specification and enforcement of information erasure
play

Specification and Enforcement of Information Erasure Policies - PowerPoint PPT Presentation

Aug 21, 2022 •721 likes •1.03k views

Motivation A Language-Based Approach Issues Summary Specification and Enforcement of Information Erasure Policies Sebastian Hunt 1 David Sands 2 Filippo Del Tedesco 2 1 City University London 2 Chalmers University of Technology, Sweden The

  1. Motivation A Language-Based Approach Issues Summary Specification and Enforcement of Information Erasure Policies Sebastian Hunt 1 David Sands 2 Filippo Del Tedesco 2 1 City University London 2 Chalmers University of Technology, Sweden The 12th CREST Open Workshop Security and Code April 2011 Sebastian Hunt, David Sands, Filippo Del Tedesco Information Erasure Policies

  2. Motivation A Language-Based Approach Issues Summary Outline Motivation 1 A Language-Based Approach 2 Issues 3 Sebastian Hunt, David Sands, Filippo Del Tedesco Information Erasure Policies

  3. Motivation A Language-Based Approach Issues Summary Outline Motivation 1 A Language-Based Approach 2 Issues 3 Sebastian Hunt, David Sands, Filippo Del Tedesco Information Erasure Policies

  4. Motivation A Language-Based Approach Issues Summary Why Erase? Erasing sensitive information as soon as possible may give stronger security guarantees: Erasure of identification tokens in e-voting. Erasure of credit card details on completion of transaction. Erasure of fingerprint data from a left-luggage locker. Sebastian Hunt, David Sands, Filippo Del Tedesco Information Erasure Policies

  5. Motivation A Language-Based Approach Issues Summary End-to-End Information Flow Policies We can’t guarantee to erase information if we don’t know where it has gone. Access control is not enough: we need end-to-end flow policies and enforcement. Control of information-flow is necessary. . . is it sufficient? If we can guarantee that information doesn’t flow out of a system, is there any need to erase it? Sebastian Hunt, David Sands, Filippo Del Tedesco Information Erasure Policies

  6. Motivation A Language-Based Approach Issues Summary Keeping Your Memory Clean Sebastian Hunt, David Sands, Filippo Del Tedesco Information Erasure Policies

  7. Motivation A Language-Based Approach Issues Summary Cold Boot Attacks DRAM memory reverts to “ground state” when power is disconnected, but this takes several seconds. even longer if memory modules are cooled Sensitive information residing in RAM can be stolen by cutting power and quickly rebooting into a custom kernel. [Halderman et al, 2008] recover disk-encryption keys recover even partially degraded keys by exploiting precomputations kept in RAM by encryption software Sebastian Hunt, David Sands, Filippo Del Tedesco Information Erasure Policies

  8. Motivation A Language-Based Approach Issues Summary Cold Boot Attack Countermeasures No silver bullet: keys must be stored somewhere . [Halderman et al, 2008]: “Countermeasures begin with efforts to avoid storing keys in memory. Software should overwrite keys when they are no longer needed, and it should attempt to prevent keys from being paged to disk.” Specific examples: Avoid precomputation; erase precomputed data if unused for a given time interval Obfuscate keys in RAM; recreate usable keys as necessary, erase ASAP Sebastian Hunt, David Sands, Filippo Del Tedesco Information Erasure Policies

  9. Motivation A Language-Based Approach Issues Summary Outline Motivation 1 A Language-Based Approach 2 Issues 3 Sebastian Hunt, David Sands, Filippo Del Tedesco Information Erasure Policies

  10. Motivation A Language-Based Approach Issues Summary Erasure Policies Example: credit card number should be erased after transaction To erase contents of a variable, overwrite with a constant: input cc from user; t := transaction(cc); output t to bank; cc := 0 Not enough to overwrite cc , must control flows from cc ⇒ Can use a flow-sensitive security type system. Sebastian Hunt, David Sands, Filippo Del Tedesco Information Erasure Policies

  11. Motivation A Language-Based Approach Issues Summary Erasure Policies Example: credit card number should be erased after transaction To erase contents of a variable, overwrite with a constant: input cc from user; t := transaction(cc); output t to bank; cc := 0 Not enough to overwrite cc , must control flows from cc ⇒ Can use a flow-sensitive security type system. Sebastian Hunt, David Sands, Filippo Del Tedesco Information Erasure Policies

