Securing functional programs with floating-label information-flow control

The work presented in this thesis focuses on information-flow control systems for functional programs, particularly on the LIO library in Haskell. The thesis considers three main aspects in this area: timing covert channels, dynamic policies and enforcement mechanisms that improve precision of the analysis. Timing channels are dangerous in the presence of concurrency. We start with the design, formalisation and implementation of a concurrent version of LIO which is secure against them. More specifically, we remove leaks due to non-terminating behaviour of programs (termination covert channel) and leaks produced by forcing certain interleavings of threads, as a result of affecting their timing behaviour (internal timing covert channel). The key insight is to decouple computations so that threads observing the timing or termination behaviour of other threads are required to be at the same confidentiality level. This work only deals with internal timing that can be exploited through language-level operations. We also mitigate leaks that result from the precise measurement of the timing of observable events (external timing covert channel), e.g. by using a stopwatch. In further work, we tackle leaks that result from hardware-based shared resources, such as the processor cache. This thesis presents a cache-based attack on LIO and proposes two solutions that rely on time-agnostic scheduling: the first one consists in a modification to the Haskell runtime and the other one is a purely language-based implementation. We also present a new manifestation of internal timing in Haskell, by exploiting lazy evaluation to encode sensitive information as timing perturbations. Dynamic policies arise when the set of allowed flows of information is permitted to change as the program runs. Declassification can be viewed as a special case of dynamic policies. This thesis introduces an extension to LIO which supports dynamic policies and can encode well-known label formats such as the DLM and DC labels. Moreover, we also present the notion of restricted privileges, giving principals the ability to restrict the ways in which their authority can be used in the system, and supporting robust declassification. We also add flow-sensitivity to LIO, which consists in the ability for the security labels of references to mutate, depending on the sensitivity of what is stored in them. Finally, we introduce a hybrid enforcement which mixes static and dynamic analyses. In particular, we leverage advanced type system features in Haskell to give the programmer control over which parts of the program are dynamically checked and which parts are statically checked. The core of this library is a general technique for deferring checking of type-class constraints to runtime which is applicable to other domains beyond language-based security.

[1]  Winnie Cheng,et al.  Abstractions for Usable Information Flow Control in Aeolus , 2012, USENIX Annual Technical Conference.

[2]  Philip Wadler Monads for Functional Programming , 1995, Advanced Functional Programming.

[3]  Torben Amtoft,et al.  A logic for information flow in object-oriented programs , 2006, POPL '06.

[4]  Andrei Sabelfeld,et al.  Securing Interactive Programs , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[5]  Sam Tobin-Hochstadt,et al.  Interlanguage migration: from scripts to programs , 2006, OOPSLA '06.

[6]  Alejandro Russo,et al.  Secure Multi-execution in Haskell , 2011, Ershov Memorial Conference.

[7]  K. J. Bma Integrity considerations for secure computer systems , 1977 .

[8]  Scott Moore,et al.  Static Analysis for Efficient Hybrid Information-Flow Control , 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[9]  Andrew C. Myers,et al.  A decentralized model for information flow control , 1997, SOSP.

[10]  Deian Stefan,et al.  Disjunction Category Labels , 2011, NordSec.

[11]  Deepak Garg,et al.  Generalizing Permissive-Upgrade in Dynamic Information Flow Analysis , 2014, PLAS@ECOOP.

[12]  Andrei Sabelfeld,et al.  Secure Multi-execution: Fine-Grained, Declassification-Aware, and Transparent , 2013, 2013 IEEE 26th Computer Security Foundations Symposium.

[13]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[14]  Eugenio Moggi,et al.  Notions of Computation and Monads , 1991, Inf. Comput..

[15]  Koen Claessen,et al.  A poor man's concurrency monad , 1999, Journal of Functional Programming.

[16]  David Sands,et al.  Controlled Declassification Based on Intransitive Noninterference , 2004, APLAS.

[17]  Stephanie Weirich,et al.  Dependently typed programming with singletons , 2013, Haskell '12.

[18]  Benjamin C. Pierce,et al.  All Your IFCException Are Belong to Us , 2013, 2013 IEEE Symposium on Security and Privacy.

[19]  Steve Zdancewic,et al.  PROGRAMMING LANGUAGES FOR INFORMATION , 2002 .

[20]  Marianne Winslett,et al.  A Trust Management Approach for Flexible Policy Management in Security-Typed Languages , 2008, 2008 21st IEEE Computer Security Foundations Symposium.

[21]  Andrew C. Myers,et al.  Dynamic security labels and static information flow control , 2007, International Journal of Information Security.

[22]  Alejandro Russo,et al.  Security for Multithreaded Programs Under Cooperative Scheduling , 2006, Ershov Memorial Conference.

