On Automatic Placement of Declassifiers for Information-Flow Security

Security-typed languages can be used to build programs that are information-flow secure, meaning that they do not allow secret data to leak. Declassification allows programs to leak secret information in carefully prescribed ways. Manually placing declassifiers to authorize certain flows of information can be dangerous because an incorrectly placed declassifier can leak far more secret data than intended. Additionally, the sheer number of runtime flows that can cause an error means that determining where to place declassifiers can be difficult. We present a new approach for constructing information-flow secure programs in which declassifiers are placed such that no unintended leakage occurs. Leakage restrictions are specified using hard constraints, and potential declassifier locations are ranked using soft constraints. Finally, the placement problem is submitted to a pseudo-Boolean optimizing SAT solver that selects a minimal set of declassifiers that prevents unauthorized data leakage. These declassifiers can be reviewed by the programmer to ensure that they correspond to acceptable declassification points; if not, new hard constraints can be added and the optimization framework can be reinvoked. Our experimental results indicate that our analysis suggests declassifiers that cause no more leakage than those placed by programmers, and does so in a fraction of the time a manual analysis would take. This work provides a foundation for less expert programmers to build information-flow secure programs and to convert existing programs to be information-flow secure.
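The following is an added illustration of the placement problem as the abstract frames it, not code from the paper or its tool. It models a constructed toy login routine as a flow graph, turns every secret-to-public path into a hard "at least one selected declassifier on this path" constraint, weights candidate sites with soft-constraint costs, and solves the resulting pseudo-Boolean optimisation by exhaustive search in place of a real PB/SAT solver; the graph, candidate sites and weights are all assumed.

```python
from itertools import combinations

# Constructed toy flow graph for a login routine (assumed model, not the
# paper's encoding): each edge is an information flow between program points.
FLOWS = [
    ("pw", "hash"), ("hash", "cmp"), ("cmp", "login_ok"),
    ("login_ok", "log"), ("login_ok", "http_resp"),
    ("pw", "debug"), ("debug", "log"),  # stray flow of the raw password
]
SECRET_SOURCES = {"pw"}
PUBLIC_SINKS = {"log", "http_resp"}
# Candidate declassifier sites with soft-constraint costs: a lower cost means
# the site is ranked as a more plausible place to declassify (assumed weights).
CANDIDATES = {("hash", "cmp"): 3, ("cmp", "login_ok"): 1,
              ("login_ok", "log"): 2, ("pw", "debug"): 5}


def secret_to_public_paths(flows, sources, sinks):
    """Enumerate every simple path (as a list of edges) from a source to a sink."""
    succ = {}
    for a, b in flows:
        succ.setdefault(a, []).append(b)
    paths = []

    def walk(node, visited):
        if node in sinks:
            paths.append(list(zip(visited, visited[1:])))
            return
        for nxt in succ.get(node, []):
            if nxt not in visited:
                walk(nxt, visited + [nxt])

    for s in sources:
        walk(s, [s])
    return paths


def place_declassifiers(flows, sources, sinks, candidates, forbidden=frozenset()):
    """One hard clause per leaking path (some selected site must lie on it),
    hard exclusion of sites the programmer has vetoed, and the weighted number
    of selected sites as the objective. Exhaustive search stands in for the
    PB solver; returns the cheapest feasible placement or None if unsatisfiable."""
    clauses = [[e for e in path if e in candidates]
               for path in secret_to_public_paths(flows, sources, sinks)]
    allowed = [e for e in candidates if e not in forbidden]
    best = None
    for k in range(len(allowed) + 1):
        for chosen in combinations(allowed, k):
            picked = set(chosen)
            if all(any(e in picked for e in clause) for clause in clauses):
                cost = sum(candidates[e] for e in picked)
                if best is None or cost < best[0]:
                    best = (cost, picked)
    return None if best is None else best[1]


if __name__ == "__main__":
    first = place_declassifiers(FLOWS, SECRET_SOURCES, PUBLIC_SINKS, CANDIDATES)
    print("solver suggests:", first)
    # Review step: declassifying the raw password on the debug path is not an
    # acceptable point, so veto it with a hard constraint and re-run.
    print("after review:", place_declassifiers(
        FLOWS, SECRET_SOURCES, PUBLIC_SINKS, CANDIDATES, forbidden={("pw", "debug")}))
```

The second run returns None: once the debug site is vetoed no placement satisfies the hard constraints, which tells the programmer that the stray flow itself has to be removed from the code rather than authorised.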
