security type checking for mils-aadl specifications · security type checking for mils-aadl...
TRANSCRIPT
Security Type Checking forMILS-AADL Specifications
Kevin van der Pol, Thomas Noll
MILS Workshop Amsterdam – January 20, 2015
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 0/25
Security Type Checking for MILS-AADL Specifications
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 1/25
trusted untrusted
cryptocontroller
(confidential) (public)
I Cryptographic controller [Rus92]I Placed between trusted system and untrusted networkI Declassifies confidential informationI Goal: verify its security
Motivation
Motivation
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 2/25
trusted untrusted
cryptocontroller
(confidential) (public)
I Cryptographic controller [Rus92]
I Placed between trusted system and untrusted networkI Declassifies confidential informationI Goal: verify its security
Motivation
Motivation
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 2/25
trusted untrusted
cryptocontroller
(confidential) (public)
I Cryptographic controller [Rus92]I Placed between trusted system and untrusted network
I Declassifies confidential informationI Goal: verify its security
Motivation
Motivation
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 2/25
trusted untrusted
cryptocontroller
(confidential) (public)
I Cryptographic controller [Rus92]I Placed between trusted system and untrusted networkI Declassifies confidential information
I Goal: verify its security
Motivation
Motivation
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 2/25
trusted untrusted
cryptocontroller
(confidential) (public)
I Cryptographic controller [Rus92]I Placed between trusted system and untrusted networkI Declassifies confidential informationI Goal: verify its security
Motivation
Motivation
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 2/25
1 MILS-AADL specifications
2 Non-interference
3 Type checking
4 Conclusion
Table of Contents
Table of Contents
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 3/25
1 MILS-AADL specifications
2 Non-interference
3 Type checking
4 Conclusion
MILS-AADL specifications
Table of Contents
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 4/25
crypto controller
MILS-AADL specifications
Crypto controller
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 5/25
crypto controller
split merge
bypass
crypto
MILS-AADL specifications
Crypto controller
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 5/25
crypto controller
split merge
bypass
crypto
MILS-AADL specifications
Crypto controller
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 5/25
crypto controller
split merge
bypass
crypto
MILS-AADL specifications
Crypto controller
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 5/25
system cryptocontroller(
)
MILS-AADL specifications
Syntax
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 6/25
system cryptocontroller(
)
inframe: in (int L, int H) (0,0)outframe: out (int L, enc int H L) (0, encrypt(0, k0))
MILS-AADL specifications
Syntax
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 6/25
system cryptocontroller(
)
inframe: in (int L, int H) (0,0)outframe: out (int L, enc int H L) (0, encrypt(0, k0))system split(. . . )system bypass(. . . )system merge(. . . )system crypto(
)
inpayload: in int H 0outpayload: out enc int H L encrypt(0, k0)k: key L k0
MILS-AADL specifications
Syntax
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 6/25
system cryptocontroller(
)
inframe: in (int L, int H) (0,0)outframe: out (int L, enc int H L) (0, encrypt(0, k0))system split(. . . )system bypass(. . . )system merge(. . . )system crypto(
)connection (split.payload, crypto.inpayload)
...
connection (crypto.outpayload, merge.payload)
inpayload: in int H 0outpayload: out enc int H L encrypt(0, k0)k: key L k0
MILS-AADL specifications
Syntax
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 6/25
system cryptocontroller(
)
inframe: in (int L, int H) (0,0)outframe: out (int L, enc int H L) (0, encrypt(0, k0))system split(. . . )system bypass(. . . )system merge(. . . )system crypto(
)connection (split.payload, crypto.inpayload)
...
