Information Flow Control by Program Analysis - Markus Müller-Olm - PowerPoint PPT Presentation



SLIDE 1

Information Flow Control by Program Analysis

Markus Müller-Olm
Westfälische Wilhelms-Universität Münster, Germany
IFIP WG 2.2 Meeting, Bordeaux, September 18-20, 2017

SLIDE 2

Markus Müller-Olm, WWU Münster IFIP WG 2.2 Meeting, Bordeaux, September 18-20, 2017 2

Context

Work in progress from a joint project with Gregor Snelting (KIT): Information flow control for mobile components based on precise analysis of parallel programs
Part of priority programme 1496 Reliably Secure Software Systems (RS3), funded by DFG (German Research Foundation)
Special thanks to Benedikt Nordhoff

SLIDE 3


What This Talk is About

Theme:

How can program analysis technology be used for information flow analysis?

Program analysis:

data-flow analysis, abstract interpretation, invariant generation, software model checking, ...

Information flow analysis:

see next slide

SLIDE 4


Information Flow: Example

[Figure: free email app; labels: Start of App, Contacts and Emails, Ad-Server, Display]

Reference scenarios of SPP RS3:
• Certifying app store for Android
• E-Voting systems
• Software security for mobile devices

SLIDE 5

Non-Interference

For simplicity: transformational, terminating programs only

Semantic setup:
Variables: Var = Low ⨃ High
States: S = { s | s : Var → Val }
Program semantics: p : S → S

Low-equivalence of states: s ~L s' :⟺ s|Low = s'|Low
Program p is called non-interferent iff for all s, s' ∈ S: s ~L s' ⟹ p(s) ~L p(s')


SLIDE 6

Possibilistic Non-Interference

Semantics of non-deterministic programs: p : S → 2^S
Refinement: p ⊑ p' :⟺ ∀s: p(s) ⊆ p'(s)
Program p is called non-interferent iff for all s, s' ∈ S: s ~L s' ⟹ ∀r ∈ p(s): ∃r' ∈ p(s'): r ~L r'

Refinement Paradox: Non-interference is not preserved by refinement.
Example: l := ? is non-interferent, its refinement l := h is not
Reason: Non-interference is a "hyper-property"


SLIDE 7

A Fundamental Problem

• Abstraction is inherent to program analysis
• However, as just observed (Refinement Paradox): Non-interference does not transfer from abstractions
• Consequence: Program analysis cannot be applied directly to non-interference


SLIDE 8

Program Dependence Graphs (PDGs)

• A structure known from program slicing
• Nodes correspond to statements and conditions; we add artificial nodes for the initial and final value of program variables
• Edges capture data dependences and control dependences
• PDGs can be applied for non-interference analysis

Analysis principle: If there is no path in the PDG from high input to low output, then the program is non-interferent


SLIDE 9

Direct and Indirect Flows

Direct flows: l := h, captured by data dependence edges in the PDG
Indirect flows: if h>0 then l := 0 else l := 1, captured by control dependence edges in the PDG

[PDG figure; node labels: h?, l := h, l := 0, l := 1, if h>0, h := 99]

SLIDE 10

Example 1

There is a path from h? to l!. Hence: Program may be interferent

[Figure: control flow graph (true/false branches) and PDG; node labels: h?, l := h, if l > 0, l := 0, l := 1, l!]

SLIDE 11

Example 2

There is no path from h? to l!. Hence: Program is non-interferent

[Figure: control flow graph (true/false branches) and PDG; node labels: h?, l := h, l := 10, if l > 0, l := 0, l := 1, l!]
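To make the analysis principle of slide 8 and Examples 1 and 2 concrete, here is an added example (not code from the slides or from the project's tools) that builds a small PDG for straight-line programs with if/else and checks whether h? reaches l!. The statement encoding is mine, the programs EX1, EX2 and SLIDE13 are my reconstruction from the slide labels, and SLIDE13 is included to show that the PDG alone raises the false alarm that slide 13 mentions.

```python
from collections import defaultdict

def build_pdg(stmts, high="h", low="l"):
    # stmts: list of ("assign", var, uses) or ("if", uses, then_block, else_block).
    # Artificial nodes "h?" / "l!" model the initial high input and the final low output.
    edges, count = defaultdict(set), [0]

    def node(text):                          # fresh node named after its statement
        count[0] += 1
        return f"{count[0]}: {text}"

    def depend(n, uses, reach, ctrl):
        for u in uses:
            for d in reach.get(u, ()):
                edges[d].add(n)              # data dependence: a def of u may reach n
        if ctrl:
            edges[ctrl].add(n)               # control dependence on the enclosing guard

    def walk(block, reach, ctrl):            # reach: var -> defs that may reach here
        for st in block:
            if st[0] == "assign":
                n = node(f"{st[1]} := ...")
                depend(n, st[2], reach, ctrl)
                reach = {**reach, st[1]: {n}}    # an assignment kills older defs of var
            else:
                n = node(f"if {st[1]}")
                depend(n, st[1], reach, ctrl)
                r1, r2 = walk(st[2], reach, n), walk(st[3], reach, n)
                reach = {v: r1.get(v, set()) | r2.get(v, set()) for v in r1.keys() | r2.keys()}
        return reach

    for d in walk(stmts, {high: {"h?"}}, None).get(low, ()):
        edges[d].add("l!")                   # final value of the low variable
    return edges

def has_path(edges, src, dst, seen=frozenset()):
    # depth-first search over PDG edges; `seen` guards against cycles
    return src == dst or any(has_path(edges, m, dst, seen | {src})
                             for m in edges[src] if m not in seen)

def may_interfere(stmts):                    # slide 8: no h? -> l! path means non-interferent
    return has_path(build_pdg(stmts), "h?", "l!")

# Constructed programs, reconstructed from the slide labels (an assumption).
EX1 = [("assign", "l", ["h"]),                                       # l := h
       ("if", ["l"], [("assign", "l", [])], [("assign", "l", [])])]  # l := 0 / l := 1
EX2 = [("assign", "l", ["h"]), ("assign", "l", []),                  # l := h; l := 10
       ("if", ["l"], [("assign", "l", [])], [("assign", "l", [])])]
SLIDE13 = [("assign", "x", []), ("if", ["flag"], [("assign", "x", ["h"])], []),
           ("if", ["flag"], [], [("assign", "l", ["x"])])]           # PDG alone: false alarm
```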

SLIDE 12

Path Conditions

Goal: Improve precision of PDG-based dependence analysis
Idea: For each path in the PDG indicating critical flow, read off a necessary condition for flow from the guards. If all these conditions are unsatisfiable, there is no flow.
Caveat: Requires SSA form of programs

[Snelting]

SLIDE 13

Path conditions improve precision of PDGs

[Figure: control flow graph (true/false branches) and PDG; node labels: h?, x := 7, if flag, x := h, if (!flag), l := x, l!]

PDG alone: false alarm
+ path conditions: OK

Path condition: flag ∧ !flag

SLIDE 14

Further Improvements by Data Analysis Desirable

[Figure: control flow graph (true/false branches) and PDG; node labels: h?, goLeft := false, goLeft := true, if b, y := h, x := h, if (goLeft), l := y, l := x, l!]

PDG + path conditions: false alarm
+ invariant: OK

For left path: b ∧ goLeft ∧ goLeft = !b
For right path: !b ∧ !goLeft ∧ goLeft = !b

SLIDE 15

The Show Stopper

[Figure: control flow graph (true/false branches) and PDG; node labels: h?, x := false, l := false, if h, x := true, if (!x), l := true, l!]

PDG + path conditions + invariant: unsound

Path condition with invariant: h ∧ !x ∧ x = h
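The definitions of slides 5 and 6, the programs of Examples 1 and 2 and the Show Stopper program can all be checked by brute force over a finite value domain, which also shows the refinement paradox directly. This is an added example, not code from the slides or from the RS3 project; it assumes Val = {0, 1}, Low = {l}, and the programs are my reconstruction from the slide labels.

```python
from itertools import product

VALS = (0, 1)                 # constructed finite Val, so both quantifiers can be enumerated

def low_equiv(s, t, low):
    """s ~L t  :<=>  s|Low = t|Low"""
    return all(s[v] == t[v] for v in low)

def states(variables):
    """S = { s | s : Var -> Val } over the finite domain VALS."""
    return [dict(zip(variables, vs)) for vs in product(VALS, repeat=len(variables))]

def non_interferent(p, variables, low=("l",)):
    """Deterministic p : S -> S.  For all s ~L s': p(s) ~L p(s')."""
    ss = states(variables)
    return all(low_equiv(p(dict(s)), p(dict(t)), low)
               for s in ss for t in ss if low_equiv(s, t, low))

def poss_non_interferent(p, variables, low=("l",)):
    """Non-deterministic p : S -> 2^S.  For all s ~L s': for all r in p(s) exists r' in p(s'): r ~L r'."""
    ss = states(variables)
    return all(any(low_equiv(r, r2, low) for r2 in p(dict(t)))
               for s in ss for t in ss if low_equiv(s, t, low)
               for r in p(dict(s)))

# Programs reconstructed from the slide labels (an assumption, not the slides' own code);
# each takes a state dict and returns the final state (or the set of final states).
def example1(s):            # l := h; if l > 0 then l := 0 else l := 1
    s["l"] = s["h"]
    s["l"] = 0 if s["l"] > 0 else 1
    return s

def example2(s):            # l := h; l := 10; if l > 0 then l := 0 else l := 1
    s["l"] = s["h"]
    s["l"] = 10
    s["l"] = 0 if s["l"] > 0 else 1
    return s

def show_stopper(s):        # x := false; l := false; if h then x := true; if !x then l := true
    s["x"], s["l"] = 0, 0
    if s["h"]:
        s["x"] = 1
    if not s["x"]:
        s["l"] = 1
    return s

def low_any(s):             # l := ?   (non-deterministic choice)
    return [dict(s, l=v) for v in VALS]

def low_from_high(s):       # l := h   (a refinement of l := ?)
    return [dict(s, l=s["h"])]
```

The checker reports Example 1 and the Show Stopper as interferent (the latter is the flow that path conditions plus invariant miss) and Example 2 as non-interferent; l := ? passes the possibilistic check while its refinement l := h fails it.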

SLIDE 16

A Glimpse on Data Flow Slicing

• Guiding intuition: flow happens along PDG paths only
• Add new type of dependencies (data control dependencies) to avoid soundness problem
• Define a notion of critical executions based on data-, control-, and data-control-dependencies
• Set of critical executions is regular for a given program
• Prove: if program has no critical execution, then program is non-interferent (Isabelle!)
• Check absence of critical executions using data analyses (e.g. using CPAChecker [Beyer et al.])
• Note: Approach allows to check non-interference by safety analysis!

SLIDE 17

A Glimpse on Data Flow Slicing: Example

Program

[Figure: program control flow graph; node labels: goLeft := false, goLeft := true, b, ¬ b, y := h, x := h, goLeft, ¬ goLeft, l := y, l := x]

Critical executions automaton

[Figure: automaton over the statements y := h, x := h, l := y, l := x, with dependence annotations DD(h), DD(y), DD(x), DD(l) on its transitions]

SLIDE 18

A Glimpse on Data Flow Slicing: Example

Product of program and automaton

[Figure: product of program control flow graph and automaton; node labels: goLeft := false, goLeft := true, b, ¬ b, y := h, x := h, goLeft, ¬ goLeft, l := y, l := x]

Constant propagation on product proves absence of critical information flow

[Figure annotations: constant-propagation values ⊤, ⊥, true, false for goLeft at the product nodes]

SLIDE 19

Discussion

Approach for non-interference analysis by classic program analysis

Alternative approaches:
• Self-composition
• Hyper-logics

Further work in our project:
• Use DPNs to help PDG-based non-interference analysis of parallel programs based on LSOD
• Use DPNs to help type-based non-interference analysis of parallel programs