information flow control by program analysis
play

Information Flow Control by Program Analysis Markus Mller-Olm - PowerPoint PPT Presentation

Jul 11, 2023 •106 likes •313 views

Information Flow Control by Program Analysis Markus Mller-Olm Westflische Wilhelms-Universitt Mnster, Germany IFIP WG 2.2 Meeting Bordeaux, September 18-20, 2017 Context Work in progress from a joint project with Gregor Snelting

  1. Information Flow Control by Program Analysis Markus Müller-Olm Westfälische Wilhelms-Universität Münster, Germany IFIP WG 2.2 Meeting Bordeaux, September 18-20, 2017

  2. Context Work in progress from a joint project with Gregor Snelting (KIT) Information flow control for mobile components based on precise analysis of parallel programs Part of priority programme 1496 Reliably Secure Software Systems (RS 3 ) funded by DFG (German Research Foundation) Special thanks to Benedikt Nordhoff Markus Müller-Olm, WWU Münster IFIP WG 2.2 Meeting, Bordeaux, September 18-20, 2017 2

  3. What This Talk is About Theme: How can program analysis technology be used for information flow analysis? Program analysis: data-flow analysis, abstract interpretation, invariant generation, software model checking, ... Information flow analysis: see next slide Markus Müller-Olm, WWU Münster IFIP WG 2.2 Meeting, Bordeaux, September 18-20, 2017 3

  4. Information Flow: Example Free Email-App Start of App Ad-Server Contacts and Display Emails Reference scenarios of SPP RS 3 : l Certifying app store for Android l E-Voting systems l Software security for mobile devices Markus Müller-Olm, WWU Münster IFIP WG 2.2 Meeting, Bordeaux, September 18-20, 2017 4

  5. Non-Interference For simplicity: transformational terminating programs only Semantic setup: Var = Low ⨃ High Variables: S = { s | s : Var → Val } States: � p � : S → S Program semantics: Low-equivalence of states: s ~ L s ‘ : ⟺ s | Low = s ‘| Low Program p is called non-interferent f.a. s , s ‘ ÎS : iff s ~ L s ‘ ⟹ � p � ( s ) ~ L � p � ( s ‘) Markus Müller-Olm, WWU Münster IFIP WG 2.2 Meeting, Bordeaux, September 18-20, 2017 6

  6. Possibilistic Non-Interference Semantics of non-deterministic programs: � p � : S → 2 S Refinement: p ⊑ p ‘ "s : � p � ( s ) ⊆ � p ‘ � ( s ) : ⟺ Program p is called non-interferent f.a. s , s ‘ ÎS : iff s ~ L s ‘ ⟹ "rÎ � p � ( s ) : $r ‘ Î � p � ( s ‘) : r ~ L r ‘ Refinement Paradox: Non-interference is not preserved by refinement. Example: l := ? is non-interferent, its refinement l := h is not Reason: Non-interference is a „hyper-property“ Markus Müller-Olm, WWU Münster IFIP WG 2.2 Meeting, Bordeaux, September 18-20, 2017 7

  7. A Fundamental Problem l Abstraction is inherent to program analysis l However, as just observed (Refinement Paradox): Non-interference does not transfer from abstractions l Consequence: Program analysis cannot be applied directly to non-interference Markus Müller-Olm, WWU Münster IFIP WG 2.2 Meeting, Bordeaux, September 18-20, 2017 8

  8. Program Dependence Graphs (PDGs) l A structure known from program slicing l Nodes correspond to statements and conditions; we add artificial nodes for initial and final value of program variables l Edges capture data dependences and control dependences l PDGs can be applied for non-interference analysis Analysis principle: If there is no path in PDG from high input to low output then the program is non-interferent Markus Müller-Olm, WWU Münster IFIP WG 2.2 Meeting, Bordeaux, September 18-20, 2017 9

  9. Direct and Indirect Flows Direct flows: h:= 99 h? l := h l :=h captured by data dependence edges in PDG Indirect flows: if h>0 if h>0 then l := 0 else l := 1 l := 1 l := 0 captured by control dependence edges in PDG Markus Müller-Olm, WWU Münster IFIP WG 2.2 Meeting, Bordeaux, September 18-20, 2017 10

  10. Example 1 h? l:=h l:=h if l > 0 if l > 0 true false l :=1 l :=1 l :=0 l :=0 . l! There is a path from h? to l!. Hence: Program may be interferent Markus Müller-Olm, WWU Münster IFIP WG 2.2 Meeting, Bordeaux, September 18-20, 2017 11