connection (crypto.outpayload, merge.payload)
inpayload: in int H 0outpayload: out enc int H L encrypt(0, k0)k: key L k0m: initial mode Lm-[then outpayload:=encrypt(inpayload,k)]->m
MILS-AADL specifications
Syntax
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 6/25
Case Grammar
Level σ ::= H | LBasic type t ::= int | bool | enc τSecurity type τ ::= t σ | key σ
Expression e ::= n | x | e⊕ eSystem S ::= system s(S∗ P ∗ C∗ V ∗ M∗ T ∗)Port P ::= p : (in | out)(event σ | data τ e)Connection C ::= ([s.]p, [s.]p)Variable V ::= x : τ eMode M ::= m : [initial] mode σTransition T ::= m -[ [p] [when e] [then x := e] ]->m′
MILS-AADL specifications
Syntax
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 7/25
Case Grammar
Level σ ::= H | LBasic type t ::= int | bool | enc τSecurity type τ ::= t σ | key σExpression e ::= n | x | e⊕ e
System S ::= system s(S∗ P ∗ C∗ V ∗ M∗ T ∗)Port P ::= p : (in | out)(event σ | data τ e)Connection C ::= ([s.]p, [s.]p)Variable V ::= x : τ eMode M ::= m : [initial] mode σTransition T ::= m -[ [p] [when e] [then x := e] ]->m′
MILS-AADL specifications
Syntax
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 7/25
Case Grammar
Level σ ::= H | LBasic type t ::= int | bool | enc τSecurity type τ ::= t σ | key σExpression e ::= n | x | e⊕ eSystem S ::= system s(S∗ P ∗ C∗ V ∗ M∗ T ∗)
Port P ::= p : (in | out)(event σ | data τ e)Connection C ::= ([s.]p, [s.]p)Variable V ::= x : τ eMode M ::= m : [initial] mode σTransition T ::= m -[ [p] [when e] [then x := e] ]->m′
MILS-AADL specifications
Syntax
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 7/25
Case Grammar
Level σ ::= H | LBasic type t ::= int | bool | enc τSecurity type τ ::= t σ | key σExpression e ::= n | x | e⊕ eSystem S ::= system s(S∗ P ∗ C∗ V ∗ M∗ T ∗)Port P ::= p : (in | out)(event σ | data τ e)
Connection C ::= ([s.]p, [s.]p)Variable V ::= x : τ eMode M ::= m : [initial] mode σTransition T ::= m -[ [p] [when e] [then x := e] ]->m′
MILS-AADL specifications
Syntax
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 7/25
Case Grammar
Level σ ::= H | LBasic type t ::= int | bool | enc τSecurity type τ ::= t σ | key σExpression e ::= n | x | e⊕ eSystem S ::= system s(S∗ P ∗ C∗ V ∗ M∗ T ∗)Port P ::= p : (in | out)(event σ | data τ e)Connection C ::= ([s.]p, [s.]p)
Variable V ::= x : τ eMode M ::= m : [initial] mode σTransition T ::= m -[ [p] [when e] [then x := e] ]->m′
MILS-AADL specifications
Syntax
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 7/25
Case Grammar
Level σ ::= H | LBasic type t ::= int | bool | enc τSecurity type τ ::= t σ | key σExpression e ::= n | x | e⊕ eSystem S ::= system s(S∗ P ∗ C∗ V ∗ M∗ T ∗)Port P ::= p : (in | out)(event σ | data τ e)Connection C ::= ([s.]p, [s.]p)Variable V ::= x : τ e
Mode M ::= m : [initial] mode σTransition T ::= m -[ [p] [when e] [then x := e] ]->m′
MILS-AADL specifications
Syntax
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 7/25
Case Grammar
Level σ ::= H | LBasic type t ::= int | bool | enc τSecurity type τ ::= t σ | key σExpression e ::= n | x | e⊕ eSystem S ::= system s(S∗ P ∗ C∗ V ∗ M∗ T ∗)Port P ::= p : (in | out)(event σ | data τ e)Connection C ::= ([s.]p, [s.]p)Variable V ::= x : τ eMode M ::= m : [initial] mode σ
Transition T ::= m -[ [p] [when e] [then x := e] ]->m′
MILS-AADL specifications
Syntax
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 7/25
Case Grammar
Level σ ::= H | LBasic type t ::= int | bool | enc τSecurity type τ ::= t σ | key σExpression e ::= n | x | e⊕ eSystem S ::= system s(S∗ P ∗ C∗ V ∗ M∗ T ∗)Port P ::= p : (in | out)(event σ | data τ e)Connection C ::= ([s.]p, [s.]p)Variable V ::= x : τ eMode M ::= m : [initial] mode σTransition T ::= m -[ [p] [when e] [then x := e] ]->m′
MILS-AADL specifications
Syntax
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 7/25
1 MILS-AADL specifications
2 Non-interference
3 Type checking
4 Conclusion
Non-interference
Table of Contents
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 8/25
I Lattice of confidentiality levels
I This presentation: high and low (H v L)I Non-interference: low outputs not affected by high inputs