  12. Motivation A Language-Based Approach Issues Summary Erasure Policies Example: credit card number should be erased after transaction To erase contents of a variable, overwrite with a constant: input cc from user; t := transaction(cc); output t to bank; cc := 0 Not enough to overwrite cc , must control flows from cc ⇒ Can use a flow-sensitive security type system. Sebastian Hunt, David Sands, Filippo Del Tedesco Information Erasure Policies

  13. Motivation A Language-Based Approach Issues Summary Flow-sensitive Security Type System Typing judgements: ⊢ Γ { C } Γ ′ Γ , Γ ′ : Var → L (lattice of security levels) variable types given by Γ on entry to C , by Γ ′ on exit ⊢ Γ { x := E } Γ[ x �→ Γ( pc ) ⊔ Γ( E )] Γ ′ = Γ[ pc �→ p ⊔ Γ( E )] ⊢ Γ ′ { C } Γ ′ p = Γ( pc ) ⊢ Γ { while E C } Γ Sebastian Hunt, David Sands, Filippo Del Tedesco Information Erasure Policies

  14. Motivation A Language-Based Approach Issues Summary Flow-sensitive Security Type System Typing judgements: ⊢ Γ { C } Γ ′ Γ , Γ ′ : Var → L (lattice of security levels) variable types given by Γ on entry to C , by Γ ′ on exit ⊢ Γ { x := E } Γ[ x �→ Γ( pc ) ⊔ Γ( E )] Γ ′ = Γ[ pc �→ p ⊔ Γ( E )] ⊢ Γ ′ { C } Γ ′ p = Γ( pc ) ⊢ Γ { while E C } Γ Sebastian Hunt, David Sands, Filippo Del Tedesco Information Erasure Policies

  15. Motivation A Language-Based Approach Issues Summary Flow-sensitive Security Type System Typing judgements: ⊢ Γ { C } Γ ′ Γ , Γ ′ : Var → L (lattice of security levels) variable types given by Γ on entry to C , by Γ ′ on exit ⊢ Γ { x := E } Γ[ x �→ Γ( pc ) ⊔ Γ( E )] Γ ′ = Γ[ pc �→ p ⊔ Γ( E )] ⊢ Γ ′ { C } Γ ′ p = Γ( pc ) ⊢ Γ { while E C } Γ Sebastian Hunt, David Sands, Filippo Del Tedesco Information Erasure Policies

  16. Motivation A Language-Based Approach Issues Summary Block-Structured Erase Basic idea: input a value x from channel i ; use freely within command C ; erase x (and all information derived from x ) by the time C completes Generalise: erase to some level a input x : i erase to a after C Allows information to be used after C but only at the higher security level a Complete erasure captured by choosing a = # : a security level higher than allowed for any variable Sebastian Hunt, David Sands, Filippo Del Tedesco Information Erasure Policies

  17. Motivation A Language-Based Approach Issues Summary An Erasure Type System ⊢ Γ[ x �→ p ⊔ Γ( i )] { C } Γ 1 ⊢ Γ[ x �→ p ⊔ a ] { C } Γ 2 � Γ 1 ( y ) if y ∈ OVar p = Γ( pc ) Γ ′ ( y ) = Γ 1 ( y ) ⊔ Γ 2 ( y ) otherwise ⊢ Γ { input x : i erase to a after C } Γ ′ [ i += p ] environments track flows between variables and on IO channels ( i ∈ IVar , o ∈ OVar ) two typings for body: one for flows inside body, one for flows to rest of program Sebastian Hunt, David Sands, Filippo Del Tedesco Information Erasure Policies

  18. Motivation A Language-Based Approach Issues Summary An Erasure Type System ⊢ Γ[ x �→ p ⊔ Γ( i )] { C } Γ 1 ⊢ Γ[ x �→ p ⊔ a ] { C } Γ 2 � Γ 1 ( y ) if y ∈ OVar p = Γ( pc ) Γ ′ ( y ) = Γ 1 ( y ) ⊔ Γ 2 ( y ) otherwise ⊢ Γ { input x : i erase to a after C } Γ ′ [ i += p ] environments track flows between variables and on IO channels ( i ∈ IVar , o ∈ OVar ) two typings for body: one for flows inside body, one for flows to rest of program Sebastian Hunt, David Sands, Filippo Del Tedesco Information Erasure Policies

