An information-flow calculus for the non-security expert Alejandro - - PowerPoint PPT Presentation

SLIDE 1

An information-flow calculus for the non-security expert

Alejandro Russo (russo@chalmers.se) Visiting Associate Professor, Stanford, CA, U.S.A. Chalmers, Göteborg, Sweden Work-in-progress with Pablo Buiras (Chalmers), Deian Stefan (Stanford), and David Mazières (Stanford)

SLIDE 2

Information-flow Scenario

Preserve confidentiality even in the presence of malicious code

SLIDE 3

Motivation

SLIDE 4

Security measures

  • Access control

– State-of-the-art

SLIDE 5

Security lattice

  • It specifies the allowed flows of information

secret public

SLIDE 6

Example of Rules

[Li, Zdancewic 10] Arrows for Secure Information Flow

SLIDE 7

Information-flow Scenario

SLIDE 8

Towards a Monadic Calculus

Reader Monad

  • The attacker might observe the system's data

Writer Monad

  • The attacker writes input to the system

Information-flow control is almost just about controlling reading and writing side-effects

SLIDE 9

Towards a Monadic Calculus

Security State (floating label)

Restricted interface for the State monad!

SLIDE 10

A Floating Label System

[Stefan et al. 11] Taint Guard

SLIDE 11

Example of Rules

[Li, Zdancewic 10] Arrows for Secure Information Flow

Guard

SLIDE 12

Example of Rules

[Hedin, Sabelfeld 12] Information-Flow Security for a Core of JavaScript

Taint

SLIDE 13

Designing IFC Systems

Read effect / Write effect of the plain IORef interface:

  newIORef
  readIORef
  writeIORef
  modifyIORef

Security checks attached to the labeled interface:

                 Read effect   Write effect
  newLIORef                    Guard
  readLIORef     Taint
  writeLIORef                  Guard
  modifyLIORef   Taint         Guard

SLIDE 14

The IFC Monad

[Swierstra 08]

data ReadEffect l a where
  Taint :: l -> a -> ReadEffect l a

data WriteEffect l a where
  Guard :: l -> a -> WriteEffect l a

Free (ReadEffect l) a
Free (WriteEffect l) a

IFC l a = Free (WriteEffect l :+: ReadEffect l) a

Types reflect the behavior w.r.t. taint and guard!

SLIDE 15

Label Creep

[Stefan et al. 11][Breeze 13]

  • The floating label gets too high too soon!

SLIDE 16

Label Creep

[Stefan et al. 11][Breeze 13]

  • The floating label gets too high too soon!

Fresh environment

SLIDE 17

A specific Local (Reader Monad)

local :: forall l. Label l => IFC l () -> IFC l ()
local m = do
  (s :: l) <- IFC.ask
  m
  IFC.put s
  return ()

data Env l a where
  Ask :: (l -> a) -> Env l a
  Put :: l -> Env l a

Extended

IFC l a = Free (WriteEffect l :+: ReadEffect l :+: Env l) a
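Added example (my own code, not from the slides or the ifc-wg2.8 repository): the IFC monad of slides 14 and 17 built as a free monad over the Taint, Guard and Env effects, with a floating-label interpreter over an assumed two-point lattice, where `runIFC creep Public` fails at the Public guard because the label has crept to Secret while `runIFC scoped Public` succeeds because `local` restores it. Put carries a continuation here, and the names beyond the slides' (`L`, `runIFC`, `creep`, `scoped`) are assumptions.

```haskell
{-# LANGUAGE GADTs, TypeOperators #-}
-- Added example, not code from the slides: the IFC calculus as a free monad
-- over Taint/Guard/Env effects, plus a floating-label interpreter.
infixr 5 :+:
data L = Public | Secret deriving (Eq, Ord, Show)  -- assumed lattice: Public <= Secret
data Free f a = Pure a | Impure (f (Free f a))     -- free monad ([Swierstra 08])
instance Functor f => Functor (Free f) where
  fmap g (Pure a)   = Pure (g a)
  fmap g (Impure x) = Impure (fmap (fmap g) x)
instance Functor f => Applicative (Free f) where
  pure = Pure
  Pure g   <*> x = fmap g x
  Impure h <*> x = Impure (fmap (<*> x) h)
instance Functor f => Monad (Free f) where
  Pure a   >>= k = k a
  Impure x >>= k = Impure (fmap (>>= k) x)
data (f :+: g) a = Inl (f a) | Inr (g a)           -- coproduct of signatures
instance (Functor f, Functor g) => Functor (f :+: g) where
  fmap h (Inl x) = Inl (fmap h x)
  fmap h (Inr y) = Inr (fmap h y)
-- The three effects from the slides (Put carries a continuation here).
data ReadEffect l a  where Taint :: l -> a -> ReadEffect l a
data WriteEffect l a where Guard :: l -> a -> WriteEffect l a
data Env l a where { Ask :: (l -> a) -> Env l a; Put :: l -> a -> Env l a }
instance Functor (ReadEffect l)  where fmap g (Taint l a) = Taint l (g a)
instance Functor (WriteEffect l) where fmap g (Guard l a) = Guard l (g a)
instance Functor (Env l) where { fmap g (Ask k) = Ask (g . k); fmap g (Put l a) = Put l (g a) }
type IFC l a = Free (ReadEffect l :+: WriteEffect l :+: Env l) a
-- Smart constructors: a read taints, a write is guarded, Ask/Put scope the label.
taint, guard, put :: l -> IFC l ()
taint l = Impure (Inl (Taint l (Pure ())))
guard l = Impure (Inr (Inl (Guard l (Pure ()))))
put l   = Impure (Inr (Inr (Put l (Pure ()))))
ask :: IFC l l
ask = Impure (Inr (Inr (Ask Pure)))
local :: IFC l () -> IFC l ()   -- the slide's local: run m, then restore the label
local m = do { s <- ask; m; put s }
-- Floating-label semantics: Taint raises the current label, Guard checks that it
-- can flow to the target (a failed guard aborts the run), Put resets it.
runIFC :: IFC L a -> L -> Either String (a, L)
runIFC (Pure a) pc = Right (a, pc)
runIFC (Impure (Inl (Taint l k))) pc = runIFC k (max pc l)
runIFC (Impure (Inr (Inl (Guard l k)))) pc
  | pc <= l   = runIFC k pc
  | otherwise = Left ("guard: " ++ show pc ++ " cannot flow to " ++ show l)
runIFC (Impure (Inr (Inr (Ask k)))) pc  = runIFC (k pc) pc
runIFC (Impure (Inr (Inr (Put l k)))) _ = runIFC k l
-- Label creep: the Secret taint makes the Public write fail; scoping it with local does not.
creep, scoped :: IFC L ()
creep  = taint Secret >> guard Public
scoped = local (taint Secret) >> guard Public
```

Load the file in ghci and evaluate `runIFC creep Public` and `runIFC scoped Public` to compare the two runs.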

SLIDE 18

Is it General Enough?

IFC LIO

LB-Monitors

SLIDE 19

Final Remarks

  • IFC = controlling reading and writing side-effects + a notion of scope (local)

type IFC l a = Free (ReadEffect l :+: WriteEffect l :+: Env l) a

  • A non-security expert can have a good impression of the security checks (taint/guard)

  • Floating label systems seem to be more convenient than traditional LB-monitors

SLIDE 20

Interested in Details?

https://github.com/alejandrorusso/ifc-wg2.8.git