  11. Example 2 h? l:=h l:=h l:=10 l:=10 if l > 0 if l > 0 true false l :=1 l :=0 l :=1 l :=0 . l! There is no path from h? to l!. Hence: Program is non-interferent Markus Müller-Olm, WWU Münster IFIP WG 2.2 Meeting, Bordeaux, September 18-20, 2017 12

  12. [Snelting] Path Conditions Goal: Improve precision of PDG-based dependence analysis Idea: For each path in the PDG indicating critical flow, read off a necessary condition for flow from the guards. If all these conditinos are unsatisfiable, there is no flow. Caveat: Requires SSA-form of programs Markus Müller-Olm, WWU Münster IFIP WG 2.2 Meeting, Bordeaux, September 18-20, 2017 13

  13. Path conditions improve precision of PDGs h? if flag true false if flag x :=7 x:= h x:=7 x:= h if (! flag) false true . l := x if (! flag) . . l := x PDG alone: false alarm + path conditions: OK l! flag ∧ ! flag Markus Müller-Olm, WWU Münster IFIP WG 2.2 Meeting, Bordeaux, September 18-20, 2017 14

  14. Further Improvements by Data Analysis Desirable h? if b true false if b x :=h y:= h goLeft :=true goLeft :=false x:=h y:= h if (goLeft) false true l := x l := y if (goLeft) . l := x. l := y PDG + path conditions: false alarm + invariant: OK l! For left path: b ∧ goLeft ∧ goLeft = ! b For right path: ! b ∧ ! goLeft ∧ goLeft = ! b 15

  15. The Show Stopper l :=true h? x :=false if h if h x :=false false true l :=true . . x:= true x:= true if (!x) false true . l := false if (!x) . . l := false PDG + path conditions + invariant: unsound l! h ∧ !x ∧ x = h Markus Müller-Olm, WWU Münster IFIP WG 2.2 Meeting, Bordeaux, September 18-20, 2017 16

  16. A Glimpse on Data Flow Slicing l Guiding intuition: flow happens along PDG paths only l Add new type of dependencies (data control dependencies) to avoid soundness problem l Define a notion of critical executions based on data-, control-, and data- control-dependencies l Set of critical executions is regular for a given program l Prove: if program has no critical execution, then program is non- interferent (Isabelle!) l Check absence of critical executions using data analyses (e.g. using CPAChecker [Beyer et al.]) l Note: Approach allows to check non-interference by safety analysis! Markus Müller-Olm, WWU Münster IFIP WG 2.2 Meeting, Bordeaux, September 18-20, 2017 17

  17. A Glimpse on Data Flow Slicing: Example ... DD(h) ¬ b b x :=h y:= h y:= h x :=h l:= x l:= y goLeft :=true goLeft :=false DD(h), DD(y) DD(x), DD(h) ... ... l := y l := x DD(h) DD(h) ¬ goLeft goLeft DD(l) DD(l) ... ... DD(y) DD(x) l := y l := x Program Critical executions automaton Markus Müller-Olm, WWU Münster IFIP WG 2.2 Meeting, Bordeaux, September 18-20, 2017 18

  18. A Glimpse on Data Flow Slicing: Example ⊤ ¬ b b ⊤ ⊤ y:= h x :=h goLeft :=true goLeft :=false true false ¬ goLeft ¬ goLeft goLeft goLeft ⊥ ⊥ false true l := y l := x l := y l := x ⊥ false ⊥ true Product of program and automaton Constant propagation on product proves absence of critical information flow Markus Müller-Olm, WWU Münster IFIP WG 2.2 Meeting, Bordeaux, September 18-20, 2017 19

  19. Discussion Approach for non-interference analysis by classic program analysis Alternative approaches: l Self-composition l Hyper-logics Further work in our project: l Use DPNs to help PDG-based non-interference analysis of parallel programs based on LSOD l Use DPNs to help type-based non-interference analysis of parallel programs Markus Müller-Olm, WWU Münster IFIP WG 2.2 Meeting, Bordeaux, September 18-20, 2017 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Control-flow analysis ? ? ? ? ? Discovering information about how control (e.g. the program

Control-flow analysis ? ? ? ? ? Discovering information about how control (e.g. the program

Control-flow analysis ? ? ? ? ? Discovering information about how control (e.g. the program counter) may move through a program. Intra-procedural analysis An intra-procedural analysis collects information about the code inside a single

