End-to-end Multilevel Hybrid Information Flow Control

We present models and soundness results for hybrid information flow, i.e. for mechanisms that enforce noninterference-style security guarantees using a combination of static analysis and dynamic taint tracking. Our analysis has the following characteristics: (i) we formulate hybrid information flow as an end-to-end property, in contrast to disruptive monitors that prematurely terminate or otherwise alter an execution upon detecting a potentially illicit flow; (ii) our security notions capture the increased precision that is gained when static analysis is combined with dynamic enforcement; (iii) we introduce path tracking to incorporate a form of termination-sensitivity; (iv) we develop a novel variant of purely dynamic tracking that ignores indirect flows; (v) our work has been formally verified through a comprehensive formalization in the theorem prover Coq.
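
To make concrete what "ignoring indirect flows" and the added precision of static analysis mean, the following is an added illustration (not the paper's Coq development): a toy imperative language whose taint monitor runs in three modes. Function names, the tuple-encoded syntax and the `LEAK` program are all constructed for this example.

```python
# Added illustration (not the paper's Coq development): a tiny imperative
# language with taint labels run under three monitors, to show the gap between
# tracking only explicit flows, adding a dynamic pc label, and a hybrid scheme.
HIGH, LOW = "H", "L"
def join(a, b):
    return HIGH if HIGH in (a, b) else LOW

def eval_expr(e, vals, labels):
    """Expressions: int literal, variable name, or ('eq', e1, e2)."""
    if isinstance(e, int): return e, LOW
    if isinstance(e, str): return vals[e], labels[e]
    _, a, b = e
    va, la = eval_expr(a, vals, labels)
    vb, lb = eval_expr(b, vals, labels)
    return int(va == vb), join(la, lb)

def assigned_vars(block):
    """Static pass: every variable assigned anywhere inside block."""
    out = set()
    for stmt in block:
        if stmt[0] == "assign":
            out.add(stmt[1])
        else:
            out |= assigned_vars(stmt[2]) | assigned_vars(stmt[3])
    return out

def run(block, vals, labels, mode, pc=LOW):
    """Statements: ('assign', x, e) or ('if', cond, then_block, else_block);
    mode is 'explicit' (ignores indirect flows), 'pc' or 'hybrid'."""
    for stmt in block:
        if stmt[0] == "assign":
            _, x, e = stmt
            vals[x], lab = eval_expr(e, vals, labels)
            labels[x] = lab if mode == "explicit" else join(lab, pc)
        else:
            _, cond, then_b, else_b = stmt
            v, lab = eval_expr(cond, vals, labels)
            new_pc = pc if mode == "explicit" else join(pc, lab)
            taken, skipped = (then_b, else_b) if v else (else_b, then_b)
            run(taken, vals, labels, mode, new_pc)
            if mode == "hybrid":  # label what the skipped branch would write
                for x in assigned_vars(skipped):
                    labels[x] = join(labels[x], new_pc)
    return labels

# Constructed program: copy the secret bit into pub via control flow alone.
LEAK = [("assign", "pub", 0),
        ("if", ("eq", "secret", 1), [("assign", "pub", 1)], [])]
def pub_label(mode, secret):
    vals, labels = {"secret": secret, "pub": 0}, {"secret": HIGH, "pub": LOW}
    return run(LEAK, vals, labels, mode)["pub"]
```

In `explicit` mode `pub` stays LOW even though it now equals the secret; the dynamic `pc` label catches the taken branch but still reports LOW when `secret` is 0 and nothing executes, and only the hybrid mode, which statically scans the untaken branch, labels `pub` HIGH on both runs.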