I When varying secret variables and ports, reachable values of publicvariables and ports are indistinguishable
Non-interference
Non-interference
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 9/25
I Lattice of confidentiality levelsI This presentation: high and low (H v L)
I Non-interference: low outputs not affected by high inputs
I When varying secret variables and ports, reachable values of publicvariables and ports are indistinguishable
Non-interference
Non-interference
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 9/25
I Lattice of confidentiality levelsI This presentation: high and low (H v L)I Non-interference: low outputs not affected by high inputs
I When varying secret variables and ports, reachable values of publicvariables and ports are indistinguishable
Non-interference
Non-interference
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 9/25
I Lattice of confidentiality levelsI This presentation: high and low (H v L)I Non-interference: low outputs not affected by high inputs
high
low
I When varying secret variables and ports, reachable values of publicvariables and ports are indistinguishable
Non-interference
Non-interference
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 9/25
I Lattice of confidentiality levelsI This presentation: high and low (H v L)I Non-interference: low outputs not affected by high inputs
high
low
I When varying secret variables and ports, reachable values of publicvariables and ports are indistinguishable
Non-interference
Non-interference
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 9/25
I Lattice of confidentiality levelsI This presentation: high and low (H v L)I Non-interference: low outputs not affected by high inputs
high
low
I When varying secret variables and ports, reachable values of publicvariables and ports are indistinguishable
Non-interference
Non-interference
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 9/25
I Lattice of confidentiality levelsI This presentation: high and low (H v L)I Non-interference: low outputs not affected by high inputs
high
lowI When varying secret variables and ports, reachable values of public
variables and ports are indistinguishable
Non-interference
Non-interference
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 9/25
I Explicit data flow
I physical connection from high to low portsI low := high
I Implicit data flow
I data leak through control flowI if high then low := 1 else low := 2 endif
Non-interference
Unwanted data flows
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 10/25
I Explicit data flowI physical connection from high to low ports
I low := highI Implicit data flow
I data leak through control flowI if high then low := 1 else low := 2 endif
Non-interference
Unwanted data flows
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 10/25
I Explicit data flowI physical connection from high to low portsI low := high
I Implicit data flow
I data leak through control flowI if high then low := 1 else low := 2 endif
Non-interference
Unwanted data flows
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 10/25
I Explicit data flowI physical connection from high to low portsI low := high
I Implicit data flow
I data leak through control flowI if high then low := 1 else low := 2 endif
Non-interference
Unwanted data flows
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 10/25
I Explicit data flowI physical connection from high to low portsI low := high
I Implicit data flowI data leak through control flow
I if high then low := 1 else low := 2 endif
Non-interference
Unwanted data flows
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 10/25
I Explicit data flowI physical connection from high to low portsI low := high
I Implicit data flowI data leak through control flowI if high then low := 1 else low := 2 endif
Non-interference
Unwanted data flows
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 10/25
I Abstract encryption function
I Encryption breaks traditional non-interference
I Public ciphertexts do depend on confidential contents!
