Observational determinism for concurrent program security

Noninterference is a property of sequential programs that is useful for expressing security policies for data confidentiality and integrity. However, extending noninterference to concurrent programs has proved problematic. In this paper we present a relatively expressive secure concurrent calculus that provides first-class channels, higher-order functions, and an unbounded number of threads. Well-typed programs obey a generalization of noninterference that ensures immunity to internal timing attacks and to attacks that exploit information about the thread scheduler. Elimination of these refinement attacks is possible because the enforced security property extends noninterference with observational determinism. Although the security property is strong, it also avoids some of the restrictiveness imposed on previous security-typed concurrent languages.
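As an added illustration (constructed for this page, not the paper's calculus or its type system), the following Python simulation runs a two-thread program under every interleaving and compares the two properties the abstract contrasts: possibilistic noninterference, which the `leaky` program passes, and observational determinism, which rejects it because a round-robin refinement of the scheduler makes the final low value track the secret. The step encoding, the `leaky` and `safe` programs, and the stutter-collapsed per-location low traces are all assumptions made here.

```python
skip = lambda store: None  # a step that does nothing (burns a scheduler slot)

def assign(var, value):
    return lambda store: store.__setitem__(var, value)

def schedules(lengths):
    """Every interleaving of thread steps that preserves each thread's order."""
    if not any(lengths):
        yield ()
    for i, n in enumerate(lengths):
        if n:
            for tail in schedules(lengths[:i] + (n - 1,) + lengths[i + 1:]):
                yield (i,) + tail

def run(threads, schedule, low=("l", "l2")):
    """Execute one schedule; return per-location low traces, stutter-collapsed."""
    store = {v: 0 for v in low}
    traces = {v: (0,) for v in low}
    pcs = [0] * len(threads)
    for t in schedule:
        threads[t][pcs[t]](store)
        pcs[t] += 1
        for v in low:
            if store[v] != traces[v][-1]:
                traces[v] += (store[v],)
    return tuple(sorted(traces.items()))

def observations(program, h):  # all low observations reachable for secret h
    threads = program(h)
    return {run(threads, s) for s in schedules(tuple(len(t) for t in threads))}

def possibilistic_ni(program):  # same set of low behaviours for every secret
    return observations(program, False) == observations(program, True)

def observationally_deterministic(program):  # low behaviour independent of schedule
    return all(len(observations(program, h)) == 1 for h in (False, True))

def round_robin_final(program, h):
    """Refine the scheduler to round-robin and report the final value of l."""
    threads = program(h)
    pcs, store = [0] * len(threads), {"l": 0, "l2": 0}
    while any(pc < len(t) for pc, t in zip(pcs, threads)):
        for i, t in enumerate(threads):
            if pcs[i] < len(t):
                t[pcs[i]](store)
                pcs[i] += 1
    return store["l"]

def leaky(h):  # thread A delays on the secret, then races thread B on the same l
    return [[skip] * (3 if h else 0) + [assign("l", 1)], [skip, assign("l", 0)]]

def safe(h):  # same secret-dependent delay, but the threads write distinct low locations
    return [[skip] * (3 if h else 0) + [assign("l", 1)], [skip, assign("l2", 5)]]
```

Note that `safe` still has secret-dependent timing; observational determinism as modelled here only rules out scheduler-dependent low behaviour, which is exactly the gap between the two checks that the abstract describes.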
