Static Evaluation of Noninterference Using Approximate Model Counting

Noninterference is a definition of security for secret values provided to a procedure, which informally is met when attacker-observable outputs are insensitive to the value of the secret inputs or, in other words, the secret inputs do not "interfere" with those outputs. This paper describes a static analysis method to measure interference in software. In this approach, interference is assessed using the extent to which different secret inputs are consistent with different attacker-controlled inputs and attacker-observable outputs, which can be measured using a technique called model counting. Leveraging this insight, we develop a flexible interference assessment technique for which the assessment accuracy quantifiably grows with the computational effort invested in the analysis. This paper demonstrates the effectiveness of this technique through application to several case studies, including leakage of: search-engine queries through auto-complete response sizes; secrets subjected to compression together with attacker-controlled inputs; and TCP sequence numbers from shared counters.

[1]  Corina S. Pasareanu,et al.  Multi-run Side-Channel Analysis Using Symbolic Execution and Max-SMT , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[2]  Gavin Lowe,et al.  Quantifying information flow , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[3]  Tevfik Bultan,et al.  Synthesis of Adaptive Side-Channel Attacks , 2017, 2017 IEEE 30th Computer Security Foundations Symposium (CSF).

[4]  Andrey Rybalchenko,et al.  Approximation and Randomization for Quantitative Information-Flow Analysis , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[5]  Robert Morris A Weakness in the 4.2BSD Unix† TCP/IP Software , 1999 .

[6]  Colin Boyd,et al.  Protecting Encrypted Cookies from Compression Side-Channel Attacks , 2015, Financial Cryptography.

[7]  John Kelsey,et al.  Compression and Information Leakage of Plaintext , 2002, FSE.

[8]  George Candea,et al.  S2E: a platform for in-vivo multi-path analysis of software systems , 2011, ASPLOS XVI.

[9]  James W. Gray,et al.  Toward a mathematical foundation for information flow security , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[10]  Supratik Chakraborty,et al.  A Scalable Approximate Model Counter , 2013, CP.

[11]  Benjamin C. Pierce,et al.  Testing noninterference, quickly , 2016, Journal of Functional Programming.

[12]  Adam O'Neill,et al.  Generic Attacks on Secure Outsourced Databases , 2016, CCS.

[13]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[14]  Chris Hankin,et al.  Approximate non-interference , 2004 .

[15]  Jan Reineke,et al.  CacheAudit: A Tool for the Static Analysis of Cache Side Channels , 2013, TSEC.

[16]  Yinglian Xie,et al.  Collaborative TCP sequence number inference attack: how to crack sequence number under a second , 2012, CCS '12.

[17]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[18]  Michael Hicks,et al.  Decomposition instead of self-composition for proving the absence of timing channels , 2017, PLDI.

[19]  Srikanth V. Krishnamurthy,et al.  Off-Path TCP Exploits: Global Rate Limit Considered Dangerous , 2016, USENIX Security Symposium.

[20]  Peter Chapman,et al.  Automated black-box detection of side-channel vulnerabilities in web applications , 2011, CCS '11.

[21]  Sharad Malik,et al.  On computing minimal independent support and its applications to sampling and counting , 2015, Constraints.

[22]  Vladimir Klebanov,et al.  Practical Detection of Entropy Loss in Pseudo-Random Number Generators : Extended Version , 2016 .

[23]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[24]  Zhuoqing Morley Mao,et al.  Static Detection of Packet Injection Vulnerabilities: A Case for Identifying Attacker-controlled Implicit Information Leaks , 2015, CCS.

[25]  David A. Basin,et al.  An information-theoretic model for adaptive side-channel attacks , 2007, CCS '07.

[26]  Suela Kodra Fuzzy extractors : How to generate strong keys from biometrics and other noisy data , 2015 .

[27]  Jacques Klein,et al.  FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps , 2014, PLDI.

[28]  Thomas Ristenpart,et al.  Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures Fail , 2012, 2012 IEEE Symposium on Security and Privacy.

[29]  Deepak Kapur,et al.  Idle Port Scanning and Non-interference Analysis of Network Protocol Stacks Using Model Checking , 2010, USENIX Security Symposium.

[30]  Butler W. Lampson,et al.  A note on the confinement problem , 1973, CACM.

[31]  Geoffrey Smith,et al.  Quantifying Information Flow Using Min-Entropy , 2011, 2011 Eighth International Conference on Quantitative Evaluation of SysTems.

[32]  Michael Backes,et al.  Automatic Discovery and Quantification of Information Leaks , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[33]  Jeff Dike,et al.  User-mode Linux , 2006, Annual Linux Showcase & Conference.

[34]  Trent Jaeger,et al.  Implicit Flows: Can't Live with 'Em, Can't Live without 'Em , 2008, ICISS.

[35]  Christopher Krügel,et al.  Pixy: a static analysis tool for detecting Web application vulnerabilities , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[36]  Mário S. Alvim,et al.  Quantifying Information Flow for Dynamic Secrets , 2014, 2014 IEEE Symposium on Security and Privacy.

[37]  David Clark,et al.  A static analysis for quantifying information flow in a simple imperative language , 2007, J. Comput. Secur..

[38]  Pasquale Malacaria,et al.  Abstract model counting: a novel approach for quantification of information leaks , 2014, AsiaCCS.

[39]  Rui Wang,et al.  Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow , 2010, 2010 IEEE Symposium on Security and Privacy.

[40]  Laurent Mauborgne,et al.  Automatic Quantification of Cache Side-Channels , 2012, CAV.

[41]  Isil Dillig,et al.  Precise Detection of Side-Channel Vulnerabilities using Quantitative Cartesian Hoare Logic , 2017, CCS.

[42]  Zhou Li,et al.  Sidebuster: automated detection and quantification of side-channel leaks in web application development , 2010, CCS '10.

[43]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[44]  Michael R. Clarkson,et al.  Belief in information flow , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[45]  Pasquale Malacaria,et al.  Assessing security threats of looping constructs , 2007, POPL '07.

[46]  David Clark,et al.  Quantitative Analysis of the Leakage of Confidential Data , 2002, QAPL.

[47]  Christopher Krügel,et al.  Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis , 2007, NDSS.

[48]  David Clark,et al.  Quantitative Information Flow, Relations and Polymorphic Types , 2005, J. Log. Comput..

[49]  Timothy Bourke,et al.  seL4: From General Purpose to a Proof of Information Flow Enforcement , 2013, 2013 IEEE Symposium on Security and Privacy.