344 research outputs found
Generalizing Permissive-Upgrade in Dynamic Information Flow Analysis
Preventing implicit information flows by dynamic program analysis requires
coarse approximations that result in false positives, because a dynamic monitor
sees only the executed trace of the program. One widely deployed method is the
no-sensitive-upgrade check, which terminates a program whenever a variable's
taint is upgraded (made more sensitive) due to a control dependence on tainted
data. Although sound, this method is restrictive, e.g., it terminates the
program even if the upgraded variable is never used subsequently. To counter
this, Austin and Flanagan introduced the permissive-upgrade check, which allows
a variable upgrade due to control dependence, but marks the variable
"partially-leaked". The program is stopped later if it tries to use the
partially-leaked variable. Permissive-upgrade handles the dead-variable
assignment problem and remains sound. However, Austin and Flanagan develop
permissive-upgrade only for a two-point (low-high) security lattice and
indicate a generalization to pointwise products of such lattices. In this
paper, we develop a non-trivial and non-obvious generalization of
permissive-upgrade to arbitrary lattices. The key difficulty lies in finding a
suitable notion of partial leaks that is both sound and permissive and in
developing a suitable definition of memory equivalence that allows an inductive
proof of soundness
Information Flow Control in WebKit's JavaScript Bytecode
Websites today routinely combine JavaScript from multiple sources, both
trusted and untrusted. Hence, JavaScript security is of paramount importance. A
specific interesting problem is information flow control (IFC) for JavaScript.
In this paper, we develop, formalize and implement a dynamic IFC mechanism for
the JavaScript engine of a production Web browser (specifically, Safari's
WebKit engine). Our IFC mechanism works at the level of JavaScript bytecode and
hence leverages years of industrial effort on optimizing both the source to
bytecode compiler and the bytecode interpreter. We track both explicit and
implicit flows and observe only moderate overhead. Working with bytecode
results in new challenges including the extensive use of unstructured control
flow in bytecode (which complicates lowering of program context taints),
unstructured exceptions (which complicate the matter further) and the need to
make IFC analysis permissive. We explain how we address these challenges,
formally model the JavaScript bytecode semantics and our instrumentation, prove
the standard property of termination-insensitive non-interference, and present
experimental results on an optimized prototype
Practical dynamic information flow control
Over the years, computer systems and applications have grown significantly complex while handling a plethora of private and sensitive user information. The complexity of these applications is often assisted by a set of (un)intentional bugs with both malicious and non-malicious intent leading to information leaks. Information flow control has been studied extensively as an approach to mitigate such information leaks. The technique works by enforcing the security property of non-interference using a specified set of security policies. A vast majority of existing work in this area is based on static analyses. However, some of the applications, especially on the Web, are developed using dynamic languages like JavaScript that make the static analyses techniques stale and ineffective. As a result, there has been a growing interest in recent years to develop dynamic information flow analysis techniques. In spite of the advances in the field, dynamic information flow analysis has not been at the helm of information flow security in dynamic settings like the Web; the prime reason being that the analysis techniques and the security property related to them (non-interference) either over-approximate or are too restrictive in most cases. Concretely, the analysis techniques gen- erate a lot of false positives, do not allow legitimate release of sensitive information, support only static and rigid security policies or are not general enough to be applied to real-world applications. This thesis focuses on improving the usability of dynamic information flow techniques by presenting mechanisms that can enhance the precision and permissiveness of the analyses. It begins by presenting a sound improvement and enhancement of the permissive-upgrade strategy, a strategy widely used to enforce dynamic information flow control, which improves the strategy’s permissiveness and makes it generic in applicability. The thesis, then, presents a sound and precise control scope analysis for handling complex features like unstructured control flow and exceptions in higher-order languages. Although