Developer Data Modeling Mistakes: From Postgres to NoSQL
Static-talk
1. Static semantics of secret channel
abstractions
Marco Giunti
Imperial College, May 15 2014
2. Abstractions for message-passing
• We study the secret channel abstraction for concurrent systems
communicating through message-passing (MP)
• We are interested in showing that the high-level abstraction can
be represented in a standard π-calculus by means of static typing
• Plan:
1. A language for secret message-passing
2. A type system for the π-calculus featuring static and dynamic
scope for channels
3. A semantics-preserving translation (API) of the language into
the typed π-calculus
3. Dynamic scope vs Security
• One of the main features of the π-calculus is dynamic scope for
channels
• Sending a restricted channels to the context allows to enlarge its
scope
(ν h)(h CreditCard | h(x).p h )
4. Dynamic scope vs Security
• One of the main features of the π-calculus is dynamic scope for
channels
• Sending a restricted channels to the context allows to enlarge its
scope
(ν h)(h CreditCard | h(x).p h )
• Two main security issues in disclosing restricted channels:
1. Reasoning on the knowledge of the context is complex
2. Cryptographic implementations of programs in open networks
suffer from the “forward secrecy problem”
net {CreditCard}h+ | net(y).decrypt y as{x}h−in net {h+
, h−
}p+
5. Hide and New in the pi calculus
• Based on this motivation in [GPV12] we introduced the secret
π-calculus
• Conservative extension of the (untyped) π-calculus obtained by
adding an hide construct:
[hide h][h CreditCard | h(x).p h ] h cannot be extruded
• Aim is confidentiality, obtained by restricting the access of the
object of communication
• Standard channels are accessible by the context:
(new h)(h CreditCard | h(x).p h ) h can be extruded
6. This talk: An API for secure MP
• We show that the hide construct can be translated in a typed
π-calculus enjoying a standard semantics
• Guideline: the source language must be “untyped’’, the security
type abstractions are inferred during the compilation
• Motivation: we want to make available the secret channel macro
without burdening programmers with the security mechanism
• Soundness result: if a source program is (compiled and
type-)checked then the context cannot receive a channel
protected by hide during the computation
7. Source language: basic types
• We consider basic types of the form below
D ::= (E, E) | bool E ::= ?D | !D
• End point ?D: unbounded input use to receive values of type D
• End point !D: unbounded output use to send values of type D
• Basic types allow to avoid runtime errors of the form:
x true | x(y).y(z)
8. Source language: basic types
• We consider basic types of the form below
D ::= (E, E) | bool E ::= ?D | !D
• End point ?D: unbounded input use to receive values of type D
• End point !D: unbounded output use to send values of type D
• Basic types allow to avoid runtime errors of the form:
x true | x(y).y(z)
• In the source language we decorate fresh variables with basic
types (simplifies translation, but it could be obtained by type
inference
9. Source language: processes
• The source language features two operators for creating channels
M ::= x(y).M | x v .M | M | N | if v then M else N |
!M | 0 | (new x: D)M | [hide x: D]M
• Channels created with new can be sent to the context
• Channels created with hide are only available locally
10. Source language: processes
• The source language features two operators for creating channels
M ::= x(y).M | x v .M | M | N | if v then M else N |
!M | 0 | (new x: D)M | [hide x: D]M
• Channels created with new can be sent to the context
• Channels created with hide are only available locally
• Example: a program sending a dynamic channel
(new y: (?bool, !bool))(x y ) | x(z).(z true | z(u).if u then 0 else 0)
11. Source language: processes
• The source language features two operators for creating channels
M ::= x(y).M | x v .M | M | N | if v then M else N |
!M | 0 | (new x: D)M | [hide x: D]M
• Channels created with new can be sent to the context
• Channels created with hide are only available locally
• Example: a program sending a standard channel
(new y: (?bool, !bool))(x y ) | x(z).(z true | z(u).if u then 0 else 0)
• Example: a program sending a secret channel
