192 research outputs found
Verifying and Synthesizing Constant-Resource Implementations with Types
We propose a novel type system for verifying that programs correctly
implement constant-resource behavior. Our type system extends recent work on
automatic amortized resource analysis (AARA), a set of techniques that
automatically derive provable upper bounds on the resource consumption of
programs. We devise new techniques that build on the potential method to
achieve compositionality, precision, and automation.
A strict global requirement that a program always maintains constant resource
usage is too restrictive for most practical applications. It is sufficient to
require that the program's resource behavior remain constant with respect to an
attacker who is only allowed to observe part of the program's state and
behavior. To account for this, our type system incorporates information flow
tracking into its resource analysis. This allows our system to certify programs
that need to violate the constant-time requirement in certain cases, as long as
doing so does not leak confidential information to attackers. We formalize this
guarantee by defining a new notion of resource-aware noninterference, and prove
that our system enforces it.
Finally, we show how our type inference algorithm can be used to synthesize a
constant-time implementation from one that cannot be verified as secure,
effectively repairing insecure programs automatically. We also show how a
second novel AARA system that computes lower bounds on resource usage can be
used to derive quantitative bounds on the amount of information that a program
leaks through its resource use. We implemented each of these systems in
Resource Aware ML, and show that it can be applied to verify constant-time
behavior in a number of applications including encryption and decryption
routines, database queries, and other resource-aware functionality.Comment: 30, IEEE S&P 201
Information flow analysis for mobile code in dynamic security environments
With the growing amount of data handled by Internet-enabled
mobile devices, the task of preventing software from leaking
confidential information is becoming increasingly important. At
the same time, mobile applications are typically executed on
different devices whose users have varying requirements for the
privacy of their data. Users should be able to define their
personal information security settings, and they should get a
reliable assurance that the installed software respects these
settings. Language-based information flow security focuses on
the analysis of programs to determine information flows among
accessed data resources of different security levels, and to
verify and formally certify that these flows follow a given
policy. In the mobile code scenario, however, both the dynamic
aspect of the security environment and the fact that mobile
software is distributed as bytecode pose a challenge for existing
static analysis approaches. This thesis presents a
language-based mechanism to certify information flow security in
the presence of dynamic environments. An object-oriented
high-level language as well as a bytecode language are equipped
with facilities to inspect user-defined information flow security
settings at runtime. This way, the software developer can create
privacy-aware programs that can adapt their behaviour to
arbitrary security environments, a property that is formalized as
"universal noninterference". This property is statically
verified by an information flow type system that uses restrictive
forms of dependent types to judge abstractly on the concrete
security policy that is effective at runtime. To verify compiled
bytecode programs, a low-level version of the type system is
presented that works on an intermediate code representation in
which the original program structure is partially restored.
Rigorous soundness proofs and a type-preserving compilation
enable the generation of certified bytecode programs in the style
of proof-carrying code. To show the practical feasibility of the
approach, the system is implemented and demonstrated on a
concrete application scenario, where personal data are sent from
a mobile device to a server on the Internet
Principled Flow Tracking in IoT and Low-Level Applications
Significant fractions of our lives are spent digitally, connected to and dependent on Internet-based applications, be it through the Web, mobile, or IoT. All such applications have access to and are entrusted with private user data, such as location, photos, browsing habits, private feed from social networks, or bank details.In this thesis, we focus on IoT and Web(Assembly) apps. We demonstrate IoT apps to be vulnerable to attacks by malicious app makers who are able to bypass the sandboxing mechanisms enforced by the platform to stealthy exfiltrate user data. We further give examples of carefully crafted WebAssembly code abusing the semantics to leak user data.We are interested in applying language-based technologies to ensure application security due to the formal guarantees they provide. Such technologies analyze the underlying program and track how the information flows in an application, with the goal of either statically proving its security, or preventing insecurities from happening at runtime. As such, for protecting against the attacks on IoT apps, we develop both static and dynamic methods, while for securing WebAssembly apps we describe a hybrid approach, combining both.While language-based technologies provide strong security guarantees, they are still to see a widespread adoption outside the academic community where they emerged.In this direction, we outline six design principles to assist the developer in choosing the right security characterization and enforcement mechanism for their system.We further investigate the relative expressiveness of two static enforcement mechanisms which pursue fine- and coarse-grained approaches for tracking the flow of sensitive information in a system.\ua0Finally, we provide the developer with an automatic method for reducing the manual burden associated with some of the language-based enforcements
03411 Abstracts Collection -- Language Based Security
From October 5th to 10th 2003,the Dagstuhl Seminar 03411
``Language Based security\u27\u27 was held
in the International Conference and Research Center (IBFI), Schloss Dagstuhl.
