Stateful Declassification Policies for Event-Driven Programs
Presentation given at CSF 2014 on the paper "Stateful Declassification Policies for Event-Driven Programs". In essence we present declassification for Secure Multi Execution (SME).
  1. Stateful Declassification Policies for Event-Driven Programs. M. Vanhoef, W. De Groef, D. Devriese, F. Piessens, T. Rezk. CSF 2014.
  2. Observation: "The browser is the new OS"
  3. But... browser security? (figure: XSS)
  4. Firefox: no protection. Previous work(s) offer protection against this!
  5-6. What are we protecting? Event-driven (reactive) programs:
     - All inputs to the program are events
     - Output is produced using API calls
     (figure: private input flows into the program, public output leaves it)
  7. Currently: Noninterference
     $I \approx_L I' \rightarrow O \approx_L O'$
     (inputs equal after high input is removed implies low outputs identical)
     - Security levels: H (private) and L (public)
     - Enforce using Secure Multi Execution (SME)
     - Secure
     - Precise
  8. Implemented in FlowFox. With a proper policy, the attack is blocked! Keys pressed, but request blocked.
  9. The problem... Noninterference is too strict! Examples:
     - Leak only the occurrence of key presses?
     - Leak specific shortcut keys only?
     - Leak approximate location (mouse, GPS)?
  10. Example: online slideshow. Uses arrow keys to navigate:
     - We need declassification support!
  11. Our Contributions: Declassification in untrusted programs
     - Policy specification
     - SME enforcement
     - Implementation in FlowFox
  12. Policy specification
     - What does the policy define? "The info leaked to public observers"
     - We consider two cases:
       1. Leaking approximate information about one event
       2. Leaking aggregate or statistical info over several events
  13. Policy specification
     - How to formally specify both cases?
     - Using a functional, declarative program.
     - On each input, define the (new) public info.
     Leaking over one event: (1) Event projection. Leaking over several events: (2) Information release.
  14. 1. Event projection
     - Leaks info about one event (stateless): $\pi(ev\ n) = \mathrm{Nothing} \mid \mathrm{Project}\ n'$
     - Nothing: event not visible to low observers
     - Project n': low observers can depend on (ev n'); other events project to Nothing
  15. 1. Event projection
     - Leaks info about one event (stateless): $\pi(ev\ n) = \mathrm{Nothing} \mid \mathrm{Project}\ n'$
     - Generalizes security labels. Low event: $\pi(ev\ n) = \mathrm{Project}\ n$. High event: $\pi(ev\ n) = \mathrm{Nothing}$
     - And separation of content and presence. Only presence: $\pi(ev\ n) = \mathrm{Project}\ 0$
  16. 1. Event projection
     - Leaks info about one event (stateless): $\pi(ev\ n) = \mathrm{Nothing} \mid \mathrm{Project}\ n'$
     - Must be idempotent to guarantee precision: $\pi(\pi(ev\ n)) = \pi(ev\ n)$. In line with the idea of removing sensitive info!
  17. 2. Information release
     - Leaks info about multiple events (stateful): $r(s, ev\ n) = (s', \mathrm{Unchanged} \mid \mathrm{Release}\ n')$
     - $s, s'$: old and new state
     - Release n': low observers can depend on n'
     - Unchanged: no new info released
  18. 2. Information release
     - Leaks info about multiple events (stateful): $r(s, ev\ n) = (s', \mathrm{Unchanged} \mid \mathrm{Release}\ n')$
     - Can specify the type and initial value of the state: State :: Bool = False
     - The released value is put on a release channel
     - The enforcement mechanism can obtain the latest released value
  19. 2. Info release: example
     - Leak if a shortcut key was used at least once
     - State :: Bool = False
     - Release function r:
  20. Updated noninterference
     - Noninterference (old): $I \approx_L I' \rightarrow O \approx_L O'$
     - $\mathcal{D}^*(I)$ = all info low observers can depend on according to policy $\mathcal{D}$
     - Noninterference with declassification: $\mathcal{D}^*(I) = \mathcal{D}^*(I') \rightarrow O \approx_L O'$
       (inputs equal according to policy $\mathcal{D}$ implies low outputs identical)
  21. Our Contributions (outline slide repeated): Policy specification, SME enforcement, Implementation in FlowFox
  22. Secure Multi Execution (SME): runs a copy for each security level. (figure: low and high inputs feed Program (H) and Program (L))
  23-25. SME Example: high input. KeyPress 'e' (figure: low run, high run)
  26-30. SME Example: low input. MouseClick 10 (figure: low run, high run)
  31. Declassification in SME? Projections generalize security labellings! (figure: low and high inputs feed Program (H) and Program (L))
  32. Declassification in SME? Projections generalize security labellings! (figure: input feeds Program (H) directly and Program (L) through $\pi$)
  33. Declassification in SME? Information release? (figure: input feeds Program (H) directly and Program (L) through $\pi$)
  34. Declassification in SME? Information release? (figure: as before, with SME state added)
  35. Declassification in SME? Information release? (figure: as before, with SME state; how does Program (L) reach the released value?)
  36. Access to release channel
     - Using annotations
     - Important remarks:
       - Annotations are seen as untrusted; security does not depend on them (hence an attacker cannot abuse them).
       - Only used to assure precision!
       - Idea: browser vendor sets default policies, motivating programmers to use annotations.
  37. Declassification in SME. Properties:
     - Security: OK!
     - Precision for projections: OK!
     - Full precision more tedious:
       - Program must run under the expected policy
       - All leaks should happen through annotations
     - Projections are powerful!
  38. Our Contributions (outline slide repeated): Policy specification, SME enforcement, Implementation in FlowFox
  39. Revealing Occurrence: keylogger in Chrome (no protection) (figure)
  40. Revealing Occurrence: keylogger in FlowFox (policy) (figure)
  41. Revealing Occurrence: keylogger in FlowFox (attack blocked) (figure)
  42-43. Leak approximate info: imagine mouse tracking software (figure)
  44. Leak approximate info: mouse tracking under FlowFox (policy) (figure)
  45. Leak approximate info: mouse tracking under FlowFox (high output) (figure)
  46. Leak approximate info: mouse tracking under FlowFox (low output) (figure)
  47. Questions?
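As an added example that is not part of the slides or of FlowFox, the following Python simulation puts slides 14 to 20 and 22 to 36 together: a projection $\pi$ (presence only for key presses, approximate location for clicks), the stateful release function r of slide 19, the policy view $\mathcal{D}^*(I)$ of slide 20, and an SME-style enforcer that keeps the release state and exposes the latest released value on a channel. The shortcut key names, the `Paste` event and the `released` parameter (standing in for an annotation) are assumptions.

```python
"""Constructed simulation of the slides' policy model (not FlowFox code): an event
projection pi, a stateful release r, and an SME-style enforcer that runs the
page script twice and publishes only the low run's output."""

SHORTCUTS = {"ArrowLeft", "ArrowRight"}  # assumed slideshow navigation keys

def project(ev, n):
    """pi ev n: None stands for Nothing, any other value for Project n'."""
    if ev == "KeyPress":
        return 0                   # presence only: Project 0 (slide 15)
    if ev == "MouseClick":
        return (n // 100) * 100    # approximate location, idempotent (slide 16)
    if ev == "Paste":
        return None                # assumed fully private event: Nothing
    return n                       # remaining events are public: Project n

def release(state, ev, n):
    """r s (ev n) -> (s', None) for Unchanged, (s', n') for Release n'."""
    if ev == "KeyPress" and n in SHORTCUTS and not state:
        return True, True          # shortcut used at least once (slide 19)
    return state, None

def policy_view(events):
    """D*(I): the projections and releases low observers may depend on."""
    state, view = False, []
    for ev, n in events:
        state, rel = release(state, ev, n)
        view.append((project(ev, n), rel))
    return view

def keylogger(ev, n, released):
    """Constructed untrusted script; `released` models an annotation reading the channel."""
    if ev == "KeyPress":
        return [f"GET /log?key={n}"]
    if ev == "MouseClick":
        return [f"GET /track?x={n}"]
    return [f"GET /nav?shortcut_used={released}"]

def sme(program, events):
    """High run sees raw events, low run sees projections; only low output leaves."""
    state, channel, public = False, None, []
    for ev, n in events:
        state, rel = release(state, ev, n)
        if rel is not None:
            channel = rel          # latest released value on the channel
        program(ev, n, channel)    # high run; its public output is dropped
        p = project(ev, n)
        if p is not None:          # Nothing: event invisible to the low run
            public += program(ev, p, channel)
    return public
```

Two input streams with the same `policy_view` (same key-press occurrences, same rounded click positions, a shortcut used in both) produce identical public requests even though the keys typed, pasted text and exact coordinates differ; that is the slide 20 condition checked on concrete inputs.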