45 research outputs found
CommCSL: Proving Information Flow Security for Concurrent Programs using Abstract Commutativity
Information flow security ensures that the secret data manipulated by a
program does not influence its observable output. Proving information flow
security is especially challenging for concurrent programs, where operations on
secret data may influence the execution time of a thread and, thereby, the
interleaving between different threads. Such internal timing channels may
affect the observable outcome of a program even if an attacker does not observe
execution times. Existing verification techniques for information flow security
in concurrent programs attempt to prove that secret data does not influence the
relative timing of threads. However, these techniques are often restrictive
(for instance because they disallow branching on secret data) and make strong
assumptions about the execution platform (ignoring caching, processor
instructions with data-dependent runtime, and other common features that affect
execution time). In this paper, we present a novel verification technique for
secure information flow in concurrent programs that lifts these restrictions
and does not make any assumptions about timing behavior. The key idea is to
prove that all mutating operations performed on shared data commute, such that
different thread interleavings do not influence its final value. Crucially,
commutativity is required only for an abstraction of the shared data that
contains the information that will be leaked to a public output. Abstract
commutativity is satisfied by many more operations than standard commutativity,
which makes our technique widely applicable. We formalize our technique in
CommCSL, a relational concurrent separation logic with support for
commutativity-based reasoning, and prove its soundness in Isabelle/HOL. We
implemented CommCSL in HyperViper, an automated verifier based on the Viper
verification infrastructure, and demonstrate its ability to verify challenging
examples
HasTEE: Programming Trusted Execution Environments with Haskell
Trusted Execution Environments (TEEs) are hardware-enforced memory isolation
units, emerging as a pivotal security solution for security-critical
applications. TEEs, like Intel SGX and ARM TrustZone, allow the isolation of
confidential code and data within an untrusted host environment, such as the
cloud and IoT. Despite strong security guarantees, TEE adoption has been
hindered by an awkward programming model. This model requires manual
application partitioning and the use of error-prone, memory-unsafe, and
potentially information-leaking low-level C/C++ libraries.
We address the above with \textit{HasTEE}, a domain-specific language (DSL)
embedded in Haskell for programming TEE applications. HasTEE includes a port of
the GHC runtime for the Intel-SGX TEE. HasTEE uses Haskell's type system to
automatically partition an application and to enforce \textit{Information Flow
Control} on confidential data. The DSL, being embedded in Haskell, allows for
the usage of higher-order functions, monads, and a restricted set of I/O
operations to write any standard Haskell application. Contrary to previous
work, HasTEE is lightweight, simple, and is provided as a \emph{simple security
library}; thus avoiding any GHC modifications. We show the applicability of
HasTEE by implementing case studies on federated learning, an encrypted
password wallet, and a differentially-private data clean room.Comment: To appear in Haskell Symposium 202
Complexity and Unwinding for Intransitive Noninterference
The paper considers several definitions of information flow security for
intransitive policies from the point of view of the complexity of verifying
whether a finite-state system is secure. The results are as follows. Checking
(i) P-security (Goguen and Meseguer), (ii) IP-security (Haigh and Young), and
(iii) TA-security (van der Meyden) are all in PTIME, while checking TO-security
(van der Meyden) is undecidable, as is checking ITO-security (van der Meyden).
