CS 711 Fall 2002 Programming Languages Seminar Andrew Myers 2. Noninterference 4 Sept 2002


CS 711 Fall 2002
Programming Languages Seminar
Andrew Myers
2. Noninterference
4 Sept 2002

2

Information Flow
• Security properties based on information flow describe end-to-end behavior of a system
• Access control: “This file is readable only by processes I have granted authority to.”
• Information-flow control: “The information in this file may be released only to appropriate output channels, no matter how much intervening computation manipulates it.”

3

Noninterference
• [Goguen & Meseguer 1982, 1984]
• Low output of a system is unaffected by high input
[Figure: two runs of the system on the same low input L but different high inputs H1 and H2; both runs produce the same low output L]

4

Security properties
• Confidentiality: is information secret? L = public, H = confidential
• Integrity: is information trustworthy? L = trusted, H = untrusted
• Partial order: L ⊑ H, H ⋢ L; information can only flow upward in the order
• Channels: ways for inputs to influence outputs
[Figure: channels from inputs L and H1 to outputs L and H1; the H1-to-L channel is the one noninterference forbids]

5

Formalization
• No agreement on how to formalize in general
• GM84 (simplified): the system is defined by a transition function do : S × E → S and a low output function out : S → O (what the low user can see)
  – S is the set of system states
  – E is the set of events (inputs); each event is either high or low
  – A trace is a sequence of state-event pairs ((s0, e0), (s1, e1), …) where s_{i+1} = do(s_i, e_i)
• Noninterference: for all event histories (e0, …, en) that differ only in high events, out(sn) is the same, where sn is the final state of the corresponding trace
• Alternatively: out(sn) must equal the output obtained by running the purged event history (the history with all high events deleted)

6

Example
[Figure: a state machine with states 2 and 3. From state 2 the low event l moves the system to state 3; the high events h1 and h2 (drawn as self-loops labelled hx) leave each state unchanged]
• Visible output from input sequences (l), (h1, l), (h2, l) is 3
• Visible output from input sequences (), (h1), (h2) is 2
• The low part of the input determines the visible results

7

Limitations
• Doesn’t deal with all transition functions
  – partial (e.g., nontermination)
  – nondeterministic (e.g., concurrency)
  – sequential input/output assumption

8

A generalization
• Key idea: behaviors of the system C should not reveal more information than the low inputs
• Consider applying C to inputs s
• Define:
  – Cs is the result of C applied to s (“do”)
  – s1 =L s2 means inputs s1 and s2 are indistinguishable to the low user (same “purge”)
  – Cs1 ≈L Cs2 means the results are indistinguishable: the low view relation (same “out”)
• Noninterference for C: s1 =L s2 ⇒ Cs1 ≈L Cs2
  “Low observer doesn’t learn anything new”

9

Unwinding condition
• Induction hypothesis for proving noninterference
• Assume C and ≈L are defined using traces
[Figure: the two unwinding conditions as commuting diagrams]
  – High step: if s1 →h s1′ then s1′ =L s1 (a high transition is invisible to the low observer)
  – Low step: if s1 =L s2, s1 →l s1′ and s2 →l s2′, then s1′ =L s2′
• By induction: traces differing only in high steps, starting from equivalent states, preserve equivalence
• =L must be an equivalence relation; transitivity is needed to chain the conditions (from s1′ =L s1 and s1 =L s2 conclude s1′ =L s2)
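The GM84 formalization, the counter example, and the unwinding condition can all be exercised on one tiny system. The following is an added example, not code from the lecture: it encodes the “Example” slide as a visible counter (starting at 2, incremented by the low event l) plus a hidden bit set by the high events h1 and h2 (the hidden bit, the names `do_leaky`, `noninterfering`, `unwinding_holds` and the bounded-depth search are assumptions of this example). It checks GM noninterference by comparing every short history against its purge, and checks the two unwinding conditions on the reachable states, taking s =L s′ to mean out(s) = out(s′).

```python
"""Brute-force check of GM84-style noninterference and of the unwinding
conditions for a small deterministic system.  Added example, not lecture code:
the system is the 'Example' slide (low counter starting at 2, incremented by
the low event l) plus a hidden bit set by the high events h1/h2 (assumed)."""
from itertools import product

LOW, HIGH = "low", "high"
LEVEL = {"l": LOW, "h1": HIGH, "h2": HIGH}   # security level of each event

def do(state, event):
    """Transition function do : S x E -> S; a state is (counter, hidden_bit)."""
    counter, hidden = state
    if event == "l":
        return (counter + 1, hidden)
    if event == "h1":
        return (counter, 1)
    if event == "h2":
        return (counter, 0)
    raise ValueError(event)

def do_leaky(state, event):
    """Insecure variant (assumed): the high event h1 also bumps the visible counter."""
    counter, hidden = state
    return (counter + 1, 1) if event == "h1" else do(state, event)

def out(state):
    """Low output function out : S -> O; the low user sees only the counter."""
    return state[0]

def run(do_fn, s0, history):
    """Final state s_n of the trace ((s0,e0),(s1,e1),...) with s_{i+1} = do(s_i, e_i)."""
    s = s0
    for e in history:
        s = do_fn(s, e)
    return s

def purge(history):
    """Delete the high events from an event history."""
    return tuple(e for e in history if LEVEL[e] == LOW)

def noninterfering(do_fn, out_fn, s0, events, max_len):
    """GM noninterference over every history of length <= max_len: the low
    output must equal the low output of the purged history.
    Returns (True, None) or (False, offending_history)."""
    for n in range(max_len + 1):
        for history in product(events, repeat=n):
            if out_fn(run(do_fn, s0, history)) != out_fn(run(do_fn, s0, purge(history))):
                return False, history
    return True, None

def reachable(do_fn, s0, events, depth):
    """States reachable from s0 in at most `depth` events."""
    seen, frontier = {s0}, {s0}
    for _ in range(depth):
        frontier = {do_fn(s, e) for s in frontier for e in events} - seen
        seen |= frontier
    return seen

def unwinding_holds(do_fn, out_fn, s0, events, depth):
    """Unwinding conditions with s =L s' taken as out(s) == out(s'):
      high step: s --h--> s'                      implies  s' =L s
      low step:  s1 =L s2, s1 --l--> s1', s2 --l--> s2'  implies  s1' =L s2'
    Checked on the states reachable within `depth` events."""
    low_eq = lambda a, b: out_fn(a) == out_fn(b)
    states = reachable(do_fn, s0, events, depth)
    for s in states:
        for e in events:
            if LEVEL[e] == HIGH and not low_eq(s, do_fn(s, e)):
                return False
    for s1, s2 in product(states, repeat=2):
        if not low_eq(s1, s2):
            continue
        for e in events:
            if LEVEL[e] == LOW and not low_eq(do_fn(s1, e), do_fn(s2, e)):
                return False
    return True

if __name__ == "__main__":
    S0, EVENTS = (2, 0), ["l", "h1", "h2"]
    print(noninterfering(do, out, S0, EVENTS, 4))         # (True, None)
    print(noninterfering(do_leaky, out, S0, EVENTS, 4))   # (False, ('h1',))
    print(unwinding_holds(do, out, S0, EVENTS, 4))        # True
    print(unwinding_holds(do_leaky, out, S0, EVENTS, 4))  # False
```

The purge-based check and the unwinding check agree on both systems: in the leaky variant the single history (h1) already changes the counter the low user sees, which is exactly the high-step unwinding condition failing at the initial state. The bounded search is sound only up to the chosen depth; the unwinding conditions are what give an unbounded proof once every reachable state has been covered.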

10

Example
• “System” is a program with a memory:
  if h1 then h2 := 0 else h2 := 1; l := 1
• State s = ⟨c, m⟩ (current command, memory); ⟨c1, m1⟩ =L ⟨c2, m2⟩ if they are identical after:
  – erasing high terms from ci
  – erasing high memory locations from mi
• Choice of =L controls what the low observer can see at a moment in time
• Current command c is included in the state to allow proof by induction

11

Example
Two runs that differ only in h1, step by step; the two configurations in each row are =L:

  ⟨if h1 then h2 := 0 else h2 := 1; l := 1, {h1↦0, h2↦1, l↦0}⟩   =L   ⟨if h1 then h2 := 0 else h2 := 1; l := 1, {h1↦1, h2↦1, l↦0}⟩
  ⟨h2 := 1; l := 1, {h1↦0, h2↦1, l↦0}⟩                           =L   ⟨h2 := 0; l := 1, {h1↦1, h2↦1, l↦0}⟩
  ⟨l := 1, {h1↦0, h2↦1, l↦0}⟩                                    =L   ⟨l := 1, {h1↦1, h2↦0, l↦0}⟩
  {h1↦0, h2↦1, l↦1}                                               =L   {h1↦1, h2↦0, l↦1}

12

Nontermination
Is this program secure?
  while h > 0 do h := h + 1; l := 1
  {h↦0, l↦0} →* {h↦0, l↦1}
  {h↦1, l↦0} →* {h↦i, l↦0}   (i > 0; the loop never exits)
• Low observer learns the value of h by observing nontermination versus the change to l
• But… we might want to ignore this channel to make analysis feasible
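The difference between ignoring and counting the termination channel can be made concrete with a small interpreter. The following is an added example, not code from the lecture: it encodes the branch program and the while program from the slides as tuples (the encoding, the step budget used to approximate nontermination, and the names `run`, `outcome`, `secure` are assumptions of this example), enumerates low-equal initial memories, and checks the termination-insensitive and termination-sensitive variants of noninterference on the final memories, as the “Low views” definitions do.

```python
"""Termination-sensitive vs termination-insensitive noninterference for the
while-programs on the slides.  Added example, not lecture code.  Commands are
tuples, expressions are functions over the memory, and nontermination is
approximated by a step budget (an assumption): a run that exhausts the budget
is classified as diverging."""
from itertools import product

class Diverges(Exception):
    """Raised when a run exceeds its step budget (treated as an infinite trace)."""

def run(cmd, mem, fuel=1000):
    """Big-step evaluation of a command; returns the final memory."""
    mem = dict(mem)
    def go(c):
        nonlocal fuel
        fuel -= 1
        if fuel < 0:
            raise Diverges
        kind = c[0]
        if kind == "skip":
            return
        if kind == "assign":            # ("assign", var, expr)
            mem[c[1]] = c[2](mem)
        elif kind == "seq":             # ("seq", c1, c2, ...)
            for sub in c[1:]:
                go(sub)
        elif kind == "if":              # ("if", cond, then_c, else_c)
            go(c[2] if c[1](mem) else c[3])
        elif kind == "while":           # ("while", cond, body)
            while c[1](mem):
                go(c[2])
        else:
            raise ValueError(kind)
    go(cmd)
    return mem

def low_view(mem, low_vars):
    """What the low observer sees of a memory: the low variables only."""
    return tuple((v, mem[v]) for v in sorted(low_vars))

def outcome(cmd, mem, low_vars):
    """Low view of the final memory, or None for a diverging run."""
    try:
        return low_view(run(cmd, mem), low_vars)
    except Diverges:
        return None

def secure(cmd, initial_mems, low_vars, termination_sensitive):
    """Noninterference over the given initial memories: any two that agree on
    the low variables must produce related outcomes.
    Termination-insensitive: a diverging run is related to every run.
    Termination-sensitive:  diverging runs are related only to each other."""
    for m1, m2 in product(initial_mems, repeat=2):
        if low_view(m1, low_vars) != low_view(m2, low_vars):
            continue
        o1, o2 = outcome(cmd, m1, low_vars), outcome(cmd, m2, low_vars)
        if o1 is None or o2 is None:
            if termination_sensitive and (o1 is None) != (o2 is None):
                return False
            continue
        if o1 != o2:
            return False
    return True

# Constructed encodings of the slide programs.
# if h1 then h2 := 0 else h2 := 1; l := 1
P_BRANCH = ("seq",
            ("if", lambda m: m["h1"] != 0,
                   ("assign", "h2", lambda m: 0),
                   ("assign", "h2", lambda m: 1)),
            ("assign", "l", lambda m: 1))
# while h > 0 do h := h + 1; l := 1
P_LOOP = ("seq",
          ("while", lambda m: m["h"] > 0, ("assign", "h", lambda m: m["h"] + 1)),
          ("assign", "l", lambda m: 1))
# l := h   (an explicit flow, for contrast)
P_COPY = ("assign", "l", lambda m: m["h"])

LOW = {"l"}
MEMS_BRANCH = [{"h1": a, "h2": b, "l": 0} for a in (0, 1) for b in (0, 1)]
MEMS_LOOP = [{"h": h, "l": 0} for h in (0, 1, 5)]

if __name__ == "__main__":
    for name, cmd, mems in [("branch", P_BRANCH, MEMS_BRANCH),
                            ("loop", P_LOOP, MEMS_LOOP),
                            ("copy", P_COPY, MEMS_LOOP)]:
        print(name, "TI:", secure(cmd, mems, LOW, termination_sensitive=False),
                    "TS:", secure(cmd, mems, LOW, termination_sensitive=True))
```

Running it reports the branch program secure under both definitions, the while program secure only termination-insensitively (the h = 0 run ends with l = 1 while the h > 0 runs never get there), and l := h insecure under both. Note that the termination-insensitive relation is the one that is not transitive: the diverging run is related to every terminating run, so nothing forces two terminating runs to agree with each other through it.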

13

Equivalence classes
• The equivalence relation =L generates equivalence classes of states indistinguishable to the attacker:
  [s]L = { s′ | s =L s′ }
• Noninterference: transitions act uniformly on each equivalence class
• Given a trace τ = (s1, s2, …), the low observer sees at most ([s1]L, [s2]L, …)

14

Low views
• The low view relation ≈L on traces, defined modulo =L, determines the attacker’s ability to observe system execution
• Termination-sensitive but no ability to see intermediate states:
  (s1, s2, …, sm) ≈L (s1′, s2′, …, sn′) if sm =L sn′
  & all infinite traces are related by ≈L (to each other)
• Termination-insensitive:
  (s1, s2, …, sm) ≈L (s1′, s2′, …, sn′) if sm =L sn′
  & infinite traces are related by ≈L to all traces
• Timing-sensitive:
  (s1, s2, …, sn) ≈L (s1′, s2′, …, sn′) if sn =L sn′ (same length n)
  & all infinite traces are related by ≈L
• Not always an equivalence relation! (the termination-insensitive relation is not transitive: an infinite trace is related to two terminating traces whose final states are not =L)

15

Nondeterminism
• Two sources of nondeterminism:
  – Input nondeterminism
  – Internal nondeterminism
• GM assume no internal nondeterminism
• Concurrent systems are nondeterministic: if s1 → s1′ then s1 | s2 → s1′ | s2, and if s2 → s2′ then s1 | s2 → s1 | s2′
• Noninterference for nondeterministic systems?
  ∀s1, s2 . s1 =L s2 ⇒ Cs1 ≈L Cs2

16

Possibilistic security
• [Sutherland 1986, McCullough 1987]
• The result of a system, Cs, is the set of possible outcomes (traces)
• The low view relation on traces is lifted to sets of traces: Cs1 ≈L Cs2 if
  ∀τ1 ∈ Cs1 . ∃τ2 ∈ Cs2 . τ1 ≈L τ2   &   ∀τ2 ∈ Cs2 . ∃τ1 ∈ Cs1 . τ2 ≈L τ1
  “For any trace produced by Cs1 there is an indistinguishable one produced by Cs2 (and vice-versa)”

17

Proving possibilistic security
• Almost the same induction hypothesis as the unwinding condition:
[Figure: the unwinding diagrams with an existential on the matching low step]
  – High step: if s1 →h s1′ then s1′ =L s1
  – Low step: if s1 =L s2 and s1 →l s1′, then there is some s2′ with s2 →l s2′ and s1′ =L s2′
• Show that there is a transition that preserves state equivalence (for termination-insensitive security)

18

Example
  l := true | l := false | l := h
• h = true: possible results are {h↦true, l↦false}, {h↦true, l↦true}
• h = false: possible results are {h↦false, l↦false}, {h↦false, l↦true}
• The program is possibilistically secure: each result for h = true is =L to a result for h = false, and vice-versa

19

What is wrong?
• Round-robin scheduler: program equivalent to l := h (with the threads run in program order, the last assignment l := h determines the final value)
• Random scheduler: h is the most probable value of l
• The system has a refinement with an information leak
[Figure: the three interleaved assignments l := true, l := false, l := h of the program l := true | l := false | l := h]

20

Refinement attacks
• Implementations of an abstraction generally refine (at least probabilistically) the transitions allowed by the abstraction
• An attacker may exploit knowledge of the implementation to learn confidential information
  l := true | l := false
• Is this program secure?

21

Determinism-based security
• Require that the system is deterministic from the low viewpoint [Roscoe95]
• High information cannot affect low output: there is no nondeterminism to refine
• Another way to generalize noninterference to nondeterministic systems: don’t change the definition!
  ∀s1, s2 . s1 =L s2 ⇒ Cs1 ≈L Cs2
• Nondeterminism may be present, but not observable
• More restrictive than possibilistic security
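The contrast between possibilistic security, the refinement attacks, and low-view determinism can be computed directly for the parallel programs on the preceding slides. The following is an added example, not code from the lecture: each thread is a single assignment, a run is one interleaving (a permutation of the threads), and the low view of a run is its final value of l (the encoding, the scheduler models, and the names `possible_outcomes`, `possibilistically_secure`, `low_deterministic`, `round_robin_leak`, `prob_l_equals_h` are assumptions of this example). It checks the lifted ∀∃ relation with ≈L taken as equality of low views, checks Roscoe-style low-view determinism, and shows what the round-robin and uniformly random schedulers leak.

```python
"""Possibilistic security vs low-view determinism for
l := true | l := false | l := h.  Added example, not lecture code.
A thread is (var, expr); a run is a permutation of the threads."""
from fractions import Fraction
from itertools import permutations

PROG = [("l", lambda m: True),        # l := true
        ("l", lambda m: False),       # l := false
        ("l", lambda m: m["h"])]      # l := h
PROG_NO_H = PROG[:2]                  # l := true | l := false
LOW = ("l",)                          # l is the only low variable

def run_schedule(threads, order, mem):
    """Execute the threads in the given order (one interleaving)."""
    mem = dict(mem)
    for i in order:
        var, expr = threads[i]
        mem[var] = expr(mem)
    return mem

def low_view(mem):
    return tuple((v, mem[v]) for v in LOW)

def possible_outcomes(threads, mem):
    """Cs: the set of low views reachable over all interleavings."""
    return {low_view(run_schedule(threads, order, mem))
            for order in permutations(range(len(threads)))}

def possibilistically_secure(threads, mems):
    """Sutherland/McCullough: for low-equal initial memories every outcome of one
    has an indistinguishable outcome of the other and vice-versa.  With ~L taken
    as equality of low views, the lifted relation is set equality."""
    for m1 in mems:
        for m2 in mems:
            if low_view(m1) == low_view(m2) and \
               possible_outcomes(threads, m1) != possible_outcomes(threads, m2):
                return False
    return True

def low_deterministic(threads, mems):
    """Roscoe: each class of low-equal inputs must yield exactly one low view,
    so no scheduler can refine the nondeterminism into a leak."""
    classes = {}
    for m in mems:
        classes.setdefault(low_view(m), set()).update(possible_outcomes(threads, m))
    return all(len(outs) == 1 for outs in classes.values())

def round_robin_leak(threads, mems):
    """Refinement by a round-robin scheduler in program order: the last thread
    wins, so this returns the induced map from initial h to final l."""
    return {m["h"]: run_schedule(threads, range(len(threads)), m)["l"] for m in mems}

def prob_l_equals_h(threads, mem):
    """Refinement by a uniformly random scheduler: the fraction of interleavings
    whose final l equals the initial h."""
    orders = list(permutations(range(len(threads))))
    hits = sum(run_schedule(threads, o, mem)["l"] == mem["h"] for o in orders)
    return Fraction(hits, len(orders))

MEMS = [{"h": True, "l": False}, {"h": False, "l": False}]   # constructed inputs

if __name__ == "__main__":
    print(possibilistically_secure(PROG, MEMS))    # True
    print(low_deterministic(PROG, MEMS))           # False
    print(round_robin_leak(PROG, MEMS))            # {True: True, False: False}
    print(prob_l_equals_h(PROG, MEMS[0]))          # 2/3
    print(possibilistically_secure(PROG_NO_H, MEMS), low_deterministic(PROG_NO_H, MEMS))
```

Both initial memories yield the outcome set {l = true, l = false}, so the three-thread program passes the possibilistic check; the round-robin refinement makes l a copy of h, and under the uniform scheduler l = h in 4 of the 6 interleavings (2/3). Low-view determinism rejects the program, since the low observer can see two different outcomes from one input class; by the same test it also rejects l := true | l := false, which the possibilistic definition accepts, which is the sense in which the determinism-based definition is more restrictive.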