During the seminar, several participants presented their current
research, and ongoing work and open problems were discussed. Abstracts of
the presentations given during the seminar are put together in this paper
Securing Cross-App Interactions in IoT Platforms
IoT platforms enable users connect various smart devices and online services via reactive apps running on the cloud. These apps, often developed by third-parties, perform simple computations on data triggered by external information sources and actuate the results of computation on external information sinks. Recent research shows that unintended or malicious interactions between the different (even benign) apps of a user can cause severe security and safety risks. These works leverage program analysis techniques to build tools for unveiling unexpected interference across apps for specific use cases. Despite these initial efforts, we are still lacking a semantic framework for understanding interactions between IoT apps. The question of what security policy cross-app interference embodies remains largely unexplored. This paper proposes a semantic framework capturing the essence of cross-app interactions in IoT platforms. The frame- work generalizes and connects syntactic enforcement mechanisms to bisimulation-based notions of security, thus providing a baseline for formulating soundness criteria of these enforcement mechanisms. Specifically, we present a calculus that models the behavioral semantics of a system of apps executing concurrently, and use it to define desirable semantic policies in the context security and safety of IoT apps. To demonstrate the usefulness of our framework, we define static mechanisms for enforcing cross- app security and safety, and prove them sound with respect to our semantic conditions. Finally, we leverage real-world apps to validate the practical benefits of our policy framework
STATIC ENFORCEMENT OF TERMINATION-SENSITIVE NONINTERFERENCE USING THE C++ TEMPLATE TYPE SYSTEM
A side channel is an observable attribute of program execution other than explicit communication, e.g., power usage, execution time, or page fault patterns. A side-channel attack occurs when a malicious adversary observes program secrets through a side channel. This dissertation introduces Covert C++, a library which uses template metaprogramming to superimpose a security-type system on top of C++’s existing type system. Covert C++ enforces an information-flow policy that prevents secret data from influencing program control flow and memory access patterns, thus obviating side-channel leaks. Formally, Covert C++ can facilitate an extended definition of the classical noninterference property, broadened to also cover the dynamic execution property of memory-trace obliviousness. This solution does not require any modifications to the compiler, linker, or C++ standard.
To verify that these security properties can be preserved by the compiler (i.e., by compiler optimizations), this dissertation introduces the Noninterference Verification Tool (NVT). The NVT employs a novel dynamic analysis technique which combines input fuzzing with dynamic memory tracing. Specifically, the NVT detects when secret data influences a program’s memory trace, i.e., the sequence of instruction fetches and data accesses. Moreover, the NVT signals when a program leaks secret data to a publicly-observable storage channel. The Covert C++ library and the NVT are two components of the broader Covert C++ toolchain. The toolchain also provides a collection of refactoring tools to interactively transform legacy C or C++ code into Covert C++ code. Finally, the dissertation introduces libOblivious, a library to facilitate high-performance memory-trace oblivious computation with Covert C++
Deductive verification of cryptographic software
We apply state-of-the art deductive verification tools to check security-relevant properties of cryptographic software, including safety, absence of error propagation, and correctness with respect to reference implementations. We also develop techniques to help us in our task, focusing on methods oriented towards increased levels of automation, in scenarios where there are clear obvious limits to such automation. These techniques allow us to integrate automatic proof tools with an interactive proof assistant, where the latter is used off-line to prove once-and-for-all fundamental lemmas about properties of programs. The techniques developed have independent interest for practical deductive verification in general.Fundação para a Ciência e a Tecnologia (FCT
- …