Securing Applications by Information Flow Tracking Musard Balliu

Post on 25-Aug-2020

Page 1

Securing Applications by Information Flow Tracking

Musard Balliu

Page 2

About Me

● As of January 2018, Assistant Professor at EECS/TCS
● 2014 - 2017: PostDoc at Chalmers
● 2009 - 2014: Ph.D. at KTH

Page 3

Research Interests: End-to-End Software Security

Computer Security

Software Engineering

Programming Languages

Formal Methods

End-to-End Security

Page 4

Problem

Malicious or buggy code is a real threat: Flashlight, CVS/pharmacy

Page 5

Problem

Malicious or buggy code is a real threat: Spectre, WannaCry, Heartbleed, ...

Trends in software market:

● Quick time-to-market
● Business model rooted in cost-free services and financed by ads (Facebook, YouTube)
● Legacy code still there
● Security as add-on, not yet part of the software development lifecycle
● Platform independence, extensibility, mobile executable content

These trends become opportunities for attackers

● Easy to distribute worms, viruses, exploits, ransomware
● Write an attack once and run it everywhere
● Trusted and untrusted apps execute in the same environment

Mission impossible: Keep the trends without compromising security

Page 6

Goal: End-to-End Security

Private inputs cannot be inferred by attacker’s observation of public outputs.

A Password Meter

Page 7

Confidentiality: Standard Security Mechanisms

Access Control: regulate who can access what information
+ Prevents unauthorized release of information
- ...but the password meter must access the password

Firewall and Antivirus Scanning:
+ Reject a “black list” of known attacks
- ...but does not prevent unknown attacks

Cryptography: secure the communication channel
- Endpoints of communication may leak data

Sandboxing: good for low level events, e.g., no network send after reading a file
- ...but the password meter must have access to the network

Page 8

Information Flow Security

Private inputs cannot be inferred by attacker’s observation of public outputs.

A Password Meter

Page 9

Background: Information Flow Control

● Track information propagation within the program. This can be subtle!
● Not just about explicit flows:

    public = secret

● Also about implicit flows:

    if secret == 0 then public = 0 else public = 1

● Ensures end-to-end security
● Many flavours: covert channels, timing, …
● Enforcement: Static, Dynamic, Hybrid, Multi-execution

Taint Tracking

Information Flow Control
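
The two flows on this slide, run through a small dynamic monitor (an added example, not part of the original talk). The mini-language, the run and leaks functions and the H/L labels are constructed for illustration: in 'taint' mode only explicit flows carry labels, so the implicit-flow program releases a value that depends on the secret, while 'ifc' mode adds a program-counter label and blocks it.

```javascript
// Added example: a constructed mini-language, not code from the talk.
const join = (a, b) => (a === 'H' || b === 'H' ? 'H' : 'L');

// mode 'taint' propagates labels through explicit flows only; mode 'ifc'
// also tracks the program-counter (pc) label to catch implicit flows.
function run(prog, mode, secret) {
  const env = { secret, public: 0 };
  const lab = { secret: 'H', public: 'L' };
  const exec = (stmts, pc) => {
    for (const s of stmts) {
      const readLab = s.reads.map(v => lab[v]).reduce(join, 'L');
      if (s.op === 'if') {
        exec(s.cond(env) ? s.then : s.else, join(pc, readLab));
        continue;
      }
      // No-sensitive-upgrade: no write to a public variable under a secret pc.
      if (mode === 'ifc' && pc === 'H' && lab[s.target] === 'L')
        throw new Error('implicit flow into ' + s.target);
      env[s.target] = s.expr(env);
      lab[s.target] = mode === 'ifc' ? join(readLab, pc) : readLab;
    }
  };
  try {
    exec(prog, 'L');
  } catch (e) {
    return { blocked: true, reason: e.message };
  }
  // Public sink: only L-labelled data may be released.
  if (lab.public === 'H') return { blocked: true, reason: 'public is tainted' };
  return { blocked: false, output: env.public };
}

// The two programs from the slide.
const setPublic = n => ({ op: 'assign', target: 'public', reads: [], expr: () => n });
const explicit = [{ op: 'assign', target: 'public', reads: ['secret'], expr: e => e.secret }];
const implicit = [{ op: 'if', reads: ['secret'], cond: e => e.secret === 0,
                    then: [setPublic(0)], else: [setPublic(1)] }];

// Noninterference check: two runs that differ only in the secret must be
// indistinguishable to an observer of the public result.
function leaks(prog, mode) {
  const a = run(prog, mode, 0), b = run(prog, mode, 7);
  return JSON.stringify(a) !== JSON.stringify(b);
}

for (const [name, prog] of [['explicit', explicit], ['implicit', implicit]])
  for (const mode of ['taint', 'ifc'])
    console.log(name, mode, run(prog, mode, 7), 'leaks:', leaks(prog, mode));
```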

Page 10

Building Web Apps

A plethora of languages, frameworks and libraries

Page 11

Securing Web Apps Is Harder

● SQL injection, XSS, information disclosure
● Most attacks occur at boundaries
● Policies: SOP, CSP, CORS, ...

Page 12

Use Case: Location Based Service

Searching for nearby restaurants without revealing my exact location

Page 13

What Can Possibly Go Wrong

Exact location can be leaked out to different tiers

Page 14

Browser: JavaScript/HTML
Application Server: F# .NET
Database: SQL

Homogeneous Meta-Programming with JSLINQ

Page 15

JSLINQ: Architecture and Workflow

Page 16

JSLINQ: Architecture and Workflow

Page 17

JSLINQ: Architecture and Workflow

Page 18

Homogeneous Meta-Programming with JSLINQ

● JSLINQ: A step forward toward end-to-end security
● Still does not handle JavaScript Web developer libraries

Page 19

Formal Framework

Page 20

Formal Results for JSLINQ core

❑ Core of F# language with references and quotations (no object-oriented features)
❑ Records and list comprehensions to model databases
❑ Polymorphic security labels for confidentiality/integrity
❑ Security type system
❑ Proof of noninterference and declassification

Page 21

From Typing Rule to Code

Page 22

Case Studies

Page 23

Research Vision: Pushing the boundary on both sides

Engineering Secure Systems

+ Ultimately the way to go
+ Provides strong security guarantees
- Scalability vs Precision issues despite recent advances in verification

My work
● Reasoning about security
● Building secure OO applications
● Secure Embedded Virtualization
● Web Application Security
● Database-Application Security
● Privacy in Social Networks

Securing Existing Systems

+ Raises the security bar
+ Uncover new attacks in existing systems
+ Applies to complex languages, e.g. JS
- Bug finding technique

My work
● Hardening Android App security by facelifted values
● Taint tracking policies
● Soundness vs Precision: making information-flow analysis practical
● Reconciling DAC and IFC
● Client-side DOM-based XSS

Page 24

Research Tracks

❑ Internet-of-Things Devices
❖ Attacks and fixes for IoT platforms
❖ Send me an email with my current location
❖ When I arrive home, turn on my oven to 100 degrees
❑ Hyper-property testing
❖ Testing framework for noninterference
❖ Property-based testing for self composition
❑ Concolic execution for string constraints
❑ WebAssembly
❑ Program repair for security
❑ Taint tracking for software architectures

Page 25

Final words

❑ KTH Security Seminar series

❖ Coming up soon!

❖ Brings together researchers across EECS departments and industry

❑ I am looking for a PhD student

❖ Working on end-to-end security

❖ Interested? Drop me a line: [email protected]