improving usability of information flow security in java
play

Improving Usability of Information Flow Security in Java Mark - PowerPoint PPT Presentation

Jul 15, 2023 •201 likes •580 views

Mark Thober June 14, 2007 Improving Usability of Information Flow Security in Java Mark Thober Joint work with Scott F. Smith Department of Computer Science Johns Hopkins University PLAS 07 1 Mark Thober June 14, 2007 Motivation

  1. Mark Thober June 14, 2007 Improving Usability of Information Flow Security in Java Mark Thober Joint work with Scott F. Smith Department of Computer Science Johns Hopkins University PLAS ’07 1

  2. Mark Thober June 14, 2007 Motivation • Information security is a critical requirement of software systems – Personal information, trade secrets, national security, etc. PLAS ’07 2

  3. Mark Thober June 14, 2007 Motivation • Information security is a critical requirement of software systems – Personal information, trade secrets, national security, etc. • Secure information flow type systems have been around for a long time, but are not in widespread use – The burden on programmers is great: many annotations, unclear policies, complex reasoning – Overly restrictive type systems reduce the expressiveness and flexibility of programs PLAS ’07 2

  4. Mark Thober June 14, 2007 Motivation • Information security is a critical requirement of software systems – Personal information, trade secrets, national security, etc. • Secure information flow type systems have been around for a long time, but are not in widespread use – The burden on programmers is great: many annotations, unclear policies, complex reasoning – Overly restrictive type systems reduce the expressiveness and flexibility of programs Goal: Give programmers better tools to write information flow secure programs PLAS ’07 2

  5. Mark Thober June 14, 2007 Usability [Nielsen ’93] • Learnability : users should quickly be able to use the system • Efficiency : once learned, users should be highly productive • Memorability : after non-use, users should be able to return without much relearning • Errors : minimize errors and increase recoverability of errors • Satisfaction : users should (subjectively) like it PLAS ’07 3

  6. Mark Thober June 14, 2007 Our Approach • Static information flow type inference for Middleweight Java • IO points explicitly specify the security policy • Infer all other security labels – Program annotations not needed (except for IO points) – Less burden on programmers; errors are less likely, alleviating the programmer’s responsibility of writing correct annotations • High degree of polymorphism – Increases precision, fewer secure programs rejected – Flexible re-use of code across security domains • Top-level declarations clarify the security policy PLAS ’07 4

  7. Mark Thober June 14, 2007 IO Focus • IO points explicitly specify the security policy – Internal checks are not necessary High Low Input Input Program High Low Output Output • The type inference system ensures high inputs do not affect low outputs (Noninterference) PLAS ’07 5

  8. Mark Thober June 14, 2007 Example class HighFileIS extends FileIS { int read() { return read High ( fd ) ; } } class LowFileIS extends FileIS { int read() { return read Low ( fd ) ; } } class LowFileOS extends FileOS { void write(int v) { write Low ( v , fd ) ; } } void main() { FileIS highin = new HighFileIS("high infile"); FileIS lowin = new LowFileIS("low infile"); FileOS lowout = new LowFileOS("low outfile"); int x; int y; x = lowin.read(); y = highin.read(); lowout.write(x); lowout.write(y); } PLAS ’07 6

  9. Mark Thober June 14, 2007 Example class HighFileIS extends FileIS { int read() { return readHigh ( fd ) ; } } class LowFileIS extends FileIS { int read() { return readLow ( fd ) ; } } class LowFileOS extends FileOS { void write(int v) { writeLow ( v , fd ) ; } } void main() { FileIS highin = new HighFileIS("high infile"); FileIS lowin = new LowFileIS("low infile"); FileOS lowout = new LowFileOS("low outfile"); int x; int y; x = lowin.read(); y = highin.read(); lowout.write(x); // Passes lowout.write(y); // Fails } PLAS ’07 7

  10. Mark Thober June 14, 2007 Observe • Only low-level IO declarations change class HighFileIS extends FileIS { int read() { return readHigh ( fd ) ; } } – Signature of the class, and accessor methods do not change • Everything else is inferred – Apart from the IO declarations, programs are in Java – No additional internal annotations are needed • Programmers must use separate IO classes in order to distinguish the security policies PLAS ’07 8

