A progress-sensitive flow-sensitive inlined information-flow control monitor (extended version)

We present a novel progress-sensitive, flow-sensitive hybrid information-flow control monitor for an imperative interactive language. Progress-sensitive information-flow control is a strong information security guarantee which ensures that a program's progress (or lack of) does not leak information. Flow-sensitivity means that this strong security guarantee is enforced fairly precisely: our monitor tracks information flow per variable and per program point. We illustrate our approach on an imperative interactive language. Our hybrid monitor is inlined: source programs are translated, by a type-based analysis, into a target language that supports dynamic security levels. A key benefit of this is that the resulting monitored program is amenable to standard optimization techniques such as partial evaluation. One of the distinguishing features of our hybrid monitor is that it uses sets of levels to track the different possible security types of variables. This feature allows us to distinguish outputs that never leak information from those that may leak information.Engineering and Applied Science

Retrofitting privacy controls to stock Android

Android ist nicht nur das beliebteste Betriebssystem für mobile Endgeräte, sondern auch ein ein attraktives Ziel für Angreifer. Um diesen zu begegnen, nutzt Androids Sicherheitskonzept App-Isolation und Zugangskontrolle zu kritischen Systemressourcen. Nutzer haben dabei aber nur wenige Optionen, App-Berechtigungen gemäß ihrer Bedürfnisse einzuschränken, sondern die Entwickler entscheiden über zu gewährende Berechtigungen. Androids Sicherheitsmodell kann zudem nicht durch Dritte angepasst werden, so dass Nutzer zum Schutz ihrer Privatsphäre auf die Gerätehersteller angewiesen sind. Diese Dissertation präsentiert einen Ansatz, Android mit umfassenden Privatsphäreeinstellungen nachzurüsten. Dabei geht es konkret um Techniken, die ohne Modifikationen des Betriebssystems oder Zugriff auf Root-Rechte auf regulären Android-Geräten eingesetzt werden können. Der erste Teil dieser Arbeit etabliert Techniken zur Durchsetzung von Sicherheitsrichtlinien für Apps mithilfe von inlined reference monitors. Dieser Ansatz wird durch eine neue Technik für dynamic method hook injection in Androids Java VM erweitert. Schließlich wird ein System eingeführt, das prozessbasierte privilege separation nutzt, um eine virtualisierte App-Umgebung zu schaffen, um auch komplexe Sicherheitsrichtlinien durchzusetzen. Eine systematische Evaluation unseres Ansatzes konnte seine praktische Anwendbarkeit nachweisen und mehr als eine Million Downloads unserer Lösung zeigen den Bedarf an praxisgerechten Werkzeugen zum Schutz der Privatsphäre.Android is the most popular operating system for mobile devices, making it a prime target for attackers. To counter these, Android’s security concept uses app isolation and access control to critical system resources. However, Android gives users only limited options to restrict app permissions according to their privacy preferences but instead lets developers dictate the permissions users must grant. Moreover, Android’s security model is not designed to be customizable by third-party developers, forcing users to rely on device manufacturers to address their privacy concerns. This thesis presents a line of work that retrofits comprehensive privacy controls to the Android OS to put the user back in charge of their device. It focuses on developing techniques that can be deployed to stock Android devices without firmware modifications or root privileges. The first part of this dissertation establishes fundamental policy enforcement on thirdparty apps using inlined reference monitors to enhance Android’s permission system. This approach is then refined by introducing a novel technique for dynamic method hook injection on Android’s Java VM. Finally, we present a system that leverages process-based privilege separation to provide a virtualized application environment that supports the enforcement of complex security policies. A systematic evaluation of our approach demonstrates its practical applicability, and over one million downloads of our solution confirm user demand for privacy-enhancing tools

ADsafety: Type-Based Verification of JavaScript Sandboxing

Web sites routinely incorporate JavaScript programs from several sources into a single page. These sources must be protected from one another, which requires robust sandboxing. The many entry-points of sandboxes and the subtleties of JavaScript demand robust verification of the actual sandbox source. We use a novel type system for JavaScript to encode and verify sandboxing properties. The resulting verifier is lightweight and efficient, and operates on actual source. We demonstrate the effectiveness of our technique by applying it to ADsafe, which revealed several bugs and other weaknesses.Comment: in Proceedings of the USENIX Security Symposium (2011