  19. Motivation A Language-Based Approach Issues Summary Outline Motivation 1 A Language-Based Approach 2 Issues 3 Sebastian Hunt, David Sands, Filippo Del Tedesco Information Erasure Policies

  20. Motivation A Language-Based Approach Issues Summary An Implementation Problem (Solved) Typing is Exponential ⊢ Γ[ x �→ p ⊔ Γ( i )] { C } Γ 1 ⊢ Γ[ x �→ p ⊔ a ] { C } Γ 2 � Γ 1 ( y ) if y ∈ OVar p = Γ( pc ) Γ ′ ( y ) = Γ 1 ( y ) ⊔ Γ 2 ( y ) otherwise ⊢ Γ { input x : i erase to a after C } Γ ′ [ i += p ] Double typing required for C . Nesting an input command inside C doubles the size of the derivation. ⇒ Typing is exponential in the size of the program. Sebastian Hunt, David Sands, Filippo Del Tedesco Information Erasure Policies

  21. Motivation A Language-Based Approach Issues Summary An Implementation Problem (Solved) Typing is Exponential ⊢ Γ[ x �→ p ⊔ Γ( i )] { C } Γ 1 ⊢ Γ[ x �→ p ⊔ a ] { C } Γ 2 � Γ 1 ( y ) if y ∈ OVar p = Γ( pc ) Γ ′ ( y ) = Γ 1 ( y ) ⊔ Γ 2 ( y ) otherwise ⊢ Γ { input x : i erase to a after C } Γ ′ [ i += p ] Double typing required for C . Nesting an input command inside C doubles the size of the derivation. ⇒ Typing is exponential in the size of the program. Sebastian Hunt, David Sands, Filippo Del Tedesco Information Erasure Policies

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Forward Error Correction using Erasure Codes using Erasure Codes Reference : L. Rizzo,

Forward Error Correction using Erasure Codes using Erasure Codes Reference : L. Rizzo,

Forward Error Correction using Erasure Codes using Erasure Codes Reference : L. Rizzo, Effective Erasure Codes for Reliable Computer Communication Protocols, ACM p SIGCOMM Computer Communication Review , April 1997 Erasure codes (Simon

705 views • 25 slides
Type Erasure 86 What is Type Erasure? The way for the Java

Type Erasure 86 What is Type Erasure? The way for the Java

Type Erasure 86 What is Type Erasure? The way for the Java compiler to generate byte code which implements our Generic Types & Generic Methods Type

276 views • 15 slides
Erasure Codes. Erasure Code: Example. Example Make polynomial, P ( x ) = a 2 x 2 + a 1 x + a 0

Erasure Codes. Erasure Code: Example. Example Make polynomial, P ( x ) = a 2 x 2 + a 1 x + a 0

Erasure Codes. Erasure Code: Example. Example Make polynomial, P ( x ) = a 2 x 2 + a 1 x + a 0 Satellite n packet message. So send n + k ! with P ( 1 ) = 1, P ( 2 ) = 4, P ( 3 ) = 4. Send message of 1,4, and 4. Modulo 7 to accommodate at least

279 views • 5 slides
Equating quantum and thermodynamic entropy productions (Information erasure in closed system:

Equating quantum and thermodynamic entropy productions (Information erasure in closed system:

Equating quantum and thermodynamic entropy productions (Information erasure in closed system: Nature may operate twirling) Lajos Di osi Wigner Research Centre, Budapest 21 Sept 2016, Sopot Acknowledgements: EU COST Action MP1209

569 views • 8 slides
Decoding F q -linear codes over erasure channels Sara D. Cardell Universidad de Alicante

Decoding F q -linear codes over erasure channels Sara D. Cardell Universidad de Alicante

Decoding F q -linear codes over erasure channels Sara D. Cardell Universidad de Alicante SPCoding School S.D. Cardell Decoding F q -linear codes over erasure channels Erasure channel We consider as model of errors the erasure channel

