Language-Based Information-Flow Security Presenter: Yiming Zhang - PowerPoint PPT Presentation

Language-Based Information-Flow Security Presenter: Yiming Zhang

Goal of this paper? This is a survey paper that studies the research on information-flow security, especially on work that uses static program analysis.

Why language-based security mechanisms? The standard security mechanisms are not a good fit for protecting large information systems against confidential information leak, and they do not support end-to-end protection. E.g.: Access control, Firewall, Cryptography, etc.

Standard way to protect confidentiality (1) Access control . Privileges are assigned to related parties for accessing confidential data. This method only works for access controlling, but not data propagation. e.g.: access control does not control how the data is used after it is read from the file. (2) Firewall . Firewall will monitor all incoming/outgoing traffic based on predetermined security rules. (3) Cryptography . Cryptography is used to analyze and design security protocols that prevent untrusted parties getting confidential information.

What’s the limitation of the standard way? End-to-end security is not provided. There is no easy way to manage malicious data propagation.

What is information flow? "Information flow in an information theoretical context is the transfer of information from a variable to a variable in a given process . A system should not leak any secret (partially or not) to public observers”. Because information is transmitted through the information flows, it’s crucial to analyze how information flows works in the system to ensure the confidentiality. https://en.wikipedia.org/wiki/Information_flow_(information_theory)

How to secure information flow? Information-flow policies need to ensure that confidential information does not flow to a location where the security policies could be violated by having information-flow controls. We need to design security mechanisms to secure the information flow.

Background 1: language-based security “language-based security (LBS) is a set of techniques that may be used to strengthen the security of applications on a high level by using the properties of programming languages .” E.g: Java runtime environment. https://en.wikipedia.org/wiki/Language-based_security

Background 1: language-based security Java runtime environment : includes byte-code verifier, sandbox model, and stack inspection. code verifier : enforce type system in a Java program. sandbox model : restrict classes in a Java program. stack inspection : provide dynamic access control in a Java program. All these mechanisms are enforced by Java language, but are not designed for controlling information flow, which are not effective at protecting confidential data.

Background 2: covert channels Covert channel is an information transfer mechanism by signaling information through a channel in a hidden manner, which is a type of computer security attack that transfers objects between processes that are not allowed by the computer security policy. Because it’s hidden from the access control mechanisms, it’s difficult to prevent information leak from the channels.

Background 2: covert channels Termination channels : signal information through the termination (non-termination) of a computation. Timing channels : signal information through the execution time. Probabilistic channels : signal information through changing the probability distribution of observable data. Resource exhaustion channels : signal information by the possible exhaustion of a finite, shared resource. Power channels : signal information by measuring the power consumption.

Background 3: integrity Integrity is defined to keep the accuracy and completeness of data and it requires the information flow only comes from the appropriate sources. System can damage the data integrity by simply computing data incorrectly. If strong integrity is desired, strong enforcement on the system is required.

Background 4: Mandatory Access Control Each data is labeled with a security level, which is too restrictive for general use. The labels are computed at the run time.

Background 5: Static Information-Flow Control Using static program analysis, like type check, to control information flow is also a conventional method with low run-time overhead. Each program has a static type which is used for type checking.

Background 6: Noninterference Confidential data may not interfere with (affect) public data.

language-based information flow Because this paper is focused on the language-based mechanism, so here is some basics for language-based information flow. There are four directions of research in language-based security: expressiveness, concurrency, covert channels, and security policies.

Language Expressiveness Goal: accommodate the increased expressiveness of modern languages. Definition: Expressiveness of a language is the breadth of ideas that can be represented and communicated in that language. The more expressive a language is, the greater the variety and quantity of ideas it can be used to represent. With the expressiveness, the language can be more precise and intuitive, which easier for security design. https://en.wikipedia.org/wiki/Expressive_power_(computer_science)

concurrency In thread concurrency, the secret can be leaked due to value update. And the scheduler may affect the performance of low-level process which has lower priority in some cases. For distributed system (naturally concurrent), failure and error can lead to secret compromise. Solution: security program partitioning. This architecture allows the program to be partitioned into communicating subprograms that run securely on the available hosts and carry out the original computation.

Security Policies Noninterference policy requires the different security levels does not interfere with each other, meaning that downgrading in security level is not possible. But sometimes, it’s necessary to adjust the security level, for example, some secret needs to be decrypted and passed over a publicly observable medium. Another example is that if a password needs to be checked, the passwords need to be able to be compared with the publicly supplied data. This is also a acvtive research area.

Open Challenges 1: System-Wide Security System-Wide Security depends on the weakest point in the system. The goal here is to make sure that not only each components are secure but also their combination. A possible research direction: integration of language-based information flow and system-wide information flow control.

Open Challenges 2: Certifying Compilation Low level component/language can bring harm to security, e.g. compiler, while validating the information flows. Certifying compilation is focused on developing a secure method to generate machine code and validate information flows. (Java Bytecode verification, typed assembly languages)

Open Challenges 3: Abstraction-Violating Attacks By analyzing the time taken to execute some instructions, attackers can work backwards to the input. (if h=1 then h′ :=h1 else h′ :=h2); h′ :=h1 execution time is likely to be shorter when the initial value of h is 1: by the time the last assignment is executed, the value of h1 will already be present in the cache. https://en.wikipedia.org/wiki/Timing_attack

Open Challenges 4: Dynamic Policies Security policies need to be dynamic if the information-flow policies change dynamically.

Conclusion Standard security practices are not capable of enforcing end-to-end confidentiality policies, and for large systems, the need for end-to-end security policies is huge. Thanks.