Programming Languages for Information Security

Our society's widespread dependence on networked information systems for everything from personal finance to military communications makes it essential to improve the security of software. Standard security mechanisms such as access control and encryption are essential components for protecting information, but they do not provide end-to-end guarantees. Programming-languages research has demonstrated that security concerns can be addressed by using both program analysis and program rewriting as powerful and flexible enforcement mechanisms. This thesis investigates security-typed programming languages , which use static typing to enforce information-flow security policies. These languages allow the programmer to specify confidentiality and integrity constraints on the data used in a program; the compiler verifies that the program satisfies the constraints. Previous theoretical security-typed languages research has focused on simple models of computation and unrealistically idealized security policies. The existing practical security-typed languages have not been proved to guarantee security. This thesis addresses these limitations in several ways. First, it establishes noninterference, a basic information-flow policy, for languages richer than those previously considered. The languages studied here include recursive, higher-order functions, structured state, and concurrency. These results narrow the gap between the theory and the practice of security-typed languages. Next, this thesis considers more practical security policies. Noninterference is often too restrictive for real-world programming. To compensate, a restricted form of declassification is introduced, allowing programmers to specify a richer set of information-flow policies. Previous work on information-flow security also assumed that all computation occurs on equally trusted machines. To overcome this unrealistic premise, additional security constraints for systems distributed among heterogeneously trusted hosts are considered. Finally, this thesis describes Jif/split, a prototype implementation of secure program partitioning, in which a program can automatically be partitioned to run securely on heterogeneously trusted hosts. The resulting communicating subprograms collectively implement the original program, yet the system as a whole satisfies the security requirements without needing a universally trusted machine. The theoretical results developed earlier in the thesis justify Jif/split's run-time enforcement mechanisms.

[1]  Daniel Le Métayer,et al.  Compile-Time Detection of Information Flow in Sequential Programs , 1994, ESORICS.

[2]  David Sands,et al.  Probabilistic noninterference for multi-threaded programs , 2000, Proceedings 13th IEEE Computer Security Foundations Workshop. CSFW-13.

[3]  Frank Tip,et al.  A survey of program slicing techniques , 1994, J. Program. Lang..

[4]  Andrew C. Myers,et al.  Untrusted hosts and confidentiality: secure program partitioning , 2001, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[5]  David Walker,et al.  Typed memory management in a calculus of capabilities , 1999, POPL '99.

[6]  Daryl McCullough,et al.  Noninterference and the composability of security properties , 1988, Proceedings. 1988 IEEE Symposium on Security and Privacy.

[7]  David Wagner,et al.  Static analysis and computer security: new techniques for software assurance , 2000 .

[8]  Sylvain Conchon,et al.  Information flow inference for free , 2000, ICFP '00.

[9]  François Pottier A simple view of type-secure information flow in the /spl pi/-calculus , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[10]  F. Schneider Trust in Cyberspace , 1998 .

[11]  Christopher Strachey,et al.  Fundamental Concepts in Programming Languages , 2000, High. Order Symb. Comput..

[12]  Samson Abramsky,et al.  Computational Interpretations of Linear Logic , 1993, Theor. Comput. Sci..

[13]  James Riely,et al.  Information Flow vs. Resource Access in the Asynchronous Pi-Calculus , 2000, ICALP.

[14]  Úlfar Erlingsson,et al.  SASI enforcement of security policies: a retrospective , 1999, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[15]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[16]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[17]  Geoffrey Smith,et al.  Secure information flow in a multi-threaded imperative language , 1998, POPL '98.

[18]  Jan Vitek,et al.  Secure composition of untrusted code: wrappers and causality types , 2000, Proceedings 13th IEEE Computer Security Foundations Workshop. CSFW-13.

[19]  John C. Reynolds,et al.  Types, Abstractions, and Parametric Polymorphism, Part 2 , 1991, MFPS.

[20]  Frank Pfenning,et al.  Properties of Terms in Continuation-Passing Style in an Ordered Logical Framework , 2000 .

[21]  A. W. Roscoe,et al.  What is intransitive noninterference? , 1999, Proceedings of the 12th IEEE Computer Security Foundations Workshop.

[22]  David Binkley,et al.  Unravel:: a case tool to assist evaluation of high integrity software , 1995 .

[23]  Michael J. Fischer Lambda calculus schemata , 1972 .

[24]  Jon G. Riecke,et al.  The SLam calculus: programming with secrecy and integrity , 1998, POPL '98.

[25]  Dan S. Wallach,et al.  Understanding Java stack inspection , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[26]  James Riely,et al.  Trust and partial typing in open systems of mobile agents , 1999, POPL '99.

