A Derivation Framework for Dependent Security Label Inference Peixuan Li and Danfeng Zhang Pennsylvania State University University Park, PA, 16801 {pzl129, zhang}@cse.psu.edu
Background o Information Flow Analysis o Study: how information propagate through the system o Goal: prevent leakage of sensitive information x y z m temp p 2
Background o Information Flow Analysis Security Specifications Ø Annotate the program with security labels Ø Track and validate flows in program § Explicit Flow 𝑦, 𝑧, 𝑨 : ??? § Implicit Flow Program (secure) 3
Program Annotation o Annotation Burden § Time-consuming and error-prone § Requiring good knowledge of implementation details § Hard to distinguish incorrect label from false-positive 4
Security Label Inference o Goal: to infer the security labels o Lattice Labels [Denning 1976] classified, trusted S o Rehof-Mogensen Algorithm [Rehof et al. 1999] o Implemented in Jif [Myers et al. 2006] classified, untrusted public, trusted P v Expressiveness public, untrusted • Security levels are unknown in static time [Chen et al. 2018; Li and Zhang 2017] • Security levels are not fixed during execution [Murray et al 2016; Lourenço and Caires 2015; Zhang et al. 2015; ] v Precision • Limited to path-insensitive analyses [Li and Zhang 2017; Zhang et al. 2015] 5
Dependent Security Labels o Dependent Label: labels that may depend on concrete program states o Ternary Labels [Li and Zhang 2017] : o Predicate Labels [Murray et al. 2016, Polikarpova et al.2018] : Ø Limited to two-point Lattice o Permission Labels [Chen et al. 2018] : o Dynamic Labels [Myers et al. 2006]: 𝑚 ∶ 𝑀𝑏𝑐𝑓𝑚; 𝑦 ∶ 𝑚 ; o Inference Engines o Liquid Type [Rondon et al. 2008] o SMT Solver o Permission Label Inference [Chen et al. 2018] Ø Exponential 6
Overview o Goal: to efficiently infer the dependent security labels o Ternary label Dependent Security Labels o Predicate as Labels Core Constraint Language o Permission Predicates o Dynamic Labels Inference Engines One-Shot Early-Accept Derivation Framework Early-Reject Hybrid 7 Evaluation
Core Constraint Language Syntax o Security Specifications Any decidable predicates 𝑦, 𝑧, 𝑨 : ??? Program (secure) 8 Encoding details are in the paper…
Overview o Goal: to efficiently infer the dependent security labels o Ternary label Dependent Security Labels o Predicate as Labels Core Constraint Language o Permission Predicates o Dynamic Labels Inference Engines One-Shot Early-Accept Derivation Framework Early-Reject Hybrid 9 Evaluation
Derivation Framework o Insights : deriving constraints into a more manageable format. 2. Derive Ideal constraint format : Constraints (satisfiable) 𝛽 . : S; 𝛽 1 : P ; 𝑒 > 0 : 𝛽 . : 𝑒 > 0 ? S ∶ P 𝛽 1 : P 1. Partition 𝛽 . : P; 𝛽 1 : P ; 𝑒 ≤ 0 : v No overlapping predicates ⟹ Construct a global solution by merging local solutions 10
Derivation Framework o Partitioning o Non-overlapping predicates o Derivations Ø Sound Derivation: ü Solution Preserved § solutions on sound-derivation always work for original constraints. Ø Complete Derivation: § solutions on original constraints always work for complete-derivations. Ø Equivalent Derivation ü Counter-example Preserved 11
