Asymmetric Secure Multi-execution with Declassification

Secure multi-execution (SME) is a promising black-box technique for enforcing information flow properties. Unlike traditional static or dynamic language-based techniques, SME satisfies noninterference soundness by construction and is also precise. SME executes a given program twice. In one execution, called the high run, the program receives all inputs, but its public outputs are suppressed. In the other execution, called the low run, the program receives only public inputs, together with declassified (or, in some cases, default) inputs in place of the secret inputs, but its private outputs are suppressed. This approach works well in theory, but in practice the program might not be prepared to handle the declassified or default inputs, which may differ substantially from the regular secret inputs. As a consequence, the program may produce incorrect outputs or it may crash. To avoid this problem, existing work makes strong assumptions about the ability of the given program to adapt robustly to the declassified inputs, limiting the class of programs to which SME applies.

To lift this limitation, we present a modification of SME, called asymmetric SME or A-SME. A-SME gives up on the pretense that real programs are inherently robust to modified inputs. Instead, A-SME requires a variant of the original program that has been adapted, by the programmer or automatically, to react properly to declassified or default inputs. This variant, called the low slice, replaces the original program in the low run. The original program and its low slice must be related by a semantic correctness criterion, but beyond adhering to this criterion, A-SME offers complete flexibility in the construction of the low slice. A-SME is provably sound even when the low slice is incorrect, and when the low slice is correct, A-SME is also precise. Finally, we show that if the program is policy compliant, then its low slice always exists, at least in theory.
On the side, we also improve the state of the art in declassification policies by supporting policies that offer controlled choices to untrustworthy programs.
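The high run, low run and low slice described above, as an added toy model in Python (not the paper's code or formalism). It assumes a constructed declassification policy that releases only the year of a secret birth date, a program that expects a full date string and therefore crashes in the low run under plain SME, and an adapted low slice that A-SME runs instead; the semantic criterion checked at the end is a simplified one chosen for this example.

```python
from typing import Callable, Dict, List, Optional, Tuple

Inputs = Dict[str, object]
Outputs = List[Tuple[str, object]]   # (channel "H" or "L", value)
Program = Callable[[Inputs], Outputs]

SECRETS = {"dob"}   # constructed: the only secret input channel

def declassify(name: str, value: object) -> object:
    """Constructed policy: only the birth year of the secret date reaches the low run."""
    return int(str(value)[:4]) if name == "dob" else value

def low_inputs(inputs: Inputs) -> Inputs:
    """Public inputs unchanged, secret inputs replaced by their declassified value."""
    return {k: declassify(k, v) if k in SECRETS else v for k, v in inputs.items()}

def sme(program: Program, inputs: Inputs, low_slice: Optional[Program] = None) -> Outputs:
    """Classic SME when low_slice is None, A-SME otherwise.
    High run: all inputs, low ("L") outputs suppressed.
    Low run: declassified inputs, high ("H") outputs suppressed; in A-SME the
    low slice replaces the original program in this run."""
    high_out = [o for o in program(inputs) if o[0] == "H"]
    try:
        low_out = [o for o in (low_slice or program)(low_inputs(inputs)) if o[0] == "L"]
    except Exception as exc:   # the original program is not robust to declassified input
        low_out = [("L", "crash: " + type(exc).__name__)]
    return high_out + low_out

def original(inp: Inputs) -> Outputs:
    """Expects a full 'YYYY-MM-DD' date; an int (the declassified year) makes it crash."""
    year, month, day = (int(x) for x in inp["dob"].split("-"))
    return [("L", ("adult", inp["today_year"] - year >= 18)),
            ("H", ("audit", (year, month, day)))]

def original_low_slice(inp: Inputs) -> Outputs:
    """Variant adapted to the declassified year-only input: the low slice."""
    return [("L", ("adult", inp["today_year"] - inp["dob"] >= 18))]

def slice_is_correct(program: Program, low_slice: Program, inputs: Inputs) -> bool:
    """Simplified correctness criterion for this example: on public channels, the low
    slice fed declassified inputs agrees with the original fed the real inputs."""
    return [o for o in program(inputs) if o[0] == "L"] == low_slice(low_inputs(inputs))
```

Under plain SME the low run of `original` crashes on the year-only input and the low observer sees nothing useful; with `original_low_slice` the same run produces the intended public output, and because the low run never sees the full date, low outputs cannot depend on the month or day.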
