achieving information flow security through precise control of effects bill harrison department of...
Post on 21-Dec-2015
213 views
TRANSCRIPT
Achieving Information Flow Security Through Precise Control of Effects
Bill HarrisonDepartment of Computer
ScienceUniversity of Missouri at
Columbia
Ph.D 2001, UIUC Thesis: Modular Compilers and Their
Correctness Proofs Thesis Advisor: Sam Kamin
Post-doc, Oregon Graduate Inst. (OGI) Three years on Programatica Project
using Haskell language as basis for formal methods
Assistant Professor, University of Missouri-Columbia since Fall 2003
Separation Kernel Approach [Rushby82,81,…]
• Relies on taming effects via state partitioning AND controlling interactions through trusted kernel services• Today: Outline development of separation kernel & its security verification based on well-understood properties of monads• To appear: Proceedings of the IEEE Computer Security Foundations Workshop (CSFW05). Paper at www.cs.missouri.edu/~harrison
Kernel
“system resources”
Lo “domain”
Lo state
Hi “domain”
Hi state
mediating services
mediating services
Domain Separation by Construction
Our approach unifies “security by design” with formal trace-based security models [Rushby82,81; GoguenMeseguer81]
Reasoning about systems in familiar algebraic style Implemented directly in higher-order functional languages
Promise of the approach: Scalability/Modularity of systems & their verifications through monads
Monads provide an algebraic theory of programming useful in formal specification & verification
Verification promoted via “by construction” properties of monads
System development through refinement to underlying monads
Cost of re-verification of a refined system can be minimal
Outline
Background Language-based Security
Precise Control of Effects from Monads
Constructing Separation Kernels Verifying Separation Kernels Conclusions and Future Work
Language Based Security
Idea: Apply techniques and structures from programming language research to the computer security
Sabelfeld & Meyer’s “Language-based Information Flow Security” is an excellent survey article
Proscriptive: These frequently are sophisticated type systems or logics to reject programs with security flaws [Heintze 1998; Smith/Volpano 1998; Palsberg, 1997; Crary2004]
Constructive: Our approach relies on properties of monads & monad transformers to build, verify, and extend secure software systems
An Example: Security via Type-checking
From λsec (Li & Zdancewic, POPL2005):
e1 e2 : intH
e1 : intl e2 : intl
e1 e2 : intL
e1 : intL e2 : intL
“Reading up is permitted”
“Low computations consider low”
(l {L,H})
Refinements to Monads
Enhanced Capabilities
reactivity
separation
basicseparation
interdomaincommunication
shared-state concurrency
0
1
2
3
4
message passing
forking
The constructive approach
semaphores
System enhancements have minimal impact on re-verification
intradomain behaviors
Monads are ADTs for computational paradigms
Monad captures a distinct notion of computation as an algebra …defines a programming language with (at
least) sequencing “;” and skip features plus operators particular to its paradigm
paradigm = shared state concurrency for separation kernel
What makes monads useful are their other features called “non-proper morphisms” in monad-
speak their behavior is specified with equational
axioms new features added by monad transformers
Monads, formally and informally
c ; skip = c(c0 ; c1) ; c2 = c0 ; (c1 ; c2)
skip ; c = c
Monad M is a type constructor (functor) with extra structure, η and , obeying the “monad laws”
A monad defines a prog. language with (at least) sequencing “;” and skip plus operators special to its computational paradigm
Monad transformers are constructors for monads
Lo state
Concurrency
Reactivity
Hi state
• monad defines a programming language• each application of a monad transformer introduces new features
• monads constructed in “layers”
Intuition
:=||
:=
send receive
Periodic Table of Effects
StateTimperative
:=
EnvTbinding @ v
ErrorTexceptionsraise/catch
ContTcontinuationscallcc
NondetTnon-determ.choose
ResTthreads
step pause
DebugTdebuggingrollback
BackTbacktracking
cut
IoTinput/outputprintf
ReactTreactivity
send,recv,…
Moggi: Prog Langs are collections of effects captured as monads Monads assembled from constructors (monad transformers)
Our view Systems are collections of effects captured as monads “Systems” broadly construed
“Properties for free”
Lo state
Hi state
Cancellation
Atomic Non-interference
x:=e ; y:=e’ = y:=e’ ; x:=e
For all Hi and Lo assignments, x:=e & y:=e’,
x:=e ; maskHi = maskHi
read(d) ; x:=e
read(d) ; y:=e’
“Clobber”
A key meta-property is that these properties are preserved by monad transformers
= Two StateT Hi (StateT Lo M) for any monad M
*Theorems 1-3 of the CSFW paper.
