First-Order Logic for Flow-Limited Authorization

We present the Flow-Limited Authorization First-Order Logic (FLAFOL), a logic for reasoning about authorization decisions in the presence of information-flow policies. We formalize the FLAFOL proof system, characterize its proof-theoretic properties, and develop its security guarantees. In particular, FLAFOL is the first logic to provide a non-interference guarantee while supporting all connectives of first-order logic. Furthermore, this guarantee is the first to combine the notions of non-interference from both authorization logic and information-flow systems. All theorems in this paper are proven in Coq.Comment: Coq code can be found at https://github.com/FLAFOL/flafol-co

Cryptographically Secure Information Flow Control on Key-Value Stores

We present Clio, an information flow control (IFC) system that transparently incorporates cryptography to enforce confidentiality and integrity policies on untrusted storage. Clio insulates developers from explicitly manipulating keys and cryptographic primitives by leveraging the policy language of the IFC system to automatically use the appropriate keys and correct cryptographic operations. We prove that Clio is secure with a novel proof technique that is based on a proof style from cryptography together with standard programming languages results. We present a prototype Clio implementation and a case study that demonstrates Clio's practicality.Comment: Full version of conference paper appearing in CCS 201

On the Foundations of Practical Language-Based Security

Language-based information flow control (IFC) promises to provide programming languages and tools that make it easy for developers to write secure code. Traditionally,\ua0research in this field aims to build a variant on a programming language or system\ua0that lets developers write code that gives them strong guarantees beyond the potential\ua0memory- and type-safety guarantees of modern languages. However, two developments\ua0in the field challenge this paradigm. Firstly, backwards-compatible security enforcement\ua0without false alarms promises to retrofit security enforcement on code that was not written with the enforcement mechanism in mind. This has the potential to greatly increase\ua0the applicability of IFC enforcement to legacy and mobile code from untrusted sources.Secondly, library-based security, a technique by which IFC researchers provide a software\ua0library in an established language whose programming interface gives the same guarantees as a stand-alone IFC tool for developers to use promises to do away with specialized\ua0IFC languages. This technique also has the potential to increase the applicability of IFC\ua0enforcement as developers no longer need to adopt a whole new language to get securityguarantees.This thesis makes contributions to both these recent developments that come in two\ua0parts; the first part concerns enforcing secure information flow without introducing false\ua0alarms while the second part concerns the correctness of using libraries instead of fullyfledged IFC programming languages to write secure code.The first part of the thesis makes the following contributions:1. It unifies the existing literature, in the form of Secure Multi-Execution and MultipleFacets, on security enforcement without false alarms by introducing Faceted SecureMulti-Execution.2. It explores the unique optimisation challenges that appear in this setting. Specifically, mixing multi-execution and facets means that unnecessarily large facetedtrees give rise to unnecessary executions in multi-execution and vice verse. Thisthesis proposes optimisation strategies that can overcome this hurdle.3. It proves an exponential lower bound on black-box false-alarm-free enforcementand new possibility results for false-alarm-free enforcement of a variant of the noninterference security condition known as termination insensitive noninterference.4. It classifies the special cases of enforcement that is not subject to the aforementionedexponential lower bound. Specifically, this thesis shows how and why the choice ofsecurity lattice makes the difference between exponential, polynomial, and constantoverheads in multi-execution.In short, the first part of the thesis unifies the existing literature on false-alarm-freeIFC enforcement and presents a number of results on the performance of enforcementmechanisms of this kind.The second part of the thesis meanwhile makes the following contributions:1. It reduces the trusted computing base of security libraries by showing how to implement secure effects on top of an already secure core without incurring any newproof obligations.2. It shows how to simplify DCC, the core language in the literature, without losingexpressiveness.3. It proves that noninterference can be derived in a simple and straightforward wayfrom parametricity for both static and dynamic security libraries. This in turnreduces the conceptual gap between the kind of security libraries that are writtentoday and the proofs one can write to prove that the libraries ensure noninterference.In short, the second part of the thesis provides a new direction for thinking about thecorrectness of security libraries by both reducing the amount of trusted code and by introducing improved means of proving that a security library guarantees noninterference

LNCS.

Smart contracts are computer programs that are executed by a network of mutually distrusting agents, without the need of an external trusted authority. Smart contracts handle and transfer assets of considerable value (in the form of crypto-currency like Bitcoin). Hence, it is crucial that their implementation is bug-free. We identify the utility (or expected payoff) of interacting with such smart contracts as the basic and canonical quantitative property for such contracts. We present a framework for such quantitative analysis of smart contracts. Such a formal framework poses new and novel research challenges in programming languages, as it requires modeling of game-theoretic aspects to analyze incentives for deviation from honest behavior and modeling utilities which are not specified as standard temporal properties such as safety and termination. While game-theoretic incentives have been analyzed in the security community, their analysis has been restricted to the very special case of stateless games. However, to analyze smart contracts, stateful analysis is required as it must account for the different program states of the protocol. Our main contributions are as follows: we present (i)~a simplified programming language for smart contracts; (ii)~an automatic translation of the programs to state-based games; (iii)~an abstraction-refinement approach to solve such games; and (iv)~experimental results on real-world-inspired smart contracts

Nontransitive Policies Transpiled

Nontransitive Noninterference (NTNI) and Nontransitive Types (NTT) are a new security condition and enforcement for policies which, in contrast to Denning\u27s classical lattice model, assume no transitivity of the underlying flow relation. Nontransitive security policies are a natural fit for coarse-grained information-flow control where labels are specified at module rather than variable level of granularity.While the nontransitive and transitive policies pursue different goals and have different intuitions, this paper demonstrates that nontransitive noninterference can in fact be reduced to classical transitive noninterference. We develop a lattice encoding that establishes a precise relation between NTNI and classical noninterference. Our results make it possible to clearly position the new NTNI characterization with respect to the large body of work on noninterference. Further, we devise a lightweight program transformation that leverages standard flow-sensitive information-flow analyses to enforce nontransitive policies. We demonstrate several immediate benefits of our approach, both theoretical and practical. First, we improve the permissiveness over (while retaining the soundness of) the nonstandard NTT enforcement. Second, our results naturally generalize to a language with intermediate inputs and outputs. Finally, we demonstrate the practical benefits by utilizing state-of-the-art flow-sensitive tool JOANA to enforce nontransitive policies for Java programs