Secure Information Flow Typing in LUSTRE

Synchronous reactive data flow is a paradigm that provides a high-level abstract programming model for embedded and cyber-physical systems, including the locally synchronous components of IoT systems. Security in such systems is severely compromised due to low-level programming, ill-defined interfaces and inattention to security classification of data. By incorporating a Denning-style lattice-based secure information flow framework into a synchronous reactive data flow language, we provide a framework in which correct-and-secure-by-construction implementations for such systems may be specified and derived. In particular, we propose an extension of the Lustre programming framework with a security type system. The novelty of our type system lies in a symbolic formulation of constraints over security type variables, in particular the treatment of node calls, which allows us to reason about secure flow with respect to any security class lattice. The main theorem is the soundness of our type system with respect to the co-inductive operational semantics of Lustre, which we prove by showing that well-typed programs exhibit non-interference. Rather than tackle the full language, we first prove the non-interference result for a well-behaved sub-language called “Normalised Lustre” (NLustre), for which our type system is far simpler. We then show that Bourke et al.’s semantics-preserving “normalisation” transformations from Lustre to NLustre are security-preserving as well. This preservation of security types by the normalisation transformations is a property akin to “subject reduction” but at the level of compiler transformations. The main result that well-security-typed Lustre programs are non-interfering follows from a reduction to our earlier result of non-interference for NLustre via the semantics-preservation (of Bourke et al.) and type preservation results.
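As an added illustration in the spirit of the abstract (this is not the paper's formalisation nor its Coq development), the following Python sketch generates symbolic constraints of the form "join of sources ⊑ target" for a constructed normalised-Lustre-like subset, instantiates a callee node's constraints at each call site, and solves them by fixpoint over a hypothetical diamond lattice, so the same code works for any finite lattice. The lattice, the node `add2`, and all variable names are constructed for the example.

```python
from functools import reduce
# Constructed diamond lattice (hypothetical classes): L below M1 and M2, both below H.
CLASSES = ["L", "M1", "M2", "H"]
LEQ = {("L", "M1"), ("L", "M2"), ("L", "H"), ("M1", "H"), ("M2", "H")}

def leq(a, b):
    return a == b or (a, b) in LEQ

def join(a, b):
    """Least upper bound: the upper bound that lies below every other one."""
    ubs = [c for c in CLASSES if leq(a, c) and leq(b, c)]
    return next(c for c in ubs if all(leq(c, d) for d in ubs))

def expr_vars(e):
    # Free variables of a constructed expression tree: ('var', x), ('const',), (op, e1, ...)
    return {e[1]} if e[0] == "var" else set().union(*map(expr_vars, e[1:]))

def gen_constraints(eqs, nodes):
    """Equation (lhs_vars, clock_var_or_None, rhs) -> (sources, target), read as
    join(sources) <= target; the clock joins in, and a node call instantiates the callee's
    symbolic constraints on the actual variables."""
    cs = []
    for lhs, clock, rhs in eqs:
        ck = {clock} if clock else set()
        if rhs[0] == "call":
            sig = nodes[rhs[1]]
            sub = dict(zip(sig["ins"], rhs[2]))   # formal -> actual variable
            sub.update(zip(sig["outs"], lhs))
            cs += [(frozenset(sub[s] for s in ss) | ck, sub[t]) for ss, t in sig["cons"]]
        else:
            cs.append((frozenset(expr_vars(rhs)) | ck, lhs[0]))
    return cs

def infer(cs, inputs):
    # Least solution: monotone fixpoint iteration upward from L, input classes fixed.
    ty = {**{v: "L" for srcs, t in cs for v in srcs | {t}}, **inputs}
    changed = True
    while changed:
        changed = False
        for srcs, tgt in cs:
            bound = reduce(join, (ty[s] for s in srcs), ty[tgt])
            if bound != ty[tgt]:
                ty[tgt], changed = bound, True
    return ty

# Constructed callee add2(a, b) returns o with symbolic constraint a join b <= o.
NODES = {"add2": {"ins": ["a", "b"], "outs": ["o"], "cons": [({"a", "b"}, "o")]}}
INPUTS = {"x": "L", "c": "L", "secret": "H", "p": "M1", "q": "M2"}
EQS = [(("s",), None, ("call", "add2", ["x", "c"])),            # s : L
       (("v",), None, ("fby", ("const",), ("var", "secret"))),   # a delay does not launder: H
       (("u",), "secret", ("var", "x")),                         # x sampled on a secret clock: H
       (("m",), None, ("op", ("var", "p"), ("var", "q")))]       # M1 join M2 = H
TYPES = infer(gen_constraints(EQS, NODES), INPUTS)
```

Declaring `v` or `u` as an `L` output would be rejected by `leq(TYPES[o], "L")`, which is the check the type system's soundness theorem backs with non-interference.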

[1] Winnie Cheng et al. Abstractions for Usable Information Flow Control in Aeolus. USENIX Annual Technical Conference, 2012.

[2] Jon G. Riecke et al. The SLam calculus: programming with secrecy and integrity. POPL '98, 1998.

[3] Frederic T. Chong et al. Sapper: a language for hardware-level security policy enforcement. ASPLOS, 2014.

[4] Xavier Leroy et al. Formal verification of a realistic compiler. CACM, 2009.

[5] Patrick Viry et al. Equational rules for rewriting logic. Theor. Comput. Sci., 2002.

[6] Eddie Kohler et al. Making information flow explicit in HiStar. OSDI '06, 2006.

[7] Scott F. Smith et al. Dynamic Dependency Monitoring to Secure Information Flow. 20th IEEE Computer Security Foundations Symposium (CSF'07), 2007.

[8] Steve Vandebogart et al. Labels and event processes in the Asbestos operating system. TOCS, 2005.

[9] Barbara Liskov et al. IFDB: decentralized information flow control for databases. EuroSys '13, 2013.

[10] John M. Rushby et al. The Versatile Synchronous Observer. Specification, Algebra, and Software, 2012.

[11] Frederic T. Chong et al. Crafting a usable microkernel, processor, and I/O system with strict and provable information flow security. 38th Annual International Symposium on Computer Architecture (ISCA), 2011.

[12] David Sands et al. Paragon for Practical Programming with Information-Flow Control. APLAS, 2013.

[13] Nicolas Halbwachs et al. Synchronous Observers and the Verification of Reactive Systems. AMAST, 1993.

[14] Benjamin Livshits et al. Merlin: specification inference for explicit information flow problems. PLDI '09, 2009.

[15] Timothy Bourke et al. A formally verified compiler for Lustre. PLDI, 2017.

[16] Andrew C. Myers et al. Fabric: Building open distributed systems securely by construction. J. Comput. Secur., 2017.

[17] Thomas H. Austin et al. Multiple Facets for Dynamic Information Flow with Exceptions. ACM Trans. Program. Lang. Syst., 2017.

[18] D. Knuth et al. Simple Word Problems in Universal Algebras. 1983.

[19] Andrew C. Myers et al. JFlow: practical mostly-static information flow control. POPL '99, 1999.

[20] Andrew Ferraiuolo et al. HyperFlow: A Processor Architecture for Nonmalleable, Timing-Safe Information Flow Security. CCS, 2018.

[21] Dorothy E. Denning et al. A lattice model of secure information flow. CACM, 1976.

[22] Nicolas Halbwachs et al. LUSTRE: A declarative language for programming synchronous systems. 1987.

[23] Christine Paulin-Mohring et al. The Coq proof assistant reference manual. 2000.

[24] Pascal Raymond et al. Synchronous Program Verification with Lustre/Lesar. 2010.

[25] Donald E. Porter et al. Laminar: practical fine-grained decentralized information flow control. PLDI '09, 2009.

[26] François Pottier et al. Information flow inference for ML. TOPLAS, 2003.

[27] Gilles Kahn et al. The Semantics of a Simple Language for Parallel Programming. IFIP Congress, 1974.

[28] Marc Pouzet et al. Mechanized semantics and verified compilation for a dataflow synchronous language with reset. Proc. ACM Program. Lang., 2019.

[29] David Sands et al. On flow-sensitive security types. POPL '06, 2006.

[30] Sanjiva Prasad et al. Normalising Lustre Preserves Security. ICTAC, 2021.

[31] Marc Pouzet et al. SCADE 6: A formal language for embedded critical software development (invited paper). International Symposium on Theoretical Aspects of Software Engineering (TASE), 2017.

[32] Thomas H. Austin et al. Permissive dynamic information flow analysis. PLAS '10, 2010.

[33] John Plaice et al. The LUSTRE Synchronous Dataflow Programming Language: Design and Semantics. 1992.

[34] Timothy Bourke et al. Verified Lustre Normalization with Node Subsampling. ACM Trans. Embed. Comput. Syst., 2021.

[35] Gérard Boudol et al. Secure Information Flow as a Safety Property. Formal Aspects in Security and Trust, 2009.

[36] Peter J. Denning et al. Certification of programs for secure information flow. CACM, 1977.

[37] Yao Wang et al. A Hardware Design Language for Timing-Sensitive Information-Flow Security. ASPLOS, 2015.

[38] Hovav Shacham et al. Comprehensive Experimental Analyses of Automotive Attack Surfaces. USENIX Security Symposium, 2011.

[39] Mirko Zanotti. Security Typings by Abstract Interpretation. SAS, 2002.

[40] P. J. Landin et al. The next 700 programming languages. CACM, 1966.

[41] J. Meseguer et al. Security Policies and Security Models. IEEE Symposium on Security and Privacy, 1982.

[42] Pedro R. D'Argenio et al. Secure information flow by self-composition. 17th IEEE Computer Security Foundations Workshop, 2004.

[43] Pascal Raymond et al. The synchronous data flow programming language LUSTRE. Proc. IEEE, 1991.

[44] Eddie Kohler et al. Information flow control for standard OS abstractions. SOSP, 2007.

[45] Geoffrey Smith et al. A Sound Type System for Secure Flow Analysis. J. Comput. Secur., 1996.

[46] Andrew C. Myers et al. Language-based information-flow security. IEEE J. Sel. Areas Commun., 2003.

[47] Andrew C. Myers et al. A decentralized model for information flow control. SOSP, 1997.

[48] Bernd Finkbeiner et al. Temporal Logics for Hyperproperties. POST, 2013.

[49] Bart Preneel et al. On the (in)security of the latest generation implantable cardiac defibrillators and how to secure them. ACSAC, 2016.

[50] Gregor Snelting et al. Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs. International Journal of Information Security, 2009.

[51] Thomas H. Austin et al. Efficient purely-dynamic information flow analysis. PLAS '09, 2009.

[52] Subodh Sharma et al. Security Types for Synchronous Data Flow Systems. 18th ACM-IEEE International Conference on Formal Methods and Models for System Design (MEMOCODE), 2020.