Type-Driven Repair for Information Flow Security

We present Lifty, a language that uses type-driven program repair to enforce information flow policies. In Lifty, the programmer specifies a policy by annotating the source of sensitive data with a refinement type, and the system automatically inserts access checks necessary to enforce this policy across the code. This is a significant improvement over current practice, where programmers manually implement access checks, and any missing check can cause an information leak. To support this programming model, we have developed (1) an encoding of information flow security in terms of decidable refinement types that enables fully automatic verification and (2) a program repair algorithm that localizes unsafe accesses to sensitive data and replaces them with provably secure alternatives. We formalize the encoding and prove its noninterference guarantee. Our experience using Lifty to implement a conference management system shows that it decreases policy burden and is able to efficiently synthesize all necessary access checks, including those required to prevent a set of reported real-world information leaks.

[1]  Fan Long,et al.  Automatic patch generation by learning correct code , 2016, POPL.

[2]  Peter-Michael Osera,et al.  Type-and-example-directed program synthesis , 2015, PLDI.

[3]  Yuriy Brun,et al.  Repairing Programs with Semantic Code Search (T) , 2015, 2015 30th IEEE/ACM International Conference on Automated Software Engineering (ASE).

[4]  Juan Chen,et al.  Secure distributed programming with value-dependent types , 2011, Journal of Functional Programming.

[5]  Armando Solar-Lezama,et al.  A language for automatically enforcing privacy policies , 2012, POPL '12.

[6]  Xin Qi,et al.  Fabric: a platform for secure distributed computation and storage , 2009, SOSP '09.

[7]  Deian Stefan,et al.  On Dynamic Flow-Sensitive Floating-Label Systems , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[8]  K. Rustan M. Leino,et al.  Houdini, an Annotation Assistant for ESC/Java , 2001, FME.

[9]  Joseph P. Near,et al.  Rubicon: bounded verification of web applications , 2012, SIGSOFT FSE.

[10]  Michael Carl Tschantz,et al.  Verification and change-impact analysis of access-control policies , 2005, Proceedings. 27th International Conference on Software Engineering, 2005. ICSE 2005..

[11]  Andrew C. Myers,et al.  Dynamic security labels and static information flow control , 2007, International Journal of Information Security.

[12]  David Sands,et al.  Flow Locks: Towards a Core Calculus for Dynamic Flow Policies , 2006, ESOP.

[13]  Patrick Maxim Rondon,et al.  Liquid types , 2008, PLDI '08.

[14]  Pavol Cerný,et al.  Synthesis Through Unification , 2015, CAV.

[15]  Amr Sabry,et al.  The essence of compiling with continuations , 1993, PLDI '93.

[16]  Isil Dillig,et al.  Maximal specification synthesis , 2016, POPL.

[17]  Armando Solar-Lezama,et al.  Faceted execution of policy-agnostic programs , 2013, PLAS '13.

[18]  Sumit Gulwani,et al.  Recursive Program Synthesis , 2013, CAV.

[19]  Fan Long,et al.  Staged program repair with condition synthesis , 2015, ESEC/SIGSOFT FSE.

[20]  Claire Le Goues,et al.  GenProg: A Generic Method for Automatic Software Repair , 2012, IEEE Transactions on Software Engineering.

[21]  Isil Dillig,et al.  Synthesizing data structure transformations from input-output examples , 2015, PLDI.

[22]  Ranjit Jhala,et al.  Refinement types for Haskell , 2014, ICFP.

[23]  Limin Jia,et al.  Encoding information flow in Aura , 2009, PLAS '09.

[24]  Ranjit Jhala,et al.  LiquidHaskell: experience with refinement types in the real world , 2014, Haskell.

[25]  Michael Hicks,et al.  Fable: A Language for Enforcing User-defined Security Policies , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[26]  Andrew C. Myers,et al.  Sharing Mobile Code Securely with Information Flow Control , 2012, 2012 IEEE Symposium on Security and Privacy.

