Securing concurrent programs with dynamic information-flow control

The work presented in this thesis focusses on dealing with timing covert channels in dynamic information-flow control systems, particularly for the LIO library in Haskell. Timing channels are dangerous in the presence of concurrency. Therefore, we start with the design, formalisation and implementation of a concurrent version of LIO which is secure against them. More specifically, we remove leaks due to non-terminating behaviour of programs (termination covert channel) and leaks produced by forcing certain interleavings of threads, as a result of affecting their timing behaviour (internal timing covert channel). The key insight is to decouple computations so that threads observing the timing or termination behaviour of other threads are required to be at the same confidentiality level. This work only deals with internal timing that can be exploited through language-level operations. We also mitigate leaks that result from the precise measurement of the timing of observable events (external timing covert channel), e.g. by using a stopwatch. Timing channels can also be exploited through hardware-based shared resources, such as the processor cache. This thesis presents a cache-based attack on LIO that relies on timing perturbations to leak sensitive information through internal timing. To address this problem, we modify the Haskell runtime to support instruction-based scheduling, a scheduling strategy that is indifferent to such perturbations from underlying hardware components, such as the cache, TLB, and CPU buses. We show this scheduler is secure against cache-based internal timing attacks for applications using a single CPU. Additionally, we provide a purely language-based implementation of the instruction-based strategy for LIO, by means of a library. We leverage the notion of resumptions, a restricted form of continuations, to control the interleaving of threads, forcing each thread to yield after every LIO operation. Due to the flexibility of this approach, we are able to support parallel computation in the library, a novel feature in information-flow control tools. Finally, we present a new manifestation of internal timing in Haskell, by exploiting lazy evaluation to encode sensitive information as timing perturbations. We illustrate our claim with a concrete attack on LIO that relies on memoisation of shared thunks to leak information. We also propose a countermeasure based on restricting the implicit sharing of values.

[1]  Danfeng Zhang,et al.  Predictive black-box mitigation of timing channels , 2010, CCS '10.

[2]  Alejandro Russo,et al.  Secure Multi-execution in Haskell , 2011, Ershov Memorial Conference.

[3]  Zhao Zhang,et al.  Gaining insights into multicore cache partitioning: Bridging the gap between simulation and real systems , 2008, 2008 IEEE 14th International Symposium on High Performance Computer Architecture.

[4]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[5]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[6]  Geoffrey Smith,et al.  Secure information flow in a multi-threaded imperative language , 1998, POPL '98.

[7]  Andrew C. Myers,et al.  A decentralized model for information flow control , 1997, SOSP.

[8]  Koen Claessen,et al.  A poor man's concurrency monad , 1999, Journal of Functional Programming.

[9]  Edward W. Felten,et al.  Timing attacks on Web privacy , 2000, CCS.

[10]  Arnar Birgisson,et al.  JSFlow: tracking information flow in JavaScript and its APIs , 2014, SAC.

[11]  Dan Boneh,et al.  Exposing private information by timing web applications , 2007, WWW '07.

[12]  Gilles Barthe,et al.  Cache-Leakage Resilient OS Isolation in an Idealized Model of Virtualization , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[13]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[14]  Peng Li,et al.  Encoding information flow in Haskell , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[15]  David Sands,et al.  Timing Aware Information Flow Security for a JavaCard-like Bytecode , 2005, Electron. Notes Theor. Comput. Sci..

[16]  Alejandro Russo,et al.  Lazy Programs Leak Secrets , 2013, NordSec.

[17]  Colin Percival CACHE MISSING FOR FUN AND PROFIT , 2005 .

[18]  David Sands,et al.  Probabilistic noninterference for multi-threaded programs , 2000, Proceedings 13th IEEE Computer Security Foundations Workshop. CSFW-13.

[19]  Eddie Kohler,et al.  Making information flow explicit in HiStar , 2006, OSDI '06.

[20]  David Sands,et al.  Termination-Insensitive Noninterference Leaks More Than Just a Bit , 2008, ESORICS.

[21]  Danfeng Zhang,et al.  Predictive mitigation of timing channels in interactive systems , 2011, CCS '11.