  11. Mark Thober June 14, 2007 Polymorphism Two purposes: • Distinguish Input and Output classes, which may have different security policies • Permit re-use of code across security domains – Should not be overly conservative PLAS ’07 9

  12. Mark Thober June 14, 2007 Example Streams, again class HighFileIS extends FileIS { int read() { return read High ( fd ) ; } } class LowFileIS extends FileIS { int read() { return read Low ( fd ) ; } } class LowFileOS extends FileOS { void write(int v) { write Low ( v , fd ) ; } } PLAS ’07 10

  13. Mark Thober June 14, 2007 Polymorphism Example void main() { int i; int j; HashSet highSet = new HashSet(); FileIS hin = new HighFileIS("high infile"); while(i = hin.read()) { highSet.add(i); } HashSet lowSet = new HashSet(); FileIS lin = new LowFileIS("low infile"); while(j = lin.read()) { lowSet.add(j); } Iterator lowIt = lowSet.iterator(); FileOS lowout = new LowFileOS("low outfile"); lowout.write(lowIt.next()); } PLAS ’07 11

  14. Mark Thober June 14, 2007 Polymorphism Example void main() { int i; int j; HashSet highSet = new HashSet(); FileIS hin = new HighFileIS("high infile"); while(i = hin.read()) { highSet.add(i); } HashSet lowSet = new HashSet(); FileIS lin = new LowFileIS("low infile"); while(j = lin.read()) { lowSet.add(i); } Iterator lowIt = lowSet.iterator(); FileOS lowout = new LowFileOS("low outfile"); lowout.write(lowIt.next()); // No leakage! } PLAS ’07 12

  15. Mark Thober June 14, 2007 Top-level Policies • Clarify the policy in the API PLAS ’07 13

  16. Mark Thober June 14, 2007 Top-level Policies • Clarify the policy in the API • Add security policies to an existing program – The program internals don’t change, only the policy High Low Inputs Input Input Translation Program Program High Low Outputs Output Output PLAS ’07 13

  17. Mark Thober June 14, 2007 Top-level Policies • Read and write policies add security labels to methods of input and output stream classes • Declassify policy adds a declassification to the return value of a method PLAS ’07 14

  18. Mark Thober June 14, 2007 Top-level Policies • Read and write policies add security labels to methods of input and output stream classes • Declassify policy adds a declassification to the return value of a method Example Policies class HighFileIS: High class LowFileIS: Low class LowFileOS: Low class TripleDES byte[] Encrypt (byte[] input, SecretKey key): Declassify(Low) PLAS ’07 14

  19. Mark Thober June 14, 2007 Top-level Policies • Channel policies are evident in API • Restricting declassification to method returns clarifies the declassification policy and makes it observable in the API • Observe top-level policies to decide if declassification is intuitively warranted – Some knowledge of the underlying code may be required to certify declassifications PLAS ’07 15

  20. Mark Thober June 14, 2007 Assumptions • Direct and indirect flows – Direct: x = h + 1; – Indirect: if (h == 0) then { x = 0; } else { } • No termination, timing, or other covert channels • Declassification is allowed, but breaks Noninterference PLAS ’07 16

  21. Mark Thober June 14, 2007 Language • Extension of Middleweight Java (MJ) – Core object-oriented features of Java, including state • Add constants ( int , bool , etc.) and operators ( + , - , etc.) • Add low-level reads and writes read L ( fd ) and write L ( e , fd ) – fd is the file descriptor naming the channel – L is the security level of the channel • Add Declassify(e,L) , which downgrades expression e PLAS ’07 17

  22. Mark Thober June 14, 2007 Language • Extension of Middleweight Java (MJ) – Core object-oriented features of Java, including state • Add constants ( int , bool , etc.) and operators ( + , - , etc.) • Add low-level reads and writes read L ( fd ) and write L ( e , fd ) – fd is the file descriptor naming the channel – L is the security level of the channel • Add Declassify(e,L) , which downgrades expression e • End goal is full Java – A core subset with full formalism and proofs is a first step PLAS ’07 17

  23. Mark Thober June 14, 2007 Type Inference • Types τ are triples, � S , F , A � – S are security types that may be concrete labels, L , or label variables, when the concrete label is unknown – F are the types of the object’s fields – A is a concrete class type for statically determining the concrete class of an object • Type constraints encapsulate certain information flows, and the constraint set must be closed after type inference PLAS ’07 18