[23]  Andrew C. Myers,et al.  Complete, safe information flow with decentralized labels , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[24]  Deian Stefan,et al.  Flexible dynamic information flow control in the presence of exceptions* , 2012, Journal of Functional Programming.

[25]  John Hughes,et al.  Generalising monads to arrows , 2000, Sci. Comput. Program..

[26]  Deian Stefan,et al.  On Dynamic Flow-Sensitive Floating-Label Systems , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[27]  David Sands,et al.  Paragon for Practical Programming with Information-Flow Control , 2013, APLAS.

[28]  Deian Stefan,et al.  Protecting Users by Confining JavaScript with COWL , 2014, OSDI.

[29]  Mads Dam,et al.  Epistemic temporal logic for information flow security , 2011, PLAS '11.

[30]  Andrew C. Myers,et al.  A Semantic Framework for Declassification and Endorsement , 2010, ESOP.

[31]  Peng Li,et al.  Arrows for secure information flow , 2010, Theor. Comput. Sci..

[32]  Alexander Aiken,et al.  Flow-sensitive type qualifiers , 2002, PLDI '02.

[33]  Geoffrey Smith,et al.  Secure information flow in a multi-threaded imperative language , 1998, POPL '98.

[34]  A. W. Roscoe,et al.  What is intransitive noninterference? , 1999, Proceedings of the 12th IEEE Computer Security Foundations Workshop.

[35]  Wing H. Wong,et al.  Timing attacks on RSA: revealing your secrets through the fourth dimension , 2005, CROS.

[36]  Danfeng Zhang,et al.  Language-based control and mitigation of timing channels , 2012, PLDI.

[37]  Dan Page,et al.  Partitioned Cache Architecture as a Side-Channel Defence Mechanism , 2005, IACR Cryptology ePrint Archive.

[38]  Andrei Sabelfeld,et al.  Tight Enforcement of Information-Release Policies for Dynamic Languages , 2009, 2009 22nd IEEE Computer Security Foundations Symposium.

[39]  Eddie Kohler,et al.  Information flow control for standard OS abstractions , 2007, SOSP.

[40]  Lars Birkedal,et al.  Polymorphism and separation in hoare type theory , 2006, ICFP '06.

[41]  William L. Harrison,et al.  Achieving information flow security through precise control of effects , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[42]  Andrew C. Myers,et al.  Jif: java information flow , 1999 .

[43]  Robert Tappan Morris,et al.  Privacy-preserving browser-side scripting with BFlow , 2009, EuroSys '09.

[44]  Andrew C. Myers,et al.  Enforcing Robust Declassification and Qualified Robustness , 2006, J. Comput. Secur..

[45]  Michael Hicks,et al.  Polymonadic Programming , 2014, MSFP.

[46]  David Sands,et al.  On flow-sensitive security types , 2006, POPL '06.

[47]  Vincent Simonet The Flow Caml system , 2003 .

[48]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[49]  Philip Wadler,et al.  Well-Typed Programs Can't Be Blamed , 2009, ESOP.

[50]  StefanDeian,et al.  Flexible dynamic information flow control in Haskell , 2011 .

[51]  Ilaria Castellani,et al.  Noninterference for Concurrent Programs , 2001, ICALP.

[52]  Deian Stefan,et al.  Eliminating Cache-Based Timing Attacks with Instruction-Based Scheduling , 2013, ESORICS.

[53]  Juan Chen,et al.  Gradual typing embedded securely in JavaScript , 2014, POPL.

[54]  Deian Stefan,et al.  Toward Principled Browser Security , 2013, HotOS.

[55]  Scott F. Smith,et al.  Dynamic Dependency Monitoring to Secure Information Flow , 2007, 20th IEEE Computer Security Foundations Symposium (CSF'07).

[56]  Arnar Birgisson,et al.  Boosting the Permissiveness of Dynamic Information-Flow Tracking by Testing , 2012, ESORICS.

[57]  Robert Atkey,et al.  Parameterised notions of computation , 2006, J. Funct. Program..

[58]  Gurvan Le Guernic Automaton-based Confidentiality Monitoring of Concurrent Programs , 2007, 20th IEEE Computer Security Foundations Symposium (CSF'07).

[59]  David Sands,et al.  Paralocks: role-based information flow control and beyond , 2010, POPL '10.

[60]  Michael Walfish,et al.  World Wide Web Without Walls , 2007, HotNets.

[61]  Matthias Felleisen,et al.  Contracts for higher-order functions , 2002, ICFP '02.

[62]  Andrew C. Myers,et al.  Robust declassification , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[63]  Alejandro Russo,et al.  Tracking Information Flow in Dynamic Tree Structures , 2009, ESORICS.