[22]  Geoffrey Smith,et al.  Probabilistic noninterference through weak probabilistic bisimulation , 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings..

[23]  Matthias Felleisen,et al.  The theory and practice of first-class prompts , 1988, POPL '88.

[24]  Dominique Devriese,et al.  Information flow enforcement in monadic libraries , 2011, TLDI '11.

[25]  Will Partain,et al.  The nofib Benchmark Suite of Haskell Programs , 1992, Functional Programming.

[26]  Paul Hudak,et al.  Monad transformers and modular interpreters , 1995, POPL '95.

[27]  Christoforos E. Kozyrakis,et al.  Vantage: Scalable and efficient fine-grain cache partitioning , 2011, 2011 38th Annual International Symposium on Computer Architecture (ISCA).

[28]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[29]  Deian Stefan,et al.  A Library for Removing Cache-Based Attacks in Concurrent Information Flow Systems , 2013, TGC.

[30]  David Sands,et al.  Paragon for Practical Programming with Information-Flow Control , 2013, APLAS.

[31]  Andrew C. Myers,et al.  Observational determinism for concurrent program security , 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings..

[32]  Wing H. Wong,et al.  Timing attacks on RSA: revealing your secrets through the fourth dimension , 2005, CROS.

[33]  Koen Claessen,et al.  A library for light-weight information-flow security in haskell , 2008, Haskell '08.

[34]  Danfeng Zhang,et al.  Language-based control and mitigation of timing channels , 2012, PLDI.

[35]  Peter J. Denning,et al.  Certification of programs for secure information flow , 1977, CACM.

[36]  Nobuko Yoshida,et al.  Secure Information Flow as Typed Process Behaviour , 2000, ESOP.

[37]  Alejandro Russo,et al.  Security for Multithreaded Programs Under Cooperative Scheduling , 2006, Ershov Memorial Conference.

[38]  David Brumley,et al.  Remote timing attacks are practical , 2003, Comput. Networks.

[39]  Gilles Barthe,et al.  Preventing Timing Leaks Through Transactional Branching Instructions , 2006, QAPL.

[40]  S. Eranian Perfmon2: a flexible performance monitoring interface for Linux , 2010 .

[41]  Dan Page,et al.  Partitioned Cache Architecture as a Side-Channel Defence Mechanism , 2005, IACR Cryptology ePrint Archive.

[42]  Eddie Kohler,et al.  Information flow control for standard OS abstractions , 2007, SOSP.

[43]  Jonathan K. Millen 20 years of covert channel modeling and analysis , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[44]  Heiko Mantel,et al.  Eliminating Implicit Information Leaks by Transformational Typing and Unification , 2005, Formal Aspects in Security and Trust.

[45]  Deian Stefan,et al.  Disjunction Category Labels , 2011, NordSec.

[46]  Eugenio Moggi,et al.  Notions of Computation and Monads , 1991, Inf. Comput..

[47]  William L. Harrison,et al.  Achieving information flow security through precise control of effects , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[48]  Deian Stefan,et al.  Addressing covert termination and timing channels in concurrent information flow systems , 2012, ICFP '12.

[49]  Simon L. Peyton Jones,et al.  Concurrent Haskell , 1996, POPL '96.

[50]  Don Coppersmith,et al.  Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities , 1997, Journal of Cryptology.

[51]  Butler W. Lampson,et al.  A note on the confinement problem , 1973, CACM.

[52]  Joseph Bonneau,et al.  Cache-Collision Timing Attacks Against AES , 2006, CHES.

[53]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[54]  Ilaria Castellani,et al.  Noninterference for Concurrent Programs , 2001, ICALP.

[55]  Taesoo Kim,et al.  STEALTHMEM: System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud , 2012, USENIX Security Symposium.

[56]  Robert Atkey,et al.  Parameterised notions of computation , 2006, J. Funct. Program..

[57]  Andrei Sabelfeld,et al.  A Perspective on Information-Flow Control , 2012, Software Safety and Security.

[58]  Alejandro Russo,et al.  Closing Internal Timing Channels by Transformation , 2006, ASIAN.