I Encryption non-deterministically calculates a ciphertext from a setI Look at sets of possibilitiesI Naive approach: all ciphertexts are indistinguishableI Cannot distinguish calculating new ciphertext or re-using same one
I low1 := encrypt(v,k); low2 := low1
Non-interference
Possibilistic non-interference
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 11/25
I Abstract encryption functionI Encryption breaks traditional non-interference
I Public ciphertexts do depend on confidential contents!
I Encryption non-deterministically calculates a ciphertext from a setI Look at sets of possibilitiesI Naive approach: all ciphertexts are indistinguishableI Cannot distinguish calculating new ciphertext or re-using same one
I low1 := encrypt(v,k); low2 := low1
Non-interference
Possibilistic non-interference
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 11/25
I Abstract encryption functionI Encryption breaks traditional non-interference
I Public ciphertexts do depend on confidential contents!
I Encryption non-deterministically calculates a ciphertext from a setI Look at sets of possibilitiesI Naive approach: all ciphertexts are indistinguishableI Cannot distinguish calculating new ciphertext or re-using same one
I low1 := encrypt(v,k); low2 := low1
Non-interference
Possibilistic non-interference
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 11/25
I Abstract encryption functionI Encryption breaks traditional non-interference
I Public ciphertexts do depend on confidential contents!
I Encryption non-deterministically calculates a ciphertext from a set
I Look at sets of possibilitiesI Naive approach: all ciphertexts are indistinguishableI Cannot distinguish calculating new ciphertext or re-using same one
I low1 := encrypt(v,k); low2 := low1
Non-interference
Possibilistic non-interference
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 11/25
I Abstract encryption functionI Encryption breaks traditional non-interference
I Public ciphertexts do depend on confidential contents!
I Encryption non-deterministically calculates a ciphertext from a setI Look at sets of possibilities
I Naive approach: all ciphertexts are indistinguishableI Cannot distinguish calculating new ciphertext or re-using same one
I low1 := encrypt(v,k); low2 := low1
Non-interference
Possibilistic non-interference
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 11/25
I Abstract encryption functionI Encryption breaks traditional non-interference
I Public ciphertexts do depend on confidential contents!
I Encryption non-deterministically calculates a ciphertext from a setI Look at sets of possibilitiesI Naive approach: all ciphertexts are indistinguishable
I Cannot distinguish calculating new ciphertext or re-using same one
I low1 := encrypt(v,k); low2 := low1
Non-interference
Possibilistic non-interference
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 11/25
I Abstract encryption functionI Encryption breaks traditional non-interference
I Public ciphertexts do depend on confidential contents!
I Encryption non-deterministically calculates a ciphertext from a setI Look at sets of possibilitiesI Naive approach: all ciphertexts are indistinguishableI Cannot distinguish calculating new ciphertext or re-using same one
I low1 := encrypt(v,k); low2 := low1
Non-interference
Possibilistic non-interference
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 11/25
I Abstract encryption functionI Encryption breaks traditional non-interference
I Public ciphertexts do depend on confidential contents!
