CoSMed: A Confidentiality-Verified Social Media Platform
Thomas Bauereiß, Armando Pesenti Gritti, Andrei Popescu, Franco Raimondi

Introduction
• Security in web-based applications
• Goal: information flow control, not just access control!

Previous work
• Security framework: Bounded Deducibility (BD) Security (Kanav, Popescu, Lammich)
  ► Highly expressive wrt. what information may be released and when
  ► (Interactive) verification technique
• CoCon: verified confidentiality of
  ► papers
  ► reviews
  ► reviewer names
  ► discussions

CoSMed
• Prototype social media platform
• Focus on confidentiality
• Tailored for the needs of a charity organization
CoSMed
System Architecture
• Isabelle specification of the system as a step function: step : state ⇒ act ⇒ out × state
• Security specification, connected to the system specification by proof
• Code generation: Isabelle specification → Scala code
• REST API wrapper around the generated Scala code
• Web application on top of the REST API

Security Requirements
• Confidentiality of
  ► Friend-only posts: text, image, and title updates
  ► Friendship information: who is friends with whom?
Bounded Deducibility Security
• Generalization of Nondeducibility (Sutherland, '86):
  $\forall t \in \mathit{Sys},\ s \in \mathit{List}(\mathit{Sec}).\ \exists t' \in \mathit{Sys}.\ O\,t' = O\,t \wedge S\,t' = s$
  where
  ► $\mathit{Sys} \subseteq \mathit{List}(\mathit{Trans})$ is the set of possible execution traces of a system (i.e., sequences of system transitions)
  ► $O : \mathit{List}(\mathit{Trans}) \to \mathit{List}(\mathit{Obs})$ maps traces to observations
  ► $S : \mathit{List}(\mathit{Trans}) \to \mathit{List}(\mathit{Sec})$ maps traces to secrets

Bounded Deducibility Security
• Adding declassification:
  $\forall t \in \mathit{Sys},\ s \in \mathit{List}(\mathit{Sec}).\ (S\,t, s) \in B \wedge \neg T(t) \longrightarrow \exists t' \in \mathit{Sys}.\ O\,t' = O\,t \wedge S\,t' = s$
  where
  ► $B \subseteq \mathit{List}(\mathit{Sec}) \times \mathit{List}(\mathit{Sec})$: declassification bound; specifies which secrets have to be indistinguishable from which other secrets
  ► $T$: declassification trigger; if $T$ is true, secret information is allowed to be declassified
Post Confidentiality
• Observations: actions (and outputs) performed by an arbitrary but fixed set of users
• Secrets: content updates of an arbitrary but fixed post $p$
• Example trace (observer $u_1$, post owner $u_2$):
  trace:        $\mathit{crt}(p, "1")$   $\mathit{frnd}(u_1, u_2)$   $\mathit{upd}(p, "2")$   $\mathit{rd}(p) \Rightarrow "2"$   $\mathit{unfrnd}(u_1, u_2)$   $\mathit{upd}(p, "3")$
  secrets:      "1"                                     "2"                                                       "3"
  observations:                                                       $\mathit{rd}(p) \Rightarrow "2"$

Post Confidentiality
• Declassification bound: all secrets indistinguishable
• Declassification trigger: observer and post owner become friends, or post becomes public
• Too weak! What about "unfriending"? Once the trigger has fired, nothing is guaranteed about later updates.
  (same example trace as above)

Post Confidentiality
• $\mathit{Sec} = \mathit{Post\_Content} + \{\mathit{Open}, \mathit{Close}\}$
• Distinguish two phases: Closed / Open / Closed
• Mark the transitions between phases as Open and Close:
  Closed: $\mathit{crt}(p, "1")$
  Open:   $\mathit{frnd}(u_1, u_2)$   $\mathit{upd}(p, "2")$   $\mathit{rd}(p) \Rightarrow "2"$
  Close:  $\mathit{unfrnd}(u_1, u_2)$
  Closed: $\mathit{upd}(p, "3")$
Dynamic Declassification
• Declassification bound for the closed phase: $BC(ul, ul')$

Dynamic Declassification
• ... declassification bound for the open phase: $BO(ul, ul)$
  (alongside $BC(ul, ul')$ for the closed phase)

Dynamic Declassification
• $B = BC$ ... iterated via mutual induction:
  $\dfrac{}{BC(ul, ul')}$ (closed phase: updates unconstrained)
  $\dfrac{}{BO(ul, ul)}$ (open phase: updates must be equal)
  $\dfrac{BC(ul, ul') \quad \mathrm{last}\ ul = \mathrm{last}\ ul' \quad BO(sl, sl') \quad \ldots}{BC(ul \cdot \mathit{Open} \cdot sl,\ ul' \cdot \mathit{Open} \cdot sl')}$
  $\dfrac{BC(sl, sl')}{BO(ul \cdot \mathit{Close} \cdot sl,\ ul \cdot \mathit{Close} \cdot sl')}$
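As an added illustration (not part of the CoSMed slides or of its Isabelle development), the following Python model implements the phase-marked bound from the Dynamic Declassification slides as a decision procedure over secret lists, and computes the secret list $S$ and the observation list $O$ for the example trace of the Post Confidentiality slides. The trace encoding, the OPEN/CLOSE marker values, the user and post names, and the helper names are assumptions made here for illustration; the treatment of two empty update lists at an Open boundary is a simplification marked in the code.

```python
# Added example, not from the CoSMed slides or its Isabelle development:
# a small Python model of the phase-marked declassification bound of the
# "Dynamic Declassification" slides, applied to the trace of the
# "Post Confidentiality" slides. The trace encoding, the OPEN/CLOSE markers
# and the helper names are assumptions made here for illustration.

OPEN, CLOSE = "Open", "Close"            # phase markers inside the secret list
OBSERVER, OWNER, POST = "u1", "u2", "p"  # observer, post owner, the post


def split_at(sl, marker):
    """Split a secret list at the first occurrence of marker; None if absent."""
    if marker not in sl:
        return None
    i = sl.index(marker)
    return sl[:i], sl[i + 1:]


def last_agrees(ul, ul2):
    """'last ul = last ul'' from the slide. Assumption: two empty update lists
    agree (nothing changed since the previous phase boundary)."""
    if not ul and not ul2:
        return True
    return bool(ul) and bool(ul2) and ul[-1] == ul2[-1]


def bound_closed(sl, sl2):
    """BC(sl, sl'): both lists start in a closed (friend-only, unobservable) phase."""
    parts, parts2 = split_at(sl, OPEN), split_at(sl2, OPEN)
    if parts is None and parts2 is None:
        return True        # axiom BC(ul, ul'): closed-phase updates are unconstrained
    if parts is None or parts2 is None:
        return False       # the observer can tell whether the post ever opened
    (ul, rest), (ul2, rest2) = parts, parts2
    # on opening the observer sees the current content, so the last closed-phase
    # update must agree; what follows is judged by the open-phase bound
    return last_agrees(ul, ul2) and bound_open(rest, rest2)


def bound_open(sl, sl2):
    """BO(sl, sl'): both lists start in an open (observable) phase."""
    parts, parts2 = split_at(sl, CLOSE), split_at(sl2, CLOSE)
    if parts is None and parts2 is None:
        return sl == sl2   # axiom BO(ul, ul): open-phase updates must be identical
    if parts is None or parts2 is None:
        return False
    (ul, rest), (ul2, rest2) = parts, parts2
    return ul == ul2 and bound_closed(rest, rest2)


def bound(sl, sl2):
    """B = BC: every secret list begins in the closed phase."""
    return bound_closed(sl, sl2)


# Constructed trace from the slides; each step is (actor, action, argument, output).
SLIDE_TRACE = [
    (OWNER, "crt", "1", None),          # create post p with content "1"
    (OWNER, "frnd", OBSERVER, None),    # owner and observer become friends: Open
    (OWNER, "upd", "2", None),          # update p to "2" while observable
    (OBSERVER, "rd", POST, "2"),        # observer reads p and sees "2"
    (OWNER, "unfrnd", OBSERVER, None),  # friendship ends: Close
    (OWNER, "upd", "3", None),          # update p to "3", no longer observable
]


def secrets(trace):
    """S: content updates of p, with Open/Close marking the friendship changes."""
    sl = []
    for actor, act, arg, _ in trace:
        if act in ("crt", "upd"):
            sl.append(arg)
        elif act in ("frnd", "unfrnd") and {actor, arg} == {OWNER, OBSERVER}:
            sl.append(OPEN if act == "frnd" else CLOSE)
    return sl


def observations(trace):
    """O: the observer's own actions together with their outputs."""
    return [(act, arg, out) for actor, act, arg, out in trace if actor == OBSERVER]


if __name__ == "__main__":
    sl = secrets(SLIDE_TRACE)
    print("secrets:", sl)                       # ['1', 'Open', '2', 'Close', '3']
    print("observations:", observations(SLIDE_TRACE))
    # closed-phase content may differ freely, open-phase content may not
    print(bound(sl, ["x", "1", OPEN, "2", CLOSE, "y", "z"]))  # True
    print(bound(sl, ["5", OPEN, "2", CLOSE, "3"]))            # False: seen on opening
    print(bound(sl, ["1", OPEN, "7", CLOSE, "3"]))            # False: seen while open
```

The three `bound` calls at the end show what the dynamic bound buys over the trigger-only version: an alternative secret list may replace every update made before the friendship and after the unfriending, but must agree on the content visible at opening and on every update made while the post was observable.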
Verification
• Unwinding: construct the alternative trace incrementally
  ► Strategy for when and how to match observable transitions in both traces
  ► Strategy for when and how to insert/delete secret transitions as required by the bound
• "Unwinding relation" between original and alternative states and the remaining secrets
• Proof of the unwinding conditions

Verification
(bar chart, y-axis 0 to 7000; bars for: System specification; Security spec. and proofs; Safety properties; BD Security framework; Accountability properties)

Conclusion
• CoSMed: https://cosmed.globalnoticeboard.com
  ► Social media platform tailored for a charity organization
  ► Verified dynamic confidentiality requirements
  ► Lesson learned for BD Security: declassification bounds incorporating dynamic triggers
• Next step: CoSMeDis
  ► Extension of CoSMed to a distributed system
  ► Compositionality result for BD Security