Stateful Declassification Policies
for Event-Driven Programs
M. Vanhoef, W. De Groef, D. Devriese, F. Piessens, T. Rezk
CSF 2014

Observation
“The browser is the new OS”
2

But… browser security?
3
XSS

Firefox: no protection
4
Previous work(s) offer protection against this!

What are we protecting?
5
Event-driven (reactive) programs:
 All inputs to the program are events
 Output is produced using API calls

What are we protecting?
6
Event-driven (reactive) programs:
 All inputs to the program are events
 Output is produced using API calls
Public outputPrivate input

Currently: Noninterference
7
𝐼 ≈ 𝐿 𝐼′ → 𝑂 ≈ 𝐿 𝑂′
Equal after high
input removed
low output identical
 Security levels: H (private) and L (public)
 Enforce using Secure Multi Execution (SME)
 Secure
 Precise

Implemented in FlowFox
8
With proper policy, attack is blocked!
Keys pressed, but request blocked

The problem…
9
Noninterference is too strict!
Examples:
 Leak only occurrence of key presses?
 Leak specific shortcut keys only?
 Leak approximate location (mouse, GPS)?

Example: online slideshow
10
Uses arrow keys to navigate:
 We need declassification support!

Our Contributions
11
Declassification in untrusted programs
 Policy specification
 SME enforcement
 Implementation in FlowFox

Policy specification
 What does the policy define?
“The info leaked public observers”
 We consider two cases:
1. Leaking approximate information about one event
2. Leaking aggregate or statistical info over several events
12

Policy specification
 How to formally specify both cases?
 Using a functional, declarative program.
 On each input, define the (new) public info.
13
Leaking over one event Leaking over several events
(1) Event projection (2) Information release

1. Event projection
14
 Leaks info about one event (stateless):
π ev n = Nothing | Project n′
 Nothing : Event not visible to low observers
 ev n′ : Low observers can depend on (ev n′)
Other events project to Nothing

1. Event projection
15
 Leaks info about one event (stateless):
π ev n = Nothing | Project n′
 Generalizes security labels:
Low event: 𝜋 𝑒𝑣 𝑛 = Project 𝑛
High event: 𝜋 𝑒𝑣 𝑛 = Nothing
 And separation of content and presence:
Only presence: 𝜋 𝑒𝑣 𝑛 = Project 0

1. Event projection
16
 Leaks info about one event (stateless):
π ev n = Nothing | Project n′
 Must be idempotent to guarantee precision:
𝜋(𝜋 𝑒𝑣 𝑛 ) = 𝜋(𝑒𝑣 𝑛)
In line with the idea of removing sensitive info!

2. Information release
17
 Leaks info about multiple events (stateful):
𝑟 𝑠, 𝑒𝑣 𝑛 = 𝑠′
, Unchanged | Release 𝑛′
 𝑠, 𝑠′: old and new state
 Release 𝑛′: low observers can depend on 𝑛′
 Unchanged: no new info released

2. Information release
18
 Leaks info about multiple events (stateful):
𝑟 𝑠, 𝑒𝑣 𝑛 = 𝑠′
, Unchanged | Release 𝑛′
 Can specify type and initial value of the state:
State :: Bool = False
 Released value is put on a release channel
 Enforcement mechanism can obtain latest released value

2. Info release: example
19
 Leak if shotcut key was used at least once
 State :: Bool = False
 Release function 𝑟:

Updated noninterference
20
 Noninterference (old):
𝐼 ≈ 𝐿 𝐼′ → 𝑂 ≈ 𝐿 𝑂′
 𝒟∗
𝐼 = all info low observers can depend
on according to policy 𝒟
 Noninterference with declassification:
𝒟∗
𝐼 = 𝒟∗
𝐼′
→ 𝑂 ≈ 𝐿 𝑂′
Equal according to policy 𝒟 Low outputs identical

Our Contributions
21
Declassification in untrusted programs
 Policy specification
 SME enforcement
 Implementation in FlowFox

Secure Multi Execution (SME)
Runs a copy for each security level:
Low
HighHigh
Low
Program (H)
Program (L)
22

SME Example: high input
Low run
KeyPress ‘e’
High run
23

SME Example: high input
Low run
KeyPress ‘e’
High run
24

SME Example: high input
Low run
KeyPress ‘e’
High run
25

SME Example: low input
Low run
High run
MouseClick 10
26

SME Example: low input
Low run
High run
MouseClick 10
27

SME Example: low input
Low run
High run
MouseClick 10
28

SME Example: low input
Low run
High run
MouseClick 10
29

SME Example: low input
Low run
High run
MouseClick 10
30

Declassification in SME?
31
Projections generalize security labellings!
Low
HighHigh
Low
Program (H)
Program (L)

Declassification in SME?
32
Low
High
Input
Program (H)
𝜋
Program (L)
Projections generalize security labellings!

Declassification in SME?
33
Information release?
Low
High
Input
Program (H)
𝜋
Program (L)

Declassification in SME?
34
Information release?
Low
High
Input
Program (H)
𝜋
Program (L)
SME state

Declassification in SME?
35
Information release?
Low
High
Input
Program (H)
𝜋
?
Program (L)
SME state

Access to release channel
36
 Using annotations
 Important remarks:
 Annotations are seen as untrusted, security does not
depend on them (hence attacker cannot abuse them).
 Only used to assure precision!
 Idea: browser vendor sets default policies,
motivating programmers to use annotates.

Declassification in SME
37
Properties:
 Security: OK!
 Precision for projections: OK!
 Full precision more tedious:
 Program must run under expected policy
 All leaks should happen through annotations
 Projections are powerful!

Our Contributions
38
Declassification in untrusted programs
 Policy specification
 SME enforcement
 Implementation in FlowFox

Revealing Occurrence
39
 Keylogger in chrome (no protection):

Revealing Occurrence
40
 Keylogger in FlowFox (policy):

Revealing Occurrence
41
 Keylogger in FlowFox (attack blocked):

Leak approximate info
42
 Imagine mouse tracking software:

Leak approximate info
43
 Imagine mouse tracking software:

Leak approximate info
44
 Mouse tracking under FlowFox (policy):

Leak approximate info
45
 Mouse tracking under FlowFox (high output):

Leak approximate info
46
 Mouse tracking under FlowFox (low output):

Questions?