Sound Derivation Solution from Sound-Derivations always work for original constraints. o Derivation 1: (sound) : Projected Constraints (satisfiable) v A sound derivation can be generated by: 𝐷 :;<=> = ⋀(𝐷 ;BCDC=EF ) , if ∃ 𝑄 ;BCDC=EF ∧ 𝑄 :;<=> Projected 12
Complete Derivation o Counter-examples on Complete-Derivation always exist for original constraints Derivation 1: (complete) : Inferred Constraints (unsatisfiable) A complete derivation can be generated by: v Inferred 𝐷 K;LMFNON = ⋀(𝐷 ;BCDC=EF ) , if ∀ 𝑄 K;LMFNON ⟹ 𝑄 ;BCDC=EF 13
Equivalent Derivation Equivalent Derivation o Sound / Complete Derivation: Constraints (satisfiable) 𝐷 :;<=> = ⋀(𝐷 ;BCDC=EF ) , if ∃ 𝑄 ;BCDC=EF ∧ 𝑄 :;<=> Projected Refined ⟺ Refined P1 P P2 𝐷 K;LMFNON = ⋀(𝐷 ;BCDC=EF ) , if ∀ 𝑄 K;LMFNON ⟹ 𝑄 ;BCDC=EF Inferred 14
Overview o Goal: to efficiently infer the dependent security labels o Ternary label Dependent Security Labels o Predicate as Labels Core Constraint Language o Permission Predicates o Dynamic Labels Inference Engines One-Shot Early-Accept Derivation Framework Early-Reject Hybrid 15 Evaluation
Inference Algorithms o One-Shot: o Equivalent Derivation o Derived constraint number grows exponentially with the number of predicates Arbitrary Constraints Refined 𝑄 ¬𝑄 R R 𝑄 R → 𝐷 R V → 𝐷 R V → 𝐷 Y V V 𝑄 𝑄 R Y 𝑄 U → 𝐷 U V → 𝐷 U V → 𝐷 Z V V 𝑄 𝑄 𝑄 T → 𝐷 T 𝑄 U Z U V → 𝐷 [ V → 𝐷 T ¬𝑄 V V 𝑄 𝑄 U 𝑄 [ T T V → 𝐷 X V → 𝐷 \ V V 𝑄 𝑄 ¬𝑄 X T \ 16
Inference Algorithms Arbitrary Constraints 𝑄 R → 𝐷 R o Early-Accept: Sound Derivation 𝑄 U → 𝐷 U 𝑄 T → 𝐷 T o Early-Reject: Complete Derivation … 𝑄 ¬𝑄 R R V ^ → 𝐷 R V ^ 𝑄 R 𝑄 U Sat V ] → 𝐷 U V ] 𝑄 U ¬𝑄 U Sat V ^ → 𝐷 U V ^ 𝑄 U Sat 17
Inference Algorithms Arbitrary Constraints 𝑄 R → 𝐷 R o Hybrid 𝑄 U → 𝐷 U 𝑄 T → 𝐷 T … 𝑄 ¬𝑄 R R V ^ → 𝐷 :R V ^ 𝑄 Sat R 𝑄 V ] → 𝐷 :U V ] 𝑄 U U Sat ¬𝑄 V ^ → 𝐷 :U U V ^ 𝑄 UnSat U V ^ → 𝐷 KU V ^ 𝑄 UnSat U 18
Evaluations o Benchmark Ø Verified MIPS Processor § 1719 lines of Verilog Code, 2455 variables totally Ø Mutate the annotations § 1509 variables unlabeled by randomly removing annotated labels § 14 errors are injected by modifying annotations Ø SecVerilog [Zhang et al. 2015] compiler to generate constraints Ø 100 test files: § 82 involves dependent labels 19
Evaluations OneShot EarlyAccept Hybrid v Overall Performance: 30 Hybrid > Early-Accept > One-Shot Time Out 19 Execution Time (in seconds) 3 10 2 v Time-out: 10 1 Hybrid < Early-Accept < One-Shot 10 0 10 -1 v Scalability: 10 -2 Hybrid > Early-Accept > One-Shot 10 -3 10 -4 10 -5 1 10 100 Number of predicates 20
Conclusions o Goal: to efficiently infer the dependent security labels o Ternary label Dependent Security Labels o Predicate as Labels Core Constraint Language o Permission Predicates o Dynamic Labels Inference Engines One-Shot Early-Accept Derivation Framework Early-Reject Hybrid 21 Evaluation
THANKS! Any questions?
Recommend
More recommend
