Abstracting Faceted Execution

Faceted execution is a linguistic paradigm for dynamic information-flow control with the distinguishing feature that program values may be faceted. Such values represent multiple versions or facets at once, for different security labels. This enables policy-agnostic programming: a paradigm permitting expressive privacy policies to be declared, independent of program logic. Although faceted execution prevents information leakage at runtime, it does not guarantee the absence of failure due to policy violations. By contrast with static mechanisms (such as security type systems), dynamic information-flow control permits arbitrarily expressive and dynamic privacy policies but imposes significant runtime overhead and delays discovery of any possible violations. In this paper, we present the two different abstract interpretations for faceted execution in the presence of first-class policies. We first present an abstraction which allows one to reason statically about the shape of facets at each program point. This abstraction is useful for statically proving the absence of runtime errors and eliminating runtime checks related to facets. Reasoning statically about the contents of faceted values, however, is complicated by the presence of first-class security labels, especially because abstract labels may conflate more than one runtime label. To address these issues, we also develop a more precise abstraction that relies on an analysis tracking singleton heap abstractions. We present an implementation of our coarse abstraction in Racket and demonstrate its performance on several sample programs. We conclude by showing how our precise domain can be used to verify information-flow properties.

[1]  Andrew C. Myers,et al.  Protecting privacy using the decentralized label model , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[2]  Armando Solar-Lezama,et al.  Faceted execution of policy-agnostic programs , 2013, PLAS '13.

[3]  Matthew Might,et al.  Abstracting abstract machines , 2010, ICFP '10.

[4]  Roberto Giacobazzi,et al.  Abstract Non-Interference , 2018, ACM Trans. Priv. Secur..

[5]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[6]  Matthew Might,et al.  Introspective pushdown analysis of higher-order programs , 2012, ICFP.

[7]  Olin Shivers,et al.  Control-flow analysis of higher-order languages of taming lambda , 1991 .

[8]  Andrew C. Myers,et al.  Observational determinism for concurrent program security , 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings..

[9]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[10]  Geoffrey Smith,et al.  A Type-Based Approach to Program Security , 1997, TAPSOFT.

[11]  Pedro R. D'Argenio,et al.  Secure information flow by self-composition , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[12]  Kenneth Knowles,et al.  Faceted Dynamic Information Flow via Control and Data Monads , 2016, POST.

[13]  Jean Yang,et al.  Preventing information leaks with policy-agnostic programming , 2015 .

[14]  Andrei Sabelfeld,et al.  Secure Multi-execution: Fine-Grained, Declassification-Aware, and Transparent , 2013, 2013 IEEE 26th Computer Security Foundations Symposium.

[15]  Deian Stefan,et al.  Flexible dynamic information flow control in Haskell , 2012, Haskell '11.

[16]  Flemming Nielson,et al.  Principles of Program Analysis , 1999, Springer Berlin Heidelberg.

[17]  Paul Hudak A semantic model of reference counting and its abstraction (detailed summary) , 1986, LFP '86.

[18]  Olin Shivers,et al.  CFA2: A Context-Free Approach to Control-Flow Analysis , 2010, ESOP.

[19]  David A. Naumann,et al.  Information Flow Monitoring as Abstract Interpretation for Relational Logic , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[20]  Matthew Might Abstract Interpreters for Free , 2010, SAS.

[21]  Bernd Finkbeiner,et al.  Temporal Logics for Hyperproperties , 2013, POST.

[22]  David Sands,et al.  On flow-sensitive security types , 2006, POPL '06.

[23]  Gilles Barthe,et al.  Relational Verification Using Product Programs , 2011, FM.

[24]  Michele Pasqua,et al.  Statically analyzing information flows: an abstract interpretation-based hyperanalysis for non-interference , 2019, SAC.

[25]  Thomas Gilray,et al.  Racets: Faceted Execution in Racket , 2018, EasyChair Preprints.

[26]  Roberto Giacobazzi,et al.  Abstract non-interference: parameterizing non-interference by abstract interpretation , 2004, POPL.

[27]  Armando Solar-Lezama,et al.  A language for automatically enforcing privacy policies , 2012, POPL '12.

[28]  Amr Sabry,et al.  The essence of compiling with continuations , 1993, PLDI '93.

[29]  David A. Naumann,et al.  Calculational Design of Information Flow Monitors , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[30]  Dominique Devriese,et al.  Noninterference through Secure Multi-execution , 2010, 2010 IEEE Symposium on Security and Privacy.

[31]  Ben Hardekopf,et al.  Timing- and Termination-Sensitive Secure Information Flow: Exploring a New Approach , 2011, 2011 IEEE Symposium on Security and Privacy.

[32]  Dominique Devriese,et al.  Reactive non-interference for a browser model , 2011, 2011 5th International Conference on Network and System Security.

[33]  Matthew Might,et al.  Pushdown control-flow analysis for free , 2016, POPL.

[34]  Julien Signoles,et al.  Hypercollecting semantics and its application to static analysis of information flow , 2016, POPL.

[35]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[36]  Thomas H. Austin,et al.  Multiple facets for dynamic information flow , 2012, POPL '12.

[37]  Michele Pasqua,et al.  Verifying Bounded Subset-Closed Hyperproperties , 2018, SAS.

[38]  Matthew Might,et al.  Improving flow analyses via ΓCFA: abstract garbage collection and counting , 2006, ICFP '06.

[39]  Suresh Jagannathan,et al.  Single and loving it: must-alias analysis for higher-order languages , 1998, POPL '98.

[40]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[41]  Ron van der Meyden,et al.  Algorithmic Verification of Noninterference Properties , 2007, VODCA@FOSAD.

[42]  Pedro R. D'Argenio,et al.  Secure information flow by self-composition , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[43]  Patrick Cousot,et al.  Abstract Interpretation Frameworks , 1992, J. Log. Comput..

[44]  James Lee Parker,et al.  LMonad: Information flow control for Haskell web applications , 2014 .

[45]  Alejandro Russo,et al.  Faceted Secure Multi Execution , 2018, CCS.

[46]  Matthew Might,et al.  Allocation characterizes polyvariance: a unified methodology for polyvariant control-flow analysis , 2016, ICFP.

[47]  Michael R. Clarkson,et al.  Hyperproperties , 2008, 2008 21st IEEE Computer Security Foundations Symposium.