[hide y: (?bool, !bool)][x y | x(z)]
12. Target language: typed pi calculus
• Pi calculus types have the syntax:
T ::= (S, S) | bool S ::= m ?T | m !T
m ::= dyn | st
• We compile source programs into typed pi calculus processes
P ::= x v .P | x(y ÷ B).P | · · · | (ν x: T)P
• The input process is decorated with set of blocked types
• Dynamic semantics unaffected, blocked set used by typing system
x v .P | x(y ÷ B).Q → P | Q{v/x}
13. Toy example and translation
• Take a source program forwarding a channel protected by hide
M1 = (new x: D)[hide y: Ds][x y | x(w).z1 w ] | z2(u)
D = (?Ds, !Ds) Ds = (?bool, !bool)
14. Toy example and translation
• Take a source program forwarding a channel protected by hide
M1 = (new x: D)[hide y: Ds][x y | x(w).z1 w ] | z2(u)
D = (?Ds, !Ds) Ds = (?bool, !bool)
• The translation of M1 is:
[[M1]] = (ν x: T, y: Ts)(x y | x(w).z1 w ) | z2(u)
T = (dyn ?Td, dyn !Td) Ts = (st ?bool, st !bool)
Td = (dyn ?bool, dyn !bool)
15. Toy example and translation
• Take a source program forwarding a channel protected by hide
M1 = (new x: D)[hide y: Ds][x y | x(w).z1 w ] | z2(u)
D = (?Ds, !Ds) Ds = (?bool, !bool)
• The translation of M1 is:
[[M1]] = (ν x: T, y: Ts)(x y | x(w).z1 w ) | z2(u)
T = (dyn ?Td, dyn !Td) Ts = (st ?bool, st !bool)
Td = (dyn ?bool, dyn !bool)
• We type-check the program by upcasting the payload of x
16. Pi calculus: Type upcast in output
• We consider typing rules of the form
Γ P ∆ (dom(∆) = dom(Γ)
• ∆ on the right of the symbol is a return environment produced
by the type system that convey the actual use of channels
17. Pi calculus: Type upcast in output
• We consider typing rules of the form
Γ P ∆ (dom(∆) = dom(Γ)
• ∆ on the right of the symbol is a return environment produced
by the type system that convey the actual use of channels
• E.g. typing rule to upcast of the payload of x to static:
x: (dyn ?Ts, dyn !Ts), y: Ts 0 x: (dyn ?Ts, dyn !Ts), y: Ts
x: T, y: Ts x y x: (dyn ?Ts, dyn !Ts), y: Ts
T = (dyn?Td, dyn!Td) Ts = (st?bool, st!bool) Td = (dyn?bool, dyn!bool)
18. Blocked types in struct. congr.
• Scope of π-calculus channels can be opened through axioms ≡
• We account for this by abstracting block function in ≡
x(y ÷ B).P T = x(y ÷ B ∪ {T}).(P T)
(ν y: T)(P) | Q ≡ (ν y: T)(P | Q T) T static
19. Blocked types in struct. congr.
• Scope of π-calculus channels can be opened through axioms ≡
• We account for this by abstracting block function in ≡
x(y ÷ B).P T = x(y ÷ B ∪ {T}).(P T)
(ν y: T)(P) | Q ≡ (ν y: T)(P | Q T) T static
• To avoid clashes we register identifiers for types: T = (S1, S2)i
• Typing rules for input disallow to receive blocked types
20. Blocked types in struct. congr.
• Scope of π-calculus channels can be opened through axioms ≡
• We account for this by abstracting block function in ≡
x(y ÷ B).P T = x(y ÷ B ∪ {T}).(P T)
(ν y: T)(P) | Q ≡ (ν y: T)(P | Q T) T static
• To avoid clashes we register identifiers for types: T = (S1, S2)i
• Typing rules for input disallow to receive blocked types
• Example: forbidden upcast
x: (dyn ?T, dyn !T)∀, z : (dyn ?Ts, dyn !Ts)∀ x(y ÷ Ts).z y ∆
T = (dyn ?Td, dyn !Td)∀ Td = (dyn ?b, dyn !b)∀ Ts = (st ?b, st !b)1
21. Type-bulletting to the rescue
• To rule out attackers leaking a static channel we bullet the return
type of the output channel
z1 : (dyn ?Td, dyn !Td) (ν x: T, y: Ts)(x y | x(w).z1 w )
z1 : (•, dyn !Ts)
• Type identifiers allow to avoid clashes
22. Type-bulletting to the rescue
• To rule out attackers leaking a static channel we bullet the return
type of the output channel
z1 : (dyn ?Td, dyn !Td) (ν x: T, y: Ts)(x y | x(w).z1 w )
z1 : (•, dyn !Ts)
• Type identifiers allow to avoid clashes
• Composition with inputs z2 allowed only if z1 = z2:
[[M1]] = (ν x: T, y: Ts)(x y | x(w).z1 w ) | z2(u)
Γ, z1 : (dyn ?Td, dyn !Td) [[M1]] Γ, z1 : (•, dyn !Ts)
23. Type-bulletting to the rescue
• To rule out attackers leaking a static channel we bullet the return
type of the output channel
z1 : (dyn ?Td, dyn !Td) (ν x: T, y: Ts)(x y | x(w).z1 w )
z1 : (•, dyn !Ts)
• Type identifiers allow to avoid clashes
• Composition with inputs z2 allowed only if z1 = z2:
[[M1]] = (ν x: T, y: Ts)(x y | x(w).z1 w ) | z2(u)
Γ, z1 : (dyn ?Td, dyn !Td) [[M1]] Γ, z1 : (•, dyn !Ts) (z1 = z2)
• How? Exploit return environments!
