A Derivation Framework for Dependent Security Label Inference - - PowerPoint PPT Presentation
A Derivation Framework for Dependent Security Label Inference Peixuan Li and Danfeng Zhang Pennsylvania State University University Park, PA, 16801 {pzl129, zhang}@cse.psu.edu Background o Information Flow Analysis o Study: how information
Peixuan Li and Danfeng Zhang
Pennsylvania State University
University Park, PA, 16801 {pzl129, zhang}@cse.psu.edu
2
x y z p m
temp
Ø Annotate the program with security labels Ø Track and validate flows in program § Explicit Flow § Implicit Flow
3
Program (secure) Security Specifications
𝑦, 𝑧, 𝑨 : ???
§ Time-consuming and error-prone § Requiring good knowledge of implementation details § Hard to distinguish incorrect label from false-positive
4
5
S P
classified, untrusted public, trusted classified, trusted public, untrusted
v Expressiveness
v Precision
6
𝑚 ∶ 𝑀𝑏𝑐𝑓𝑚; 𝑦 ∶ 𝑚 ; Ø Limited to two-point Lattice Ø Exponential
Inference Engines
7
Dependent Security Labels
Core Constraint Language Derivation Framework One-Shot Early-Accept Early-Reject Hybrid
Evaluation
Program (secure)
8
𝑦, 𝑧, 𝑨 : ???
Security Specifications
Any decidable predicates
Encoding details are in the paper…
Inference Engines
9
Dependent Security Labels
Core Constraint Language Derivation Framework One-Shot Early-Accept Early-Reject Hybrid
Evaluation
10
Constraints (satisfiable)
Ideal constraint format: 𝛽.: S; 𝛽1: P;
𝑒 > 0 : 𝑒 ≤ 0 :
𝛽.: P; 𝛽1: P; 𝛽.: 𝑒 > 0 ? S ∶ P 𝛽1: P
v No overlapping predicates ⟹ Construct a global solution by merging local solutions
Ø Sound Derivation: § solutions on sound-derivation always work for original constraints. Ø Complete Derivation: § solutions on original constraints always work for complete-derivations. Ø Equivalent Derivation
11
ü Solution Preserved ü Counter-example Preserved
12
Constraints (satisfiable)
Derivation 1: (sound):
Projected 𝐷:;<=> = ⋀(𝐷;BCDC=EF ), if ∃ 𝑄
;BCDC=EF ∧ 𝑄 :;<=>
v A sound derivation can be generated by:
Projected
13
Derivation 1: (complete):
Constraints (unsatisfiable) 𝐷K;LMFNON = ⋀(𝐷;BCDC=EF ), if ∀ 𝑄
K;LMFNON ⟹ 𝑄 ;BCDC=EF
v A complete derivation can be generated by: Inferred Inferred
14
Constraints (satisfiable)
Sound / Complete Derivation:
Refined
𝐷:;<=> = ⋀(𝐷;BCDC=EF ), if ∃ 𝑄
;BCDC=EF ∧ 𝑄 :;<=>
Projected 𝐷K;LMFNON = ⋀(𝐷;BCDC=EF ), if ∀ 𝑄
K;LMFNON ⟹ 𝑄 ;BCDC=EF
Inferred
P1 P2 P
Refined
Inference Engines
15
Dependent Security Labels
Core Constraint Language Derivation Framework One-Shot Early-Accept Early-Reject Hybrid
Evaluation
16
𝑄
R
¬𝑄
R
𝑄
T
¬𝑄
T
𝑄
U
¬𝑄
U
𝑄
R V → 𝐷R V
𝑄
U V → 𝐷U V
𝑄
T V → 𝐷T V
𝑄
X V → 𝐷X V
𝑄
Y V → 𝐷Y V
𝑄
Z V → 𝐷Z V
𝑄
[ V → 𝐷[ V
𝑄
\ V → 𝐷\ V
Arbitrary Constraints 𝑄
R → 𝐷R
𝑄
T → 𝐷T
𝑄
U → 𝐷U
Refined
17
𝑄
R
¬𝑄
R
𝑄
U
¬𝑄
U
𝑄
U V] → 𝐷U V]
𝑄
R V^ → 𝐷R V^
𝑄
U V^ → 𝐷U V^
Sat Sat Sat Arbitrary Constraints 𝑄
R → 𝐷R
𝑄
T → 𝐷T
𝑄
U → 𝐷U
…
18
𝑄
R
¬𝑄
R
𝑄
U
¬𝑄
U
𝑄
U V] → 𝐷:U V]
𝑄
R V^ → 𝐷:R V^
𝑄
U V^ → 𝐷:U V^
𝑄
U V^ → 𝐷KU V^
Arbitrary Constraints 𝑄
R → 𝐷R
𝑄
T → 𝐷T
𝑄
U → 𝐷U
… Sat Sat UnSat UnSat
Ø Verified MIPS Processor § 1719 lines of Verilog Code, 2455 variables totally Ø Mutate the annotations § 1509 variables unlabeled by randomly removing annotated labels § 14 errors are injected by modifying annotations Ø SecVerilog [Zhang et al. 2015] compiler to generate constraints Ø 100 test files: § 82 involves dependent labels
19
20
10-5 10-4 10-3 10-2 10-1 100 101 102 1 10 100
30 19 3
Time Out Execution Time (in seconds)
OneShot EarlyAccept Hybrid
v Overall Performance: Hybrid > Early-Accept > One-Shot v Scalability: Hybrid > Early-Accept > One-Shot v Time-out: Hybrid < Early-Accept < One-Shot
Number of predicates
Inference Engines
21
Dependent Security Labels
Core Constraint Language Derivation Framework One-Shot Early-Accept Early-Reject Hybrid
Evaluation