[59]  Wouter Swierstra,et al.  A functional specification of effects , 2009 .

[60]  François Pottier A simple view of type-secure information flow in the /spl pi/-calculus , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[61]  Jerome H. Saltzer,et al.  End-to-end arguments in system design , 1984, TOCS.

[62]  Andrew C. Myers,et al.  Protecting privacy using the decentralized label model , 2003, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[63]  Alejandro Russo,et al.  Securing interaction between threads and the scheduler , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[64]  Geoffrey Smith,et al.  Probabilistic noninterference in a concurrent language , 1998, Proceedings. 11th IEEE Computer Security Foundations Workshop (Cat. No.98TB100238).

[65]  Gilles Barthe,et al.  Security of Multithreaded Programs by Compilation , 2007, ESORICS.

[66]  Heiko Mantel,et al.  Static Confidentiality Enforcement for Distributed Programs , 2002 .

[67]  Geoffrey Smith,et al.  Eliminating covert flows with minimum typings , 1997, Proceedings 10th Computer Security Foundations Workshop.

[68]  Geoffrey Smith,et al.  A new type system for secure information flow , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[69]  Deian Stefan,et al.  Hails: Protecting Data Privacy in Untrusted Web Applications , 2012, OSDI.

[70]  Onur Aciiçmez,et al.  Yet another MicroArchitectural Attack:: exploiting I-Cache , 2007, CSAW '07.

[71]  Peyton Jones,et al.  Haskell 98 language and libraries : the revised report , 2003 .

[72]  Laurent Mauborgne,et al.  Automatic Quantification of Cache Side-Channels , 2012, CAV.

[73]  Simon Peyton Jones,et al.  A monad for deterministic parallelism , 2012 .

[74]  Johan Agat,et al.  Transforming out timing leaks , 2000, POPL '00.

[75]  Dominique Devriese,et al.  Noninterference through Secure Multi-execution , 2010, 2010 IEEE Symposium on Security and Privacy.

[76]  Ben Hardekopf,et al.  Timing- and Termination-Sensitive Secure Information Flow: Exploring a New Approach , 2011, 2011 IEEE Symposium on Security and Privacy.

[77]  Deian Stefan,et al.  Flexible dynamic information flow control in Haskell , 2012, Haskell '11.

[78]  Alejandro Russo,et al.  A Library for Secure Multi-threaded Information Flow in Haskell , 2007, 20th IEEE Computer Security Foundations Symposium (CSF'07).

[79]  Ilaria Castellani,et al.  Noninterference for concurrent programs and thread systems , 2002, Theor. Comput. Sci..

[80]  Andrei Sabelfeld The Impact of Synchronisation on Secure Information Flow in Concurrent Programs , 2001, Ershov Memorial Conference.

[81]  Marieke Huisman,et al.  A temporal logic characterisation of observational determinism , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[82]  Deian Stefan,et al.  Eliminating Cache-Based Timing Attacks with Instruction-Based Scheduling , 2013, ESORICS.

[83]  Tachio Terauchi,et al.  A Type System for Observational Determinism , 2008, 2008 21st IEEE Computer Security Foundations Symposium.

[84]  Michael Walfish,et al.  World Wide Web Without Walls , 2007, HotNets.

[85]  John Hughes,et al.  Generalising monads to arrows , 2000, Sci. Comput. Program..

[86]  Peng Li,et al.  Arrows for secure information flow , 2010, Theor. Comput. Sci..

[87]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[88]  Daniel R. Licata,et al.  Security-typed programming within dependently typed programming , 2010, ICFP '10.

[89]  Timothy Bourke,et al.  seL4: From General Purpose to a Proof of Information Flow Enforcement , 2013, 2013 IEEE Symposium on Security and Privacy.

[90]  Howard M. Heys,et al.  A Timing Attack on RC5 , 1998, Selected Areas in Cryptography.

[91]  Claudia Eckert,et al.  Using Hardware Performance Events for Instruction-Level Monitoring on the x86 Architecture , 2012 .

[92]  Sally A. McKee,et al.  Can hardware performance counters be trusted? , 2008, 2008 IEEE International Symposium on Workload Characterization.