24. Composing return environments
• Return contexts allow to rule out processes of the form
[[M1]] = (ν x: T, y: Ts)(x y | x(w).z w ) | z(u)
25. Composing return environments
• Return contexts allow to rule out processes of the form
[[M1]] = (ν x: T, y: Ts)(x y | x(w).z w ) | z(u)
• As seen, the left thread produces the return context z : (•, dyn !Ts)
26. Composing return environments
• Return contexts allow to rule out processes of the form
[[M1]] = (ν x: T, y: Ts)(x y | x(w).z w ) | z(u)
• As seen, the left thread produces the return context z : (•, dyn !Ts)
• Parallel composition allowed if partial binary operation ⊗ over
return contexts is defined:
Γ P1 ∆1 Γ P2 ∆2
Γ P1 | P2 ∆1 ⊗ ∆2
27. Composing return environments
• Return contexts allow to rule out processes of the form
[[M1]] = (ν x: T, y: Ts)(x y | x(w).z w ) | z(u)
• As seen, the left thread produces the return context z : (•, dyn !Ts)
• Parallel composition allowed if partial binary operation ⊗ over
return contexts is defined:
Γ P1 ∆1 Γ P2 ∆2
Γ P1 | P2 ∆1 ⊗ ∆2
• Process above rejected: ⊗ operator only allows to compose the
bullet with an end point not using the input (noted end)
• ⊗ S is undefined
28. Ruling out aliasing attacks
• Consider the variant below specified in the source language:
M2 = (new x: D)(p x | [hide y: Ds][x y ] | p(u).u(z)
[[M2]] = (ν x: T)(p x | (ν y: Ts)[x y ] | p(u).u(z)
D = (?Ds, !Ds) Ds = (?b, !b) T = (dyn ?Td, dyn !Td)∀ Ts = (st ?b, st !b)1
29. Ruling out aliasing attacks
• Consider the variant below specified in the source language:
M2 = (new x: D)(p x | [hide y: Ds][x y ] | p(u).u(z)
[[M2]] = (ν x: T)(p x | (ν y: Ts)[x y ] | p(u).u(z)
D = (?Ds, !Ds) Ds = (?b, !b) T = (dyn ?Td, dyn !Td)∀ Ts = (st ?b, st !b)1
• The rule for output enforces the type of x to do not change
p: Tp, x: T 0 p: Tp, x: T
p: Tp, x: T p x p: Tp, x: T
30. Ruling out aliasing attacks
• Consider the variant below specified in the source language:
M2 = (new x: D)(p x | [hide y: Ds][x y ] | p(u).u(z)
[[M2]] = (ν x: T)(p x | (ν y: Ts)[x y ] | p(u).u(z)
D = (?Ds, !Ds) Ds = (?b, !b) T = (dyn ?Td, dyn !Td)∀ Ts = (st ?b, st !b)1
• The rule for output enforces the type of x to do not change
p: Tp, x: T 0 p: Tp, x: T
p: Tp, x: T p x p: Tp, x: T
• Type checking fails because the context uses x at different type
Γ [[M2]] ∆
31. Ruling out aliasing attacks
• Consider the variant below specified in the source language:
M2 = (new x: D)(p x | [hide y: Ds][x y ] | p(u).u(z)
[[M2]] = (ν x: T)(p x | (ν y: Ts)[x y ] | p(u).u(z)
D = (?Ds, !Ds) Ds = (?b, !b) T = (dyn ?Td, dyn !Td)∀ Ts = (st ?b, st !b)1
• The rule for output enforces the type of x to do not change
p: Tp, x: T 0 p: Tp, x: T
p: Tp, x: T p x p: Tp, x: T
• Process M3 = (new x: D)(p x .[hide y: Ds][x y ]) also rejected
Γ [[M3]] ∆
32. Type system results
• Let Γ be a map to balanced types of the form (dyn ?T, dyn !T)∀,
Γ P ∆, and P →∗
(ν ˜y: T)(Q | R).