[27]  Nobuko Yoshida,et al.  Secure Information Flow as Typed Process Behaviour , 2000, ESOP.

[28]  Andrew W. Appel,et al.  Compiling with Continuations , 1991 .

[29]  John C. Reynolds,et al.  Towards a theory of type structure , 1974, Symposium on Programming.

[30]  Butler W. Lampson,et al.  A note on the confinement problem , 1973, CACM.

[31]  David E. Evans,et al.  Flexible policy-directed code safety , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[32]  F. Vaandrager Forward and Backward Simulations Part I : Untimed Systems , 1993 .

[33]  Steven S. Muchnick,et al.  Advanced Compiler Design and Implementation , 1997 .

[34]  Dan Grossman,et al.  TALx86: A Realistic Typed Assembly Language∗ , 1999 .

[35]  Andrew C. Myers,et al.  Secure program partitioning , 2002, TOCS.

[36]  Andrew C. Myers,et al.  Robust declassification , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[37]  John McLean,et al.  Reasoning About Security Models , 1987, 1987 IEEE Symposium on Security and Privacy.

[38]  Cédric Fournet,et al.  The reflexive CHAM and the join-calculus , 1996, POPL '96.

[39]  Cédric Fournet,et al.  The Join Calculus: A Language for Distributed Mobile Programming , 2000, APPSEM.

[40]  Andrew C. Myers,et al.  Confidentiality and Integrity with Untrusted Hosts , 2000 .

[41]  Martín Abadi,et al.  Object Types against Races , 1999, CONCUR.

[42]  G M Bierman,et al.  A Classical Linear lambda-Calculus , 1999, Theor. Comput. Sci..

[43]  José Meseguer,et al.  Unwinding and Inference Control , 1984, 1984 IEEE Symposium on Security and Privacy.

[44]  Matthias Felleisen,et al.  A Syntactic Approach to Type Soundness , 1994, Inf. Comput..

[45]  Kan Zhang,et al.  A theory for system security , 1997, Proceedings 10th Computer Security Foundations Workshop.

[46]  Robin Milner,et al.  A Calculus of Mobile Processes, II , 1992, Inf. Comput..

[47]  Martín Abadi,et al.  Types for Safe Locking , 1999, ESOP.

[48]  Geoffrey L. Burn,et al.  Continuation Passing Transformation and Abstract Interpretation , 1993, Theory and Formal Methods.

[49]  Sylvan Pinsky,et al.  Absorbing covers and intransitive non-interference , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.

[50]  John C. Mitchell,et al.  Foundations for programming languages , 1996, Foundation of computing series.

[51]  Martín Abadi,et al.  A PER model of polymorphism and recursive types , 1990, [1990] Proceedings. Fifth Annual IEEE Symposium on Logic in Computer Science.

[52]  John McLean,et al.  A General Theory of Composition for a Class of "Possibilistic'' Properties , 1996, IEEE Trans. Software Eng..

[53]  Fred B. Schneider,et al.  A Language-Based Approach to Security , 2001, Informatics.

[54]  Martín Abadi,et al.  A calculus for cryptographic protocols: the spi calculus , 1997, CCS '97.

[55]  Andrew S. Tanenbaum,et al.  A Comparison of Two Distributed Systems: Amoeba and Sprite , 1991, Comput. Syst..

[56]  William R. Bevier,et al.  Connection policies and controlled interference , 1995, Proceedings The Eighth IEEE Computer Security Foundations Workshop.

[57]  Martin C. Rinard,et al.  Pointer analysis for multithreaded programs , 1999, PLDI '99.

[58]  John McLean,et al.  Security models and information flow , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[59]  François Pottier,et al.  Information flow inference for ML , 2003, TOPL.

[60]  Fred B. Schneider On Concurrent Programming , 1997, Graduate Texts in Computer Science.

[61]  Robin Milner,et al.  Communication and concurrency , 1989, PHI Series in computer science.

[62]  D. Elliott Bell,et al.  Secure Computer System: Unified Exposition and Multics Interpretation , 1976 .

[63]  Geoffrey Smith,et al.  Verifying secrets and relative secrecy , 2000, POPL '00.

[64]  Matthew Hennessy,et al.  The Security Picalculus and Non-interference (Extended Abstract) , 2003, MFPS.

[65]  Amr Sabry,et al.  Is continuation-passing useful for data flow analysis? , 1994, PLDI '94.

[66]  Paul F. Syverson,et al.  A logical approach to multilevel security of probabilistic systems , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[67]  Roberto Gorrieri,et al.  The Compositional Security Checker: A Tool for the Verification of Information Flow Security Properties , 1997, IEEE Trans. Software Eng..

