03411 Abstracts Collection -- Language Based Security

From October 5th to 10th 2003,the Dagstuhl Seminar 03411 ``Language Based security\u27\u27 was held in the International Conference and Research Center (IBFI), Schloss Dagstuhl. During the seminar, several participants presented their current research, and ongoing work and open problems were discussed. Abstracts of the presentations given during the seminar are put together in this paper

On the Foundations of Practical Language-Based Security

Language-based information flow control (IFC) promises to provide programming languages and tools that make it easy for developers to write secure code. Traditionally,\ua0research in this field aims to build a variant on a programming language or system\ua0that lets developers write code that gives them strong guarantees beyond the potential\ua0memory- and type-safety guarantees of modern languages. However, two developments\ua0in the field challenge this paradigm. Firstly, backwards-compatible security enforcement\ua0without false alarms promises to retrofit security enforcement on code that was not written with the enforcement mechanism in mind. This has the potential to greatly increase\ua0the applicability of IFC enforcement to legacy and mobile code from untrusted sources.Secondly, library-based security, a technique by which IFC researchers provide a software\ua0library in an established language whose programming interface gives the same guarantees as a stand-alone IFC tool for developers to use promises to do away with specialized\ua0IFC languages. This technique also has the potential to increase the applicability of IFC\ua0enforcement as developers no longer need to adopt a whole new language to get securityguarantees.This thesis makes contributions to both these recent developments that come in two\ua0parts; the first part concerns enforcing secure information flow without introducing false\ua0alarms while the second part concerns the correctness of using libraries instead of fullyfledged IFC programming languages to write secure code.The first part of the thesis makes the following contributions:1. It unifies the existing literature, in the form of Secure Multi-Execution and MultipleFacets, on security enforcement without false alarms by introducing Faceted SecureMulti-Execution.2. It explores the unique optimisation challenges that appear in this setting. Specifically, mixing multi-execution and facets means that unnecessarily large facetedtrees give rise to unnecessary executions in multi-execution and vice verse. Thisthesis proposes optimisation strategies that can overcome this hurdle.3. It proves an exponential lower bound on black-box false-alarm-free enforcementand new possibility results for false-alarm-free enforcement of a variant of the noninterference security condition known as termination insensitive noninterference.4. It classifies the special cases of enforcement that is not subject to the aforementionedexponential lower bound. Specifically, this thesis shows how and why the choice ofsecurity lattice makes the difference between exponential, polynomial, and constantoverheads in multi-execution.In short, the first part of the thesis unifies the existing literature on false-alarm-freeIFC enforcement and presents a number of results on the performance of enforcementmechanisms of this kind.The second part of the thesis meanwhile makes the following contributions:1. It reduces the trusted computing base of security libraries by showing how to implement secure effects on top of an already secure core without incurring any newproof obligations.2. It shows how to simplify DCC, the core language in the literature, without losingexpressiveness.3. It proves that noninterference can be derived in a simple and straightforward wayfrom parametricity for both static and dynamic security libraries. This in turnreduces the conceptual gap between the kind of security libraries that are writtentoday and the proofs one can write to prove that the libraries ensure noninterference.In short, the second part of the thesis provides a new direction for thinking about thecorrectness of security libraries by both reducing the amount of trusted code and by introducing improved means of proving that a security library guarantees noninterference

From Formal Semantics to Verified Slicing : A Modular Framework with Applications in Language Based Security

This book presents a modular framework for slicing in the proof assistant Isabelle/HOL which is based on abstract control flow graphs. Building on such abstract structures renders the correctness results language-independent. To prove that they hold for a specific language, it remains to instantiate the framework with this language, which requires a formal semantics of this language in Isabelle/HOL. We show that formal semantics even for sophisticated high-level languages are realizable

More SPASS with Isabelle: superposition with hard sorts and configurable simplification

Sledgehammer for Isabelle/HOL integrates automatic theorem provers to discharge interactive proof obligations. This paper considers a tighter integration of the superposition prover SPASS to increase Sledgehammer’s success rate. The main enhancements are native support for hard sorts (simple types) in SPASS, simplification that honors the orientation of Isabelle simp rules, and a pair of clause-selection strategies targeted at large lemma libraries. The usefulness of this integration is confirmed by an evaluation on a vast benchmark suite and by a case study featuring a formalization of language-based security

Abstract interpretation-based approaches to Security - A Survey on Abstract Non-Interference and its Challenging Applications.

In this paper we provide a survey on the framework of abstract non-interference. In particular, we describe a general formalization of abstract non-interference by means of three dimensions (observation, protection and semantics) that can be instantiated in order to obtain well known or even new weakened non-interference properties. Then, we show that the notions of abstract non-interference introduced in language-based security are instances of this more general framework which allows to better understand the different components of a non-interference policy. Finally, we consider two challenging research fields concerning security where abstract non-interference seems a promising approach providing new perspectives and new solutions to open problems: Code injection and code obfuscation

The PER model of abstract non-interference

Abstract. In this paper, we study the relationship between two models of secure information flow: the PER model (which uses equivalence relations) and the abstract non-interference model (which uses upper closure operators). We embed the lattice of equivalence relations into the lattice of closures, re-interpreting abstract non-interference over the lattice of equivalence relations. For narrow abstract non-interference, we show non-interference it is strictly less general. The relational presentation of abstract non-interference leads to a simplified construction of the most concrete harmless attacker. Moreover, the PER model of abstract noninterference allows us to derive unconstrained attacker models, which do not necessarily either observe all public information or ignore all private information. Finally, we show how abstract domain completeness can be used for enforcing the PER model of abstract non-interference

The Transitivity of Trust Problem in the Interaction of Android Applications

Mobile phones have developed into complex platforms with large numbers of installed applications and a wide range of sensitive data. Application security policies limit the permissions of each installed application. As applications may interact, restricting single applications may create a false sense of security for the end users while data may still leave the mobile phone through other applications. Instead, the information flow needs to be policed for the composite system of applications in a transparent and usable manner. In this paper, we propose to employ static analysis based on the software architecture and focused data flow analysis to scalably detect information flows between components. Specifically, we aim to reveal transitivity of trust problems in multi-component mobile platforms. We demonstrate the feasibility of our approach with Android applications, although the generalization of the analysis to similar composition-based architectures, such as Service-oriented Architecture, can also be explored in the future

Preface

Overview of the contents of "Foundations of Software Science and Computational Structures: Selected papers from FOSSACS 2005