A derivation framework for dependent security label inference

Dependent security labels (security labels that depend on program states) have been introduced in various forms to express rich information flow policies. They have been shown to be essential in the verification of real-world software and hardware systems such as conference management systems, Android apps, a MIPS processor and a TrustZone-like architecture. However, most work assumes that all (complex) labels are provided manually, which can be both error-prone and time-consuming. In this paper, we tackle the problem of automatic label inference for static information flow analyses with dependent security labels. In particular, we propose the first general framework to facilitate the design and validation (in terms of soundness and/or completeness) of inference algorithms. The framework models label inference as constraint solving and offers guidelines for sound and/or complete constraint solving. Under the framework, we propose novel constraint solving algorithms that are both sound and complete. Evaluation results on sets of constraints generated from secure and insecure variants of a MIPS processor suggest that the novel algorithms improve the performance of an existing algorithm by orders of magnitude and offer better scalability.
