Computationally secure information flow

This thesis presents a definition and a static program analysis for secure information flow. The definition of secure information flow is not based on non-interference, but on the computational independence of the program's public outputs from its secret inputs. Such a definition allows cryptographic primitives to be handled gracefully, as their security is usually defined only computationally, not information-theoretically.

The analysis works on a simple imperative programming language that offers encryption, a cryptographic primitive, as one of its operations. The analysis captures the intuitive qualities of the (lack of) information flow from a plaintext to its corresponding ciphertext. We prove the analysis correct with respect to the definition of secure information flow described above. In the proof of correctness we assume that the encryption primitive hides the identity of plaintexts and keys. This thesis also considers the case where the identities of plaintexts and keys are not hidden by encryption, i.e. given two ciphertexts it may be possible to determine whether the corresponding plaintexts are equal or not. We also give an analysis for this case, though it is not a whole-program analysis: we cannot analyse loops. Nevertheless, with the help of this analysis one can check whether two formal expressions (which are equivalent to the outputs of programs without loops) have indistinguishable interpretations as bit-strings.
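The assumption that encryption "hides the identity of plaintexts and keys" can be made concrete with a small experiment. The Python below is an added example, not code from the thesis or its analysis: it uses HMAC-SHA256 as a stand-in PRF (an assumption of this example) to build a deterministic and a randomized toy cipher, runs a loop-free "program" that publishes the encryptions of two secret inputs, and measures the advantage of a distinguisher that does nothing but test the two published ciphertexts for equality. The thesis's analysis is static; this dynamic measurement only illustrates the security notion it targets.

```python
"""Added example: what 'encryption hides the identity of plaintexts' buys.

Two toy symmetric schemes, both built from HMAC-SHA256 used as a PRF (this
construction is an assumption of the example, not a scheme from the thesis):

  det_encrypt: C = M xor PRF_k(0)         fixed nonce -> deterministic
  rnd_encrypt: C = r || (M xor PRF_k(r))  fresh 16-byte r per encryption

A loop-free 'program' publishes Enc_k(s1), Enc_k(s2) for secret inputs s1, s2.
A distinguisher that only compares the two ciphertexts for equality learns
whether s1 == s2 under the deterministic scheme and learns nothing under the
randomized one.
"""
import hashlib
import hmac
import os
import secrets

BLOCK = 32      # plaintexts are one 32-byte block, matching the PRF output size
NONCE_LEN = 16


def prf(key: bytes, nonce: bytes) -> bytes:
    """Keyed pseudorandom function: HMAC-SHA256 (stand-in for the example)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def det_encrypt(key: bytes, m: bytes) -> bytes:
    """Deterministic: same key and plaintext always give the same ciphertext.
    (A fixed-nonce stream cipher also leaks M1 xor M2; the distinguisher below
    uses only the equality leak, which every deterministic scheme has.)"""
    assert len(m) == BLOCK
    return xor(m, prf(key, bytes(NONCE_LEN)))


def rnd_encrypt(key: bytes, m: bytes) -> bytes:
    """Randomized: a fresh nonce r makes repeated plaintexts look unrelated."""
    assert len(m) == BLOCK
    r = os.urandom(NONCE_LEN)
    return r + xor(m, prf(key, r))


def rnd_decrypt(key: bytes, c: bytes) -> bytes:
    r, body = c[:NONCE_LEN], c[NONCE_LEN:]
    return xor(body, prf(key, r))


def program(encrypt, key: bytes, s1: bytes, s2: bytes):
    """Public output of a loop-free program whose secret inputs are s1, s2."""
    return encrypt(key, s1), encrypt(key, s2)


def equality_distinguisher(public_output) -> bool:
    """Guesses 'the secret inputs were equal' iff the two ciphertexts match."""
    c1, c2 = public_output
    return c1 == c2


def advantage(encrypt, trials: int = 200) -> float:
    """Pr[guess=1 | s1 == s2] - Pr[guess=1 | s1 != s2], estimated over random
    keys and plaintexts. 1.0 means the public output fully reveals whether
    the secrets are equal; 0.0 means it is independent of that fact."""
    hits_equal = hits_unequal = 0
    for _ in range(trials):
        key = secrets.token_bytes(32)
        m1 = os.urandom(BLOCK)
        m2 = os.urandom(BLOCK)  # differs from m1 except with probability 2^-256
        hits_equal += equality_distinguisher(program(encrypt, key, m1, m1))
        hits_unequal += equality_distinguisher(program(encrypt, key, m1, m2))
    return (hits_equal - hits_unequal) / trials


def roundtrip_ok(trials: int = 10) -> bool:
    """Sanity check that the randomized scheme actually decrypts."""
    for _ in range(trials):
        key, m = secrets.token_bytes(32), os.urandom(BLOCK)
        if rnd_decrypt(key, rnd_encrypt(key, m)) != m:
            return False
    return True


if __name__ == "__main__":
    print("deterministic scheme, equality distinguisher advantage:",
          advantage(det_encrypt))
    print("randomized scheme,    equality distinguisher advantage:",
          advantage(rnd_encrypt))
```

Under the randomized scheme the two published ciphertexts collide only when the 16-byte nonces collide, so the equality test gives advantage 0.0 and the public output is (computationally) independent of whether the secrets were equal. Under the deterministic scheme the advantage is exactly 1.0: this is the case the abstract describes as encryption not hiding the identity of plaintexts, where an analysis must treat a pair of ciphertexts as revealing whether their plaintexts are equal.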
