Implicit Flows: Can't Live with 'Em, Can't Live without 'Em

Verifying that programs trusted to enforce security actually do so is a practical concern for programmers and administrators. However, there is a disconnect between the kinds of tools that have been successfully applied to real software systems (such as taint mode in Perl and Ruby), and information-flow compilers that enforce a variant of the stronger security property of noninterference. Tools that have been successfully used to find security violations have focused on explicit flows of information, where high-security information is directly leaked to output. Analysis tools that enforce noninterference also prevent implicit flows of information, where high-security information can be inferred from a program's flow of control. However, these tools have seen little use in practice, despite the stronger guarantees that they provide. To better understand why, this paper experimentally investigates the explicit and implicit flows identified by the standard algorithm for establishing noninterference. When applied to implementations of authentication and cryptographic functions, the standard algorithm discovers many real implicit flows of information, but also reports an extremely high number of false alarms, most of which are due to conservative handling of unchecked exceptions (e.g., null pointer exceptions). After a careful analysis of all sources of true and false alarms, due to both implicit and explicit flows, the paper concludes with some ideas to improve the false alarm rate, toward making stronger security analysis more practical.

[1]  Dan Boneh,et al.  Proceedings of the 11th USENIX Security Symposium , 2002 .

[2]  Benjamin Livshits,et al.  Finding application errors and security flaws using PQL: a program query language , 2005, OOPSLA '05.

[3]  François Pottier,et al.  Information flow inference for ML , 2003, TOPL.

[4]  David A. Wagner,et al.  Large-scale analysis of format string vulnerabilities in Debian Linux , 2007, PLAS '07.

[5]  Somesh Jha,et al.  Effective blame for information-flow violations , 2008, SIGSOFT '08/FSE-16.

[6]  Daniel Bleichenbacher,et al.  Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 , 1998, CRYPTO.

[7]  Alexander Aiken,et al.  Saturn: A scalable framework for error detection using Boolean satisfiability , 2007, TOPL.

[8]  Serge Vaudenay,et al.  Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS , 2002, EUROCRYPT.

[9]  Stephen McCamant,et al.  Quantitative information flow as network flow capacity , 2008, PLDI '08.

[10]  Bruce Christianson,et al.  Reducing the Branch Power Cost in Embedded Processors Through Static Scheduling, Profiling and SuperBlock Formation , 2006, Asia-Pacific Computer Systems Architecture Conference.

[11]  John Black,et al.  Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption , 2002, USENIX Security Symposium.

[12]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[13]  Neil D. Jones,et al.  Program Flow Analysis: Theory and Application , 1981 .

[14]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[15]  David A. Wagner,et al.  This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. Detecting Format String Vulnerabilities with Type Qualifiers , 2001 .

[16]  Greg Nelson,et al.  Extended static checking for Java , 2002, PLDI '02.

[17]  Yunheung Paek,et al.  Advances in Computer Systems Architecture, 12th Asia-Pacific Conference, ACSAC 2007, Seoul, Korea, August 23-25, 2007, Proceedings , 2007, Asia-Pacific Computer Systems Architecture Conference.

[18]  Boniface Hicks,et al.  From Languages to Systems: Understanding Practical Application Development in Security-typed Languages , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[19]  Peter M. Broadwell,et al.  Scrash: A System for Generating Secure Crash Information , 2003, USENIX Security Symposium.

[20]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[21]  William Landi,et al.  Undecidability of static analysis , 1992, LOPL.

[22]  Aggelos Kiayias,et al.  Traitor Tracing with Constant Transmission Rate , 2002, EUROCRYPT.

[23]  Hugo Krawczyk,et al.  Advances in Cryptology - CRYPTO '98 , 1998 .

[24]  Alexander Aiken,et al.  A theory of type qualifiers , 1999, PLDI '99.

[25]  Michael R. Clarkson,et al.  Civitas: Toward a Secure Voting System , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[26]  David A. Wagner,et al.  Finding User/Kernel Pointer Bugs with Type Inference , 2004, USENIX Security Symposium.

[27]  David A. Wagner,et al.  Setuid Demystified , 2002, USENIX Security Symposium.

[28]  Gerhard Goos,et al.  Fast Software Encryption , 2001, Lecture Notes in Computer Science.

[29]  Gary T. Leavens,et al.  Beyond Assertions: Advanced Specification and Verification with JML and ESC/Java2 , 2005, FMCO.

[30]  Trent Jaeger,et al.  Using CQUAL for Static Analysis of Authorization Hook Placement , 2002, USENIX Security Symposium.