A short survey talk on "Language-Based Information-Flow Security", based on Sabelfeld and Myers’ 2003 survey, and others.
Abstract:
Conventional security mechanisms such as access control and encryption do not directly address the enforcement of information-flow policies.
Semantics-based models are suitable for describing end-to-end policies such as noninterference and its extensions.
The talk is a survey based on the article by Sabelfeld et al. from 2003, and others.
The goal of the talk is to introduce the general idea of semantics-based security, discuss the computability-theoretic aspect, and show different security goals to which this model is applicable.
---
IMPRS Research Seminar presentation.
Max Planck Institute for Informatics
Saarbruecken
Germany
Introduction Volpano, Rice Conclusion
Language-Based Information-Flow Security
Akram El-Korashy1
1Max Planck Institute for Informatics
December 14, 2015
IMPRS Research Seminar.
Based on Sabelfeld and Myers’ 2003 survey, and others.
Information-Flow motivational example
Assumption about programming language
Security-augmented types [1]
Assume we have a programming language that is augmented with “levels” for variable types that distinguish public variables from secret variables, where public and secret here are in the real-world sense, not the programming-encapsulation sense.
Goal is to enforce, e.g., confidentiality
We want the programming language’s type system to reject precisely the programs that leak secrets.
[1] The idea was first introduced by Volpano et al.’s “A Sound Type System for Secure Flow Analysis” in 1996, and Ørbaek’s “Trust in the λ-calculus” in 1995.
Quiz
Does this program/process leak the secret?
Data: s //secret
Result: Run forever and output infinite tokens
initialize x := 4;
while true do
    initialize y := 0, mask := 11111111b;
    while y < x do
        if is_prime(y) and is_prime(x - y) then
            reset mask;
        end
        update y := y + 1
    end
    output bitwise_and(mask, s);
    update x := x + 2
end
What is the use of augmented types?
Why Types?
Robin Milner’s slogan: well-typed programs cannot “go wrong”.
Figure: © www.britannica.com; © Computer Laboratory, University of Cambridge.
Build type semantics that incorporate security goals into the definition of type safety. Informally, e.g., insecure programs shouldn’t be allowed to compile successfully!
Type system, operational semantics, how to detect a flow?
What are the rules that Volpano’s type system would enforce?
The hope is: whatever rules we have, we can make a very precise judgement on programs being secure or insecure.
//This program is secure. It never leaks any secret information.
Data: s //secret, x
Result: Compute magical count
initialize c1, c2, i := 0, 0, 0;
update s := s × x;
while i < s do
    if s - (4 × i) = 1 or s - (4 × i) = 3 then
        c1 := 1;
    end
    if s - (2 × i) = 0 then
        c2 := 1;
    end
    update i := i + 1
end
output c1 + c2;
Rules prohibit two kinds of flow
Explicit Flow
    public_var := secret_value
Implicit Flow
    if secret_expression then public_var := some_value ...
    while secret_expression do public_var := some_value ...
More formally: typing rules for expressions ...
Figure: Typing rules for secure information flow [Volpano1996]
... and typing rules for commands.
Figure: Typing rules for secure information flow [Volpano1996]
Provably sound
Following in Milner’s footsteps:
All well-typed programs satisfy noninterference.
A program p guarantees noninterference means:
For all pairs of variable states s1, s2,
IF s1 and s2 agree on public variables (but may differ on secret ones),
THEN the states resulting from executing p on s1 and on s2 must also agree on public variables.
Complete?
Completeness
All programs that satisfy noninterference are well-typed.
This program is judged as unsafe, although it is indeed secure:
    (if s = 1 then x := 1 else x := 0); x := 0
Rice’s Theorem
Every non-trivial property of a computable partial function is undecidable.
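The explicit/implicit-flow rules, the noninterference definition, and the incompleteness example above can all be exercised on one small checker. The following is an added example, not code from the talk or from Volpano et al.: a Volpano-style security type system for a tiny while-language, beside a brute-force check of the noninterference definition over a small domain of values. It assumes that s is the secret variable and x the public one (the convention the slides use without stating it), a two-point lattice L ⊑ H, and that "reset"-style non-termination is ignored (termination-insensitive). Run on the three programs from the slides, it reports that the explicit and the implicit flow are both rejected and both leak, while `(if s = 1 then x := 1 else x := 0); x := 0` is rejected by the type system even though the semantic check finds no difference in public output.

```python
# Added example, not code from the talk or from Volpano et al.: a Volpano-style security
# type system for a tiny while-language, beside a brute-force check of the noninterference
# definition over a small value domain. Programs are nested tuples:
#   expressions: int | variable name | ("+", e1, e2) | ("=", e1, e2)
#   commands: ("skip",) | (":=", var, e) | (";", c1, c2) | ("if", e, c1, c2) | ("while", e, c)
from itertools import product

LEVELS = {"L": 0, "H": 1}  # two-point lattice: public L below secret H

def lub(a, b):
    """Least upper bound (join) of two security levels."""
    return a if LEVELS[a] >= LEVELS[b] else b

def type_expr(e, env):
    """Level of an expression: the join of the levels of the variables it reads."""
    if isinstance(e, int):
        return "L"
    if isinstance(e, str):
        return env[e]
    _, e1, e2 = e
    return lub(type_expr(e1, env), type_expr(e2, env))

def well_typed(c, env, pc="L"):
    """Accept c under program-counter level pc. An explicit flow fails the assignment rule
    (secret expression into a public variable); an implicit flow fails because the guard's
    level is joined into pc, so public assignments under a secret guard are refused."""
    tag = c[0]
    if tag == "skip":
        return True
    if tag == ":=":
        return LEVELS[lub(pc, type_expr(c[2], env))] <= LEVELS[env[c[1]]]
    if tag == ";":
        return well_typed(c[1], env, pc) and well_typed(c[2], env, pc)
    if tag == "if":
        pc2 = lub(pc, type_expr(c[1], env))
        return well_typed(c[2], env, pc2) and well_typed(c[3], env, pc2)
    if tag == "while":
        return well_typed(c[2], env, lub(pc, type_expr(c[1], env)))
    raise ValueError(f"unknown command {tag!r}")

def eval_expr(e, st):
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return st[e]
    op, e1, e2 = e
    a, b = eval_expr(e1, st), eval_expr(e2, st)
    return a + b if op == "+" else int(a == b)

def run(c, st, fuel=1000):
    """Interpreter with a step budget; returns the final state, or None when the budget
    runs out (the program may diverge)."""
    st, budget = dict(st), [fuel]

    def go(c):
        budget[0] -= 1
        if budget[0] < 0:
            raise TimeoutError
        if c[0] == ":=":
            st[c[1]] = eval_expr(c[2], st)
        elif c[0] == ";":
            go(c[1])
            go(c[2])
        elif c[0] == "if":
            go(c[2] if eval_expr(c[1], st) else c[3])
        elif c[0] == "while":
            while eval_expr(c[1], st):
                go(c[2])

    try:
        go(c)
    except TimeoutError:
        return None
    return st

def noninterferent_on(c, env, domain=range(4)):
    """The slide's definition checked by brute force over `domain`: every pair of initial
    states agreeing on public variables must end in states agreeing on public variables.
    Runs that exhaust the budget are skipped (termination-insensitive)."""
    names = sorted(env)
    public = [v for v in names if env[v] == "L"]
    states = [dict(zip(names, vals)) for vals in product(domain, repeat=len(names))]
    for s1 in states:
        for s2 in states:
            if any(s1[v] != s2[v] for v in public):
                continue
            r1, r2 = run(c, s1), run(c, s2)
            if r1 is not None and r2 is not None and any(r1[v] != r2[v] for v in public):
                return False
    return True

ENV = {"s": "H", "x": "L"}  # assumption: s is the secret, x the public variable
EXPLICIT = (":=", "x", "s")                                      # public_var := secret_value
IMPLICIT = ("if", ("=", "s", 1), (":=", "x", 1), (":=", "x", 0))  # if secret then public := ...
OVERWRITTEN = (";", IMPLICIT, (":=", "x", 0))  # (if s = 1 then x := 1 else x := 0); x := 0

def verdicts():
    """Per program: (accepted by the type system, noninterferent on the bounded check)."""
    return {name: (well_typed(p, ENV), noninterferent_on(p, ENV)) for name, p in
            [("explicit", EXPLICIT), ("implicit", IMPLICIT), ("overwritten", OVERWRITTEN)]}

if __name__ == "__main__":
    for name, (typed, secure) in verdicts().items():
        print(f"{name:12} well-typed={typed!s:5} noninterferent={secure}")
```

The brute-force check is only an oracle over a finite domain and a step budget; it illustrates the definition, it does not decide noninterference, which is exactly the gap Rice’s theorem leaves open.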
Computability theory refresher 1
Does program P halt on input I within 100 steps?
Can we write a general program that decides this property about pairs (P, I)?
Yes, we can! This is not the halting problem.
P is a program, i.e., a string. It is not a function.
A property of a computable function is only something that is common to every program computing this function.
Computability theory refresher 2
Property of a partial function vs. property of a program computing it.
We can write 3 different programs that compute the Fibonacci function. The fact that one computes fib(n) in O(log n), O(n) or O(2^n) is irrelevant to the "properties of the Fibonacci function".
It’s a property of the program, not of the mathematical function that the program intends to represent!
Computability theory refresher 2
Why then isn’t non-interference exempted from Rice’s restriction?
It is a property on the memories, so it is program specific, right?
Yes and no!
No, because we consider all public variables to be relevant output, so they all contribute to the value of the function that the program computes!
The moral: we cannot be precise enough
If not because of undecidability, then at least because of still-open problems.
Answer to the Quiz: Goldbach’s conjecture
Data: s //secret
Result: Run forever and output infinite tokens
initialize x := 4;
while true do
    initialize y := 0, mask := 11111111b;
    while y < x do
        if is_prime(y) and is_prime(x - y) then
            reset mask;
        end
        update y := y + 1
    end
    output bitwise_and(mask, s);
    update x := x + 2
end
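Both the quiz program above and the “magical count” program from the typing-rules slide are semantically secure only because of a mathematical fact about their control flow, not because of anything a local typing rule could see. The following added example (not code from the talk) writes both out in Python and runs a bounded observational test: it feeds different secrets to each program and compares the public output. It assumes that `reset mask` means mask := 0, that the quiz program’s infinite loop is cut off after a chosen number of tokens, and that s and x are positive integers in the magical-count program. The `has_pair` parameter is an addition that lets one substitute a predicate for the inner prime search, to make visible what the output channel would carry if the conjecture failed for some even x.

```python
# Added example, not from the talk: the quiz (Goldbach) program and the "magical count"
# program in Python, with a bounded observational test of their public output.

def is_prime(n):
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def goldbach_tokens(s, count, has_pair=None):
    """First `count` output tokens of the quiz program for secret s.
    has_pair(x) stands for the inner loop's search for primes y and x - y; the default is
    that search, and a caller may pass another predicate to simulate an even number with
    no such pair. Assumption: "reset mask" means mask := 0 (the slide does not say)."""
    if has_pair is None:
        has_pair = lambda x: any(is_prime(y) and is_prime(x - y) for y in range(x))
    out, x = [], 4                      # initialize x := 4
    while len(out) < count:             # while true do (bounded here)
        mask = 0b11111111               # initialize mask := 11111111b
        if has_pair(x):
            mask = 0                    # reset mask
        out.append(mask & s)            # output bitwise_and(mask, s)
        x += 2                          # update x := x + 2
    return tuple(out)

def magical_count(s, x):
    """The program the talk labels secure; for positive s and x the result is constant."""
    c1 = c2 = 0
    s = s * x                           # update s := s × x
    for i in range(s):                  # while i < s do
        if s - 4 * i in (1, 3):         # s odd: hit once, at i = (s-1)/4 or (s-3)/4
            c1 = 1
        if s - 2 * i == 0:              # s even: hit once, at i = s/2
            c2 = 1
    return c1 + c2                      # output c1 + c2

def distinguishes(program, secrets):
    """Bounded observational test on the output channel: True when two secrets yield
    different public output. A False answer covers only the secrets and output prefix
    tested; for the quiz program a proof of 'never leaks' would settle Goldbach."""
    return len({program(s) for s in secrets}) > 1

if __name__ == "__main__":
    print("quiz, real search:     ", goldbach_tokens(0xAB, 8))
    print("quiz, simulated gap:   ", goldbach_tokens(0xAB, 8, has_pair=lambda x: x != 10))
    print("magical count for s=5: ", magical_count(5, 3))
```

Every token the real search produces is 0 as far as anyone has checked, so the test cannot distinguish secrets; swapping in a predicate that fails at one even number shows the channel would then carry the low eight bits of s. A security type system does not try to settle this: `output bitwise_and(mask, s)` reads a secret, so the program is rejected regardless.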
Remarks
Abstract interpretation [Cousot et al.] is a powerful methodology that can be used for soundness analysis.
Other type systems that trace global flows can give more precise control-flow analysis [Clark et al.].
Integrity of “sensitive” variables is a security goal achievable by information-flow analysis in a way dual to confidentiality.
Robust Declassification is a framework offering a relaxation of non-interference.
The intuition is “although the system may release information, an attacker should have no control over what information is released” [Myers et al.].
Remarks
Personalized Differential Privacy is one area in which semantics of the query language can be used to guarantee interesting properties.
Jif is an implementation of a security-typed programming language.