[64]  José Meseguer,et al.  Unwinding and Inference Control , 1984, 1984 IEEE Symposium on Security and Privacy.

[65]  Stephen Chong,et al.  Learning is Change in Knowledge: Knowledge-Based Security for Dynamic Policies , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[66]  David Sands,et al.  A Per Model of Secure Information Flow in Sequential Programs , 1999, ESOP.

[67]  Thomas H. Austin,et al.  Permissive dynamic information flow analysis , 2010, PLAS '10.

[68]  David Sands,et al.  Timing Aware Information Flow Security for a JavaCard-like Bytecode , 2005, Electron. Notes Theor. Comput. Sci..

[69]  David Sands,et al.  Dimensions and principles of declassification , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[70]  David Sands,et al.  Termination-Insensitive Noninterference Leaks More Than Just a Bit , 2008, ESORICS.

[71]  Ron van der Meyden,et al.  What, indeed, is intransitive noninterference? , 2015, J. Comput. Secur..

[72]  Andrew C. Myers,et al.  Protecting privacy using the decentralized label model , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[73]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[74]  David Sands,et al.  Declassification: Dimensions and principles , 2009, J. Comput. Secur..

[75]  Deian Stefan,et al.  Flexible dynamic information flow control in Haskell , 2012, Haskell '11.

[76]  Alejandro Russo,et al.  A Library for Secure Multi-threaded Information Flow in Haskell , 2007, 20th IEEE Computer Security Foundations Symposium (CSF'07).

[77]  Ilaria Castellani,et al.  Noninterference for concurrent programs and thread systems , 2002, Theor. Comput. Sci..

[78]  Simon L. Peyton Jones,et al.  Giving Haskell a promotion , 2012, TLDI '12.

[79]  David Sands,et al.  Very Static Enforcement of Dynamic Policies , 2015, POST.

[80]  David Sands,et al.  The Anatomy and Facets of Dynamic Policies , 2015, 2015 IEEE 28th Computer Security Foundations Symposium.

[81]  Alejandro Russo,et al.  From Dynamic to Static and Back: Riding the Roller Coaster of Information-Flow Control Research , 2009, Ershov Memorial Conference.

[82]  John Hughes Programming with Arrows , 2004, Advanced Functional Programming.

[83]  Taesoo Kim,et al.  STEALTHMEM: System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud , 2012, USENIX Security Symposium.

[84]  Michael Hicks,et al.  Managing policy updates in security-typed languages , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[85]  Alejandro Russo,et al.  Securing interaction between threads and the scheduler , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[86]  Geoffrey Smith,et al.  Probabilistic noninterference in a concurrent language , 1998, Proceedings. 11th IEEE Computer Security Foundations Workshop (Cat. No.98TB100238).

[87]  Andrew C. Myers,et al.  Observational determinism for concurrent program security , 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings..

[88]  Koen Claessen,et al.  A library for light-weight information-flow security in haskell , 2008, Haskell '08.

[89]  Thomas H. Austin,et al.  Efficient purely-dynamic information flow analysis , 2009, PLAS '09.

[90]  Kenneth Knowles,et al.  Hybrid type checking , 2010, TOPL.

[91]  John Launchbury,et al.  A natural semantics for lazy evaluation , 1993, POPL '93.

[92]  Simon L. Peyton Jones,et al.  Closed type families with overlapping equations , 2014, POPL.

[93]  Gavin M. Bierman,et al.  Safe & Efficient Gradual Typing for TypeScript , 2015, POPL.

[94]  Lujo Bauer,et al.  Run-Time Enforcement of Information-Flow Properties on Android - (Extended Abstract) , 2013, ESORICS.

[95]  Steve Vandebogart,et al.  Labels and event processes in the Asbestos operating system , 2005, TOCS.

[96]  Andrew C. Myers,et al.  Decentralized robustness , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[97]  Deepak Garg,et al.  Verification of Information Flow and Access Control Policies with Dependent Types , 2011, 2011 IEEE Symposium on Security and Privacy.

[98]  Deian Stefan,et al.  A Library for Removing Cache-Based Attacks in Concurrent Information Flow Systems , 2013, TGC.

[99]  Gilles Barthe,et al.  Cache-Leakage Resilient OS Isolation in an Idealized Model of Virtualization , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[100]  Andrei Sabelfeld,et al.  Gradual Release: Unifying Declassification, Encryption and Key Release Policies , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[101]  David A. Schmidt,et al.  Automata-Based Confidentiality Monitoring , 2006, ASIAN.

[102]  Colin Percival CACHE MISSING FOR FUN AND PROFIT , 2005 .

[103]  Arnar Birgisson,et al.  JSFlow: tracking information flow in JavaScript and its APIs , 2014, SAC.

