Figure: secure executions starting with [l = 0], for h = 1 and h = 0, all with output 0.)

  • Our monitor combined with an inlined dynamic monitor accepts all executions of this secure program.

(More details in the paper)

SLIDE 36

Conclusions

  • The hybrid monitor tracks the attacker's knowledge
    - more precise than [Besson et al. CSF'13]
    - modeled and proved correct
    - enforces noninterference (TINI)
    - has a running prototype
  • Combination with another monitor
    - proved sound (TINI)
    - proved more permissive than previous monitors

SLIDE 37

Postdoc position

  • Information flow control
  • Security monitors and type systems
  • Soundness and permissiveness
  • Starting date: flexible, Nov 2016 – Jun 2017
  • Duration: 1 year
  • Location: INRIA Sophia Antipolis (Nice, France)
