An Axiomatic Approach to Detect Information Leaks in Concurrent Programs

Establishing flow security in a concurrent setting is extremely challenging, primarily because execution is non-deterministic. The difficulty is further exacerbated from a security angle when sequential threads disclose their control locations through publicly observable statements such as print, sleep and delay: such observations give rise to internal and external timing attacks. Inspired by earlier work that uses classical Hoare-style proof systems to establish the correctness of distributed (real-time) programs, this paper describes a method for finding information leaks in concurrent programs by introducing leaky assertions at observable program points. Leaky assertions are specified in the same way as classical assertions, and we show how they detect information leaks in a concurrent context. To our knowledge, this is the first work that integrates the notions of non-interference used in the functional and the security contexts. The approach is sound and relatively complete in the classical sense, and it admits algorithmic techniques with which programmers can formulate leaky assertions for checking sensitive applications for information leaks.
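As an added illustration of the internal timing channel the abstract refers to (this is not code from the paper, and the check below is a plain two-run trace comparison, not the paper's proof system): two threads share a deterministic cooperative scheduler with a virtual clock; one of them delays before a public print only when the secret is set, so the order of publicly observable prints reveals the secret. The helper `passes_leak_check` plays the role of an assertion at the observable points, failing when two runs that differ only in the secret produce different public traces. All names (`run`, `leaky_program`, `padded_program`, `passes_leak_check`) and the scheduler itself are hypothetical constructions for this example.

```python
"""Internal timing leak through observable print/delay statements, with an
assertion-style check.  Added example, not code from the paper: the scheduler,
the thread bodies and the check are hypothetical illustrations."""
from typing import Callable, Generator, List, Tuple

# A "thread" is a generator that yields scheduler requests:
#   ("delay", n)   park for n virtual time units (observable timing)
#   ("print", s)   emit s on the public channel (observable output)
Thread = Generator[Tuple[str, object], None, None]
Trace = List[Tuple[int, str]]          # (virtual time, public output)


def run(threads: List[Thread]) -> Trace:
    """Deterministic cooperative scheduler with a virtual clock.
    The thread with the earliest wake-up time runs until its next yield;
    ties are broken by thread index, so every run is reproducible."""
    clock = 0
    ready = [(0, i) for i in range(len(threads))]   # (wake-up time, thread index)
    trace: Trace = []
    while ready:
        ready.sort()
        wake, i = ready.pop(0)
        clock = max(clock, wake)
        try:
            op, arg = next(threads[i])
        except StopIteration:
            continue                                 # thread finished
        if op == "delay":
            ready.append((clock + int(arg), i))
        elif op == "print":
            trace.append((clock, str(arg)))          # publicly observable event
            ready.append((clock, i))
    return trace


def leaky_program(secret: int) -> List[Thread]:
    """Worker delays only when the secret is set, so whether 'worker done'
    appears before or after 'tick' depends on the secret."""
    def worker() -> Thread:
        if secret:
            yield ("delay", 10)        # secret-dependent timing ...
        yield ("print", "worker done")  # ... before a public print
    def ticker() -> Thread:
        yield ("delay", 5)
        yield ("print", "tick")
    return [worker(), ticker()]


def padded_program(secret: int) -> List[Thread]:
    """Same program with the branches padded to equal duration (the kind of
    transformation that removes the timing dependence on the secret)."""
    def worker() -> Thread:
        if secret:
            yield ("delay", 10)
        else:
            yield ("delay", 10)        # padded to match the other branch
        yield ("print", "worker done")
    def ticker() -> Thread:
        yield ("delay", 5)
        yield ("print", "tick")
    return [worker(), ticker()]


def passes_leak_check(program: Callable[[int], List[Thread]],
                      secret_a: int = 0, secret_b: int = 1) -> bool:
    """Assertion at the observable points: two runs whose initial states
    differ only in the secret must yield identical public traces."""
    return run(program(secret_a)) == run(program(secret_b))


if __name__ == "__main__":
    for name, prog in (("leaky", leaky_program), ("padded", padded_program)):
        print(name, "secret=0:", run(prog(0)))
        print(name, "secret=1:", run(prog(1)))
        print(name, "passes leak check:", passes_leak_check(prog))
```

The check compares only one scheduling of each run; with a real, non-deterministic scheduler the same property has to hold across all interleavings (the observational-determinism view of concurrent non-interference), which is exactly why a proof-system treatment rather than testing is needed.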