I Encryption non-deterministically calculates a ciphertext from a setI Look at sets of possibilitiesI Naive approach: all ciphertexts are indistinguishableI Cannot distinguish calculating new ciphertext or re-using same one
I low1 := encrypt(v,k); low2 := low1
Non-interference
Possibilistic non-interference
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 11/25
I Indistinguishability equivalence .= on ciphertexts [AHS08]
I safe usageI prevent implicit flow
I Realistic for common encryption classes (IND-CPA, INT-PTXT) [Lau08]I Possibilistic non-interference
Non-interference
Possibilistic non-interference
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 12/25
I Indistinguishability equivalence .= on ciphertexts [AHS08]
I safe usage
I prevent implicit flow
I Realistic for common encryption classes (IND-CPA, INT-PTXT) [Lau08]I Possibilistic non-interference
Non-interference
Possibilistic non-interference
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 12/25
I Indistinguishability equivalence .= on ciphertexts [AHS08]
I safe usageI prevent implicit flow
I Realistic for common encryption classes (IND-CPA, INT-PTXT) [Lau08]I Possibilistic non-interference
Non-interference
Possibilistic non-interference
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 12/25
I Indistinguishability equivalence .= on ciphertexts [AHS08]
I safe usageI prevent implicit flow
I Realistic for common encryption classes (IND-CPA, INT-PTXT) [Lau08]
I Possibilistic non-interference
Non-interference
Possibilistic non-interference
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 12/25
I Indistinguishability equivalence .= on ciphertexts [AHS08]
I safe usageI prevent implicit flow
I Realistic for common encryption classes (IND-CPA, INT-PTXT) [Lau08]I Possibilistic non-interference
Non-interference
Possibilistic non-interference
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 12/25
oddsi
sisi
si si soso
oddeven
even
sisi
si si soso
oddeven
sisi
si si soso
oddeven
sisi
oddeven
Non-interference
Non-interference non-compositionality
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 13/25
oddsiso
sisi
si si soso
oddeven
even
sisi
si si soso
oddeven
sisi
si si soso
oddeven
sisi
si si soso
oddeven
Non-interference
Non-interference non-compositionality
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 13/25
oddsiso
sisi
si si soso
oddeven
even
sisi
si si soso
oddeven
sisi
si si soso
oddeven
sisi
si si soso
oddeven
oddsiso
sisi
si si soso
oddeven
even
sisi
si si soso
oddeven
sisi
si si soso
oddeven
sisi
si si soso
oddeven
Non-interference
Non-interference non-compositionality
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 13/25
oddsiso
sisi
si si soso
oddeven
even
sisi
si si soso
oddeven
sisi
si si soso
oddeven
sisi
si si soso
oddeven
oddsiso
sisi
si si soso
oddeven
even
sisi
si si soso
oddeven
sisi
si si soso
oddeven
sisi
si si soso
oddeven
Non-interference
Non-interference non-compositionality
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 13/25
non-determinism
e
e. . .
. . .
Non-interference
Restrictions
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 14/25
non-determinism branching on secrets
e
e. . .
. . .
. . .
. . .
s
¬s
e1
e2
Non-interference
Restrictions
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 14/25
non-determinism branching on secrets
secret-Zeno
e
e. . .
. . .
. . .
. . .
s
¬s
e1
e2
Non-interference
Restrictions
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 14/25
non-determinism branching on secrets
secret-Zeno
e
e. . .
. . .
. . .
. . .
s
¬s
e1
e2
public output from
. . .
secret region
s e
Non-interference
Restrictions
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 14/25
1 MILS-AADL specifications
2 Non-interference
3 Type checking
4 Conclusion
Type checking
Table of Contents
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 15/25
