Gradual Information Flow Typing Tim Disney Cormac Flanagan - - PowerPoint PPT Presentation

Gradual Information Flow Typing

Tim Disney Cormac Flanagan University of California Santa Cruz January 29th, 2011 - STOP 2011

Combining gradual typing with information flow

Information Flow Gradual Typing

+ = More secure software

Perfect world Security designed upfront

Perfect world Security designed upfront Broken world Security bolted on after the fact vs.

Requirements Design Implementation Verification Maintenance

Finding security requirements upfront is often not economically feasible

Perfect world Broken world

Perfect world Broken world

Do not want

Perfect world Broken world

Do not want Does not exist

Real world Security evolves with program Perfect world Broken world

Do not want Does not exist

Confidentiality: keeping sensitive data private & Integrity: protect against untrusted data

Information Flow

Confidentiality: keeping sensitive data private & Integrity: protect against untrusted data

Information Flow

For this talk we focus on confidentiality

Labels L (public) H (private)

Information Flow

Labels L (public) H (private) Labeled Values 42L 58,000H “hello”L

Information Flow

Dynamically typed program Statically typed program

Siek and Taha (2006), Findler and Felleisen (2002), Wadler and Findler (2009), Ahmed et al. (2011), etc.

Gradual Typing

Dynamically typed program Statically typed program

Siek and Taha (2006), Findler and Felleisen (2002), Wadler and Findler (2009), Ahmed et al. (2011), etc.

Gradual Typing

Dynamically typed modules Statically typed modules Program

Casts

Mixed static/dynamic

fail with blame

Dynamically typed program Statically typed program

Siek and Taha (2006), Findler and Felleisen (2002), Wadler and Findler (2009), Ahmed et al. (2011), etc.

Gradual Typing

Dynamically typed modules Statically typed modules Program

Casts

Mixed static/dynamic

fail with blame

Static security types No security checks Dynamic security checks

Gradual Security

Static security types No security checks Dynamic security checks Dynamic security modules Static security modules Program

Casts

Mixed static/ dynamic security

fail with blame

Gradual Security

Static security types No security checks Dynamic security checks Dynamic security modules Static security modules Program

Casts

Mixed static/ dynamic security

fail with blame

Gradual Security

rev 0

Static security types No security checks Dynamic security checks Dynamic security modules Static security modules Program

Casts

Mixed static/ dynamic security

fail with blame

Gradual Security

rev 0 rev 1

Static security types No security checks Dynamic security checks Dynamic security modules Static security modules Program

Casts

Mixed static/ dynamic security

fail with blame

Gradual Security

rev 0 rev 1 rev 2

Static security types No security checks Dynamic security checks Dynamic security modules Static security modules Program

Casts

Mixed static/ dynamic security

fail with blame

Gradual Security

rev 0 rev 1 rev 2 rev 3

A language for gradual information flow

The language

Types (a, b): Labeled Types (A, B):

Int, Bool, A → B

Values (r): Labeled Values (v): 42H, (λx:A. t)L

IntL, BoolL, (A → B)H

The language

Private types: potentially private

IntH = {0L, 0H, 1L, 1H, . . .}

The language

Private types: potentially private

IntH = {0L, 0H, 1L, 1H, . . .}

Public types: definitely public

IntL = {0L, 1L, 2L, . . .}

The language

Private types: potentially private

IntH = {0L, 0H, 1L, 1H, . . .}

Public types: definitely public

IntL = {0L, 1L, 2L, . . .}

Subtypes

The language

Default labels are permissive

The language

Default labels are permissive

42 = 42L

The language

Default labels are permissive

Int = IntH

42 = 42L

The language

Default labels are permissive

Int = IntH

42 = 42L

The language

Default labels are permissive

Int = IntH

42 = 42L

Casting checks runtime labels

Syntax similar to “Blame For All” by Ahmed et al.

t: A ⇒p B

Casting checks runtime labels

42L : IntH ⇒p IntL

42L

Syntax similar to “Blame For All” by Ahmed et al.

t: A ⇒p B

Casting checks runtime labels

42L : IntH ⇒p IntL

42L

Syntax similar to “Blame For All” by Ahmed et al.

