Post on 20-Dec-2015
Steve Zdancewic ESOP01 1
Secure Information Flow and CPS
Steve Zdancewic, joint work with Andrew Myers
Cornell University
Valuable Data On-line
• Internet and connectivity
– banks/brokerage firms
– e-mail services
– applets, plugins, etc.
– …
• Creates a problem of protection
Protect It!
• Confidentiality
– Data doesn't escape
– Does my accounting software transmit my private information?
• Integrity
– Trustworthiness of data
– Does my accounting software use "bad" information to compute taxes?
Information Flow
• Policies on information
• End-to-end
– Once data is released to a program, must ensure that the policy is obeyed.
• Need static analysis
Security-Typed Languages
• Statically enforce security policies in an extended type system
– Smith & Volpano [SVI96, SV98, ...]
– Heintze & Riecke [HR98, ABHR99]
– Myers [ML97,My99,...]
– Sabelfeld & Sands [SS99, SS00]
– Pottier & Conchon [PC00,...]
Noninterference
"Low-security behavior of the program is not affected by any high-security data." Goguen & Meseguer 1982
[Diagram: two runs with the same low inputs L1, L2 but different high inputs (H1, H2 versus H3, H4) produce the same low output L.]
Our Goal
• Study information flow in a rich language
– Higher-order functions
– State
• Noninterference proof
Continuation Passing Style
• Useful representation of low-level code – verify output of the compiler.
• Main complication: explicit control and interaction with effects
Outline
• Motivating example
• Problem with naïve CPS translation
• Ordered linear continuations
• Wrap up
Security Types
• A lattice L of labels
– order: L ⊑ H
– join: L ⊔ H = H
• Types have labels: intH or boolL
Example (annotated with the PC label at each point)
                          // pc:L
if0 (x:intH){             // pc:H inside both branches
  y := 1;                 // y:intH
} else {
  y := 2;
}
z := 3;                   // pc:L again, so z:intL
PC Label
• Side-effects are bounded by PC label.
Γ ⊢ x : s ref    Γ ⊢ e : r    (p ⊔ r) ⊑ s
------------------------------------------
Γ [pc:p] ⊢ x := e
What about functions?
• Effects inside a function must also be bounded by PC label.
Γ ⊢ f : (…)r    Γ ⊢ e : …    (p ⊔ r) ⊑ …
------------------------------------------
Γ [pc:p] ⊢ f(e)
Naive CPS
let k = λ(). z := 3;                                  // k's body is checked at pc:H, so z:intH
if0 (x:intH){ y := 1; k(); } else { y := 2; k(); }    // pc:H in both branches, where k is called
Linear Continuations
let k = λ(). z := 3; //z:intH
if0 (x:intH){ y := 1; k(); } else { y := 2; k(); }
k is used linearly!
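To make the preceding slides concrete, here is an added example (not code from the slides or from the authors' formal system) that implements a toy checker for the slides' if0/assignment language: the assignment rule of slide 18 with the PC label, tainting of both branches by an if0 guard, and the two treatments of the continuation k from slides 20 to 23, namely an ordinary continuation whose body inherits every caller's pc and a linear continuation whose body is checked at the pc of its definition. A small interpreter then runs the two-input noninterference check of slides 6 and 28. The tuple AST, the function names (typechecks, low_views_agree, cps) and the rule "linear body keeps its definition pc" are this example's own simplifications; the ordering property of ordered linear continuations is not modelled, and continuations are assumed to be defined at top level.

```python
LOW, HIGH = "L", "H"   # two-point lattice L ⊑ H (slide 10)

def join(a, b): return HIGH if HIGH in (a, b) else LOW
def leq(a, b): return a == LOW or b == HIGH

class IllegalFlow(Exception):
    """(pc ⊔ label(e)) ⊑ label(x) fails for some x := e."""

def label_of(expr, env):
    kind, val = expr   # ("var", name) or ("const", n); literals are public
    return env[val] if kind == "var" else LOW

def use_counts(stmts, k):
    """All possible numbers of calls to k along any path through stmts."""
    counts = {0}
    for s in stmts:
        if s[0] == "call" and s[1] == k:
            counts = {c + 1 for c in counts}
        elif s[0] == "if0":
            branch = use_counts(s[2], k) | use_counts(s[3], k)
            counts = {c + d for c in counts for d in branch}
    return counts

def check(stmts, env, pc, konts):
    """Check stmts under PC label pc; env maps each ref to its label.
    Continuation bodies are recorded in konts and checked by typechecks()."""
    for i, s in enumerate(stmts):
        op = s[0]
        if op == "assign":   # slide 18: (pc ⊔ r) ⊑ s
            _, x, e = s
            if not leq(join(pc, label_of(e, env)), env[x]):
                raise IllegalFlow(f"{x}:int{env[x]} assigned under pc:{pc}")
        elif op == "if0":   # the guard's label taints both branches
            _, e, then_b, else_b = s
            branch_pc = join(pc, label_of(e, env))
            check(then_b, env, branch_pc, konts)
            check(else_b, env, branch_pc, konts)
        elif op == "letk":   # let k = λ(). body  (scope: the rest of stmts)
            _, k, body, linear = s
            if linear and use_counts(stmts[i + 1:], k) != {1}:
                raise IllegalFlow(f"linear {k} must be called exactly once on every path")
            konts[k] = {"body": body, "linear": linear, "pc": pc}
        elif op == "call":
            kont = konts[s[1]]
            if not kont["linear"]:
                # ordinary continuation (slide 21): each caller's pc flows into its body
                kont["pc"] = join(kont["pc"], pc)
            # linear continuation (slide 23): the body keeps the pc of its definition
    return konts

def typechecks(prog, env):
    try:
        konts = check(prog, env, LOW, {})
        for kont in list(konts.values()):   # simplification: continuations defined at top level
            check(kont["body"], env, kont["pc"], konts)
        return True
    except IllegalFlow:
        return False

def eval_expr(expr, mem):
    kind, val = expr
    return mem[val] if kind == "var" else val

def run(stmts, mem, konts=None):
    """Reference interpreter; if0 takes the then-branch when the guard is 0."""
    konts = {} if konts is None else konts
    for s in stmts:
        if s[0] == "assign":
            mem[s[1]] = eval_expr(s[2], mem)
        elif s[0] == "if0":
            run(s[2] if eval_expr(s[1], mem) == 0 else s[3], mem, konts)
        elif s[0] == "letk":
            konts[s[1]] = s[2]
        elif s[0] == "call":
            run(konts[s[1]], mem, konts)
    return mem

def low_views_agree(prog, env, secret, values):
    """Noninterference test (slides 6, 28): vary only the H input, compare L-visible memory."""
    views = []
    for v in values:
        mem = {x: 0 for x in env}
        mem[secret] = v
        final = run(prog, mem)
        views.append({x: n for x, n in final.items() if env[x] == LOW})
    return all(view == views[0] for view in views)

# Constructed programs mirroring slides 11 and 20; labels x:intH, y:intH, z:intL.
ENV = {"x": HIGH, "y": HIGH, "z": LOW}
SOURCE = [("if0", ("var", "x"), [("assign", "y", ("const", 1))], [("assign", "y", ("const", 2))]),
          ("assign", "z", ("const", 3))]
LEAK = [("if0", ("var", "x"), [("assign", "z", ("const", 1))], [("assign", "z", ("const", 2))])]

def cps(linear):
    """Slide 20's translation: the code after the if becomes continuation k."""
    return [("letk", "k", [("assign", "z", ("const", 3))], linear),
            ("if0", ("var", "x"), [("assign", "y", ("const", 1)), ("call", "k")],
                                  [("assign", "y", ("const", 2)), ("call", "k")])]
```

With these definitions, typechecks(SOURCE, ENV) accepts the source program and typechecks(LEAK, ENV) rejects the implicit flow into z. The naive translation cps(linear=False) is rejected with z:intL and only accepted once z is relabelled intH, even though low_views_agree shows its runs are noninterferent, which is exactly the precision loss the slides describe; cps(linear=True) is accepted because the linear k is used exactly once on every path and its body is checked at the outer pc:L.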
Main Idea
• Use linear continuations to express the control-flow properties of the source language via types
• But...not quite enough
Order of Evaluation
• The order in which the continuations are invoked is also important!
• Can observe the order via side effects
• So...ordered linear continuations
What Are They?
• Linear continuations: First-class postdominators of control flow graph
• Ordered linear continuations: Encode the control stack
Target CPS Language
• Includes regular continuations and ordered linear continuations
• Careful manipulation of the context:
Γ | kn, …, k1 [pc] ⊢ e
The ordered list kn, …, k1 encodes the stack.
Noninterference
If x:H | · [L] ⊢ e : intL
and, for v1, v2 : H, (M, e{v1/x}) →* (M1, n1) and (M, e{v2/x}) →* (M2, n2),
then M1 ≈L M2 and n1 = n2.
Results
• Formalize ordered linear continuations in the type system
• Prove that the CPS language enjoys noninterference
– Proof hinges on the ordering property
– First proof for such a rich language
• Expressive enough as a target
Other Connections
• Linearity of control also plays a role in security-typed versions of the π-calculus. [Honda et al.]
• Linear control is interesting in its own right