Language-Based Information-Flow Security

1/16
Introduction Volpano, Rice Conclusion
Language-Based Information-Flow Security
Akram El-Korashy1
1Max Planck Institute for Informatics
December 14, 2015
IMPRS Research Seminar.
Based on Sabelfeld and Myers’ 2003 survey, and others.

2/16
Information-Flow motivational example
Assumption about programming language
Security-augmented types 1
Assume we have a programming language that is augmented
with “levels” for variable types that distinguish public
variables from secret variables, where public and secret here
are in the real-world sense, not the programming encapsulation
sense.
1
The idea was ﬁrst introduced by Volpano et. al.’s “A Sound Type System
for Secure Flow Analysis” in 1996, and Ørbaek’s “Trust in the λ-calculus” in
1995.

2/16
Assumption about programming language
Security-augmented types 1
Assume we have a programming language that is augmented
with “levels” for variable types that distinguish public
variables from secret variables, where public and secret here
are in the real-world sense, not the programming encapsulation
sense.
Goal is to enforce e.g., conﬁdentiality
We want the programming language’s type system to reject
precisely the programs that leak secrets.
1
The idea was ﬁrst introduced by Volpano et. al.’s “A Sound Type System
for Secure Flow Analysis” in 1996, and Ørbaek’s “Trust in the λ-calculus” in
1995.

3/16
Quiz
Does this program/process leak the secret?
Data: “s” //secret
Result: Run forever and output inﬁnite tokens
initialize x := 4;
while true do
initialize y := 0, mask := 11111111b;
while y < x do
if is_prime(y) and is_prime(x - y) then
reset mask;
end
update y := y + 1
end
output bitwise_and(mask, s);
update x := x + 2
end

3/16
Quiz - with security types
Does this program/process leak the secret?
Data: s //secret
initialize x := 4;
while true do
while y < x do
reset mask;
end
update y := y + 1
end
update x := x + 2
end

4/16
What is the use of augmented types?
Why Types?
Robin Milner’s slogan
Well-typed programs cannot “go wrong”.
Figure: c www.britannica.com - c Computer Laboratory, University of Cambridge.

4/16
What is the use of augmented types?
Why Types?
Robin Milner’s slogan
Well-typed programs cannot “go wrong”.
Figure: c www.britannica.com - c Computer Laboratory, University of Cambridge.
Build type semantics that incorporate security goals into the deﬁnition of type
safety. Informally, e.g., insecure programs shouldn’t be allowed to compile
successfully!

5/16
Type system, operational semantics, how to detect a ﬂow?
What are the rules that Volpano’s type system would enforce?
The hope is.. whatever rules we have, we can make a very
precise judgement on programs being secure or insecure.
//This program is secure. It never leaks any secret information.
Data: s //secret, x
Result: Compute magical count
initialize c1, c2, i := 0, 0, 0;
update s := s × x;
while i < s do
if s - (4 × i) = 1 or s - (4 × i) = 3 then
c1 := 1;
end
if s - (2 × i) = 0 then
c2 := 1;
end
update i :=i + 1
end
output c1 + c2;

6/16
Rules prohibit two kinds of ﬂow
Explicit Flow
Implicit Flow

6/16
Rules prohibit two kinds of ﬂow
Explicit Flow
public_var := secret_value
Implicit Flow
if secret_expression then public_var := some_value...
while secret_expression do public_var := some_value...

7/16
More formally.. Typing rules for expressions..
Figure: Typing rules for secure information ﬂow [Volpano1996]

8/16
and typing rules for commands..
Figure: Typing rules for secure information ﬂow [Volpano1996]

9/16
Provably sound
On the footprints of Milner..
All well-typed programs satisfy noninterference.

9/16
Provably sound
On the footprints of Milner..
All well-typed programs satisfy noninterference.
A program p guarantees noninterference means
For all pairs of variable states s1, s2,
IF s1 and s2 agree on public variables (but may differ on secret
ones),
THEN the states resulting from executing p on s1 and on s2
must also agree on public variables.

10/16
Complete?
Completeness
All programs that satisfy noninterference are well-typed.

10/16
Complete?
Completeness
This program is judged as unsafe, although it is indeed
secure
(if s = 1 then x := 1 else x := 0); x := 0

10/16
Complete?
Completeness
This program is judged as unsafe, although it is indeed
secure
(if s = 1 then x := 1 else x := 0); x := 0
Rice’s Theorem
Every non-trivial property of a computable partial function is
undecidable.

11/16
Computability theory refresher 1
Does program P halt on input I within 100 steps?
Can we write a general program that decides this property
about pairs (P, I)?

11/16
about pairs (P, I)?
Yes, we can! This is not the halting problem.

11/16
about pairs (P, I)?
Yes, we can! This is not the halting problem.
P is a program, i.e., a string. It is not a function.
A property of a computable function is only something that is
general to every program computing this function.

12/16
Property of a partial function vs. property of a program
computing it.
We can write 3 different programs that compute the Fibonacci
function. The fact that one computes ﬁb(n) in O(log n), O(n) or
O(2n) is irrelevant to the "properties of the Fibonacci function".

12/16
Property of a partial function vs. property of a program
computing it.
We can write 3 different programs that compute the Fibonacci
function. The fact that one computes ﬁb(n) in O(log n), O(n) or
O(2n) is irrelevant to the "properties of the Fibonacci function".
It’s a property of the program, not the mathematical function
that the program intends to represent!

12/16
Why then isn’t non-interference exempted from Rice’s
restriction?
It is a property on the memories, so it is program speciﬁc, right?

12/16
restriction?
Yes and no!

12/16
restriction?
Yes and no!
No, because we consider all public variables to be relevant
output, so they all contribute to the value of the function that the
program computes!

13/16
Moral is, we cannot be precise enough
If not because of undecidability, then at least because of yet
open-problems..

13/16
Moral is, we cannot be precise enough
If not because of undecidability, then at least because of yet
open-problems..
Answer to the Quiz: Goldbach’s conjecture
Data: s //secret
initialize x := 4;
while true do
while y < x do
reset mask;
end
update y := y + 1
end
update x := x + 2
end

14/16
Remarks
Abstract interpretation [Cousot et. al] is a powerful
methodology that can be used for soundness analysis.

14/16
Remarks
Other type systems that trace global ﬂows can give more
precise control-ﬂow analysis [Clark et. al].

14/16
Remarks
Integrity of “sensitive” variables is a security goal
achievable by information-ﬂow analysis in a way dual to
conﬁdentiality.

14/16
Remarks
Integrity of “sensitive” variables is a security goal
achievable by information-flow analysis in a way dual to
confidentiality.
Robust Declassification is a framework offering
relaxation to non-interference.
The intuition is “although the system may release information, an
attacker should have no control over what information is released”
[Myers et. al]

15/16
Remarks
Personalized Differential Privacy is one area in which
semantics of the query language can be used to guarantee
interesting properties.

15/16
Remarks
Personalized Differential Privacy is one area in which
semantics of the query language can be used to guarantee
interesting properties.
Jif is an implementation of a security-typed programming
language.

16/16
Questions?
Thank you!

Language-Based Information-Flow Security

Recommended

Recommended

More Related Content

Similar to Language-Based Information-Flow Security

Similar to Language-Based Information-Flow Security (20)

Recently uploaded

Recently uploaded (20)

Language-Based Information-Flow Security