Security Types Preserving Compilation Tamara Rezk (Joint work with - - PowerPoint PPT Presentation



SLIDE 1

CASSIS - March 2004

Security Types Preserving Compilation

Tamara Rezk (joint work with Gilles Barthe and Amitabh Basu), EVEREST team, INRIA Sophia Antipolis

http://www-sop.inria.fr/everest/

Security Types Preserving Compilation – p.1/18

SLIDE 2

Motivation

Mobile code + security properties of the compiled code + untrusted compiler (on the server side) + efficiency (on the client side).

Without trusting the compiler, we want to know whether or not the compiled code is secure w.r.t. non-interference. Computing a type for the compiled code on the client side is possible, but this is not efficient!

SLIDE 3

What do we want?

  1. On the server side: compute a type for the source code that assures security properties of the source code (the security source type).
  2. Send the compiled code + the type for the source code.
  3. On the client side: transform the source type into a security target type that assures security properties of the target code.

SLIDE 4

What do we do?

We use the type system for non-interference for a while-language given by Volpano & Smith. We define a type system for low-level code and prove its soundness. Given a compiler, we prove that a type for the source code can ALWAYS be transformed into a type for the target code.

SLIDE 5

Outline of the Talk

  • Non-Interference: An Overview
  • JVM-like Language
  • Indistinguishability
  • Type System
  • Compilation
  • Source Language
  • Preservation of Security Types
  • Conclusion & Further Work

SLIDE 6

Non Interference

[Diagram: High Information / Low Information]

SLIDE 7

Non Interference

Executing a program on initial states that are indistinguishable will not result in observable differences for the attacker.

More formally: [the formal definition on this slide did not survive extraction]
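The definition above, as an added example that is not part of the talk: two initial states are indistinguishable when they agree on every public (low) variable, and a program is non-interferent when low-equal initial states always yield low-equal final states. The script brute-forces this over a tiny value domain for a handful of constructed Python functions standing in for while-language commands; the observation is the low part of the final state (so this is the termination-insensitive form for terminating programs). The variable names, their levels and the sample programs are my constructed inputs.

```python
# Added example (not from the talk): brute-force check of non-interference.
# A state maps variable names to values; gamma assigns each variable a level,
# "L" (public) or "H" (secret). An attacker observing at level L sees only L variables.
from itertools import product

GAMMA = {"h": "H", "l": "L"}      # constructed security typing of the variables
VALUES = range(4)                 # small value domain, enough to enumerate all states

def low_equal(s1, s2, gamma=GAMMA):
    """Memory indistinguishability at level L: agreement on every low variable."""
    return all(s1[x] == s2[x] for x, lvl in gamma.items() if lvl == "L")

def non_interferent(program, gamma=GAMMA):
    """For every pair of low-equal initial states, the final states are low-equal."""
    states = [dict(zip(gamma, vals)) for vals in product(VALUES, repeat=len(gamma))]
    for s1, s2 in product(states, repeat=2):
        if not low_equal(s1, s2, gamma):
            continue                                   # attacker can already tell them apart
        if not low_equal(program(dict(s1)), program(dict(s2)), gamma):
            return False                               # same low view in, different low view out
    return True

# Constructed sample programs: each takes a state and returns the final state.
def copy_low_to_high(s):          # h := l               secure: only a high sink is written
    s["h"] = s["l"]
    return s

def explicit_leak(s):             # l := h               explicit flow to a low sink
    s["l"] = s["h"]
    return s

def implicit_leak(s):             # if h == 0 then l := 1 else l := 0   implicit flow
    s["l"] = 1 if s["h"] == 0 else 0
    return s

def high_branch_high_sink(s):     # if h == 0 then h := 1 else h := 2   secure
    s["h"] = 1 if s["h"] == 0 else 2
    return s

if __name__ == "__main__":
    for p in (copy_low_to_high, explicit_leak, implicit_leak, high_branch_high_sink):
        print(f"{p.__name__:>22}: {'non-interferent' if non_interferent(p) else 'LEAKS'}")
```

The implicit-flow program is the case the stack-based type system later on the slides has to catch without ever seeing an assignment of `h` to `l`: the secret reaches `l` only through the choice of branch.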

SLIDE 8

JVM-like Language

Instructions (the instruction syntax on this slide did not survive extraction):

  • primitive value/operation
  • load the value of a variable on the stack
  • store the top of the stack in a variable
  • conditional jump
  • unconditional jump
  • procedure call
  • return

SLIDE 9

Memory Model

A state of an execution is a tuple [notation lost in extraction] consisting of:

  • a procedure name and a program point
  • a mapping from variables to values
  • a stack of values

SLIDE 10

Memory Indistinguishability

Value indistinguishability is defined w.r.t. a security level. The relation is extended pointwise to maps (memory indistinguishability) and to stacks (stack indistinguishability). [the definitions on this slide did not survive extraction]

SLIDE 11

Operand Stack Indistinguishability

Defined relative to two operand stacks of security levels

SLIDE 12

Abstract Semantics

The abstract semantics is a partial function. [its signature on this slide did not survive extraction]

  • One component records for each program point a security level.
  • One component determines the typing constraints for the instruction at a program point.
  • One component determines the constraints for the successors of that instruction.

SLIDE 13

Control Dependence Regions

The type system is parameterized by control dependence regions. [the definition of regions on this slide did not survive extraction]

SLIDE 14

Types & Soundness

[the typing judgment and rules on this slide did not survive extraction]

Theorem 1. Typable programs are non-interferent.
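As an added example, not the talk's own type system (whose rules did not survive extraction here), the checker below implements a type system of the kind the last three slides describe for a small JVM-like stack language: a security level per program point (`se`), a stack type per program point (`st`), and control dependence regions for conditional jumps. The instruction set, the two-point lattice, the exact rules, the function names and the sample programs are my assumptions.

```python
# Added example (not from the talk): a security-type checker for a small stack
# language. Constructed instruction set, rules, lattice and programs.
LOW, HIGH = "L", "H"                        # two-point lattice of security levels

def lub(*levels):
    """Join: anything combined with H is H."""
    return HIGH if HIGH in levels else LOW

def leq(a, b):
    """a may flow to b."""
    return a == LOW or b == HIGH

def lift(stack, k):
    """Join k into every element of a stack type left on the stack after a branch on k."""
    return [lub(s, k) for s in stack]

def check_program(code, gamma, se, st, region):
    """Check a proposed security type against the code.
    code   : list of instruction tuples: push/load/store/binop/ifeq/goto/return
    gamma  : security level of each variable
    se     : security level recorded for each program point
    st     : stack type (levels, top first) on entry to each program point
    region : for each ifeq at i, the program points control dependent on i
    Returns (True, "typable") or (False, reason)."""
    def succ(j, expected):
        return j < len(code) and st[j] == expected
    for i, ins in enumerate(code):
        op = ins[0]
        arg = ins[1] if len(ins) > 1 else None
        stack = st[i]
        if op == "push":                    # a constant takes the level of its context
            if not succ(i + 1, [se[i]] + stack):
                return False, f"{i}: bad stack type after push"
        elif op == "load":                  # variable level joined with the context level
            if not succ(i + 1, [lub(gamma[arg], se[i])] + stack):
                return False, f"{i}: bad stack type after load"
        elif op == "store":                 # explicit flow (top) and implicit flow (se)
            if not stack:
                return False, f"{i}: store on an empty stack"
            if not leq(lub(stack[0], se[i]), gamma[arg]):
                return False, f"{i}: store into {arg} would leak (top={stack[0]}, se={se[i]})"
            if not succ(i + 1, stack[1:]):
                return False, f"{i}: bad stack type after store"
        elif op == "binop":                 # result is as secret as both operands
            if len(stack) < 2:
                return False, f"{i}: binop needs two operands"
            if not succ(i + 1, [lub(stack[0], stack[1])] + stack[2:]):
                return False, f"{i}: bad stack type after binop"
        elif op == "ifeq":                  # guard level must cover the whole region
            if not stack:
                return False, f"{i}: ifeq on an empty stack"
            k = lub(stack[0], se[i])
            if any(not leq(k, se[j]) for j in region.get(i, ())):
                return False, f"{i}: region of ifeq is not raised to {k}"
            rest = lift(stack[1:], k)
            if not (succ(i + 1, rest) and succ(arg, rest)):
                return False, f"{i}: bad stack type at ifeq successors"
        elif op == "goto":
            if not succ(arg, stack):
                return False, f"{i}: bad stack type at goto target"
        elif op != "return":
            return False, f"{i}: unknown instruction {op}"
    return True, "typable"

GAMMA = {"h": HIGH, "l": LOW}               # constructed: h is secret, l is public

# Constructed programs in the layout "guard; ifeq; fall-through branch; goto end;
# jump-target branch; end: return". ifeq jumps when the top of the stack is 0.
# if h == 0 then h := 1 else h := 2   (secure: a high guard reaching only high sinks)
HIGH_BRANCH = [("load", "h"), ("ifeq", 5), ("push", 2), ("store", "h"),
               ("goto", 7), ("push", 1), ("store", "h"), ("return",)]
# if h == 0 then l := 1 else l := 0   (implicit flow into the public variable l)
IMPLICIT_FLOW = [("load", "h"), ("ifeq", 5), ("push", 0), ("store", "l"),
                 ("goto", 7), ("push", 1), ("store", "l"), ("return",)]
REGION = {1: {2, 3, 4, 5, 6}}               # points control dependent on the ifeq at 1
SE = [LOW, LOW, HIGH, HIGH, HIGH, HIGH, HIGH, LOW]
ST = [[], [HIGH], [], [HIGH], [], [], [HIGH], []]

if __name__ == "__main__":
    print(check_program(HIGH_BRANCH, GAMMA, SE, ST, REGION))     # (True, 'typable')
    print(check_program(IMPLICIT_FLOW, GAMMA, SE, ST, REGION))   # rejected at the store at 3
```

Two rules do the security work. The `store` rule joins the level of the value on the stack with the level recorded for the program point, so an explicit flow (`l := h`) and an implicit one (a store to `l` inside a high region) are rejected by the same check. The `ifeq` rule is where the control dependence regions enter: the level of the guard must be below `se` at every point of the region, so a proposed type that leaves `se` low inside a branch on `h` is refused at the jump rather than silently accepted.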

SLIDE 15

Source Language

[the grammar of the while-language on this slide did not survive extraction]

SLIDE 16

Preservation of Security Types

Theorem 2. [the formal statement on this slide did not survive extraction; slide 4 states it informally: a security type for the source code can always be transformed into a security type for the target code]

The proof is itself an algorithm: given the security type of the source program and the compiled program, a security type for the low-level program can be computed.
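The proof-as-algorithm described above, as an added example that is not the authors' code: a compiler from a three-command fragment of the while-language to a JVM-like stack language, with the server-side Volpano & Smith typing and the client-side transformation that derives the target type (`se`, `st` and the control dependence regions) from the source type and the compiled code. The syntax, the typing rules, the instruction set and the sample programs are my assumptions; the target type it produces is in the shape a low-level checker of the kind on slide 14 would consume.

```python
# Added example (not from the talk): constructed syntax, typing rules, compiler and programs.
LOW, HIGH = "L", "H"                                         # two-point lattice of levels
def lub(*levels): return HIGH if HIGH in levels else LOW     # join of levels
def leq(a, b): return a == LOW or b == HIGH                  # a may flow to b

# Constructed source syntax:
#   expressions  ("const", n) | ("var", x) | ("add", e1, e2)
#   commands     ("assign", x, e) | ("seq", c1, c2) | ("if", e, c_then, c_else)
# A command is named by its path from the root: (2, 3) is the else branch of a seq's 2nd part.

def expr_level(e, gamma):
    if e[0] == "const": return LOW
    if e[0] == "var": return gamma[e[1]]
    return lub(expr_level(e[1], gamma), expr_level(e[2], gamma))

def type_source(c, gamma, pc=LOW, path=(), typing=None):
    """Server side: Volpano-Smith typing (gamma |- c : pc cmd). Returns the source
    type, a map from command path to the pc it was typed under; raises on a leak."""
    typing = {} if typing is None else typing
    typing[path] = pc
    if c[0] == "assign":
        if not leq(lub(expr_level(c[2], gamma), pc), gamma[c[1]]):
            raise TypeError(f"insecure flow into {c[1]} at {path}")
    elif c[0] == "seq":
        type_source(c[1], gamma, pc, path + (1,), typing)
        type_source(c[2], gamma, pc, path + (2,), typing)
    else:                                   # if: both branches are typed under the guard level
        guard = lub(expr_level(c[1], gamma), pc)
        type_source(c[2], gamma, guard, path + (2,), typing)
        type_source(c[3], gamma, guard, path + (3,), typing)
    return typing

def source_typable(c, gamma):
    try: type_source(c, gamma); return True
    except TypeError: return False

def compile_expr(e, code):
    if e[0] == "const": code.append(("push", e[1]))
    elif e[0] == "var": code.append(("load", e[1]))
    else: compile_expr(e[1], code); compile_expr(e[2], code); code.append(("binop",))

def compile_cmd(c, code, origin, region, path=()):
    """Emit stack code. origin[i]: path of the innermost command instruction i came
    from. region[i]: control dependence region of the ifeq at i (every point up to
    the junction point, including the goto that closes the first branch)."""
    start = len(code)
    if c[0] == "assign":
        compile_expr(c[2], code)
        code.append(("store", c[1]))
    elif c[0] == "seq":
        compile_cmd(c[1], code, origin, region, path + (1,))
        compile_cmd(c[2], code, origin, region, path + (2,))
    else:
        compile_expr(c[1], code)
        branch = len(code)
        code.append(("ifeq", None))         # jumps to the else branch when the guard is 0
        compile_cmd(c[2], code, origin, region, path + (2,))
        skip = len(code)
        code.append(("goto", None))
        origin[skip] = path + (2,)          # the goto lies inside the region: branch level
        code[branch] = ("ifeq", len(code))
        compile_cmd(c[3], code, origin, region, path + (3,))
        code[skip] = ("goto", len(code))
        region[branch] = set(range(branch + 1, len(code)))
    for i in range(start, len(code)):
        origin.setdefault(i, path)

def transform_type(code, gamma, origin, typing):
    """Client side, the constructive content of the preservation theorem: se[i] is
    the source pc of the command instruction i came from; st is propagated forward
    from an empty operand stack at program point 0."""
    se = [typing.get(origin.get(i), LOW) for i in range(len(code))]
    st = [None] * (len(code) + 1)
    st[0] = []
    for i, ins in enumerate(code):
        stack = st[i]
        if ins[0] == "push": st[i + 1] = [se[i]] + stack
        elif ins[0] == "load": st[i + 1] = [lub(gamma[ins[1]], se[i])] + stack
        elif ins[0] == "store": st[i + 1] = stack[1:]
        elif ins[0] == "binop": st[i + 1] = [lub(stack[0], stack[1])] + stack[2:]
        elif ins[0] == "ifeq":              # pop the guard, raise what remains to its level
            k = lub(stack[0], se[i])
            st[i + 1] = st[ins[1]] = [lub(s, k) for s in stack[1:]]
        elif ins[0] == "goto": st[ins[1]] = stack
    return se, st[:len(code)]

def compile_program(c, gamma):
    typing = type_source(c, gamma)                              # server side
    code, origin, region = [], {}, {}
    compile_cmd(c, code, origin, region)
    code.append(("return",))
    se, st = transform_type(code, gamma, origin, typing)        # client side
    return code, se, st, region

GAMMA = {"h": HIGH, "l": LOW}                                   # constructed: h secret, l public
# h := l ; if h then h := 1 else h := 2    (typable: the high guard reaches only high sinks)
SECURE = ("seq", ("assign", "h", ("var", "l")),
          ("if", ("var", "h"), ("assign", "h", ("const", 1)), ("assign", "h", ("const", 2))))
# if h then l := 1 else l := 0             (implicit flow: rejected on the server side)
LEAKY = ("if", ("var", "h"), ("assign", "l", ("const", 1)), ("assign", "l", ("const", 0)))
```

Running `compile_program(SECURE, GAMMA)` yields ten instructions whose `se` is low for the assignment and the guard evaluation, high for both branches of the `if` (including the `goto` that closes the first branch, which is why that instruction is attributed to the branch rather than to the `if`), and a region `{3: {4, ..., 8}}` for the single `ifeq`. Nothing on the client side re-runs the source type system: the transformation only reads the source type and the compiled code, which is the efficiency argument from the motivation slide.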

SLIDE 17

Conclusion

In this work:

  • a type system to guarantee stronger confidentiality for a low-level language
  • proof: compilation preserves security types

We can recover non-interference of a high-level program if the compiler preserves the semantics:

Lemma 1 (Non-interference for source language). If [hypothesis lost in extraction], then [the program] is non-interferent w.r.t. [relation lost in extraction].

SLIDE 18

Further Work

  • JVM
  • Develop a type-preserving compiler for non-interference for Java
  • Formal proofs
  • Study more liberal, yet secure, verification techniques