[68]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[69]  Cédric Fournet,et al.  Stack inspection: Theory and variants , 2003, TOPL.

[70]  Elisa Bertino,et al.  Providing flexibility in information flow control for object oriented systems , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[71]  Fred B. Schneider,et al.  Enforceable security policies , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[72]  Amr Sabry,et al.  The essence of compiling with continuations , 1993, PLDI '93.

[73]  A. W. Roscoe CSP and determinism in security modelling , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.

[74]  Philip Wadler,et al.  Operational Interpretations of Linear Logic , 1999, Theor. Comput. Sci..

[75]  Andrew C. Myers,et al.  Complete, safe information flow with decentralized labels , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[76]  Heiko Mantel,et al.  Possibilistic definitions of security-an assembly kit , 2000, Proceedings 13th IEEE Computer Security Foundations Workshop. CSFW-13.

[77]  David Walker,et al.  A type system for expressive security policies , 2000, POPL '00.

[78]  Stephen N. Freund,et al.  Type-based race detection for Java , 2000, PLDI '00.

[79]  Karl N. Levitt,et al.  Property-based testing of privileged programs , 1994, Tenth Annual Computer Security Applications Conference.

[80]  James H. Morris,et al.  Lambda-calculus models of programming languages. , 1969 .

[81]  Guy L. Steele,et al.  The Java Language Specification , 1996 .

[82]  Andrew C. Myers,et al.  Jif: java information flow , 1999 .

[83]  John McLean,et al.  A general theory of composition for trace sets closed under selective interleaving functions , 1994, Proceedings of 1994 IEEE Computer Society Symposium on Research in Security and Privacy.

[84]  Jr. Guy L. Steele,et al.  Rabbit: A Compiler for Scheme , 1978 .

[85]  Richard Philip Reitman,et al.  Information Flow in Parallel Programs: An Axiomatic Approach , 1978 .

[86]  Glynn Winskel,et al.  Domain Theoretic Models of Polymorphism , 1989, Inf. Comput..

[87]  F. Nielson A Denotational Framework for Data Flow Analysis , 1981 .

[88]  Fred B. Schneider,et al.  Towards Fault-Tolerant and Secure On-Line Services , 2001 .

[89]  Nobuko Yoshida,et al.  A uniform type structure for secure information flow , 2002, POPL '02.

[90]  John C. Reynolds,et al.  Definitional Interpreters for Higher-Order Programming Languages , 1972, ACM '72.

[91]  Andrei Sabelfeld The Impact of Synchronisation on Secure Information Flow in Concurrent Programs , 2001, Ershov Memorial Conference.

[92]  John C. Reynolds,et al.  Syntactic control of interference , 1978, POPL.

[93]  Jens Palsberg,et al.  Trust in the λ-calculus , 1995, Journal of Functional Programming.

[94]  Henk Barendregt,et al.  The Lambda Calculus: Its Syntax and Semantics , 1985 .

[95]  Peter W. O'Hearn,et al.  Linearly Used Continuations , 2000 .

[96]  Andrew P. Black,et al.  Fine-grained mobility in the Emerald system , 1987, TOCS.

[97]  J. Todd Wittbold,et al.  Information flow in nondeterministic systems , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[98]  J. Riecke,et al.  SHOULD A FUNCTION CONTINUE , 1989 .

[99]  David Sands,et al.  A Per Model of Secure Information Flow in Sequential Programs , 1999, High. Order Symb. Comput..

[100]  David Walker,et al.  From System F to Typed Assembly Language (Extended Version) , 1997 .

[101]  Matthew Hennessy,et al.  Bisimulation congruences in safe ambients , 2002, POPL '02.

[102]  Johan Agat,et al.  Transforming out timing leaks , 2000, POPL '00.

[103]  Olivier Danvy,et al.  Representing Control: a Study of the CPS Transformation , 1992, Mathematical Structures in Computer Science.

[104]  John C. Reynolds,et al.  Types, Abstraction and Parametric Polymorphism , 1983, IFIP Congress.

[105]  Jeffrey D. Ullman,et al.  Protection in operating systems , 1976, CACM.

[106]  Dorothy E. Denning,et al.  Cryptography and Data Security , 1982 .

[107]  Lawrence Robinson,et al.  Proving multilevel security of a system design , 1977, SOSP '77.

[108]  K. J. Bma Integrity considerations for secure computer systems , 1977 .

[109]  Jakob Rehof,et al.  Tractable Constraints in Finite Semilattices , 1999, Sci. Comput. Program..