[27]  Adam Chlipala,et al.  Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications , 2010, OSDI.

[28]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[29]  François Pottier,et al.  Information flow inference for ML , 2003, TOPL.

[30]  Somesh Jha,et al.  Efficient Runtime Policy Enforcement Using Counterexample-Guided Abstraction Refinement , 2012, CAV.

[31]  Ruzica Piskac,et al.  Complete functional synthesis , 2010, PLDI '10.

[32]  David Garlan,et al.  SASS: Self-Adaptation Using Stochastic Search , 2015, 2015 IEEE/ACM 10th International Symposium on Software Engineering for Adaptive and Self-Managing Systems.

[33]  Armando Solar-Lezama,et al.  Precise, dynamic information flow for database-backed applications , 2015, PLDI.

[34]  Juan Chen,et al.  Enforcing Stateful Authorization and Information Flow Policies in Fine , 2010, ESOP.

[35]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[36]  Koen Claessen,et al.  A library for light-weight information-flow security in haskell , 2008, Haskell '08.

[37]  Peng Li,et al.  Downgrading policies and relaxed noninterference , 2005, POPL '05.

[38]  Viktor Kuncak,et al.  Deductive Program Repair , 2015, CAV.

[39]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[40]  Peter J. Denning,et al.  Certification of programs for secure information flow , 1977, CACM.

[41]  Darko Marinov,et al.  Model-based, event-driven programming paradigm for interactive web applications , 2013, Onward!.

[42]  Vitaly Shmatikov,et al.  Fix Me Up: Repairing Access-Control Bugs in Web Applications , 2013, NDSS.

[43]  Eddie Kohler,et al.  Information flow control for standard OS abstractions , 2007, SOSP.

[44]  Ranjit Jhala,et al.  Abstract Refinement Types , 2013, ESOP.

[45]  Eric Lahtinen,et al.  Automatic error elimination by horizontal code transfer across multiple applications , 2015, PLDI.

[46]  Sanjit A. Seshia,et al.  Combinatorial sketching for finite programs , 2006, ASPLOS XII.

[47]  Donald E. Porter,et al.  Laminar: practical fine-grained decentralized information flow control , 2009, PLDI '09.

[48]  Kathryn T. Stolee,et al.  Repairing Programs with Semantic Code Search , 2015 .

[49]  David Walker,et al.  Example-directed synthesis: a type-theoretic interpretation , 2016, POPL.

[50]  Armando Solar-Lezama,et al.  Program synthesis from polymorphic refinement types , 2015, PLDI.

[51]  Thomas H. Austin,et al.  Multiple facets for dynamic information flow , 2012, POPL '12.

[52]  Michael D. Ernst,et al.  Automatically patching errors in deployed software , 2009, SOSP '09.

[53]  Simon L. Peyton Jones,et al.  Diagnosing type errors with class , 2015, PLDI.

[54]  Sorin Lerner,et al.  Staged information flow for javascript , 2009, PLDI '09.

[55]  Armando Solar-Lezama,et al.  Type Assisted Synthesis of Recursive Transformers on Algebraic Data Types , 2015, ArXiv.

[56]  Somesh Jha,et al.  Retrofitting legacy code for authorization policy enforcement , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[57]  William R. Harris,et al.  DIFC programs by automatic instrumentation , 2010, CCS '10.

[58]  Juan Chen,et al.  Type-preserving compilation of end-to-end verification of security enforcement , 2010, PLDI '10.

[59]  Zohar Manna,et al.  A Deductive Approach to Program Synthesis , 1979, TOPL.

[60]  Andrew C. Myers,et al.  SIF: Enforcing Confidentiality and Integrity in Web Applications , 2007, USENIX Security Symposium.

[61]  Xi Wang,et al.  Improving application security with data flow assertions , 2009, SOSP '09.

[62]  Borzoo Bonakdarpour,et al.  Runtime Verification of k-Safety Hyperproperties in HyperLTL , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).