Security for Multithreaded Programs Under Cooperative Scheduling

Information flow exhibited by multithreaded programs is subtle because the attacker may exploit scheduler properties when deducing secret information from publicly observable outputs. Volpano and Smith have introduced a protect command that prevents the scheduler from observing sensitive timing behavior of protected commands and therefore prevents undesired information flows. While a useful construct, protect is nonstandard and difficult to implement. This paper presents a transformation that eliminates the need for protect under cooperative scheduling. We show that both termination-insensitive and termination-sensitive security can be enforced by variants of the transformation in a language with dynamic thread creation.

[1]  David Sands,et al.  Probabilistic noninterference for multi-threaded programs , 2000, Proceedings 13th IEEE Computer Security Foundations Workshop. CSFW-13.

[2]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[3]  David Sands,et al.  Controlled Declassification Based on Intransitive Noninterference , 2004, APLAS.

[4]  Alejandro Russo,et al.  Securing interaction between threads and the scheduler , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[5]  Geoffrey Smith,et al.  Probabilistic noninterference in a concurrent language , 1998, Proceedings. 11th IEEE Computer Security Foundations Workshop (Cat. No.98TB100238).

[6]  Heiko Mantel,et al.  Static Confidentiality Enforcement for Distributed Programs , 2002 .

[7]  Andrew C. Myers,et al.  Observational determinism for concurrent program security , 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings..

[8]  Peter J. Denning,et al.  Certification of programs for secure information flow , 1977, CACM.

[9]  Vincent Simonet The Flow Caml system , 2003 .

[10]  Andrei Sabelfeld,et al.  Confidentiality for Multithreaded Programs via Bisimulation , 2003, Ershov Memorial Conference.

[11]  Geoffrey Smith,et al.  Secure information flow in a multi-threaded imperative language , 1998, POPL '98.

[12]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[13]  Geoffrey Smith,et al.  Probabilistic noninterference through weak probabilistic bisimulation , 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings..

[14]  Geoffrey Smith,et al.  A new type system for secure information flow , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[15]  Glynn Winskel,et al.  The formal semantics of programming languages - an introduction , 1993, Foundation of computing series.

[16]  Manfred Broy,et al.  Perspectives of System Informatics , 2001, Lecture Notes in Computer Science.

[17]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[18]  Ilaria Castellani,et al.  Noninterference for concurrent programs and thread systems , 2002, Theor. Comput. Sci..

[19]  Andrew C. Myers,et al.  Jif: java information flow , 1999 .

[20]  Andrei Sabelfeld The Impact of Synchronisation on Secure Information Flow in Concurrent Programs , 2001, Ershov Memorial Conference.

[21]  Marieke Huisman,et al.  A temporal logic characterisation of observational determinism , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).