[110]  Andrew C. Myers,et al.  Secure Information Flow via Linear Continuations , 2002, High. Order Symb. Comput..

[111]  Laurie J. Hendren,et al.  Context-sensitive interprocedural points-to analysis in the presence of function pointers , 1994, PLDI '94.

[112]  James A. Reeds,et al.  Multilevel security in the UNIX tradition , 1992, Softw. Pract. Exp..

[113]  Heiko Mantel,et al.  A generic approach to the security of multi-threaded programs , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[114]  Davide Sangiorgi,et al.  Behavioral equivalence in the polymorphic pi-calculus , 2000, JACM.

[115]  Peter J. Denning,et al.  Certification of programs for secure information flow , 1977, CACM.

[116]  Philip Wadler,et al.  A Taste of Linear Logic , 1993, MFCS.

[117]  Andrew C. Myers,et al.  Mostly-static decentralized information flow control , 1999 .

[118]  Daryl McCullough,et al.  Specifications for Multi-Level Security and a Hook-Up , 1987, 1987 IEEE Symposium on Security and Privacy.

[119]  Oded Goldreich,et al.  A randomized protocol for signing contracts , 1985, CACM.

[120]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[121]  David A. Wagner,et al.  This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. Detecting Format String Vulnerabilities with Type Qualifiers , 2001 .

[122]  Gregory R. Andrews,et al.  An Axiomatic Approach to Information Flow in Programs , 1980, TOPL.

[123]  Anindya Banerjee,et al.  Secure information flow and pointer con .nement in a java-like language , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[124]  Fred B. Schneider,et al.  COCA: a secure distributed online certification authority , 2002 .

[125]  Alain Deutsch,et al.  Interprocedural may-alias analysis for pointers: beyond k-limiting , 1994, PLDI '94.

[126]  E. Stewart Lee,et al.  A general theory of security properties , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[127]  Philip Wadler,et al.  Linear Types can Change the World! , 1990, Programming Concepts and Methods.

[128]  David Evans,et al.  Statically Detecting Likely Buffer Overflow Vulnerabilities , 2001, USENIX Security Symposium.

[129]  Olivier Danvy,et al.  Syntactic Accidents in Program Analysis: On the Impact of the CPS Transformation , 2000 .

[130]  Mark Lillibridge,et al.  Explicit polymorphism and CPS conversion , 1993, POPL '93.

[131]  Ivan Damgård,et al.  On the (Im)possibility of Basing Oblivious Transfer and Bit Commitment on Weakened Security Assumptions , 1998, EUROCRYPT.

[132]  Heiko Mantel,et al.  Static Confidentiality Enforcement for Distributed Programs , 2002 .

[133]  Geoffrey Smith,et al.  Eliminating covert flows with minimum typings , 1997, Proceedings 10th Computer Security Foundations Workshop.

[134]  Andrew C. Myers,et al.  Protecting privacy using the decentralized label model , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[135]  염흥렬,et al.  [서평]「Applied Cryptography」 , 1997 .

[136]  David Walker,et al.  Alias Types for Recursive Data Structures , 2000, Types in Compilation.

[137]  Andrzej Filinski Linear continuations , 1992, POPL '92.

[138]  Ilaria Castellani,et al.  Noninterference for concurrent programs and thread systems , 2002, Theor. Comput. Sci..

[139]  Andrew C. Myers,et al.  Secure Information Flow and CPS , 2001, ESOP.

[140]  James W. Gray,et al.  Probabilistic interference , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[141]  Tatu Ylonen,et al.  SSH: secure login connections over the internet , 1996 .

[142]  Peter J. Denning,et al.  Protection: principles and practice , 1972, AFIPS '72 (Spring).

[143]  Dorothy E. Denning,et al.  Secure information flow in computer systems. , 1975 .

[144]  Gordon D. Plotkin,et al.  Call-by-Name, Call-by-Value and the lambda-Calculus , 1975, Theor. Comput. Sci..

[145]  James W. Gray,et al.  Toward a mathematical foundation for information flow security , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[146]  Geoffrey Smith,et al.  A new type system for secure information flow , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[147]  Martín Abadi,et al.  A core calculus of dependency , 1999, POPL '99.

[148]  David Chaum,et al.  Multiparty unconditionally secure protocols , 1988, STOC '88.

[149]  B. Clifford Neuman,et al.  Kerberos: An Authentication Service for Open Network Systems , 1988, USENIX Winter.

[150]  Gordon D. Plotkin,et al.  An Ideal Model for Recursive Polymorphic Types , 1986, Inf. Control..

[151]  Richard J. Feiertag A Technique for Proving Specifications are Multilevel Secure , 1980 .