Concurrency based on the resumption monad
x1:=e1 x2:=e2 x3:=e3…
…defines a precise notion of “thread”:
an “atom”
:: ::
“Security-conscious” Concurrency Paradigm
x1:=e1 x2:=e2 x3:=e3 …
y1:=f1 y2:=f2 y3:=f3…
x1:=e1 x2:=e2…y1:=f1
“Hi” security threads
“Lo” security threads
System executions
:: ::
:: ::
:: ::
Specifying Non-interference Properties in a Monadic Setting
Ex: Generalized Non-interference [GoguenMeseguer]
“Changes in high-security inputs only result in changes to high-security outputs”
x1:=e1 x2:=e2y1:=f1 maskHi; ;; y1:=f1maskHi;=
= Hi security actions
= Lo security actions
Take Separation: Hi effects must cancel
Monadic theory of effects supports simple verification
x1:=e1 x2:=e2y1:=f1 maskHi; ;;
y1:=f1maskHi;= x1:=e1
;
y1:=f1maskHi;= x1:=e1
;
y1:=f1maskHi= ;
y1:=f1maskHi= ;
Each interaction rule used above comes for free “by construction” of the monad!
To build a Separation Kernel, just construct the right monad!
Lo state
Concurrency
Reactivity Hi state
Kernel
“system resources”
Lo “domain”
Lo state
Hi “domain”
Hi state
mediating services
mediating services
Monad for shared-state concurrency with separation:
Kernel Structure
For a resumption monad R
waiting list, semaphores, message
channels,…
requests by user thread to access
kernel-level structures
• sched and handler are mutually recursive functions• compact: process forking, preemption, synchronization, message passing in less than 50 lines of Haskell 98 code!• reasoning resembles well-understood stream-based reasoning.• See “Cheap (But Functional) Threads” for further details:
www.cs.missouri.edu/~harrison/drafts/CheapThreads.pdf
“No Write Down” Policy Enforced By Kernel
handler sys ( )send Lo v ; … handler sys ( )skip ; …=
Theorem 4 (No write down) An attempt to “write down” has no effect.
Hi security thread
Refinements to Monad Transformers
Enhanced Capabilities
reactivity
separation
basicseparation
interdomaincommunication
shared-state concurrency
0
1
2
3
4
message passing
forking
Underlying architecture is very flexible…
semaphores
• OS behaviors are easily expressed• System enhancements = Refinements to MTs• Tend to have minimal impact on re-verification
* see “Cheap (But Functional) Threads” for more details
System Models are Executable
brc = x := 100 ; loop(x := x+1 ; broadcast x)
rcv = loop (receive x)
Increment & broadcast
Receive & receive
The monadic constructions can be readily represented in any functional language • allowing system models to be type-checked & tested• Haskell implementations at www.cs.missouri.edu/~harrison/CSFW05
Ex:
Future Work: Underlying architecture applies to all manner of concurrent applications
handler sys ( )GET urlHI ; handler sys ( ) (page-contents)=
handler sys ( )GET urlHi ; handler sys ( )= skip ;
An HTTP web server with a verified separation property:
• garbage collectors, • network drivers, • device drivers, • virtual machines, • the IO monad
Other possibilities include
A Constructive Approach to Controlling Information Flow
Illustrates the utility of viewing systems as collections of interacting effects
Our approach is constructive relies on properties of monads & monad
transformers to build, verify, and extend secure software systems
Many useful properties are given by construction of the monads themselves …and are preserved by monad transformers …thereby aiding system refinements