  24. Mark Thober June 14, 2007 Class and Program Typing • Requires a Label Table that contains the type of each class and method 1. Initialize a Label Table with type variables • Must initialize all classes to allow for recursion 2. Propagate the label table by typing each class, which requires typing constructors and method bodies 3. Type main 4. Compute the constraint closure and check for inconsistencies PLAS ’07 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security

Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security

Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security Browser SSL Password Encryption warnings schemes usability IT Security 40M consumer 153M end user Thousands of credit cards credentials

785 views • 39 slides
Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Phd course on Formal modelling and analysis of interactive systems Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone United Nations University International Institute for Software Technology

1.76k views • 109 slides
Information Flow Security DD2460 Software Safety and Security: Part III, lecture 1 Gurvan Le

Information Flow Security DD2460 Software Safety and Security: Part III, lecture 1 Gurvan Le

Information Flow Security DD2460 Software Safety and Security: Part III, lecture 1 Gurvan Le Guernic DD2460 (III, L1) February 14 th , 2012 C ONTEXT F ORMALIZATION C HANNELS , F LOWS AND L ABELS W RAP - UP Outline Information Flow Security deals

532 views • 35 slides
Improving security using data flow assertions Alex Yip, Xi Wang, Nickolai Zeldovich , Frans

Improving security using data flow assertions Alex Yip, Xi Wang, Nickolai Zeldovich , Frans

Improving security using data flow assertions Alex Yip, Xi Wang, Nickolai Zeldovich , Frans Kaashoek MIT CSAIL Many security vulnerabilities caused by programming errors Attack vector Percentage SQL injection 20.4% Cross-site scripting

912 views • 57 slides
Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Introduction Security-usability threat model Security and usability evaluation Summary Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe Oxford University Computing Laboratory Availability,

829 views • 23 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 24: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

219 views • 5 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 25: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

419 views • 4 slides
Information Flow Security (2) DD2460 Software Safety and Security: Part III, lecture 3 Gurvan Le

Information Flow Security (2) DD2460 Software Safety and Security: Part III, lecture 3 Gurvan Le

Information Flow Security (2) DD2460 Software Safety and Security: Part III, lecture 3 Gurvan Le Guernic DD2460 (III, L3) February 24 th , 2012 V ARIANTS E NFORCEMENT C ONCLUSION / W RAP - UP Outline Information Flow Security deals with

394 views • 21 slides
Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security:

Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security:

Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security: the big picture 3. Dimensions and principles of declassification 4. Dynamic vs. static security enforcement 5. Tracking information flow in web

641 views • 30 slides
Outline Tor experiences and challenges (contd) Usability and security CSci 5271

Outline Tor experiences and challenges (contd) Usability and security CSci 5271

Outline Tor experiences and challenges (contd) Usability and security CSci 5271 Announcements intermission Introduction to Computer Security Usability and Voting combined slides Usable security example areas Stephen McCamant Elections

305 views • 8 slides
Quantifying Information is a fundamental issue in computer security: Flow Using Min-Entropy

Quantifying Information is a fundamental issue in computer security: Flow Using Min-Entropy

Secure Information Flow ! Protecting the confidentiality of secret information Quantifying Information is a fundamental issue in computer security: Flow Using Min-Entropy Blood type: AB Birth date: 9/5/46 HIV: positive ! Access control and

399 views • 10 slides
Information Flow Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Information Flow Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Information Flow Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Information Flow 3 Many security requirements can be formulated as what information flow is allowed/disallowed E.g., confidential data should not

478 views • 27 slides
Information Theory and Security: Quantitative Information Flow Pasquale Malacaria

Information Theory and Security: Quantitative Information Flow Pasquale Malacaria

Information Theory and Security: Quantitative Information Flow Pasquale Malacaria pm@dcs.qmul.ac.uk School of Electronic Engineering and Computer Science Queen Mary University of London Information Theory and Security: Quantitative Information

835 views • 54 slides
Inquisitive archduchess wrestles comparatively apologetic pelicans: Improving security and

Inquisitive archduchess wrestles comparatively apologetic pelicans: Improving security and

Inquisitive archduchess wrestles comparatively apologetic pelicans: Improving security and usability of passphrases with guided word choice Nikola K. Blanchard 1 , Clment Malaingre 2 , Ted Selker 3 1 IRIF, Universit Paris Diderot 2 Teads France

