decentralized robustness
DESCRIPTION
Decentralized Robustness. Stephen Chong Andrew C. Myers Cornell University CSFW 19 July 6 th 2006. Information flow. Strong end-to-end security guarantees Noninterference [Goguen and Meseguer 1982] Enforceable with type systems [Volpano, Smith, and Irvine 1996] and many others - PowerPoint PPT PresentationTRANSCRIPT
Decentralized Robustness
Stephen Chong
Andrew C. Myers
Cornell University
CSFW 19
July 6th 2006
2
Information flow Strong end-to-end security guarantees
Noninterference [Goguen and Meseguer 1982]
Enforceable with type systems [Volpano, Smith, and Irvine 1996] and many others
But programs declassify information Breaks noninterference! Need semantic security conditions that
hold in presence of declassification
3
Robustness Intuition: An attacker should not be able to
control the release of information
Zdancewic and Myers [CSFW 2001] Defined semantic security condition An “active” attacker should not learn more
information than a “passive” attacker.
Myers, Sabelfeld, and Zdancewic [CSFW 2004] Language-based setting Data to declassify and decision to declassify
should not be influenced by attacker Type system for enforcement
• Track integrity• High-integrity = not influenced by attacker
4
May be many attackers Different attackers have
different powers How to ensure a system
is robust against an unknown attacker?
Different users trust different things
Issues with robustness
Alice
Bob Charlie
Damien
5
Decentralized robustness Define robustness against all attackers
Generalization of robustness Not specialized for a particular attacker Uses decentralized label model [Myers and Liskov 2000]
to characterize the power of different attackers Enforce robustness against all attackers
Complicated by unbounded, unknown attackers Sound type system
• Implemented in Jif 3.0
Decentralized robustness = robustness + DLM
6
WA
RA
Attackers Language-based setting An attacker A may
view certain memory locations knows program text inject code at certain program points
• (and thus modify memory)
Power of attacker is characterized by security labels RA and WA RA is upper bound on info A can read WA is lower bound on info A can write
Defn: Program c has robustness w.r.t. attacks by A with power RA and WA if A’s attacks cannot influence information released to A.
most restrictive
least restrictive
security lattice ℒ
7
Example// Charlie can read pub, can’t read salary[i], totalSalary, avgSalary// pub ⊑ RCharlie avgSalary ⋢ RCharlie …
// Charlie can modify employeeCount// WCharlie ⊑ employeeCount
totalSalary = i = 0;
while (i < employeeCount) { totalSalary += salary[i]; i += 1;}avgSalary := totalSalary / i;pub := declassify(avgSalary, (Alice or Bob) to (Alice or Bob or Charlie));
employeeCount := 1;
Alice Bob Charliefrom to
8
Decentralized label model Allows mutually distrusting principals to
independently specify security policies [Myers and Liskov 2000] This work: full lattice and integrity policies
Security labels built from reader policies and writer policies
Reader policies o→r Owner o allows r (and implicitly o) to read information Any principal that trusts o adheres to policy
• (i.e., allows at most o and r to read) Any principal not trusting o gives policy no credence
Confidentiality policies Close reader policies under conjunction and disjunction
9
Integrity policies Writer policies o←w
Owner o allows w (and implicitly o) to have influenced (written) information
Any principal that trusts o adheres to policy • (i.e., allows at most o and w to have written)
Any principal not trusting o gives policy no credence
Integrity policies Close writer policies under conjunction and
disjunction
10
Semantics of policies Confidentiality
readers(p, c) is set of principals that principal p allows to read based on confidentiality policy c
c is no more restrictive than d (written c ⊑C d) if for all p, readers(p, c) ⊇ readers(p, d)
⊑C forms a lattice: meet is disjunction, join is conjunction
Integrity writers(p, c) is set of principals that principal p has
allowed to write based on integrity policy c c is no more restrictive than d (written c ⊑I d)
if for all p, writers(p, c) ⊆ writers(p, d) ⊑I forms a lattice: meet is conjunction, join is disjunction Dual to confidentiality
11
Labels A label ⟨c, d⟩ is a pair of a confidentiality
policy c and an integrity policy d ⟨c, d ⊑ ⟩ ⟨c′, d′ ⟩ if and only if c ⊑C c′ and d ⊑I d′
Labels are expressive and concise language for confidentiality and integrity policies
12
Attacker power in the DLM For arbitrary principals p and q, need to
describe what p believes is the power of q
Define label Rp→q as least upper bound of labels that p believes q can read. ℓ ⊑ Rp→q if and only if q ∈ readers(p, ℓ)
Define label Wp←q as greatest lower bound of labels that p believes q can write. Wp←q ⊑ ℓ if and only if q ∈ writers(p, ℓ)
Rp→q
Wp←q
13
Robustness against all attackers
Defn: Command c has robustness against all attackers if:
for all principals p and q, c has robustness with respect to attacks by q with power Rp→q and Wp←q
14
Enforcement Enforcing robustness [Myers, Sabelfeld, Zdancewic 2004]
“If declassification gives attacker A info, then A can’t influence data to declassify, or decision to declassify.”
Enforcing robustness against all attackers “For all p and q,
if p believes declassification gives q info, then p believes q can’t influenced data to declassify, or decision to declassify.”
More formally: For all principals p and q, if ℓfrom ⋢ Rp→q and ℓto ⊑ Rp→q then Wp←q ⋢ pc and Wp←q ⋢ ℓfrom
Can’t use MSZ type system for all possible attackers Would require different type system for each p and q!
15
A sound unusable typing rule
Γ, pc ⊢ v := declassify(e, ℓfrom to ℓto)
Γ, pc ⊢ e:ℓfrom ℓto ⊔ pc ⊑ Γ(v)
∀p, q. if ℓfrom ⋢ Rp→q and ℓto ⊑ Rp→q then Wp←q ⋢ ℓfrom
∀p, q. if ℓfrom ⋢ Rp→q and ℓto ⊑ Rp→q then Wp←q ⋢ pc
For all principals p and q,
if ℓfrom ⋢ Rp→q and ℓto ⊑ Rp→q then
Wp←q ⋢ pc and Wp←q ⋢ ℓfrom
⇒
16
Sound typing rule
Γ, pc ⊢ v := declassify(e, ℓfrom to ℓto)
Γ, pc ⊢ e:ℓfrom ℓto ⊔ pc ⊑ Γ(v)
ℓfrom ⊑ ℓto ⊔ writersToReaders(pc)
ℓfrom ⊑ ℓto ⊔ writersToReaders(ℓfrom)
⇒
For all principals p, readers(p, ℓfrom) ⊇ readers(p, ℓto) ∩ writers(p, pc) and readers(p, ℓfrom) ⊇ readers(p, ℓto) ∩ writers(p, ℓfrom)
⇒
For all principals p and q,
if ℓfrom ⋢ Rp→q and ℓto ⊑ Rp→q then
Wp←q ⋢ pc and Wp←q ⋢ ℓfrom
• Conservatively converts writers of a label into readers.
• Used to compare integrity against confidentiality.
• ∀ℓ.∀p. writers(p, ℓ) ⊆ readers(p, writersToReaders(ℓ))
17
Conclusion Decentralized robustness = robustness + DLM Defined robustness against all attackers
Semantic security condition Generalizes robustness to arbitrary attackers Decentralized label model expresses attackers’ powers
Sound type system Implemented in Jif 3.0 Available at http://www.cs.cornell.edu/jif
Paper also considers downgrading integrity Qualified robustness [Myers, Sabelfeld, and Zdancewic 2004] is
generalized to qualified robustness against all attackers
Damien