Enforcing information-flow policies by combining static and dynamic analyses

Tableau d'honneur de la Faculté des études supérieures et postdoctorales, 2018-2019Le contrôle de flot d’information est une approche prometteuse permettant aux utilisateurs decontrôler comment une application utilise leurs informations confidentielles. Il reste toutefois plusieurs défis à relever avant que cette approche ne puisse être utilisée par le grand public. Plus spécifiquement, il faut que ce soit efficace, facile à utiliser, que ça introduise peu de surcharge à l’exécution, et que ça fonctionne sur des applications et langages réels. Les contributions présentées dans cette thèse nous rapprochent de ces buts. Nous montrons qu’une combinaison d’analyse statique et dynamique permet d’augmenter l’efficacité d’un mécanisme de contrôle de flot d’information tout en minimisant la surcharge introduite. Notre méthode consiste en trois étapes : (1) à l’aide d’analyse statique, vérifier que le programme ne contient pas de fuites d’information évidentes; (2) instrumenter l’application (c.-à-d., insérer des commandes) pour prévenir les fuites d’information confidentielles à l’exécution; (3) évaluer partiellement le programme pour diminuer l’impact de l’instrumentation sur le temps d’exécution. Pour aider les utilisateurs à identifier les applications qui sont les plus susceptibles de faire fuirde l’information confidentielle (c.à.d., les applications malicieuses), nous avons développé un outil de détection de maliciel pour Android. Il a une précision de 94% et prend moins d’une seconde pour effectuer son analyse.Pour permettre aux utilisateurs de prioriser l’utilisation de ressources pour protéger l’information provenant de certaines sources, nous introduisons le concept defading labels. Pour permettre aux chercheurs de développer plus facilement et rapidement des mécanismes de contrôle de flot d’informations fiables, nous avons développé un outil permettant de générer automatiquement la spécification d’un mécanisme à partir de la spécification d’un langage de programmation. Pour permettre aux chercheurs de plus facilement communiquer leurs preuves écrites en Coq, nous avons développé un outil permettant de générer des versions en langue naturelle de preuves Coq.Information-flow control is a promising approach that enables users to track and control how applications use their sensitive information. However, there are still many challenges to be addressed before it can be used by mainstream users. Namely, it needs to be effective, easy to use, lightweight, and support real applications and languages. The contributions presented in this thesis aim to bring us closer to these goals. We show that a combination of static and dynamic analysis can increase the overall effectiveness of information-flow control without introducing too much overhead. Our method consists of three steps: (1) using static analysis, we verify that the program does not contain anyobvious information leaks; (2) we instrument the program to prevent less obvious leaks from occurring at runtime; (3) we partially evaluate the program to minimize the instrumentation’simpact on execution time. We present a static-based malware detection tool for Android that allows users to easily identify the applications that are most likely to leak sensitive information (i.e., maliciousapplications). It boasts an accuracy of 94% and takes less than a second to perform its analysis. We introduce the concept of fading-labels, which allows information-flow control mechanisms to prioritize the usage of resources to track information from certain sources. We present a tool that can, given a programming language’s specification, generate information-flow control mechanism specifications. This should allow researchers to more easily develop information-flow control mechanisms. Finally, we present a tool that can generate natural-language versions of Coq proofs so that researchers may more easily communicate their Coq proofs

Static Analysis for Efficient Hybrid Information-Flow Control

Hybrid information-flow monitors use a combination of static analysis and dynamic mechanisms to provide precise strong information security guarantees. However, unlike purely static mechanisms for information security, hybrid information-flow monitors incur run-time overhead. We show how static analyses can be used to make hybrid information-flow monitors more efficient, in two ways. First, a simple static analysis can determine when it is sound for a monitor to stop tracking the security level of certain variables. This potentially reduces run-time overhead of the monitor, particularly in applications where sensitive (i.e., confidential or untrusted) data is infrequently introduced to the system. Second, we derive sufficient conditions for soundly incorporating a wide range of memory abstractions into information-flow monitors. This allows the selection of a memory abstraction that gives an appropriate tradeoff between efficiency and precision. It also facilitates the development of innovative and sound memory abstractions that use run-time security information maintained by the monitor. We present and prove our results by extending the information-flow monitor of Russo and Sabelfeld (2010). These results bring us closer to efficient, sound, and precise enforcement of information security.Engineering and Applied Science

A Type System for Expressive Security Policies

{\em Certified code} is a general mechanism for enforcing security properties. In this paradigm, untrusted agent code carries annotations that allow a host to verify its trustworthiness. Before running the agent, the host checks the annotations and proves that they imply the host's security policy. Despite the flexibility of this scheme, so far, compilers that generate proof-carrying code have focused on simple memory and control-flow safety rather than more general security properties. {\em Security automata} can enforce an expressive collection of security policies including access control policies and resource bounds policies. In this paper, we show how to take specifications in the form of security automata and automatically transform them into signatures for a typed lambda calculus that will enforce the corresponding safety property. Moreover, we describe how to instrument typed source language programs with security checks and typing annotations so that the resulting programs are provably secure and can be mechanically checked. This work provides a foundation for the process of automatically generating secure certified code in a type-theoretic framework