I T : local variables and data ports→ declared type
I Modes and event ports get a confidentiality levelI Type rules in context of TI Goal: type each subsystem, connection and transition
Theorem
If the system is typable, it is non-interfering
Type checking
Type checking
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 16/25
I T : local variables and data ports→ declared typeI Modes and event ports get a confidentiality level
I Type rules in context of TI Goal: type each subsystem, connection and transition
Theorem
If the system is typable, it is non-interfering
Type checking
Type checking
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 16/25
I T : local variables and data ports→ declared typeI Modes and event ports get a confidentiality levelI Type rules in context of T
I Goal: type each subsystem, connection and transition
Theorem
If the system is typable, it is non-interfering
Type checking
Type checking
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 16/25
I T : local variables and data ports→ declared typeI Modes and event ports get a confidentiality levelI Type rules in context of TI Goal: type each subsystem, connection and transition
Theorem
If the system is typable, it is non-interfering
Type checking
Type checking
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 16/25
I T : local variables and data ports→ declared typeI Modes and event ports get a confidentiality levelI Type rules in context of TI Goal: type each subsystem, connection and transition
Theorem
If the system is typable, it is non-interfering
Type checking
Type checking
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 16/25
I T : local variables and data ports→ declared typeI Modes and event ports get a confidentiality levelI Type rules in context of TI Goal: type each subsystem, connection and transition
Theorem
If the system is typable, it is non-interfering
Type checking
Type checking
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 16/25
Case Type rule
Basic types T ` n : int L T ` b : bool L
Variable T (x) = τ
T ` x : τ
OperatorT ` e1 : t1 σ1 T ` e2 : t2 σ2 ⊕ : t1 × t2 → t
T ` e1 ⊕ e2 : t (σ1 t σ2)
EncryptionT ` e1 : τ T ` e2 : key L
T ` encrypt(e1, e2) : enc τ L
DecryptionT ` e1 : enc τ σ T ` e2 : key H
T ` decrypt(e1, e2) : τσ
Type checking
Types of expressions
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 17/25
system crypto(
)
inpayload: int H 0outpayload: out enc int H L encrypt(0, k0)k: key L k0m: initial mode Lm-[then outpayload:=encrypt(inpayload,k)]->m
I Type of encrypt(inpayload,k)?
T (inpayload) = int H
T ` inpayload : int H
T (k) = key L
T ` k : key L
T ` encrypt(inpayload,k) : enc int H L
Type checking
Types of expressions
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 18/25
I If τe <: τx, assignment x:=e is validI Traditional type safetyI Confidentiality restriction
Case Subtype rule
Basic types σ v σ′int σ <: int σ′
σ v σ′bool σ <: bool σ′
key σ <: key σ
Encryption τ <: τ ′ σ v σ′enc τ σ <: enc τ ′ σ′
Type checking
Subtyping
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 19/25
I If τe <: τx, assignment x:=e is validI Traditional type safetyI Confidentiality restriction
Case Subtype rule
Basic types σ v σ′int σ <: int σ′
σ v σ′bool σ <: bool σ′
key σ <: key σ
Encryption τ <: τ ′ σ v σ′enc τ σ <: enc τ ′ σ′
Type checking
Subtyping
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 19/25
I If τe <: τx, assignment x:=e is validI Traditional type safetyI Confidentiality restriction
Case Subtype rule
Basic types σ v σ′int σ <: int σ′
σ v σ′bool σ <: bool σ′
key σ <: key σ
Encryption τ <: τ ′ σ v σ′enc τ σ <: enc τ ′ σ′
Type checking
Subtyping
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 19/25
system crypto(
)
inpayload: int H 0outpayload: out enc int H L encrypt(0, k0)k: key L k0m: initial mode Lm-[then outpayload:=encrypt(inpayload,k)]->m
I Is outpayload:=encrypt(inpayload,k) valid?
