Specification and static enforcement of scheduler-independent noninterference in a middleweight Java

We introduce a new timing covert channel that arises from the interplay between multithreading and object orientation: dynamic dispatch on a receiver chosen on the basis of secret data selects a method body whose running time differs from that of the alternatives, and a concurrently running thread can turn that timing difference into a public value. This example motivates us to explore the root of the problem and to devise a mechanism for preventing such leaks. To do so, we first add multithreading constructs to Middleweight Java, a subset of the Java programming language with a fairly rich set of features. We then present a noninterference property which, roughly, requires that executions of a program be indistinguishable to an observer who sees only the final values of public variables, under any so-called high-independent scheduler, i.e. a scheduler whose decisions do not depend on secret data. The property is scheduler-independent in the sense that, whichever such scheduler is employed, executions of a program satisfying it do not produce illegal information flows through explicit, implicit, or timing channels. We also give a provably sound type-based static mechanism to enforce the proposed property.

Highlights
- We present a multithreaded model language for Java.
- We introduce a timing channel that arises from dynamic dispatch in the presence of multithreading.
- We propose a more permissive scheduler-independent noninterference property.
- We present a security type system to enforce the proposed noninterference property.
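The following is an added, constructed illustration of the class of channel the abstract describes; it is not code from the paper, and the classes `Fast`, `Slow`, `FastPadded`, the threads `victim` and `racer`, and the step-counting `round_robin` scheduler are all assumptions made for the example. A secret `h` decides which object the victim thread calls `m()` on; the two implementations have the same memory effect but different running times, and a second thread racing on the public variable `low` converts that difference into the final public value. The scheduler is high-independent (its choices depend only on which threads are alive), so the leak shows up under every scheduler tried. The padded variant equalises the step count of the two method bodies; that is a standard padding mitigation shown here for contrast, not the paper's type system.

```python
"""Internal timing channel from dynamic dispatch under multithreading, and a
padded variant that closes it.  Constructed illustration, not the paper's code.
Each generator yields once per executed "step"; the scheduler counts steps."""
from typing import Callable, Dict, Generator, List, Sequence

Mem = Dict[str, int]
Thread = Generator[None, None, None]      # one yield per executed step
Program = Callable[[Mem], List[Thread]]
Scheduler = Callable[[List[Thread]], None]

class Fast:
    """m() costs one step; its only memory effect is on a scratch variable."""
    def m(self, mem: Mem) -> Thread:
        mem["tmp"] = 1
        yield

class Slow:
    """Same memory effect as Fast.m, but four steps of work."""
    def m(self, mem: Mem) -> Thread:
        for _ in range(4):
            mem["tmp"] = 1
            yield

class FastPadded(Fast):
    """Fast.m padded to the step count of Slow.m (the mitigation, assumed)."""
    def m(self, mem: Mem) -> Thread:
        yield from super().m(mem)
        for _ in range(3):                # dummy steps, no memory effect
            yield

def victim(mem: Mem, pick: Callable[[int], object]) -> Thread:
    # The conditional on the secret h is over before o.m() is called, so a
    # check that only looks at the call sees a low-typed receiver and a method
    # with no high effects.  Dynamic dispatch still selects a body whose
    # duration depends on h.
    o = pick(mem["h"])
    yield
    yield from o.m(mem)
    mem["low"] = 1                         # public write, timing depends on h
    yield

def racer(mem: Mem, delay: int) -> Thread:
    for _ in range(delay):
        yield
    mem["low"] = 0                         # public write at a fixed time
    yield

def leaky_program(mem: Mem) -> List[Thread]:
    return [victim(mem, lambda h: Slow() if h else Fast()), racer(mem, 3)]

def padded_program(mem: Mem) -> List[Thread]:
    return [victim(mem, lambda h: Slow() if h else FastPadded()), racer(mem, 3)]

def round_robin(quantum: int = 1, order: Sequence[int] = (0, 1)) -> Scheduler:
    """A high-independent scheduler: its decisions depend only on which
    threads are still alive, never on memory contents."""
    def run(threads: List[Thread]) -> None:
        alive = [threads[i] for i in order]
        while alive:
            for t in list(alive):
                for _ in range(quantum):
                    try:
                        next(t)
                    except StopIteration:
                        alive.remove(t)
                        break
    return run

def final_low(program: Program, h: int, sched: Scheduler) -> int:
    """Run the program from a fresh memory with secret h; return final low."""
    mem: Mem = {"h": h, "low": -1, "tmp": 0}
    sched(program(mem))
    return mem["low"]

def leaks(program: Program, sched: Scheduler) -> bool:
    """True if the final public value distinguishes h=0 from h=1."""
    return final_low(program, 0, sched) != final_low(program, 1, sched)

if __name__ == "__main__":
    for name, sched in [("rr quantum 1", round_robin(1)),
                        ("rr quantum 2", round_robin(2)),
                        ("rr racer first", round_robin(1, (1, 0)))]:
        print(f"{name:16} leaky={leaks(leaky_program, sched)} "
              f"padded={leaks(padded_program, sched)}")
```

Under every scheduler above, `leaky_program` ends with `low == h`: the fast body finishes before the racer's write, the slow body after it. `padded_program` takes the same number of steps whichever object is dispatched to, so the interleaving, and hence the final public state, is the same for both secrets regardless of which high-independent scheduler runs it.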