290 views • 9 slides
Information erasure in closed system: Nature may operate twirling Lajos Di osi Wigner Center,

Information erasure in closed system: Nature may operate twirling Lajos Di osi Wigner Center,

Information erasure in closed system: Nature may operate twirling Lajos Di osi Wigner Center, Budapest 6 May 2016, P ecs Acknowledgements go to: EU COST Action MP1209 Thermodynamics in the quantum regime Lajos Di osi (Wigner

513 views • 8 slides
SYSTEM Feature Details Specification 3GPP Specification Version 3GPP Release 5 December 2004

SYSTEM Feature Details Specification 3GPP Specification Version 3GPP Release 5 December 2004

DATONG DX SYSTEM - 300 The Datong series of DX products are primarily designed to provide Law Enforcement and the Military with a comprehensive toolkit of functionality in the increasing battle against mobile communications technology.

621 views • 3 slides
ENFORCEMENT INTEGRATED INFORMATION SYSTEM IN LITHUANIA INTEGRATED ELECTRONIC SERVICES

ENFORCEMENT INTEGRATED INFORMATION SYSTEM IN LITHUANIA INTEGRATED ELECTRONIC SERVICES

ENFORCEMENT INTEGRATED INFORMATION SYSTEM IN LITHUANIA INTEGRATED ELECTRONIC SERVICES ENFORCEMENT OFFICERS CASH RESTRICTION INFORMATION SYSTEM INFORMATION SYSTEM (PLAIS) (AIS) VARIOUS PROPERTY REGISTERS ASSET SEIZURE REGISTER (TAAR)

360 views • 14 slides
in Hungary Enforcement procedure Procedure after Ordering enforcement enforcement order

in Hungary Enforcement procedure Procedure after Ordering enforcement enforcement order

Monitoring of enforcement in Hungary Enforcement procedure Procedure after Ordering enforcement enforcement order Ordering enforcement Authorities court notary public Enforcement order certificate of enforcement

540 views • 12 slides
Error Correction and Erasure Codes in Wireless Communication Networks Pouya Ostovari and Jie Wu

Error Correction and Erasure Codes in Wireless Communication Networks Pouya Ostovari and Jie Wu

Reliable Broadcast with Joint Forward Error Correction and Erasure Codes in Wireless Communication Networks Pouya Ostovari and Jie Wu Computer & Information Sciences Temple University Center for Networked Computing

573 views • 22 slides
Linear-Time Erasure List-Decoding of Expander Codes Noga Ron-Zewi (University of Haifa) Mary

Linear-Time Erasure List-Decoding of Expander Codes Noga Ron-Zewi (University of Haifa) Mary

Linear-Time Erasure List-Decoding of Expander Codes Noga Ron-Zewi (University of Haifa) Mary Wootters (Stanford) Gilles Zmor (Universit de Bordeaux) ISIT 2020 Linear-Time 3 Erasure List-Decoding of 1 Expander Codes 2 1. Erasure

559 views • 18 slides
Deconstruction and Conditional Erasure of Correlations Joint work with Mario Berta, Fernando

Deconstruction and Conditional Erasure of Correlations Joint work with Mario Berta, Fernando

Deconstruction and Conditional Erasure of Correlations Joint work with Mario Berta, Fernando Brandao, and Mark Wilde (arXiv:1609.06994) Christian Majenz QMATH, University of Copenhagen Beyond I.I.D. in Information Theory, National University

1.01k views • 86 slides
14.471: Public Economics Tax Enforcement Emmanuel Saez MIT: Fall 2009 1 Tax Enforcement

14.471: Public Economics Tax Enforcement Emmanuel Saez MIT: Fall 2009 1 Tax Enforcement

14.471: Public Economics Tax Enforcement Emmanuel Saez MIT: Fall 2009 1 Tax Enforcement Problem Most models of optimal taxation (income or commodity) as- sume away enforcement issues. In practice: 1) Enforcement is costly (eats up around 10%

1.12k views • 45 slides
1 Good Requirements Graphical Languages? Specification Qualities Examples: Complete -

1 Good Requirements Graphical Languages? Specification Qualities Examples: Complete -

REQUIREMENT SPECIFICATION The Basic Waterfall Model Today: Requirements Specification Requirements Requirements tell us what the system should do - specification not how it should do it. Analysis & Requirements are