(let τ abbreviate enc int H L)
T (outpayload) = τ
T ` outpayload : τ
(Before)T ` encrypt(inpayload,k) : τ τ <: τ
T ` outpayload:=encrypt(inpayload,k) : τ
Type checking
Subtyping
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 20/25
system crypto(
)
inpayload: int H 0outpayload: out enc int H L encrypt(0, k0)k: key L k0m: initial mode Lm-[then outpayload:=encrypt(inpayload,k)]->m
I Is outpayload:=encrypt(inpayload,k) valid?(let τ abbreviate enc int H L)
T (outpayload) = τ
T ` outpayload : τ
(Before)T ` encrypt(inpayload,k) : τ τ <: τ
T ` outpayload:=encrypt(inpayload,k) : τ
Type checking
Subtyping
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 20/25
system crypto(
)
inpayload: int H 0outpayload: out enc int H L encrypt(0, k0)k: key L k0m: initial mode Lm-[then outpayload:=encrypt(inpayload,k)]->m
I Is outpayload:=encrypt(inpayload,k) valid?(let τ abbreviate enc int H L)
T (outpayload) = τ
T ` outpayload : τ
(Before)T ` encrypt(inpayload,k) : τ τ <: τ
T ` outpayload:=encrypt(inpayload,k) : τ
Type checking
Subtyping
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 20/25
Case Type rule
Transition
T ` p : τpT ` g : τg τx <: τe lvl(τx) v σT ` x : τx lvl(m) v lvl(τp) σ v lvl(τp)T ` e : τe lvl(m) v lvl(τx) σ v lvl(τg)
T ` m -[ p when g then x := e ]->m′ : σ
I Effect is well typedI No public outputs from secret region (mode)I Guard or event high→ transition highI No public outputs from secret region (transition)
Type checking
Type of transitions
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 21/25
Case Type rule
Transition
T ` p : τpT ` g : τg τx <: τe lvl(τx) v σT ` x : τx lvl(m) v lvl(τp) σ v lvl(τp)T ` e : τe lvl(m) v lvl(τx) σ v lvl(τg)
T ` m -[ p when g then x := e ]->m′ : σ
I Effect is well typedI No public outputs from secret region (mode)I Guard or event high→ transition highI No public outputs from secret region (transition)
Type checking
Type of transitions
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 21/25
Case Type rule
Transition
T ` p : τpT ` g : τg τx <: τe lvl(τx) v σT ` x : τx lvl(m) v lvl(τp) σ v lvl(τp)T ` e : τe lvl(m) v lvl(τx) σ v lvl(τg)
T ` m -[ p when g then x := e ]->m′ : σ
I Effect is well typed
I No public outputs from secret region (mode)I Guard or event high→ transition highI No public outputs from secret region (transition)
Type checking
Type of transitions
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 21/25
Case Type rule
Transition
T ` p : τpT ` g : τg τx <: τe lvl(τx) v σT ` x : τx lvl(m) v lvl(τp) σ v lvl(τp)T ` e : τe lvl(m) v lvl(τx) σ v lvl(τg)
T ` m -[ p when g then x := e ]->m′ : σ
I Effect is well typedI No public outputs from secret region (mode)
I Guard or event high→ transition highI No public outputs from secret region (transition)
Type checking
Type of transitions
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 21/25
Case Type rule
Transition
T ` p : τpT ` g : τg τx <: τe lvl(τx) v σT ` x : τx lvl(m) v lvl(τp) σ v lvl(τp)T ` e : τe lvl(m) v lvl(τx) σ v lvl(τg)
T ` m -[ p when g then x := e ]->m′ : σ
I Effect is well typedI No public outputs from secret region (mode)I Guard or event high→ transition high
I No public outputs from secret region (transition)
Type checking
Type of transitions
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 21/25
Case Type rule
Transition
T ` p : τpT ` g : τg τx <: τe lvl(τx) v σT ` x : τx lvl(m) v lvl(τp) σ v lvl(τp)T ` e : τe lvl(m) v lvl(τx) σ v lvl(τg)
T ` m -[ p when g then x := e ]->m′ : σ
I Effect is well typedI No public outputs from secret region (mode)I Guard or event high→ transition highI No public outputs from secret region (transition)
Type checking
Type of transitions
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 21/25
system crypto(
)
inpayload: int H 0outpayload: out enc int H L encrypt(0, k0)k: key L k0m: initial mode Lm-[then outpayload:=encrypt(inpayload,k)]->m
I Is the transition well typed?
