Achieving Information Flow Security Through Precise Control of Effects

Bill HarrisonDepartment of Computer

ScienceUniversity of Missouri at

Columbia

Ph.D 2001, UIUC Thesis: Modular Compilers and Their

Correctness Proofs Thesis Advisor: Sam Kamin

Post-doc, Oregon Graduate Inst. (OGI) Three years on Programatica Project

using Haskell language as basis for formal methods

Assistant Professor, University of Missouri-Columbia since Fall 2003

Separation Kernel Approach [Rushby82,81,…]

• Relies on taming effects via state partitioning AND controlling interactions through trusted kernel services• Today: Outline development of separation kernel & its security verification based on well-understood properties of monads• To appear: Proceedings of the IEEE Computer Security Foundations Workshop (CSFW05). Paper at www.cs.missouri.edu/~harrison

Kernel

“system resources”

Lo “domain”

Lo state

Hi “domain”

Hi state

mediating services

mediating services

Domain Separation by Construction

Our approach unifies “security by design” with formal trace-based security models [Rushby82,81; GoguenMeseguer81]

Reasoning about systems in familiar algebraic style Implemented directly in higher-order functional languages

Promise of the approach: Scalability/Modularity of systems & their verifications through monads

Monads provide an algebraic theory of programming useful in formal specification & verification

Verification promoted via “by construction” properties of monads

System development through refinement to underlying monads

Cost of re-verification of a refined system can be minimal

Outline

Background Language-based Security

Precise Control of Effects from Monads

Constructing Separation Kernels Verifying Separation Kernels Conclusions and Future Work

Language Based Security

Idea: Apply techniques and structures from programming language research to the computer security

Sabelfeld & Meyer’s “Language-based Information Flow Security” is an excellent survey article

Proscriptive: These frequently are sophisticated type systems or logics to reject programs with security flaws [Heintze 1998; Smith/Volpano 1998; Palsberg, 1997; Crary2004]

Constructive: Our approach relies on properties of monads & monad transformers to build, verify, and extend secure software systems

An Example: Security via Type-checking

From λsec (Li & Zdancewic, POPL2005):

e1 e2 : intH

e1 : intl e2 : intl

e1 e2 : intL

e1 : intL e2 : intL

“Reading up is permitted”

“Low computations consider low”

(l {L,H})

Refinements to Monads

Enhanced Capabilities

reactivity

separation

basicseparation

interdomaincommunication

shared-state concurrency

0

1

2

3

4

message passing

forking

The constructive approach

semaphores

System enhancements have minimal impact on re-verification

intradomain behaviors

Monads are ADTs for computational paradigms

Monad captures a distinct notion of computation as an algebra …defines a programming language with (at

least) sequencing “;” and skip features plus operators particular to its paradigm

paradigm = shared state concurrency for separation kernel

What makes monads useful are their other features called “non-proper morphisms” in monad-

speak their behavior is specified with equational

axioms new features added by monad transformers

Monads, formally and informally

c ; skip = c(c0 ; c1) ; c2 = c0 ; (c1 ; c2)

skip ; c = c

Monad M is a type constructor (functor) with extra structure, η and , obeying the “monad laws”

A monad defines a prog. language with (at least) sequencing “;” and skip plus operators special to its computational paradigm

State monad

Behavioral Propertiesfor any f, f' : Sto Sto,

mask = u (λ_.σ0)

Two State Monad

Two sets of stateful effects

…for Hi and Lo effects commute

Monad transformers are constructors for monads

Lo state

Concurrency

Reactivity

Hi state

• monad defines a programming language• each application of a monad transformer introduces new features

• monads constructed in “layers”

Intuition

:=||

:=

send receive

Periodic Table of Effects

StateTimperative

:=

EnvTbinding @ v

ErrorTexceptionsraise/catch

ContTcontinuationscallcc

NondetTnon-determ.choose

ResTthreads

step pause

DebugTdebuggingrollback

BackTbacktracking

cut

IoTinput/outputprintf

ReactTreactivity

send,recv,…

Moggi: Prog Langs are collections of effects captured as monads Monads assembled from constructors (monad transformers)

Our view Systems are collections of effects captured as monads “Systems” broadly construed

“Properties for free”

Lo state

Hi state

Cancellation

Atomic Non-interference

x:=e ; y:=e’ = y:=e’ ; x:=e

For all Hi and Lo assignments, x:=e & y:=e’,

x:=e ; maskHi = maskHi

read(d) ; x:=e

read(d) ; y:=e’

“Clobber”

A key meta-property is that these properties are preserved by monad transformers

= Two StateT Hi (StateT Lo M) for any monad M

*Theorems 1-3 of the CSFW paper.