363 views • 3 slides
JOINT ENFORCEMENT AGREEMENT SE DIVISION Cooperative Enforcement Program Joint Enforcement

JOINT ENFORCEMENT AGREEMENT SE DIVISION Cooperative Enforcement Program Joint Enforcement

Assistant Commander Brandi Reeder Law Enforcement Division - Fisheries Law Administrator JOINT ENFORCEMENT AGREEMENT SE DIVISION Cooperative Enforcement Program Joint Enforcement Agreement One of the most effective programs in NOAAs

600 views • 30 slides
Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica

Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica

Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Until now Logic Formal specification (generalities) Algebraic specification Transition systems 2

798 views • 62 slides
Deadbolt: Locking Down Android Disk Encryption Adam Skillen, David Barrera, and Paul C. van

Deadbolt: Locking Down Android Disk Encryption Adam Skillen, David Barrera, and Paul C. van

Deadbolt: Locking Down Android Disk Encryption Adam Skillen, David Barrera, and Paul C. van Oorschot askillen@ccsl.carleton.ca Carleton Computer Security Lab Carleton University Ottawa, Canada SPSM 2013, Berlin, Germany November 8, 2013 The

488 views • 28 slides
T3E Resiliency Enhancements Dean Elling Software Engineer SGI 41st Cray User Group Conference

T3E Resiliency Enhancements Dean Elling Software Engineer SGI 41st Cray User Group Conference

T3E Resiliency Enhancements Dean Elling Software Engineer SGI 41st Cray User Group Conference Minneapolis, Minnesota A Brief History PE Resiliency Initial releases of UNICOS/mk system panicked processes hung system would

732 views • 21 slides
Haven Shielding applications from an untrusted cloud Andrew Baumann Marcus Peinado Galen Hunt

Haven Shielding applications from an untrusted cloud Andrew Baumann Marcus Peinado Galen Hunt

Haven Shielding applications from an untrusted cloud Andrew Baumann Marcus Peinado Galen Hunt Microsoft Research In the old days Application Operating system 2 In the old days Application Operating system 2 In the old days

631 views • 34 slides
Novel Hardware-based Attacks Jason Zheng Aditya Joshi Introduction Direct hardware hacking is

Novel Hardware-based Attacks Jason Zheng Aditya Joshi Introduction Direct hardware hacking is

Novel Hardware-based Attacks Jason Zheng Aditya Joshi Introduction Direct hardware hacking is as old as the trade of hacking Common Characteristics: Physical access (at least within transmission range of EM/Accoustic signals). Seemingly

252 views • 22 slides
Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing Sangho Lee Ming-Wei

Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing Sangho Lee Ming-Wei

Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing Sangho Lee Ming-Wei Shih Prasun Gera Taesoo Kim Hyesoon Kim Marcus Peinado 26 th USENIX Security Symposium August 17, 2017 Intel Software Guard Extension (SGX)

437 views • 42 slides
About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production

About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production

About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production Environments Student: Benjamin Taubmann PhD stage: Third year, finisher Advisor: Prof. Dr. Hans P. Reiser Affiliation: Assistant Professorship of

313 views • 8 slides
Outline Crypto failures, contd CSci 5271 Announcements intermission Introduction to Computer

Outline Crypto failures, contd CSci 5271 Announcements intermission Introduction to Computer

Outline Crypto failures, contd CSci 5271 Announcements intermission Introduction to Computer Security Day 21: Firewalls, NATs, and IDSes Firewalls and NAT boxes Stephen McCamant University of Minnesota, Computer Science & Engineering

1.35k views • 7 slides
Low Power Multicore Architecture Using FDSOI Technology Marcello Coppola STMicroelectronics

Low Power Multicore Architecture Using FDSOI Technology Marcello Coppola STMicroelectronics

7/15/2014 Low Power Multicore Architecture Using FDSOI Technology Marcello Coppola STMicroelectronics Agenda 2 FDSOI STNOC with FDSOI Application example Conclusions 1 7/15/2014 FD-SOI Speed & Energy Efficiency

211 views • 8 slides

More recommend