33. Type system results
• Let Γ be a map to balanced types of the form (dyn ?T, dyn !T)∀,
Γ P ∆, and P →∗
(ν ˜y: T)(Q | R).
• Error-freedom: Q is not of the form if x then Q1 else Q2, or
x v .Q1 | x(y).Q2 and Q2{v/y} undefined
34. Type system results
• Let Γ be a map to balanced types of the form (dyn ?T, dyn !T)∀,
Γ P ∆, and P →∗
(ν ˜y: T)(Q | R).
• Error-freedom: Q is not of the form if x then Q1 else Q2, or
x v .Q1 | x(y).Q2 and Q2{v/y} undefined
• Soundness: none of the following cases happen:
Q = (ν y: (st ?T, st !T)n)(x y .Q1 | Q2) | x(z ÷ B).Q3
35. Type system results
• Let Γ be a map to balanced types of the form (dyn ?T, dyn !T)∀,
Γ P ∆, and P →∗
(ν ˜y: T)(Q | R).
• Error-freedom: Q is not of the form if x then Q1 else Q2, or
x v .Q1 | x(y).Q2 and Q2{v/y} undefined
• Soundness: none of the following cases happen:
Q = (ν y: (st ?T, st !T)n)(x y .Q1 | Q2) | x(z ÷ B).Q3
Q = (ν y: (st?T, st!T)n)(x y .Q1 | Q2 | x(z÷B∪(st?T, st!T)n).Q3)
36. A semantics-preserving encoding
• The mapping[[·]] from the source language to typed π is:
[[?D]] = dyn?[[D]] [[!D]] = dyn?[[D]] [[(E, E)]] = ([[E]], [[E]])∀
[[[hide x: (?D, !D)]M]]Γ = (ν x: T)[[M]]Γ,x: T T = (st [[?D]], st [[!D]])n
[[(new x: (?D, !D))M]] = (ν x: T)[[M]]Γ T = (dyn[[?D]], dyn[[!D]])∀
[[x(y: B).M]]Γ = x(y: [[B]]Γ).[[M]]Γ
37. A semantics-preserving encoding
• The mapping[[·]] from the source language to typed π is:
[[?D]] = dyn?[[D]] [[!D]] = dyn?[[D]] [[(E, E)]] = ([[E]], [[E]])∀
[[[hide x: (?D, !D)]M]]Γ = (ν x: T)[[M]]Γ,x: T T = (st [[?D]], st [[!D]])n
[[(new x: (?D, !D))M]] = (ν x: T)[[M]]Γ T = (dyn[[?D]], dyn[[!D]])∀
[[x(y: B).M]]Γ = x(y: [[B]]Γ).[[M]]Γ
• Operational correspondence: secret π semantics:
x v .M | x(y ÷ B).N → M | N{v/y} (v ∈ B)
• Assume Γ, Γ1 [[M]]Γ ∆ with Γ weakly-balanced and P Γ.
1 If M → M then [[M]]Γ → [[M ]]Γ
2 If [[M]]Γ → Q then M → M and [[M ]]Γ = Q
38. Discussion
• Aim of this work: shift middleware support for secret channels
(cf. [GPV12]) to software support transparently
• Motivation is different for approaches that require programmers to
manage the security type abstractions
• Example: π-calculus with groups (CGG05)
Γ (new p: U)(P | (new G)(new x: G[])(p x ))
• Ill-typed since type U of public channel p ignores secret type G
• This work: infer “group” types and send secrets on “untyped” chan
Γ [[(new p: (?D, !D))(p (y) | [hide x: D](p x ))]] ∆ (p = p)
39. Discussion
• Structure of types leads to several extensions
• Read/write only modalities: (end, m !T), subtyping
• Linear and session types: (lin m ?T.S1, lin m!T.S2), Si behaviour
of continuation
• Algorithmic type-checking: return contexts allow refined analysis
• Typed behavioural equivalences to reason on processes
40. Thanks!
[CGG05 ] L. Cardelli, G. Ghelli, A.D. Gordon: Secrecy and group
creation. Inf. Comput. (2005)
[G14 ] M. Giunti. Static semantics of secret channel abstractions
(2014), tinyurl.com/n14-report
[GPV12 ] M. Giunti, C. Palamidessi, F. Valencia. Hide and New in the
Pi-Calculus. EXPRESS/SOS (2012)
[GV13 ] M. Giunti, V. Vasconcelos. Linearity, session types and the pi
calculus. Math. Struc. Comp. Sci., in press (2013)
[BG07 ] M. Bugliesi, M. Giunti.: Secure implementations of typed
channel abstractions. POPL (2007)