Successfully reported this slideshow.

Stateful Declassification Policies for Event-Driven Programs

0

Share

1 of 47
1 of 47

Stateful Declassification Policies for Event-Driven Programs

0

Share

Download to read offline

Presentation given at CSF 2014 on the paper "Stateful Declassification Policies for Event-Driven Programs". In essence we present declassification for Secure Multi Execution (SME).

Presentation given at CSF 2014 on the paper "Stateful Declassification Policies for Event-Driven Programs". In essence we present declassification for Secure Multi Execution (SME).

More Related Content

Related Books

Free with a 14 day trial from Scribd

See all

Stateful Declassification Policies for Event-Driven Programs

  1. 1. Stateful Declassification Policies for Event-Driven Programs M. Vanhoef, W. De Groef, D. Devriese, F. Piessens, T. Rezk CSF 2014
  2. 2. Observation “The browser is the new OS” 2
  3. 3. But… browser security? 3 XSS
  4. 4. Firefox: no protection 4 Previous work(s) offer protection against this!
  5. 5. What are we protecting? 5 Event-driven (reactive) programs:  All inputs to the program are events  Output is produced using API calls
  6. 6. What are we protecting? 6 Event-driven (reactive) programs:  All inputs to the program are events  Output is produced using API calls Public outputPrivate input
  7. 7. Currently: Noninterference 7 𝐼 ≈ 𝐿 𝐼′ → 𝑂 ≈ 𝐿 𝑂′ Equal after high input removed low output identical  Security levels: H (private) and L (public)  Enforce using Secure Multi Execution (SME)  Secure  Precise
  8. 8. Implemented in FlowFox 8 With proper policy, attack is blocked! Keys pressed, but request blocked
  9. 9. The problem… 9 Noninterference is too strict! Examples:  Leak only occurrence of key presses?  Leak specific shortcut keys only?  Leak approximate location (mouse, GPS)?
  10. 10. Example: online slideshow 10 Uses arrow keys to navigate:  We need declassification support!
  11. 11. Our Contributions 11 Declassification in untrusted programs  Policy specification  SME enforcement  Implementation in FlowFox
  12. 12. Policy specification  What does the policy define? “The info leaked public observers”  We consider two cases: 1. Leaking approximate information about one event 2. Leaking aggregate or statistical info over several events 12
  13. 13. Policy specification  How to formally specify both cases?  Using a functional, declarative program.  On each input, define the (new) public info. 13 Leaking over one event Leaking over several events (1) Event projection (2) Information release
  14. 14. 1. Event projection 14  Leaks info about one event (stateless): π ev n = Nothing | Project n′  Nothing : Event not visible to low observers  ev n′ : Low observers can depend on (ev n′) Other events project to Nothing
  15. 15. 1. Event projection 15  Leaks info about one event (stateless): π ev n = Nothing | Project n′  Generalizes security labels: Low event: 𝜋 𝑒𝑣 𝑛 = Project 𝑛 High event: 𝜋 𝑒𝑣 𝑛 = Nothing  And separation of content and presence: Only presence: 𝜋 𝑒𝑣 𝑛 = Project 0
  16. 16. 1. Event projection 16  Leaks info about one event (stateless): π ev n = Nothing | Project n′  Must be idempotent to guarantee precision: 𝜋(𝜋 𝑒𝑣 𝑛 ) = 𝜋(𝑒𝑣 𝑛) In line with the idea of removing sensitive info!
  17. 17. 2. Information release 17  Leaks info about multiple events (stateful): 𝑟 𝑠, 𝑒𝑣 𝑛 = 𝑠′ , Unchanged | Release 𝑛′  𝑠, 𝑠′: old and new state  Release 𝑛′: low observers can depend on 𝑛′  Unchanged: no new info released
  18. 18. 2. Information release 18  Leaks info about multiple events (stateful): 𝑟 𝑠, 𝑒𝑣 𝑛 = 𝑠′ , Unchanged | Release 𝑛′  Can specify type and initial value of the state: State :: Bool = False  Released value is put on a release channel  Enforcement mechanism can obtain latest released value
  19. 19. 2. Info release: example 19  Leak if shotcut key was used at least once  State :: Bool = False  Release function 𝑟:
  20. 20. Updated noninterference 20  Noninterference (old): 𝐼 ≈ 𝐿 𝐼′ → 𝑂 ≈ 𝐿 𝑂′  𝒟∗ 𝐼 = all info low observers can depend on according to policy 𝒟  Noninterference with declassification: 𝒟∗ 𝐼 = 𝒟∗ 𝐼′ → 𝑂 ≈ 𝐿 𝑂′ Equal according to policy 𝒟 Low outputs identical
  21. 21. Our Contributions 21 Declassification in untrusted programs  Policy specification  SME enforcement  Implementation in FlowFox
  22. 22. Secure Multi Execution (SME) Runs a copy for each security level: Low HighHigh Low Program (H) Program (L) 22
  23. 23. SME Example: high input Low run KeyPress ‘e’ High run 23
  24. 24. SME Example: high input Low run KeyPress ‘e’ High run 24
  25. 25. SME Example: high input Low run KeyPress ‘e’ High run 25
  26. 26. SME Example: low input Low run High run MouseClick 10 26
  27. 27. SME Example: low input Low run High run MouseClick 10 27
  28. 28. SME Example: low input Low run High run MouseClick 10 28
  29. 29. SME Example: low input Low run High run MouseClick 10 29
  30. 30. SME Example: low input Low run High run MouseClick 10 30
  31. 31. Declassification in SME? 31 Projections generalize security labellings! Low HighHigh Low Program (H) Program (L)
  32. 32. Declassification in SME? 32 Low High Input Program (H) 𝜋 Program (L) Projections generalize security labellings!
  33. 33. Declassification in SME? 33 Information release? Low High Input Program (H) 𝜋 Program (L)
  34. 34. Declassification in SME? 34 Information release? Low High Input Program (H) 𝜋 Program (L) SME state
  35. 35. Declassification in SME? 35 Information release? Low High Input Program (H) 𝜋 ? Program (L) SME state
  36. 36. Access to release channel 36  Using annotations  Important remarks:  Annotations are seen as untrusted, security does not depend on them (hence attacker cannot abuse them).  Only used to assure precision!  Idea: browser vendor sets default policies, motivating programmers to use annotates.
  37. 37. Declassification in SME 37 Properties:  Security: OK!  Precision for projections: OK!  Full precision more tedious:  Program must run under expected policy  All leaks should happen through annotations  Projections are powerful!
  38. 38. Our Contributions 38 Declassification in untrusted programs  Policy specification  SME enforcement  Implementation in FlowFox
  39. 39. Revealing Occurrence 39  Keylogger in chrome (no protection):
  40. 40. Revealing Occurrence 40  Keylogger in FlowFox (policy):
  41. 41. Revealing Occurrence 41  Keylogger in FlowFox (attack blocked):
  42. 42. Leak approximate info 42  Imagine mouse tracking software:
  43. 43. Leak approximate info 43  Imagine mouse tracking software:
  44. 44. Leak approximate info 44  Mouse tracking under FlowFox (policy):
  45. 45. Leak approximate info 45  Mouse tracking under FlowFox (high output):
  46. 46. Leak approximate info 46  Mouse tracking under FlowFox (low output):
  47. 47. Questions?

×