Concurrency based on the resumption monad

x1:=e1 x2:=e2 x3:=e3…

…defines a precise notion of “thread”:

an “atom”

:: ::

“Security-conscious” Concurrency Paradigm

x1:=e1 x2:=e2 x3:=e3 …

y1:=f1 y2:=f2 y3:=f3…

x1:=e1 x2:=e2…y1:=f1

“Hi” security threads

“Lo” security threads

System executions

:: ::

:: ::

:: ::

Specifying Non-interference Properties in a Monadic Setting

Ex: Generalized Non-interference [GoguenMeseguer]

“Changes in high-security inputs only result in changes to high-security outputs”

x1:=e1 x2:=e2y1:=f1 maskHi; ;; y1:=f1maskHi;=

= Hi security actions

= Lo security actions

Take Separation: Hi effects must cancel

Monadic theory of effects supports simple verification

x1:=e1 x2:=e2y1:=f1 maskHi; ;;

y1:=f1maskHi;= x1:=e1

;

y1:=f1maskHi;= x1:=e1

;

y1:=f1maskHi= ;

y1:=f1maskHi= ;

Each interaction rule used above comes for free “by construction” of the monad!

To build a Separation Kernel, just construct the right monad!

Lo state

Concurrency

Reactivity Hi state

Kernel

“system resources”

Lo “domain”

Lo state

Hi “domain”

Hi state

mediating services

mediating services

Monad for shared-state concurrency with separation:

Kernel Structure

For a resumption monad R

waiting list, semaphores, message

channels,…

requests by user thread to access

kernel-level structures

• sched and handler are mutually recursive functions• compact: process forking, preemption, synchronization, message passing in less than 50 lines of Haskell 98 code!• reasoning resembles well-understood stream-based reasoning.• See “Cheap (But Functional) Threads” for further details:

www.cs.missouri.edu/~harrison/drafts/CheapThreads.pdf

“No Write Down” Policy Enforced By Kernel

handler sys ( )send Lo v ; … handler sys ( )skip ; …=

Theorem 4 (No write down) An attempt to “write down” has no effect.

Hi security thread

Refinements to Monad Transformers

Enhanced Capabilities

reactivity

separation

basicseparation

interdomaincommunication

shared-state concurrency

0

1

2

3

4

message passing

forking

Underlying architecture is very flexible…

semaphores

• OS behaviors are easily expressed• System enhancements = Refinements to MTs• Tend to have minimal impact on re-verification

* see “Cheap (But Functional) Threads” for more details

System Models are Executable

brc = x := 100 ; loop(x := x+1 ; broadcast x)

rcv = loop (receive x)

Increment & broadcast

Receive & receive

The monadic constructions can be readily represented in any functional language • allowing system models to be type-checked & tested• Haskell implementations at www.cs.missouri.edu/~harrison/CSFW05

Ex:

Future Work: Underlying architecture applies to all manner of concurrent applications

handler sys ( )GET urlHI ; handler sys ( ) (page-contents)=

handler sys ( )GET urlHi ; handler sys ( )= skip ;

An HTTP web server with a verified separation property:

• garbage collectors, • network drivers, • device drivers, • virtual machines, • the IO monad

Other possibilities include

A Constructive Approach to Controlling Information Flow

Illustrates the utility of viewing systems as collections of interacting effects

Our approach is constructive relies on properties of monads & monad

transformers to build, verify, and extend secure software systems

Many useful properties are given by construction of the monads themselves …and are preserved by monad transformers …thereby aiding system refinements

Thank You!