t: A ⇒p B

42H : IntH ⇒p IntL

blame p

Higher-order casting: cast at fault

wrap fn

(fn): (IntL → IntH) ⇒p (IntL → IntL)

Higher-order casting: cast at fault

wrap fn

(fn): (IntL → IntH) ⇒p (IntL → IntL)

43L

fn = λx:IntL. x + 1L

(wrap fn) 42L

Higher-order casting: cast at fault

wrap fn

(fn): (IntL → IntH) ⇒p (IntL → IntL)

blame p

(wrap fn) 42L cast blamed

fn = λx:IntL. x + 1H

43L

fn = λx:IntL. x + 1L

(wrap fn) 42L

Higher-order casting: context at fault

wrap fn

(fn): (IntL → IntL) ⇒p (IntH → IntL)

Higher-order casting: context at fault

wrap fn

(wrap fn) 42L

24L

(fn): (IntL → IntL) ⇒p (IntH → IntL)

Higher-order casting: context at fault

wrap fn

(wrap fn) 42L

24L

(wrap fn) 42H

blame p

context blamed (fn): (IntL → IntL) ⇒p (IntH → IntL)

(58000L : IntL V IntH)

58000H

Labeling adds runtime labels

V

(58000L : IntL V IntH)

58000H

Labeling adds runtime labels

V

disk read : (IntL → IntL) V (IntL → IntH)

wrap fn

Evolution Example

Rev 0 (no security)

let intToString : Int → Str = . . .

Rev 0 (no security)

let intToString : Int → Str = . . . let age : Int = 42

Rev 0 (no security)

let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000 // confidential!

Rev 0 (no security)

let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000 let print : Str → Unit = λs:Str. . . .

// confidential!

Rev 0 (no security)

let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000 let print : Str → Unit = λs:Str. . . . print(intToString(salary))

// confidential!

Prints “58000”

Rev 0 (no security)

let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000 let print : Str → Unit = λs:Str. . . . print(intToString(salary))

// confidential!

Prints “58000”

Rev 0 (no security)

let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000 let print : Str → Unit = λs:Str. . . . print(intToString(salary))

// confidential!

Add dynamic enforcement

Rev 1 (dynamic enforcement)

let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: IntL V IntH let print : Str → Unit = λs:Str. . . . print(intToString(salary))

Rev 1 (dynamic enforcement)

let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: IntL V IntH let print : Str → Unit = λs:Str. . . . print(intToString(salary))

Still prints “58000”H

Rev 1 (dynamic enforcement)

let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: IntL V IntH let print : Str → Unit = λs:Str. . . . print(intToString(salary))

Still prints “58000”H

Rev 1 (dynamic enforcement)

let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: IntL V IntH let print : Str → Unit = λs:Str. . . . print(intToString(salary))

Rev 1 (dynamic enforcement)

let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: IntL V IntH let print : Str → Unit = λs:Str. . . . let s = (s: StrH ⇒p StrL) in . . . print(intToString(salary))

Rev 1 (dynamic enforcement)

let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: IntL V IntH let print : Str → Unit = λs:Str. . . . let s = (s: StrH ⇒p StrL) in . . . print(intToString(salary))

Fails and blames p since StrH can’t be cast to StrL

Rev 1 (dynamic enforcement)

let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: IntL V IntH let print : Str → Unit = λs:Str. . . . let s = (s: StrH ⇒p StrL) in . . . print(intToString(salary))

Fails and blames p since StrH can’t be cast to StrL

Rev 1 (dynamic enforcement)

let intToString : Int → Str = . . . let age : Int = 42 let salary : Int = 58000: IntL V IntH let print : Str → Unit = λs:Str. . . . let s = (s: StrH ⇒p StrL) in . . . print(intToString(salary))

Add static enforcement

Rev 2 (static enforcement)

let intToString : IntH → StrH = . . . let age : IntL = 42 let salary : IntH = 58000: IntL V IntH let print : StrL → UnitL = λs:StrL. . . . print(intToString(salary))

intToString causes compile error

Rev 2 (static enforcement)

let intToString : IntH → StrH = . . . let age : IntL = 42 let salary : IntH = 58000: IntL V IntH let print : StrL → UnitL = λs:StrL. . . . print(intToString(salary))

intToString causes compile error

Rev 2 (static enforcement)

let intToString : IntH → StrH = . . . let age : IntL = 42 let salary : IntH = 58000: IntL V IntH let print : StrL → UnitL = λs:StrL. . . . print(intToString(salary))

