A type system for data-flow integrity on Windows Vista

The Windows Vista operating system implements an interesting model of multi-level integrity. We observe that in this model, trusted code must participate in any information-flow attack. Thus, it is possible to eliminate such attacks by statically restricting trusted code. We formalize this model by designing a type system that can efficiently enforce data-flow integrity on Windows Vista. Typechecking guarantees that objects whose contents are statically trusted never contain untrusted values, regardless of what untrusted code runs in the environment. Some of Windows Vista's runtime access checks are necessary for soundness; others are redundant and can be optimized away.
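As an added illustration (constructed for this page, not the paper's calculus or any real Windows API), the toy model below pairs Vista's runtime no-write-up check with a static check on trusted code: untrusted code is denied at runtime, while trusted code that reads down and then writes up passes the runtime check and is exactly what the typechecker has to reject. The object names, the numeric encoding of integrity levels and the two-statement language are assumptions.

```python
from dataclasses import dataclass, field

# Vista's integrity levels; higher is more trusted. The numeric encoding and
# the toy language below are constructed for this example, not the paper's.
LOW, MEDIUM, HIGH = 1, 2, 3

# A program is a list of statements over named objects and local variables:
#   ("read", obj, var)   copy obj's current contents into var
#   ("write", obj, var)  store var into obj (a never-read var is a constant)

def typecheck(stmts, obj_levels):
    """Static check applied to trusted code. A variable that may hold data
    read from a level-L object can only be written to objects at or below
    L. Flow-insensitive: a variable keeps the lowest level it ever read."""
    var_levels = {}
    for op, obj, var in stmts:
        if op == "read":
            var_levels[var] = min(var_levels.get(var, HIGH), obj_levels[obj])
        elif var_levels.get(var, HIGH) < obj_levels[obj]:
            return False  # would carry less-trusted data into a trusted object
    return True

@dataclass
class Machine:
    obj_levels: dict                            # obj -> integrity level
    store: dict = field(default_factory=dict)   # obj -> (value, source level)

    def run(self, stmts, proc_level):
        """Runtime semantics with Vista's mandatory 'no write-up' check: a
        process may not write objects above its own level. Reading down is
        allowed, so a trusted process can pull in untrusted data."""
        env = {}
        for op, obj, var in stmts:
            if op == "read":
                env[var] = self.store[obj]
            elif proc_level < self.obj_levels[obj]:
                return False  # the access check denies the write-up
            else:
                self.store[obj] = env.get(var, ("const", proc_level))
        return True

    def integrity_holds(self):
        """Data-flow integrity: every object holds only values whose source
        was at least as trusted as the object itself."""
        return all(lvl >= self.obj_levels[o] for o, (_, lvl) in self.store.items())
```

Running a LOW process against a HIGH object shows the runtime check doing necessary work; running the read-down/write-up sequence as a HIGH process shows the runtime check passing while `integrity_holds()` fails, which is the case `typecheck()` rejects statically.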
