Compositional and Scheduler-Independent Information Flow Security

Software pervades our society deeper with every year. This trend makes software security more and more important. For instance, software systems running critical infrastructures like power plants must withstand criminal or even terrorist attacks, but also smartphone apps used by consumers in their daily routine are usually expected to operate securely. In particular, before entrusting a program with confidential information (such as, e.g., image or audio data recorded by a smartphone), one wants to be sure that the program is trustworthy and does not leak the secrets to untrusted sinks (such as, e.g., an untrusted server on the Internet). Information flow properties characterize such confidentiality requirements by restricting the flow of confidential information, and an information flow analysis permits to check that a program respects those restrictions. The problem of information flow in multi-threaded programs is particularly challenging, because information flows can originate in subtle ways from the interplay between threads. Moreover, the existence of such information flows depends on the scheduler, which might not even be known when analyzing a program. To obtain high assurance that no leak is overlooked in an information flow analysis, formally well-founded analyses provide a rigorous solution. Such analyses are proven sound with respect to formal information flow properties that specify precisely what restrictions on information flow mean. In this thesis, we develop two novel information flow properties for multi-threaded programs, FSI-security and SIFUM-security. These properties are scheduler-independent, i.e., they characterize secure information flow for different schedulers simultaneously. Moreover, they are compositional, i.e., they permit to break down the analysis of a multi-threaded program to single threads. For both properties we develop a security analysis based on a security type system that is proven sound with respect to the property. Compared to existing scheduler-independent information flow properties, FSI-security is less restrictive. In particular, FSI-security is the first scheduler-independent information flow property that permits programs with nondeterministic behavior and programs whose control flow depends on secrets. The security analysis based on SIFUM-security is the first provably sound flow-sensitive information flow analysis for multi-threaded programs in the form of a security type system. Flow-sensitivity results in increased analysis precision by taking the order of program statements into account. The key in our development of SIFUM-security and the corresponding flow-sensitive analysis for multi-threaded programs was to adopt assumption-guarantee style reasoning to information flow security. We integrate FSI-security and SIFUM-security into the novel property FSIFUM-security, and we integrate the security analyses for FSI- and SIFUM-security into a security analysis for FSIFUM-security. Thereby, FSIFUM-security and the corresponding analysis inherit the advantages of both FSI- and SIFUM-security. In addition to developing novel type-based information flow analyses we also explore information flow analysis for multi-threaded programs with program dependence graphs (PDGs) which is used successfully to analyze sequential programs. To this end, we develop a formal connection between PDG-based and type-based information flow analysis for sequential programs. We exploit the connection to transfer concepts from our type-based analysis for multi-threaded programs to PDGs, resulting in a provably sound PDG-based information flow analysis for multi-threaded programs. Beyond this, we also use the connection to transfer concepts from PDGs to type systems and to precisely compare the precision of a type-based and a PDG-based information flow analysis. Our results provide foundations for more precise and more widely applicable information flow analysis for multi-threaded programs, and we hope that they contribute to a more wide-spread certification of information flow security for concurrent programs

Statically checking confidentiality via dynamic labels

This paper presents a new approach for verifying confidentiality for programs, based on abstract interpretation. The framework is formally developed and proved correct in the theorem prover PVS. We use dynamic labeling functions to abstractly interpret a simple programming language via modification of security levels of variables. Our approach is sound and compositional and results in an algorithm for statically checking confidentiality

Complexity and Unwinding for Intransitive Noninterference

The paper considers several definitions of information flow security for intransitive policies from the point of view of the complexity of verifying whether a finite-state system is secure. The results are as follows. Checking (i) P-security (Goguen and Meseguer), (ii) IP-security (Haigh and Young), and (iii) TA-security (van der Meyden) are all in PTIME, while checking TO-security (van der Meyden) is undecidable, as is checking ITO-security (van der Meyden). The most important ingredients in the proofs of the PTIME upper bounds are new characterizations of the respective security notions, which also lead to new unwinding proof techniques that are shown to be sound and complete for these notions of security, and enable the algorithms to return simple counter-examples demonstrating insecurity. Our results for IP-security improve a previous doubly exponential bound of Hadj-Alouane et al