549 views • 25 slides
Improving the Usability of Geospatial Data an Academic Perspective Claire Ellul University

Improving the Usability of Geospatial Data an Academic Perspective Claire Ellul University

Improving the Usability of Geospatial Data an Academic Perspective Claire Ellul University College London Improving the Usability of Geospatial Data an Academic Perspective Overview Research Perspective Usability and

372 views • 19 slides
The need for a formal model of Java Safety guarantees of Java definedness type safety

The need for a formal model of Java Safety guarantees of Java definedness type safety

Making the Java Memory Model Safe Andreas Lochbihler Institute for Information Security ETH Zurich supported by DFG Sn11/10-1,2 The need for a formal model of Java Safety guarantees of Java definedness type safety security

595 views • 44 slides
Neural Networks: Powerful yet Mysterious MNIST (hand-written digit recognition) Power lies

Neural Networks: Powerful yet Mysterious MNIST (hand-written digit recognition) Power lies

Neural Networks: Powerful yet Mysterious MNIST (hand-written digit recognition) Power lies in the The working mechanism complexity of DNN is hard to understand 3-layer DNN with 10K neurons and 25M weights DNNs work as black-

459 views • 16 slides
Language-based Security FOSAD 2008 Steve Zdancewic University of Pennsylvania Confidential Data

Language-based Security FOSAD 2008 Steve Zdancewic University of Pennsylvania Confidential Data

Language-based Security FOSAD 2008 Steve Zdancewic University of Pennsylvania Confidential Data Networked information systems: PCs store passwords, e-mail, finances,... Businesses rely on computing infrastructure Military &

1.18k views • 102 slides
Information Flow ( Chapter 5 of the lecture notes) Erik Poll Digital Security group Radboud

Information Flow ( Chapter 5 of the lecture notes) Erik Poll Digital Security group Radboud

Software Security Information Flow ( Chapter 5 of the lecture notes) Erik Poll Digital Security group Radboud University Nijmegen Motivating example Imagine using a mobile phone app to 1. locate nearest hotel using google 2. book a room

589 views • 45 slides
I n t r o t o P o s t g r e S Q L S e c u r i t y NordicPGDay 2014 Stockholm, Sweden Stephen

I n t r o t o P o s t g r e S Q L S e c u r i t y NordicPGDay 2014 Stockholm, Sweden Stephen

I n t r o t o P o s t g r e S Q L S e c u r i t y NordicPGDay 2014 Stockholm, Sweden Stephen Frost sfrost@snowman.net Resonate, Inc. Digital Media PostgreSQL Hadoop techjobs@resonateinsights.com

954 views • 54 slides
Expertise knowledge-based Policy Refinement Process T. Rochaeli and C. Eckert Technische

Expertise knowledge-based Policy Refinement Process T. Rochaeli and C. Eckert Technische

Expertise knowledge-based Policy Refinement Process T. Rochaeli and C. Eckert Technische Universitt Darmstadt 25.06.2007 POLICY '07, Bologna, Italy 1 Workflow and Kripke Model Workflow: computerized facilitation or automation of a

356 views • 13 slides
Review of External Security Models Michael McCool Intel Osaka, W3C Web of Things F2F, 17 May

Review of External Security Models Michael McCool Intel Osaka, W3C Web of Things F2F, 17 May

Review of External Security Models Michael McCool Intel Osaka, W3C Web of Things F2F, 17 May 2017 Purpose WoT charter: The scope of the Working Group is restricted to APIs and security frameworks that are applicable across platforms. We will

87 views • 8 slides
Probable Security of Networks LI Angsheng Institute of Software Chinese Academy of Sciences

Probable Security of Networks LI Angsheng Institute of Software Chinese Academy of Sciences

Definitions Security model Mathematical principles Security theorems Probable Security of Networks LI Angsheng Institute of Software Chinese Academy of Sciences Joint work with Yicheng Pan, Wei Zhang Fragrant Hill Meeting 6th, Oct 2013

488 views • 36 slides
Secrecy Security Policy CSE497b - Spring 2007 Introduction Computer and Network Security

Secrecy Security Policy CSE497b - Spring 2007 Introduction Computer and Network Security

Secrecy Security Policy CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Secrecy

389 views • 23 slides

More recommend