[104]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[105]  Alejandro Russo,et al.  Lazy Programs Leak Secrets , 2013, NordSec.

[106]  Jim Baker,et al.  Design and evaluation of gradual typing for python , 2014, DLS.

[107]  David Sands,et al.  Probabilistic noninterference for multi-threaded programs , 2000, Proceedings 13th IEEE Computer Security Foundations Workshop. CSFW-13.

[108]  Eddie Kohler,et al.  Making information flow explicit in HiStar , 2006, OSDI '06.

[109]  Keiko Nakata,et al.  Securing Class Initialization in Java-like Languages , 2013, IEEE Transactions on Dependable and Secure Computing.

[110]  Deian Stefan,et al.  Hails: Protecting Data Privacy in Untrusted Web Applications , 2012, OSDI.

[111]  Onur Aciiçmez,et al.  Yet another MicroArchitectural Attack:: exploiting I-Cache , 2007, CSAW '07.

[112]  Laurent Mauborgne,et al.  Automatic Quantification of Cache Side-Channels , 2012, CAV.

[113]  Simon Peyton Jones,et al.  A monad for deterministic parallelism , 2012 .

[114]  Simon N. Foley,et al.  A security model of dynamic labelling providing a tiered approach to verification , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[115]  Ellis Choen,et al.  Information transmission in computational systems , 1977, SOSP 1977.

[116]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[117]  Robert Hieb,et al.  The Revised Report on the Syntactic Theories of Sequential Control and State , 1992, Theor. Comput. Sci..

[118]  Deian Stefan,et al.  Addressing covert termination and timing channels in concurrent information flow systems , 2012, ICFP '12.

[119]  Tom Schrijvers,et al.  Haskell Type Constraints Unleashed , 2010, FLOPS.

[120]  Simon L. Peyton Jones,et al.  Concurrent Haskell , 1996, POPL '96.

[121]  Butler W. Lampson,et al.  A note on the confinement problem , 1973, CACM.

[122]  Andrew C. Myers,et al.  Language-based information erasure , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[123]  Boniface Hicks,et al.  Dynamic updating of information-flo w policies , 2005 .

[124]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[125]  Daryl McCullough,et al.  Noninterference and the composability of security properties , 1988, Proceedings. 1988 IEEE Symposium on Security and Privacy.

[126]  Daniel R. Licata,et al.  Security-typed programming within dependently typed programming , 2010, ICFP '10.

[127]  Alejandro Russo,et al.  Dynamic vs. Static Flow-Sensitive Security Analysis , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[128]  Peter Thiemann,et al.  Gradual Security Typing with References , 2013, 2013 IEEE 26th Computer Security Foundations Symposium.

[129]  Jeremy G. Siek Gradual Typing for Functional Languages , 2006 .

[130]  Ed Komp,et al.  The HERMIT in the machine: a plugin for the interactive transformation of GHC core language programs , 2013, Haskell 2013.

[131]  Arnar Birgisson,et al.  Capabilities for information flow , 2011, PLAS '11.

[132]  Johan Agat,et al.  Transforming out timing leaks , 2000, POPL '00.

[133]  W. Harrison,et al.  Cheap (But Functional) Threads † , 2015 .

[134]  Dominique Devriese,et al.  Noninterference through Secure Multi-execution , 2010, 2010 IEEE Symposium on Security and Privacy.

[135]  Ben Hardekopf,et al.  Timing- and Termination-Sensitive Secure Information Flow: Exploring a New Approach , 2011, 2011 IEEE Symposium on Security and Privacy.

[136]  Sam Tobin-Hochstadt,et al.  Gradual typing for first-class classes , 2012, OOPSLA '12.

[137]  Andrei Sabelfeld,et al.  Information-Flow Security for a Core of JavaScript , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[138]  Alejandro Russo,et al.  Closing Internal Timing Channels by Transformation , 2006, ASIAN.

[139]  Wouter Swierstra,et al.  A functional specification of effects , 2009 .

[140]  Pablo Buiras,et al.  Dynamic Enforcement of Dynamic Policies , 2015, PLAS@ECOOP.

[141]  Sylvain Conchon,et al.  Information flow inference for free , 2000, ICFP '00.

[142]  François Pottier A simple view of type-secure information flow in the /spl pi/-calculus , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[143]  Chenyi Zhang,et al.  Conditional Information Flow Policies and Unwinding Relations , 2011, TGC.

[144]  C. Flanagan,et al.  Gradual Information Flow Typing , 2011 .

[145]  H. Stamer Security-Typed Languages for Implementation of Cryptographic Protocols : A Case Study , 2007 .

[146]  Peng Li,et al.  Encoding information flow in Haskell , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).