SLIDE 1

Towards a Flow- and Path-Sensitive Information Flow Analysis

Peixuan Li, Danfeng Zhang

Pennsylvania State University

University Park, PA, USA {pzl129,zhang}@cse.psu.edu

SLIDE 2

Background: Information Flow Analysis

  • Security enforcement to prevent leakage of sensitive data
  • Non-interference: no dependence of public outputs on secret inputs
  • Lattice model: information has labels that form a lattice
  • Information flow
    • Explicit flow – assignment
    • Implicit flow – branch

Figure: example program (secure)

08/22/2017 1 30th IEEE Computer Security Foundations Symposium

Figure: the program takes a secret input s and a public input p and produces a public output; labels S (secret) and P (public) form the lattice.

SLIDE 3

Problem of Interest

  • Conservative: sound but not complete
    • Sound: checked → secure
    • Complete: secure → checked
  • Sources of conservativeness
    • Flow-sensitivity – distinguishing the order in which statements execute
    • Path-sensitivity – distinguishing the execution paths taken


Figure: the set of secure programs versus the programs checked by a flow-sensitive and by a path-sensitive analysis; secure programs outside the checked set are false alarms.

SLIDE 4

Source of Conservativeness

  • Flow-sensitivity – distinguishing the order in which statements execute
  • Path-sensitivity – distinguishing the execution paths taken


Figure: flow-sensitivity and path-sensitivity, each illustrated with an insecure program next to a secure program.

SLIDE 5

Overview


Figure: overview – flow- & path-sensitive analysis = program transformation (flow-sensitivity, producing the transformed program) + dependent type system (path-sensitivity); soundness proof; comparison with a flow-sensitive system.

SLIDE 6

Overview – Sensitivity Knob


  • Sensitivity tuner
    • Flow-sensitivity – bracketed assignments
    • Path-sensitivity – dependent type labels
  • Knob from MIN to MAX, trading off
    • Less type annotation
    • Simple analysis
    • Program readability
    • Accept more secure programs

SLIDE 7

Overview


Figure: overview – flow- & path-sensitive analysis = program transformation (flow-sensitivity, producing the transformed program) + dependent type system (path-sensitivity); proof of soundness on non-interference; comparison with a flow-sensitive system.

SLIDE 8

Program Transformation

  • Goal – To gain flow-sensitivity


Flow-sensitive type system:
  • Updates and records types at each program point
  • Complicates the design of the type system

Figure: example program (secure)

SLIDE 9

Program Transformation

  • Goal – To gain flow-sensitivity


Secure:
  • Renaming gains flow-sensitivity: the renamed program is type checked by a flow-insensitive type system

Figure: example program (secure)

SLIDE 10

Program Transformation

  • Goal – To gain flow-sensitivity


Figure: bracketed assignment, active set and active copy on the example program (secure)

SLIDE 11

Program Transformation

  • Goal – To gain flow-sensitivity


Figure: bracketed assignment – rename, then merge (example program, secure)

SLIDE 12

Program Transformation

  • Difference from SSA
    • Tunable bracketed assignments – not all assignments need renaming
    • No phi-function – simplifies the analysis and the soundness proof
    • Details are discussed in the paper

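As an added illustration of slides 3, 4 and 8–12 (example code written for this page, not the authors' implementation): a flow-insensitive label checker over a toy language, and in front of it a bracketed-assignment renaming pass. The program representation, the merge-without-phi strategy and the three sample programs are assumptions made here; the paper's own transformation rules are in the paper.

```python
import re
from itertools import count

# Two-point security lattice: P (public) is below S (secret).
LEVEL = {"P": 0, "S": 1}
IDENT = re.compile(r"[A-Za-z_]\w*")

def join(first, *rest):
    """Least upper bound of one or more labels."""
    return max((first, *rest), key=LEVEL.__getitem__)

def free_vars(expr):
    """Variables read by an expression (expressions are plain strings)."""
    return IDENT.findall(expr)

# Assumed toy representation: ("assign", x, expr, bracketed) where
# bracketed=True marks [x] := expr, and ("if", cond, then_stmts, else_stmts).
def infer(prog, declared):
    """Flow-INsensitive inference: one label per variable for the whole program,
    the join of everything assigned to it plus the pc label (implicit flows)."""
    env = dict(declared)
    changed = True

    def visit(stmts, pc):
        nonlocal changed
        for st in stmts:
            if st[0] == "assign":
                _, x, e, _ = st
                new = join(env.get(x, "P"), pc, *[env.get(v, "P") for v in free_vars(e)])
                if env.get(x) != new:
                    env[x] = new
                    changed = True
            else:
                _, c, t, f = st
                pc2 = join(pc, *[env.get(v, "P") for v in free_vars(c)])
                visit(t, pc2)
                visit(f, pc2)
    while changed:
        changed = False
        visit(prog, "P")
    return env

def check(prog, declared):
    """Accept iff no declared variable (input or output) is pushed above its label."""
    env = infer(prog, declared)
    return all(env[x] == lab for x, lab in declared.items())

def subst(expr, active):
    """Rewrite every variable read in expr to its active copy."""
    return IDENT.sub(lambda m: active.get(m.group(0), m.group(0)), expr)

def rename(prog, active=None, fresh=None):
    """Bracketed-assignment renaming: [x] := e defines a fresh copy of x, later
    reads of x use that active copy, plain assignments write the active copy.
    Branch merge without a phi-function (this block's own simplification): when
    the branches leave different active copies of x, each branch ends by copying
    its own into a common fresh name. Returns (renamed_program, active_set)."""
    active = dict(active or {})
    fresh = fresh if fresh is not None else count(1)
    out = []
    for st in prog:
        if st[0] == "assign":
            _, x, e, bracketed = st
            e2 = subst(e, active)
            if bracketed:
                active[x] = f"{x}{next(fresh)}"
            out.append(("assign", active.get(x, x), e2, False))
        else:
            _, c, t, f = st
            c2 = subst(c, active)
            t2, act_t = rename(t, active, fresh)
            f2, act_f = rename(f, active, fresh)
            for x in sorted(set(act_t) | set(act_f)):
                a, b = act_t.get(x, x), act_f.get(x, x)
                if a != b:
                    m = f"{x}{next(fresh)}"
                    t2.append(("assign", m, a, False))
                    f2.append(("assign", m, b, False))
                    active[x] = m
                else:
                    active[x] = a
            out.append(("if", c2, t2, f2))
    return out, active

# Constructed sample programs: s secret input, p public input, out public output.
DECL = {"s": "S", "p": "P", "out": "P"}
OVERWRITE = [("assign", "x", "s", True),      # secure: the secret in x is
             ("assign", "x", "p", True),      # overwritten before x reaches out
             ("assign", "out", "x", False)]
BRANCH = [("if", "p > 0", [("assign", "y", "s", True)], [("assign", "y", "0", True)]),
          ("assign", "y", "1", True),         # secure: y is overwritten again
          ("assign", "out", "y", False)]
LEAK = [("assign", "x", "s", True),           # insecure: explicit flow s -> x -> out
        ("assign", "out", "x", False)]

def verdicts(prog, declared=DECL):
    """(verdict of the flow-insensitive checker, verdict after renaming)."""
    return check(prog, declared), check(rename(prog)[0], declared)
```

`verdicts(OVERWRITE)` and `verdicts(BRANCH)` both come back as (False, True): the plain checker raises false alarms on the two secure programs because x and y carry a single label for the whole program, and renaming removes the alarm with the same checker. `verdicts(LEAK)` stays (False, False), which is the soundness side: renaming only splits a variable's history, it never hides a flow.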

SLIDE 13

Program Transformation

  • Transformation correctness
    • Memory projection on the active set


Figure: the memory of the original program (x, y, …) corresponds to the memory of the transformed program (x1, x2, y1, y2, …) projected on the active set.

SLIDE 14

Review


Figure: overview – flow- & path-sensitive analysis = program transformation (flow-sensitivity, producing the transformed program) + dependent type system (path-sensitivity); soundness proof; comparison with a flow-sensitive system.

SLIDE 15

Dependent Type System

  • Goal – To gain path-sensitivity
  • Dependent security label
  • Predicates generator
  • Information flow constraints (for line 2 and line 3 of the example)

Figure: example program (secure) with the labels of s and y and the information flow constraints at line 2 and line 3

SLIDE 16

Dependent Type System

  • Challenge


Figure: example program (secure), where y has label S under one value of s and label P under the other

Insecure program: implicit declassification, shown by the labels at line 2 and line 4

SLIDE 17

Dependent Type System

  • Solution to implicit declassification
    • A. Reject if the program contains any mutable dependency
    • B. Dynamically erase variable content on a mutable dependency
      • Runtime overhead
      • Changes program behavior
    • C. Reject if the program contains a mutable dependency on a live variable


Figure: y has label S under one value of s and label P under the other
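An added example for slides 15–17 (my own code, not the authors'): a dependent label that is re-evaluated as the program runs, which makes the implicit declassification visible, followed by the static criteria of solutions A and C, the latter built on a backward liveness analysis. The straight-line representation, the predicate syntax and the two sample programs are assumptions made here; solution B (runtime erasure) is not implemented.

```python
import re

IDENT = re.compile(r"[A-Za-z_]\w*")

def free_vars(expr):
    """Variables mentioned in an expression or label predicate (plain strings)."""
    return set(IDENT.findall(expr))

# Assumed toy representation: a straight-line program is a list of
# (target, expr); prog[i] is line i+1 and expr is evaluated as Python.
def run_with_labels(prog, inputs, dep_labels, watch):
    """Execute prog and record, after every line, the value of `watch` together
    with the label its dependent type gives it right now: S when the predicate
    in dep_labels holds in the current memory, P otherwise."""
    mem = dict(inputs)
    trace = []
    for i, (target, expr) in enumerate(prog):
        mem[target] = eval(expr, {"__builtins__": {}}, dict(mem))
        holds = eval(dep_labels[watch], {"__builtins__": {}}, dict(mem))
        trace.append((i + 1, mem.get(watch), "S" if holds else "P"))
    return trace

def liveness(prog, outputs):
    """Backward live-variable analysis: live_out[i] holds the variables whose
    current value may still be read after line i+1 (outputs live at the end)."""
    live_out = [set() for _ in prog]
    live = set(outputs)
    for i in range(len(prog) - 1, -1, -1):
        target, expr = prog[i]
        live_out[i] = set(live)
        live = free_vars(expr) | (live - {target})
    return live_out

def mutable_dependencies(prog, dep_labels):
    """Solution A's criterion: every (line, assigned var, dependent var) where an
    assignment changes a variable that some label predicate mentions."""
    return [(i + 1, target, var)
            for i, (target, _) in enumerate(prog)
            for var, pred in dep_labels.items() if target in free_vars(pred)]

def live_mutable_dependencies(prog, dep_labels, outputs):
    """Solution C's criterion: keep only the dependencies where the dependent
    variable is still live after the assignment, so its changed label matters."""
    live_out = liveness(prog, outputs)
    return [(line, target, var)
            for line, target, var in mutable_dependencies(prog, dep_labels)
            if var in live_out[line - 1]]

# Constructed example: y's label depends on the public flag s; with s == 1,
# y := s * h copies the secret h, otherwise y is the constant 0.
DEP_LABELS = {"y": "s == 1"}
OUTPUTS = {"out"}
INPUTS = {"s": 1, "h": 42}
# Insecure: line 2 resets s, so line 3 reads y as P although it still holds h.
IMPLICIT_DECLASS = [("y", "s * h"), ("s", "0"), ("out", "y")]
# Secure: s changes too, but y is dead there (overwritten before any read).
DEAD_AT_CHANGE = [("y", "s * h"), ("s", "0"), ("y", "0"), ("out", "y")]
```

`run_with_labels(IMPLICIT_DECLASS, INPUTS, DEP_LABELS, "y")` shows y keeping the value 42 while its label drops from S to P at line 2 with no declassification statement anywhere. Solution A rejects both programs because s is assigned at all; solution C rejects only IMPLICIT_DECLASS, since in DEAD_AT_CHANGE y is overwritten before it is read again, which is precisely the precision the liveness analysis buys. Python's eval serves only as the evaluator for the constructed expressions.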

SLIDE 18

Dependent Type System

  • Soundness


SLIDE 19

Proof of non-interference

  • Soundness of non-interference


Figure: two executions, each from an initial state to a final state; non-interference compares the public parts of the final states of two runs whose initial states agree on public inputs.
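As an added example of the two-execution formulation on this slide (example code, not the authors' proof or tooling): an exhaustive two-run check of non-interference over a small finite input domain. The straight-line program representation and the four sample programs are constructed here.

```python
from itertools import product

def run(prog, inputs):
    """Execute a straight-line program (list of (target, expr)) from an initial
    memory; expressions are evaluated as Python over the current memory."""
    mem = dict(inputs)
    for target, expr in prog:
        mem[target] = eval(expr, {"__builtins__": {}}, dict(mem))
    return mem

def noninterference_counterexample(prog, secret_inputs, public_inputs,
                                   public_outputs, domain):
    """Two-execution check, exhaustive over a finite domain: for each choice of
    public inputs, run the program once per choice of secret inputs and compare
    the public outputs. Returns two initial memories that agree on the public
    inputs but end in different public outputs, or None if none exist."""
    for pub in product(domain, repeat=len(public_inputs)):
        seen = {}  # public outputs observed -> initial memory that produced them
        for sec in product(domain, repeat=len(secret_inputs)):
            init = {**dict(zip(public_inputs, pub)), **dict(zip(secret_inputs, sec))}
            final = run(prog, init)
            observed = tuple(final[o] for o in public_outputs)
            if seen and observed not in seen:
                return next(iter(seen.values())), init
            seen.setdefault(observed, init)
    return None

# Constructed sample programs: s is the secret input, p the public input,
# out the public output.
SECURE_OVERWRITE = [("x", "s"), ("x", "p"), ("out", "x")]   # secure; flow-insensitive typing rejects it
SECURE_MASKED = [("y", "s"), ("y", "y - s"), ("out", "y")]   # secure; label-based typing rejects it
EXPLICIT_LEAK = [("out", "s")]                                # explicit flow
IMPLICIT_LEAK = [("out", "1 if s > 0 else 0")]                # implicit flow through a branch on s

def classify(prog, domain=(0, 1)):
    """None if prog is non-interferent on the domain, else a witness pair."""
    return noninterference_counterexample(prog, ["s"], ["p"], ["out"], domain)
```

The check can only falsify: a None result means no witness exists in the domain, not a proof. It still makes the slide-3 trade-off concrete: SECURE_MASKED is non-interferent (y ends at 0 whatever s is), yet a label-based type system rejects it because `y - s` reads a secret; the two leaks each return the pair ({p: 0, s: 0}, {p: 0, s: 1}), the two runs of the definition.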

SLIDE 20

Review


Figure: overview – flow- & path-sensitive analysis = program transformation (flow-sensitivity, producing the transformed program) + dependent type system (path-sensitivity); soundness proof; comparison with a flow-sensitive system.

SLIDE 21

Comparison

  • Comparison with a classic flow-sensitive type system
    • HS system – S. Hunt and D. Sands, “On flow-sensitive security types,” in Principles of Programming Languages (POPL), 2006


Figure: sensitivity knobs (MIN to MAX) of the HS system and of our system, for path-sensitivity and for flow-sensitivity

  • Strictly more precise than the HS system

SLIDE 22

Comparison

  • Strictly more precise than the HS system
    • Subsumes the HS system
    • Accepts more secure programs


Figure: example program (secure)

SLIDE 23

Conclusion


Flow- & path-sensitive analysis:
  • Program transformation (flow-sensitivity, producing the transformed program)
    • Bracketed assignment
    • Correctness
  • Dependent type system (path-sensitivity)
    • Dependent labels
    • Predicates generator
    • Implicit declassification
    • Liveness analysis
  • Soundness proof
  • Comparison with a classic flow-sensitive system