Rev 2 (static enforcement)

let intToString : IntH → StrH = . . . let age : IntL = 42 let salary : IntH = 58000: IntL V IntH let print : StrL → UnitL = λs:StrL. . . . let intToStringL : IntL → IntL = intToString: (IntH → IntH) ⇒p (IntL → IntL) print(intToStringL(salary))

Rev 2 (static enforcement)

let intToString : IntH → StrH = . . . let age : IntL = 42 let salary : IntH = 58000: IntL V IntH let print : StrL → UnitL = λs:StrL. . . . let intToStringL : IntL → IntL = intToString: (IntH → IntH) ⇒p (IntL → IntL) print(intToStringL(salary))

salary causes compile error

Rev 2 (static enforcement)

let intToString : IntH → StrH = . . . let age : IntL = 42 let salary : IntH = 58000: IntL V IntH let print : StrL → UnitL = λs:StrL. . . . let intToStringL : IntL → IntL = intToString: (IntH → IntH) ⇒p (IntL → IntL) print(intToStringL(salary))

salary causes compile error

Rev 2 (static enforcement)

let intToString : IntH → StrH = . . . let age : IntL = 42 let salary : IntH = 58000: IntL V IntH let print : StrL → UnitL = λs:StrL. . . . let intToStringL : IntL → IntL = intToString: (IntH → IntH) ⇒p (IntL → IntL) print(intToStringL(salary))

Rev 2 (static enforcement)

let intToString : IntH → StrH = . . . let age : IntL = 42 let salary : IntH = 58000: IntL V IntH let print : StrL → UnitL = λs:StrL. . . . let intToStringL : IntL → IntL = intToString: (IntH → IntH) ⇒p (IntL → IntL) print(intToStringL(age))

Rev 2 (static enforcement)

let intToString : IntH → StrH = . . . let age : IntL = 42 let salary : IntH = 58000: IntL V IntH let print : StrL → UnitL = λs:StrL. . . . let intToStringL : IntL → IntL = intToString: (IntH → IntH) ⇒p (IntL → IntL) print(intToStringL(age))

Compiles successfully

Rev 2 (static enforcement)

let intToString : IntH → StrH = . . . let age : IntL = 42 let salary : IntH = 58000: IntL V IntH let print : StrL → UnitL = λs:StrL. . . . let intToStringL : IntL → IntL = intToString: (IntH → IntH) ⇒p (IntL → IntL) print(intToStringL(age))

Compiles successfully

Rev 2 (static enforcement)

let intToString : IntH → StrH = . . . let age : IntL = 42 let salary : IntH = 58000: IntL V IntH let print : StrL → UnitL = λs:StrL. . . . let intToStringL : IntL → IntL = intToString: (IntH → IntH) ⇒p (IntL → IntL) print(intToStringL(age))

Safety Theorems

Theorem: Termination Insensitive Non-Interference Private inputs cannot affect public outputs

See paper for details

Subtyping

L v H L v L H v H

Subtyping

L v H L v L H v H

l v k Intl <: Intk

Subtype

Subtyping

L v H L v L H v H

l v k Intl <: Intk

Subtype Positive Subtype

l v k Intl <:+ Intk

Subtyping

L v H L v L H v H

l v k Intl <: Intk

Subtype Positive Subtype

l v k Intl <:+ Intk

Negative Subtype

k v l Intl <:− Intk

Blame Theorem If two types are subtypes, casting cannot cause blame

Blame Theorem

• 1. If t: A ⇒p B and A <: B then never blames p or p
• 2. If t: A ⇒p B and A <:+ B then never blames p
• 3. If t: A ⇒p B and A <:− B then never blames p

If two types are subtypes, casting cannot cause blame

Conclusion

• Gradually evolve security
• From dynamic info-flow to static info-flow
• Provide language features to allow security

evolution