1.3k views • 53 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful Reading: Sections 1.1-1.5, 2.1 Data-flow analysis (DFA) A framework for statically proving facts about program data. Focuses on simple, finite

1.04k views • 54 slides
Program Analysis Chris Hankin(clh) Efficiency Type and Effect Control Flow Analysis Systems

Program Analysis Chris Hankin(clh) Efficiency Type and Effect Control Flow Analysis Systems

Program Analysis Chris Hankin(clh) Efficiency Type and Effect Control Flow Analysis Systems Data Flow Abstract Analysis Interpretation Correctness Program Analysis p.1/23 Overview Introduction Data Flow Analysis Control Flow

279 views • 23 slides
1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

Introduction to Data-flow analysis Data-flow Analysis Last Time Idea Undergraduate compilers review Data-flow analysis derives information about the dynamic behavior of a program by only examining the static code Assem.Instr data

903 views • 4 slides
Motivation Intra-procedural analysis depends upon accurate control-flow information. In the

Motivation Intra-procedural analysis depends upon accurate control-flow information. In the

Motivation Intra-procedural analysis depends upon accurate control-flow information. In the presence of certain language features (e.g. indirect calls) it is nontrivial to predict accurately how control may flow at execution time the nave

594 views • 42 slides
Information Flow and Program Analysis Program Analysis Markus Mller-Olm Westflische

Information Flow and Program Analysis Program Analysis Markus Mller-Olm Westflische

Information Flow and Program Analysis Program Analysis Markus Mller-Olm Westflische Wilhelms-Universitt Mnster, Germany IFIP WG 2.2 Meeting Singapore, September 13-16, 2016 Project Context Work in progress from a joint project with

762 views • 19 slides
Foundations of pred(n) = set of all immediate predecessors of n p ( ) p Dataflow Analysis

Foundations of pred(n) = set of all immediate predecessors of n p ( ) p Dataflow Analysis

Terminology: Program Representation e o ogy: og a ep ese tat o Control Flow Graph: Control Flow Graph: Nodes N statements of program Edges E flow of control Foundations of pred(n) = set of all immediate predecessors of

591 views • 17 slides
Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets)

Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets)

Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets) Cdric Favre(1,2), Hagen Vlzer(1), Peter Mller(2) (1) IBM Research - Zurich (2) ETH Zurich 1 Outline Problem - Control-flow analysis

624 views • 44 slides
Foundations of pred(n) = set of all immediate predecessors of n Dataflow Analysis

Foundations of pred(n) = set of all immediate predecessors of n Dataflow Analysis

Terminology: Program Representation Control Flow Graph: P3 / 2006 Nodes N statements of program Edges E flow of control Foundations of pred(n) = set of all immediate predecessors of n Dataflow Analysis succ(n) = set

377 views • 12 slides
Data-flow Analysis Idea Data-flow analysis derives information about the dynamic behavior of a

Data-flow Analysis Idea Data-flow analysis derives information about the dynamic behavior of a

Data-flow Analysis Idea Data-flow analysis derives information about the dynamic behavior of a program by only examining the static code Example How many registers do we need a := 0 1 for the program on the right? L1: b := a + 1 2

408 views • 12 slides
Control-Flow Analysis and Loop Detection Last time PRE Today Control-flow

Control-Flow Analysis and Loop Detection Last time PRE Today Control-flow

Control-Flow Analysis and Loop Detection Last time PRE Today Control-flow analysis Loops Identifying loops using dominators Reducibility Using loop identification to identify induction

270 views • 15 slides
Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow refers to the specification of the order in which the individual statements, instructions or function calls of an imperative program are executed or

333 views • 19 slides
From Qualitative to Quantitative Program Analysis: Permissive Enforcement of Secure Information

From Qualitative to Quantitative Program Analysis: Permissive Enforcement of Secure Information

Introduction Information Flow Qualitative IF Quantitative IF Conclusion From Qualitative to Quantitative Program Analysis: Permissive Enforcement of Secure Information Flow Mounir Assaf Software Security Lab, CEA LIST, Saclay CIDre,

1.28k views • 95 slides
x86 CONTROLLING PROGRAM FLOW CONTROL FLOW Computers execute instructions in sequence...

x86 CONTROLLING PROGRAM FLOW CONTROL FLOW Computers execute instructions in sequence...

