SLIDE 1

Information Flow Tracking

Andrei Sabelfeld, Chalmers

https://www.cse.chalmers.se/~andrei

EWSCS 2019

SLIDE 2

Language

c ::= skip | x:=exp | c;c | if exp then c else c | while exp do c

SLIDE 3

Explicit flows (h: high/secret, l: low/public)

l:=h             insecure
l:=h; l:=0       secure
h:=l; l:=h       secure

SLIDE 4

Implicit flows (h: high/secret, l: low/public)

Problem: insecure even when nothing is assigned to l inside the if!

h:=…; l:=false; if h then l:=true else skip; out(l)

Implicit flow from h to l.

SLIDE 5

Confidentiality

  • Noninterference [Goguen & Meseguer]: as high input varied, low-level outputs unchanged

[Diagram: two runs, from (h1, l) and from (h2, l), end in (h1’, l’) and (h2’, l’) with the same low output l’]

SLIDE 6

Confidentiality for sequential programs: noninterference

  • How do we formalize noninterference in terms of program semantics?

<c,m> ⇓ m’   (command c, initial memory m, final memory m’)

m: Vars → Vals

SLIDE 7

Low equivalence

  • Indistinguishability by attackers

m =L m’ ⟺ m|L = m’|L   (m|L is the low projection of m)

SLIDE 8

Noninterference

  • As high input varied, low-level behavior unchanged

c is secure if

∀m1,m2. m1 =L m2 & <c, m1> ⇓ m’1 & <c, m2> ⇓ m’2 ⟹ m’1 =L m’2

SLIDE 9

Security type system

  • Prevents explicit flows:

      l:=…             may not use high variables

  • Prevents implicit flows; no public side effects when branching on secrets:

      if e then …      may not assign to low
      while e do …     may not assign to low

SLIDE 10

Security structure

  • Security lattice: high:{h,…} (secret), low:{l,…} (public)
  • Order: low ⊑ high

– high ⊔ low = high

  • Γ: Vars → {low,high}

SLIDE 11

Security type system: expressions

                                ∀x ∈ Vars(exp). Γ(x)=low
   --------------               ------------------------
     exp : high                         exp : low

SLIDE 12

Security-type system: commands 1

Atomic commands (pc is the context):

                           exp : ℓ     ℓ ⊔ pc ⊑ Γ(x)
   -------------           --------------------------
     pc ⊢ skip                    pc ⊢ x:=exp

SLIDE 13

Security-type system: commands 2

   exp : ℓ     ℓ ⊔ pc ⊢ c1     ℓ ⊔ pc ⊢ c2
   -----------------------------------------
          pc ⊢ if exp then c1 else c2

   exp : ℓ     ℓ ⊔ pc ⊢ c
   -------------------------
      pc ⊢ while exp do c

   pc ⊢ c1     pc ⊢ c2
   --------------------
       pc ⊢ c1; c2

Implicit flows: branches of a high if must be typable in a high context.

SLIDE 14

A security-type system: Examples

low ⊢ h:=l+4; l:=l-5
pc ⊢ if h then h:=h+7 else skip
low ⊢ while l<34 do l:=l+1
pc ⊢ while h<4 do l:=l+1
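The rules of slides 11 to 13, written out as a checker so the judgments on this slide can be tried mechanically. This is an added example, not code from the lecture: programs are encoded as nested Python tuples instead of being parsed, Γ defaults to h high and l low as on the slides, and the four programs above are the constructed constants EX1 to EX4. The checker derives the first three (EX2 under either pc) and rejects EX4, whose loop body assigns to the low variable l under the high guard h<4.

```python
# Security type checker for the while-language of slide 2 (added example, not lecture code).
# Programs are nested tuples, so no parser is needed:
#   ('skip',)  ('assign', x, e)  ('seq', c1, c2)  ('if', e, c1, c2)  ('while', e, c)
# Expressions: int/bool literals, variable names (str), or ('op', symbol, e1, e2).

LOW, HIGH = "low", "high"


def join(a, b):
    """ℓ1 ⊔ ℓ2 in the two-point lattice low ⊑ high."""
    return HIGH if HIGH in (a, b) else LOW


def leq(a, b):
    """a ⊑ b."""
    return a == LOW or b == HIGH


def exp_vars(e):
    """Vars(exp): the variables an expression reads."""
    if isinstance(e, str):
        return {e}
    if isinstance(e, tuple) and e[0] == "op":
        return exp_vars(e[2]) | exp_vars(e[3])
    return set()


def type_exp(e, gamma):
    """exp : low iff every variable in it is low (slide 11); otherwise exp : high."""
    return LOW if all(gamma[x] == LOW for x in exp_vars(e)) else HIGH


class IllTyped(Exception):
    pass


def check(c, pc, gamma):
    """Raise IllTyped unless the judgment pc ⊢ c is derivable under Γ = gamma."""
    tag = c[0]
    if tag == "skip":
        return
    if tag == "assign":
        _, x, e = c
        # Assignment rule: ℓ ⊔ pc ⊑ Γ(x). Rejects l:=h (explicit flow) and any
        # assignment to a low variable inside a high context (implicit flow).
        if not leq(join(type_exp(e, gamma), pc), gamma[x]):
            raise IllTyped(f"{pc} ⊢ {x}:=... : flow into {gamma[x]} variable {x}")
        return
    if tag == "seq":
        check(c[1], pc, gamma)
        check(c[2], pc, gamma)
        return
    if tag == "if":
        _, e, c1, c2 = c
        ctx = join(type_exp(e, gamma), pc)   # both branches are typed in the raised context
        check(c1, ctx, gamma)
        check(c2, ctx, gamma)
        return
    if tag == "while":
        _, e, body = c
        check(body, join(type_exp(e, gamma), pc), gamma)
        return
    raise ValueError(f"unknown command {tag!r}")


def typable(c, pc=LOW, gamma=None):
    """True iff pc ⊢ c. Default Γ: h is high, l is low, as on the slides."""
    gamma = gamma if gamma is not None else {"h": HIGH, "l": LOW}
    try:
        check(c, pc, gamma)
        return True
    except IllTyped:
        return False


# The four judgments from this slide, encoded as ASTs (constructed here).
EX1 = ("seq", ("assign", "h", ("op", "+", "l", 4)), ("assign", "l", ("op", "-", "l", 5)))
EX2 = ("if", "h", ("assign", "h", ("op", "+", "h", 7)), ("skip",))
EX3 = ("while", ("op", "<", "l", 34), ("assign", "l", ("op", "+", "l", 1)))
EX4 = ("while", ("op", "<", "h", 4), ("assign", "l", ("op", "+", "l", 1)))

if __name__ == "__main__":
    for name, prog in [("EX1", EX1), ("EX2", EX2), ("EX3", EX3), ("EX4", EX4)]:
        print(name, "typable" if typable(prog) else "untypable")
```

Because the checker only tracks levels, not values, it also rejects l:=h; l:=0, which is secure by the slide-8 definition: that is the conservativeness the later examples slide points out.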

SLIDE 15

Type Inference: Example

[low] ⊢ h:=h+1; if l=0 then l:=5 else l:=3

Derivation (leaves at the top):

                              l=0 : low      5 : low          3 : low
                                           --------------   --------------
                                           [low] ⊢ l:=5     [low] ⊢ l:=3
   ----------------           -----------------------------------------------
   [low] ⊢ h:=h+1             [low] ⊢ if l=0 then l:=5 else l:=3
   -----------------------------------------------------------------------
   [low] ⊢ h:=h+1; if l=0 then l:=5 else l:=3

SLIDE 16

What does the type system guarantee?

Soundness theorem: pc ⊢ c ⟹ c is secure

SLIDE 17

Proof

  • Confinement

– high ⊢ c & <c,m> ⇓ m’ ⟹ m =L m’

  • Security

– pc ⊢ c ⟹ c is secure

  • Induction on the structure of c

SLIDE 18

Confidentiality: Examples

l:=h                            insecure (direct)             untypable
l:=h; l:=0                      secure                        untypable
h:=l; l:=h                      secure                        untypable
if h=0 then l:=0 else l:=1      insecure (implicit flow)      untypable
while h=0 do skip               secure (up to termination)    typable
if h=0 then sleep(1000)         secure (up to timing)         typable

SLIDE 19

Covert channels: Termination

  • Covert channels are mechanisms not intended for information transfer
  • So far, our definition has been termination-insensitive

Is while h>0 do h:=h+1 secure?

SLIDE 20

Termination-sensitive noninterference

c is secure if

∀m1,m2. m1 =L m2 & <c, m1> ⇓ m’1 ⟹ <c, m2> ⇓ m’2 & m’1 =L m’2
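An added example (not the lecture's code) that makes the slide-8 and slide-20 definitions executable: a big-step interpreter for the slide-2 language, <c,m> ⇓ m’, and a brute-force check that enumerates every pair of low-equivalent memories over a small value domain. Non-termination is approximated with a step budget; with termination_sensitive=False a pair where one run diverges is ignored (slide 8), with True it is a violation (this slide). The tuple AST encoding, Γ = {h: high, l: low}, the value domain (0, 1, 2) and the named programs are all constructed here. Run on the slide-18 and slide-19 programs, while h=0 do skip and while h>0 do h:=h+1 pass the first definition and fail the second.

```python
# Big-step interpreter for the slide-2 language plus a brute-force noninterference check
# (added example, not lecture code). Same tuple AST:
#   ('skip',)  ('assign', x, e)  ('seq', c1, c2)  ('if', e, c1, c2)  ('while', e, c)
# Expressions: int/bool literals, variable names (str), or ('op', symbol, e1, e2).
import itertools
import operator

OPS = {"+": operator.add, "-": operator.sub, "<": operator.lt, "=": operator.eq, ">": operator.gt}


class Diverges(Exception):
    """Raised when the step budget is exhausted: <c,m> is taken to have no final memory."""


def eval_exp(e, m):
    if isinstance(e, str):
        return m[e]
    if isinstance(e, tuple) and e[0] == "op":
        return OPS[e[1]](eval_exp(e[2], m), eval_exp(e[3], m))
    return e  # literal


def run(c, m, fuel=10_000):
    """<c,m> ⇓ m': returns the final memory, or raises Diverges after `fuel` steps."""
    m = dict(m)
    stack = [c]                       # commands still to execute, top of stack first
    while stack:
        fuel -= 1
        if fuel < 0:
            raise Diverges()
        cmd = stack.pop()
        tag = cmd[0]
        if tag == "skip":
            continue
        if tag == "assign":
            m[cmd[1]] = eval_exp(cmd[2], m)
        elif tag == "seq":
            stack.append(cmd[2])      # c2 runs ...
            stack.append(cmd[1])      # ... after c1
        elif tag == "if":
            stack.append(cmd[2] if eval_exp(cmd[1], m) else cmd[3])
        elif tag == "while":
            if eval_exp(cmd[1], m):
                stack.append(cmd)     # re-test the guard ...
                stack.append(cmd[2])  # ... after the body
        else:
            raise ValueError(f"unknown command {tag!r}")
    return m


def low_proj(m, gamma):
    """m|L: the low part of memory m."""
    return {x: v for x, v in m.items() if gamma[x] == "low"}


def is_secure(c, gamma, domain, termination_sensitive=False):
    """Check noninterference over all pairs of low-equivalent memories with values in `domain`.
    termination_sensitive=False: slide 8 (two terminating runs must agree on the low part).
    termination_sensitive=True:  slide 20 (if one run terminates, the other must, and agree).
    """
    names = sorted(gamma)
    memories = [dict(zip(names, vals)) for vals in itertools.product(domain, repeat=len(names))]
    for m1, m2 in itertools.combinations(memories, 2):
        if low_proj(m1, gamma) != low_proj(m2, gamma):
            continue                  # m1 =L m2 is the premise; other pairs are unconstrained
        outs = []
        for m in (m1, m2):
            try:
                outs.append(low_proj(run(c, m), gamma))
            except Diverges:
                outs.append(None)
        if None in outs:
            if termination_sensitive and outs[0] != outs[1]:
                return False          # exactly one run halted: observable under slide 20
            continue                  # ignored by the termination-insensitive definition
        if outs[0] != outs[1]:
            return False
    return True


# Constructed inputs: Γ from the slides and a small value domain for h and l.
GAMMA = {"h": "high", "l": "low"}
DOMAIN = (0, 1, 2)

DIRECT = ("assign", "l", "h")                                              # l:=h
MASKED = ("seq", ("assign", "l", "h"), ("assign", "l", 0))                 # l:=h; l:=0
IMPLICIT = ("if", ("op", "=", "h", 0), ("assign", "l", 0), ("assign", "l", 1))
SPIN = ("while", ("op", "=", "h", 0), ("skip",))                           # while h=0 do skip
RUNAWAY = ("while", ("op", ">", "h", 0), ("assign", "h", ("op", "+", "h", 1)))

if __name__ == "__main__":
    for name, prog in [("DIRECT", DIRECT), ("MASKED", MASKED), ("IMPLICIT", IMPLICIT),
                       ("SPIN", SPIN), ("RUNAWAY", RUNAWAY)]:
        print(name, "TI:", is_secure(prog, GAMMA, DOMAIN),
              "TS:", is_secure(prog, GAMMA, DOMAIN, termination_sensitive=True))
```

The enumeration is exhaustive only over the chosen domain, so a True result is evidence for that domain, not a proof; the type system of the earlier slides is what gives a proof for all memories. The step budget stands in for divergence: a program that merely runs longer than the budget would be misclassified, which is the usual caveat of a dynamic check.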

SLIDE 21

Covert channels: Timing

(if h then sleep(1000)); l:=1  ||  sleep(500); l:=0

  • Timing-sensitive noninterference
SLIDE 22

Example: M^k mod n

s = 1;
for (i=0; i<w; i++) {
  if (k[i]) C = (s*M) mod n;
  else      C = s;
  s = C*C;
}

No information flow to low variables, but the entire key can be revealed by measuring timing [Kocher96]

SLIDE 23

Transforming out timing leaks

Branching on high causes leaks:

   if k[i] then C = (s*M) mod n else C = s

SLIDE 24

Transforming out timing leaks

Cross-copy low slices: each branch is padded with the other branch's computation as a non-assignment (C /= e evaluates e but leaves C unchanged), so both branches do the same work:

   if k[i] then { C = (s*M) mod n; C /= s }
          else { C = s; C /= (s*M) mod n }
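The leak of slide 22 and the cross-copy repair of this slide, side by side with an explicit cost model. This is an added example, not code from the lecture or from Kocher's paper: each modular multiplication is charged one unit, so the per-iteration cost list stands in for the time an observer could measure. In the untransformed loop the cost of an iteration is 1 + k[i], so the trace spells out the key; after cross-copying every iteration costs 2 regardless of the key, and both versions return M^k mod n. The bit ordering helper, the sample values (M=7, n=101) and the names are constructed here.

```python
# Cost model for the M^k mod n loop of slide 22 (added example, not lecture code).
# Each "(s*M) mod n" and each "C*C mod n" is charged one unit, so the per-iteration
# cost stands in for the running time an observer could measure.


def bits_msb_first(k, w):
    """k as a list of w bits, most significant first (constructed key encoding)."""
    return [(k >> (w - 1 - i)) & 1 for i in range(w)]


def leaky_modexp(M, k_bits, n):
    """The slide's loop: branch on the key bit. Returns (M^k mod n, per-iteration costs)."""
    s, C, costs = 1, 1, []
    for bit in k_bits:
        cost = 0
        if bit:
            C = (s * M) % n
            cost += 1
        else:
            C = s                    # no multiplication: this iteration is cheaper
        s = (C * C) % n
        cost += 1
        costs.append(cost)
    return C, costs                  # the last C holds M^k mod n


def cross_copied_modexp(M, k_bits, n):
    """Cross-copy transformation of slide 24: each branch also performs the other
    branch's multiplication as a non-assignment (value computed, C left unchanged)."""
    s, C, costs = 1, 1, []
    for bit in k_bits:
        cost = 0
        if bit:
            C = (s * M) % n
            cost += 1
            _unused = s              # C /= s
        else:
            C = s
            _unused = (s * M) % n    # C /= (s*M) mod n
            cost += 1
        s = (C * C) % n
        cost += 1
        costs.append(cost)
    return C, costs


def cost_depends_on_key(modexp, M, n, w):
    """True iff two w-bit keys give different cost traces, i.e. timing carries key bits."""
    traces = {tuple(modexp(M, bits_msb_first(k, w), n)[1]) for k in range(1 << w)}
    return len(traces) > 1


if __name__ == "__main__":
    key = bits_msb_first(11, 4)      # constructed 4-bit key 1011
    print("leaky      ", leaky_modexp(7, key, 101))
    print("cross-copied", cross_copied_modexp(7, key, 101))
    print("leaky trace depends on key:", cost_depends_on_key(leaky_modexp, 7, 101, 4))
    print("padded trace depends on key:", cost_depends_on_key(cross_copied_modexp, 7, 101, 4))
```

The cost model only counts multiplications; on real hardware the padded version is still exposed to caches, branch prediction and compiler optimisations that remove dead computations such as _unused, which is why production code prefers branch-free (constant-time) selection over padding.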

SLIDE 25

Covert channels: Probabilistic

  • Possibilistically but not probabilistically secure program:

l:=PIN |9/10 l:=rand(9999)

  • Probabilistic noninterference
SLIDE 26

Information flow challenge

http://ifc-challenge.appspot.com/

  • Attack the system to learn the secret
  • Type systems to break:

1. No restriction
2. Explicit flows
3. Implicit flows
4. Termination
5. Declassification
6. Exceptions
7. Let
8. Procedures
9. References
10. Arrays

  • First to complete: send me an email

SLIDE 27

References

  • Language-based information-flow security [Sabelfeld & Myers, IEEE JSAC, 2003]