Formal Verification of Security Protocol Implementations: A Survey

Automated formal verification of security protocols has been mostly focused on analyzing high-level abstract models which, however, are significantly different from real protocol implementations written in programming languages. Recently, some researchers have started investigating techniques that bring automated formal proofs closer to real implementations. This paper surveys these attempts, focusing on approaches that target the application code that implements protocol logic, rather than the libraries that implement cryptography. According to these approaches, libraries are assumed to correctly implement some models. The aim is to derive formal proofs that, under this assumption, give assurance about the application code that implements the protocol logic. The two main approaches of model extraction and code generation are presented, along with the main techniques adopted for each approac

Application of an Ultrasonic Sensor to Monitor Soil Erosion and Deposition

While erosion and deposition are naturally occurring processes, these processes can be accelerated by human influences. The acceleration of erosion causes damage to human assets and costs billions of dollars to mitigate. Monitoring erosion at high resolutions can provide researchers and managers the data necessary to help manage erosion. Current erosion monitoring methods tend to be invasive to the area, record low frequency measurements, have a narrow spatial range of measurement, or are very expensive. There is a need for an affordable monitoring system capable of monitoring erosion and deposition non-invasively at a high resolution. The objectives of this research were to (1) design and construct a non-invasive sediment monitoring system (SMS) using an ultrasonic sensor capable of monitoring erosion and deposition continuously, (2) test the system in the lab and field, (3) and determine the applications and limitations of the system. The ultrasonic sensor measures the time of reflectance of sound waves to calculate the distance to the area non-invasively. The SMS was tested in the lab to determine the extent to which the soil type, slope, surface topography, change in distance and vegetation impact the SMS’s ultrasonic sensor’s measurement. It was found that the soil type, slope and surface topography had little effect on the measurement, but the change in distance of the measurement and the introduction of vegetation impacted the measurement. The error in measurement increased as the sensing distance increased, and vegetation interferes with the measurement. In the field during high flows, as erosion and deposition occur, the changes in distance were determined in near real-time, allowing for the calculation of erosion and deposition quantities. The system was deployed to monitor deposition on sandy streambanks in the Nebraska Sandhills and erosion on a streambank and field plot in Lincoln, Nebraska. The system was proven successful in measuring sediment change during high flow events but yielded some error; ±1.06 mm in controlled lab settings and ±10.79 mm when subjected to environmental factors such as temperature, relative humidity and wind. Advisors: Aaron Mittelstet and Nancy Shan

Actor-network procedures: Modeling multi-factor authentication, device pairing, social interactions

As computation spreads from computers to networks of computers, and migrates into cyberspace, it ceases to be globally programmable, but it remains programmable indirectly: network computations cannot be controlled, but they can be steered by local constraints on network nodes. The tasks of "programming" global behaviors through local constraints belong to the area of security. The "program particles" that assure that a system of local interactions leads towards some desired global goals are called security protocols. As computation spreads beyond cyberspace, into physical and social spaces, new security tasks and problems arise. As networks are extended by physical sensors and controllers, including the humans, and interlaced with social networks, the engineering concepts and techniques of computer security blend with the social processes of security. These new connectors for computational and social software require a new "discipline of programming" of global behaviors through local constraints. Since the new discipline seems to be emerging from a combination of established models of security protocols with older methods of procedural programming, we use the name procedures for these new connectors, that generalize protocols. In the present paper we propose actor-networks as a formal model of computation in heterogenous networks of computers, humans and their devices; and we introduce Procedure Derivation Logic (PDL) as a framework for reasoning about security in actor-networks. On the way, we survey the guiding ideas of Protocol Derivation Logic (also PDL) that evolved through our work in security in last 10 years. Both formalisms are geared towards graphic reasoning and tool support. We illustrate their workings by analysing a popular form of two-factor authentication, and a multi-channel device pairing procedure, devised for this occasion.Comment: 32 pages, 12 figures, 3 tables; journal submission; extended references, added discussio