The most important ingredients in the proofs of the PTIME upper bounds are new
characterizations of the respective security notions, which also lead to new
unwinding proof techniques that are shown to be sound and complete for these
notions of security, and enable the algorithms to return simple
counter-examples demonstrating insecurity. Our results for IP-security improve
a previous doubly exponential bound of Hadj-Alouane et al
Beyond Over-Protection: A Targeted Approach to Spectre Mitigation and Performance Optimization
Since the advent of Spectre attacks, researchers and practitioners have
developed a range of hardware and software measures to counter transient
execution attacks. A prime example of such mitigation is speculative load
hardening in LLVM, which protects against leaks by tracking the speculation
state and masking values during misspeculation. LLVM relies on static analysis
to harden programs using slh that often results in over-protection, which
incurs performance overhead. We extended an existing side-channel model
validation framework, Scam-V, to check the vulnerability of programs to
Spectre-PHT attacks and optimize the protection of programs using the slh
approach. We illustrate the efficacy of Scam-V by first demonstrating that it
can automatically identify Spectre vulnerabilities in real programs, e.g.,
fragments of crypto-libraries. We then develop an optimization mechanism that
validates the necessity of slh hardening w.r.t. the target platform. Our
experiments showed that hardening introduced by LLVM in most cases could be
significantly improved when the underlying microarchitecture properties are
considered.Comment: The paper will appear in ACM AsiaCCS 202
Non-Interference with What-Declassification in Component-Based Systems
Component-based design is a method for modular design of systems. The structure of component-based systems follows specific rules and single components make assumptions on the environment that they run in. In this paper, we provide a noninterference property for component-based systems that allows for a precise specification of what-declassification of information and takes assumptions on the environment into consideration in order to allow a modular, precise and re-usable information-flow analysis. For precise analysis, components can be analyzed by separately analysing services provided by a component, and from our compositionality theorem non-interference of components follows
EDSL en Haskell para la programaci ́on segura respecto a la propiedad Delimited Release
La confidencialidad de la información manipulada por sistemas informáticos ha tomado mayor importancia con el uso creciente de aplicaciones a través de internet. Los mecanismos de seguridad tradicionales como control de acceso o criptografía no proveen protección punta a punta de los datos: funcionan eficientemente en limitar su acceso, pero no pueden hacer nada para evitar su propagación.
Para complementar estos mecanismos de seguridad, surgen las técnicas de control de flujo de información (IFC, Information-Flow Control), las cuales permiten establecer garantías sobre la confidencialidad e integridad de los datos. analizando cómo fluye la información dentro del programa.
En este contexto surgen políticas de confidencialidad que garantizan que la información confidencial no puede ser inferida a partir de los datos públicos. No-interferencia es un ejemplo de una política de seguridad. Lo interesante de esta propiedad es que puede ser chequeada de manera estática mediante un sistema de tipos, por lo tanto, cuando un programa tipa en ese sistema de tipos, significa que satisface la propiedad de seguridad. Para que los lenguajes de seguridad tengan utilidad práctica necesitamos mecanismos de desclasificación, en los cuales el flujo de información sea controlado y al mismo tiempo se permita liberar información confidencial a canales públicos, pero solo de manera permitida y controlada, la cual la propiedad de no-interferencia resulta ser demasiado restrictiva. Delimited Release es una propiedad de seguridad que garantiza que la desclasificación no puede ser usada para filtrar información de manera no deseada.
El objetivo de esta tesina es desarrollar un lenguaje de dominio específico embebido en Haskell para escribir
programas seguros respecto a la propiedad Delimited Release
Glass-Vault: A Generic Transparent Privacy-preserving Exposure Notification Analytics Platform
The highly transmissible COVID-19 disease is a serious threat
to people’s health and life. To automate tracing those who have been
in close physical contact with newly infected people and/or to analyse
tracing-related data, researchers have proposed various ad-hoc programs
that require being executed on users’ smartphones. Nevertheless, the existing solutions have two primary limitations: (1) lack of generality: for
each type of analytic task, a certain kind of data needs to be sent to an analyst; (2) lack of transparency: parties who provide data to an analyst are
not necessarily infected individuals; therefore, infected individuals’ data
can be shared with others (e.g., the analyst) without their fine-grained
and direct consent. In this work, we present Glass-Vault, a protocol that
addresses both limitations simultaneously. It allows an analyst to run
authorised programs over the collected data of infectious users, without
learning the input data. Glass-Vault relies on a new variant of generic
Functional Encryption that we propose in this work. This new variant,
called DD-Steel, offers these two additional properties: dynamic and decentralised. We illustrate the security of both Glass-Vault and DD-Steel
in the Universal Composability setting. Glass-Vault is the first UC-secure
protocol that allows analysing the data of Exposure Notification users in
a privacy-preserving manner. As a sample application, we indicate how
it can be used to generate “infection heatmaps”