I Effect is well typed: XI No public outputs from secret region (mode): XI Guard or event high→ transition high: XI No public outputs from secret region (transition): X
I All subsystems and connections trivially well typedI crypto system is non-interfering
Type checking
Example
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 22/25
system crypto(
)
inpayload: int H 0outpayload: out enc int H L encrypt(0, k0)k: key L k0m: initial mode Lm-[then outpayload:=encrypt(inpayload,k)]->m
I Is the transition well typed?I Effect is well typed: X
I No public outputs from secret region (mode): XI Guard or event high→ transition high: XI No public outputs from secret region (transition): X
I All subsystems and connections trivially well typedI crypto system is non-interfering
Type checking
Example
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 22/25
system crypto(
)
inpayload: int H 0outpayload: out enc int H L encrypt(0, k0)k: key L k0m: initial mode Lm-[then outpayload:=encrypt(inpayload,k)]->m
I Is the transition well typed?I Effect is well typed: XI No public outputs from secret region (mode): X
I Guard or event high→ transition high: XI No public outputs from secret region (transition): X
I All subsystems and connections trivially well typedI crypto system is non-interfering
Type checking
Example
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 22/25
system crypto(
)
inpayload: int H 0outpayload: out enc int H L encrypt(0, k0)k: key L k0m: initial mode Lm-[then outpayload:=encrypt(inpayload,k)]->m
I Is the transition well typed?I Effect is well typed: XI No public outputs from secret region (mode): XI Guard or event high→ transition high: X
I No public outputs from secret region (transition): X
I All subsystems and connections trivially well typedI crypto system is non-interfering
Type checking
Example
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 22/25
system crypto(
)
inpayload: int H 0outpayload: out enc int H L encrypt(0, k0)k: key L k0m: initial mode Lm-[then outpayload:=encrypt(inpayload,k)]->m
I Is the transition well typed?I Effect is well typed: XI No public outputs from secret region (mode): XI Guard or event high→ transition high: XI No public outputs from secret region (transition): X
I All subsystems and connections trivially well typedI crypto system is non-interfering
Type checking
Example
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 22/25
system crypto(
)
inpayload: int H 0outpayload: out enc int H L encrypt(0, k0)k: key L k0m: initial mode Lm-[then outpayload:=encrypt(inpayload,k)]->m
I Is the transition well typed?I Effect is well typed: XI No public outputs from secret region (mode): XI Guard or event high→ transition high: XI No public outputs from secret region (transition): X
I All subsystems and connections trivially well typed
I crypto system is non-interfering
Type checking
Example
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 22/25
system crypto(
)
inpayload: int H 0outpayload: out enc int H L encrypt(0, k0)k: key L k0m: initial mode Lm-[then outpayload:=encrypt(inpayload,k)]->m
I Is the transition well typed?I Effect is well typed: XI No public outputs from secret region (mode): XI Guard or event high→ transition high: XI No public outputs from secret region (transition): X
I All subsystems and connections trivially well typedI crypto system is non-interfering
Type checking
Example
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 22/25
1 MILS-AADL specifications
2 Non-interference
3 Type checking
4 Conclusion
Conclusion
Table of Contents
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 23/25
I AADL variant with cryptographic primitives
I Automatic verification for possibilistic non-interferenceI Future work: soundness proof, implementation, type inference
Conclusion
Conclusion
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 24/25
I AADL variant with cryptographic primitivesI Automatic verification for possibilistic non-interference
I Future work: soundness proof, implementation, type inference
Conclusion
Conclusion
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 24/25
I AADL variant with cryptographic primitivesI Automatic verification for possibilistic non-interferenceI Future work: soundness proof, implementation, type inference
Conclusion
Conclusion
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 24/25
Aslan Askarov, Daniel Hedin, and Andrei Sabelfeld,Cryptographically-masked flows, Theor. Comput. Sci. 402 (2008),no. 2-3, 82–101.
Peeter Laud, On the computational soundness of cryptographicallymasked flows, Proceedings of the 35th ACM SIGPLAN-SIGACTSymposium on Principles of Programming Languages, POPL 2008,San Francisco, California, USA, January 7-12, 2008, 2008,pp. 337–348.
John Rushby, Noninterference, transitivity, and channel-controlsecurity policies, Tech. Report SRI-CSL-92-2, Computer ScienceLaboratory, SRI International, Menlo Park, CA, December 1992.
Bibliography
Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 25/25