x86 CONTROLLING PROGRAM FLOW CONTROL FLOW Computers execute instructions in sequence... ...Except when we change the flow of control. Two main ways of doing this: Jump instructions (this lecture) Call instructions

517 views • 29 slides
Quantitative Information O I U N Program / Flow Analysis T P P Function U U T T CSCI

Quantitative Information O I U N Program / Flow Analysis T P P Function U U T T CSCI

5/1/19 Motivation Quantitative Information O I U N Program / Flow Analysis T P P Function U U T T CSCI 5271 Guest Lecture An output has some data of an input. Seonmo (Sean) Kim If the input contains some sensitive data,

86 views • 5 slides
Status and Plans for Version-6 at SRT Joel Susskind, John Blaisdell 1 , Lena Iredell 1 NASA GSFC

Status and Plans for Version-6 at SRT Joel Susskind, John Blaisdell 1 , Lena Iredell 1 NASA GSFC

Status and Plans for Version-6 at SRT Joel Susskind, John Blaisdell 1 , Lena Iredell 1 NASA GSFC Laboratory for Atmospheres Sounder Research Team AIRS Science Team Meeting April 27, 2011 1. SAIC Outline Highlights from April 7 Net-Meeting

495 views • 37 slides
Low-Cost Radio and TO as an Enabling Technology Presented by Bernhard Firner And many more,

Low-Cost Radio and TO as an Enabling Technology Presented by Bernhard Firner And many more,

Low-Cost Radio and TO as an Enabling Technology Presented by Bernhard Firner And many more, including Richard Howard, Yanyong Zhang, Richard Martin, Giovanni Vannuci, and Robert Moore Simplification and Enabling Technologies The

437 views • 14 slides
Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by

Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by

Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by 'hijacking' the multi-VT flow during synthesis flow during synthesis Roland Weigand February 04, 2013 Design Automation Conference User Track European

394 views • 17 slides
PXD9 PROBE CARD MASS TESTING L. ANDRICEK + , M. BORONAT*, J. FUSTER*, P. GOMIS*, M. HENSEL + , D.

PXD9 PROBE CARD MASS TESTING L. ANDRICEK + , M. BORONAT*, J. FUSTER*, P. GOMIS*, M. HENSEL + , D.

BELLE II PXD WORKSHOP PXD9 PROBE CARD MASS TESTING L. ANDRICEK + , M. BORONAT*, J. FUSTER*, P. GOMIS*, M. HENSEL + , D. KLOSE + , C. KOFFMANE + , C. MARIAS, M. VOS* * IFIC (UNIVERSITAT DE VALNCIA/CSIC) + HLL (MPG MNCHEN) UNIVERSITT

488 views • 22 slides
Roadmap for Section 1.2. History of Operating Systems Tasks of an Operating System OS as

Roadmap for Section 1.2. History of Operating Systems Tasks of an Operating System OS as

Unit OS1: Overview of Operating Systems 1.2. The Evolution of Operating Systems Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 1.2. History of Operating Systems Tasks of

556 views • 12 slides
Geothermal energy R& D in the 7th Framew ork Programme Jeroen Schuppers European Commission,

Geothermal energy R& D in the 7th Framew ork Programme Jeroen Schuppers European Commission,

Geothermal energy R& D in the 7th Framew ork Programme Jeroen Schuppers European Commission, DG Research New and Renewable Energy Sources ENGINE Mid-term Conference 1 Potsdam, 10 January 2007 The EGS challenge exploration o resource

581 views • 19 slides
g-2 of the muon Klaus Jungmann with slides from Rijksuniversiteit Groningen B.L. Roberts

g-2 of the muon Klaus Jungmann with slides from Rijksuniversiteit Groningen B.L. Roberts

International Conference on Exotic Atoms and Related Topics - EXA2011 Vienna, September 5-9, 2011 g-2 of the muon Klaus Jungmann with slides from Rijksuniversiteit Groningen B.L. Roberts Kernfysisch Versneller Instituut Boston University

1.21k views • 55 slides
Acoustic particle detection Robert Lahmann HAP Workshop: The Non-Thermal Universe Erlangen,

Acoustic particle detection Robert Lahmann HAP Workshop: The Non-Thermal Universe Erlangen,

Acoustic particle detection Robert Lahmann HAP Workshop: The Non-Thermal Universe Erlangen, 21-Sept-2016 Outline Introduction: acoustic neutrino detection The first generation of acoustic neutrino test setups Lessons learned

686 views • 37 slides

More recommend