On Formalizing Information-Flow Control Libraries

Many state-of-the-art IFC libraries support a variety of advanced features like mutable data structures, exceptions, and concurrency, whose subtle interaction makes verification of security guarantees challenging. In this paper, we present a full-fledged, mechanically verified model of MAC---a statically enforced IFC library. We describe three main insights gained during the formalization process. Like previous libraries (e.g., LIO and HLIO), we use term erasure as the proof technique to show non-interference. This technique essentially states that the same public output should be produced whether secrets are erased before or after program execution. Our first insight identifies challenges when the sensitivity of terms may depend on the context where they are used, thus affecting how they will be erased. This situation is not uncommon in MAC as well as other IFC libraries---in fact, we spot problems in the proofs of previous work. To deal with such complicated situations, we propose a novel erasure technique that performs erasure by additional evaluation rules, triggered by special-purpose constructs. Furthermore, we simplify reasoning about exception-aware primitives by removing sensitive exceptions from programs where secrets have been erased. We show progress-insensitive non-interference for our sequential calculus and pinpoint sufficient requirements on the scheduler to prove progress-sensitive non-interference for our concurrent calculus. We prove that MAC is secure under a round-robin scheduler by simply instantiating our main scheduler-parametric theorem.
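The term-erasure argument and the context-sensitivity problem described above, as an added example that is not part of the paper or its mechanized model: a toy two-point (L ⊑ H) MAC-style calculus in Python with a `mac` construct for labeled computations and `labeled`/`unlabel` for labeled values (all constructed here), an evaluator, a context-aware erasure function, and a label-only erasure that ignores context. Running a program and then erasing must give the same term as erasing and then running; the context-aware erasure satisfies this, while the label-only one misses a literal whose sensitivity comes only from the enclosing H computation.

```python
LOW, HIGH, HOLE = "L", "H", "•"           # two-point lattice and the erased-term marker

def flows(a, b):                           # L ⊑ L, L ⊑ H, H ⊑ H
    return a == LOW or b == HIGH

# Constructed first-order terms: ('lit', n) | ('plus', t1, t2) | ('labeled', l, t)
# | ('unlabel', t) | ('mac', l, t); a 'mac' body runs in a computation at label l.
def evaluate(t, ctx=LOW):
    """Big-step evaluation of term t inside a computation at label ctx."""
    if t == HOLE:
        return HOLE                        # erased terms stay erased
    tag = t[0]
    if tag == "lit":
        return t
    if tag == "plus":
        a, b = evaluate(t[1], ctx), evaluate(t[2], ctx)
        return HOLE if HOLE in (a, b) else ("lit", a[1] + b[1])
    if tag in ("labeled", "mac"):
        return (tag, t[1], evaluate(t[2], t[1]))
    lv = evaluate(t[1], ctx)               # tag == "unlabel"
    if lv == HOLE:
        return HOLE
    assert flows(lv[1], ctx), "ill-typed: no read-up"
    return lv[2]

def erase(t, ctx=LOW):
    """Context-aware erasure at attacker level L: every term sitting inside an H
    computation or an H labeled value becomes a hole, even an unlabeled literal."""
    if t == HOLE or not flows(ctx, LOW):
        return HOLE
    tag = t[0]
    if tag == "lit":
        return t
    if tag == "plus":
        return ("plus", erase(t[1], ctx), erase(t[2], ctx))
    if tag in ("labeled", "mac"):
        return (tag, t[1], erase(t[2], t[1]))
    return ("unlabel", erase(t[1], ctx))

def erase_naive(t):
    """Label-only erasure: hides H-labeled bodies but ignores the context."""
    if t == HOLE or t[0] == "lit":
        return t
    if t[0] == "labeled" and t[1] == HIGH:
        return ("labeled", HIGH, HOLE)
    return (t[0],) + tuple(erase_naive(x) if isinstance(x, tuple) or x == HOLE else x for x in t[1:])

def commutes(t, er):
    """Core of the technique: erasing before or after running t gives the same term."""
    return er(evaluate(t)) == evaluate(er(t))

# Constructed program: an H computation adds a public 1 to a secret 40.
PROG = ("mac", HIGH, ("plus", ("unlabel", ("labeled", LOW, ("lit", 1))),
                              ("unlabel", ("labeled", HIGH, ("lit", 40)))))
```

With `erase`, `commutes(PROG, erase)` holds; with `erase_naive` it fails because the unlabeled result `('lit', 41)` survives erasure of the final term while the erased program can no longer compute it.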