non-interference is a desired property for enforcing information flow control, there are program instances that require legitimate release of some parts of the secret data to provide the required functionality. Towards this end, this thesis develops a sound approach to bound information leaks dynamically while allowing information release in accordance to a pre-specified budget. The thesis concludes by applying these techniques to an information flow control-enabled Web browser and explores a policy specification mechanism that allows flexible and useful information flow policies to be specified for Web applications.Seit Jahren werden Computersysteme und -Anwendungen immer komplexer und verarbeiten eine Unmenge private und sensible Daten. Die Komplexität der Anwendungen trägt neben der Existenz von (un)gewollt eingefügten Software Fehlern zur Weitergabe dieser sensiblen Informationen bei. Information Flow Control (IFC, zu Deutsch Informations-Fluss-Analyse) Mechanismen sind Gegenstand intensiver Forschung um diesem Problem entgegen zu wirken. Grundsätzlich basieren diese Ansätze auf der Anwendung von vordefinierten Sicherheitsregeln, die die Unbeeinflussbarkeit (engl. non-interference) garantieren. Der überwiegende Teil dieser Techniken nutzt statische Analyse zur Erzeugung der Regeln. Dem gegenüber steht die Tatsache, dass Anwendun- gen, insbesondere im Bereich Web-Anwendungen, in dynamischen Sprachen wie JavaScript entwickelt werden, wodurch rein statische Analysen unzureichend sind. Dynamische Methoden auf der anderen Seite approximieren das Verhalten einer Anwendung und können daher die grundlegende non-interference nicht garantieren. Sie tendieren dazu besonders restriktive Regeln zu erzeugen, wodurch auch der rechtmäßige Zugriff auf Information verweigert wird. Beide Ansätze sind daher nicht zur Anwendung auf Systeme in der realen Welt geeignet. Das Ziel dieser Arbeit besteht darin die Benutzbarkeit von dynamischen IFC Mechanismen zu verbessern indem Techniken entwickelt werden, die die Genauigkeit und Toleranz steigern. Die Arbeit präsentiert eine korrekte (engl. ’sound’) Erweiterung der permissive-upgrade Strategie (eine Standardstrategie für dynamische IFC), die die Toleranz der Strategie verbessert und sie weithin anwendbar macht. Darüber hinaus präsentiere ich eine neue dynamische IFC Analyse, die auch komplexe Funktionen, wie unstruktierte Kontrollflüsse und Exceptions in Hochsprachen, abbildet. Obwohl Unbeeinflussbarkeit eine wünschenswerte Eigenschaft ist, gibt es Anwendungen, die rechtmäßigen Zugang zu sensiblen Daten benötigen um ihre Funktion zu erfüllen. Um dies zu ermöglichen präsentiert diese Arbeit einen Ansatz, der die ungewollte Weitergabe von Information quantifiziert und anhand eines vordefinierten Grenzwertes freigibt. Diese Techniken wurden in einen Web-Browser integriert, welcher es erlaubt die Definition von flexiblen und nützlichen Informations-flussregeln für Web Anwendungen umzusetzen.RS3 - DF
A Verified Information-Flow Architecture
SAFE is a clean-slate design for a highly secure computer system, with
pervasive mechanisms for tracking and limiting information flows. At the lowest
level, the SAFE hardware supports fine-grained programmable tags, with
efficient and flexible propagation and combination of tags as instructions are
executed. The operating system virtualizes these generic facilities to present
an information-flow abstract machine that allows user programs to label
sensitive data with rich confidentiality policies. We present a formal,
machine-checked model of the key hardware and software mechanisms used to
dynamically control information flow in SAFE and an end-to-end proof of
noninterference for this model.
We use a refinement proof methodology to propagate the noninterference
property of the abstract machine down to the concrete machine level. We use an
intermediate layer in the refinement chain that factors out the details of the
information-flow control policy and devise a code generator for compiling such
information-flow policies into low-level monitor code. Finally, we verify the
correctness of this generator using a dedicated Hoare logic that abstracts from
low-level machine instructions into a reusable set of verified structured code
generators
A Taxonomy of Information Flow Monitors
International audienceWe propose a rigorous comparison of information flow monitors with respect to two dimensions: soundness and transparency. For soundness, we notice that the standard information flow security definition called Termination-Insensitive Noninterference (TINI) allows the presence of termination channels, however it does not describe whether the termination channel was present in the original program, or it was added by a monitor. We propose a stronger notion of noninterference, that we call Termination-Aware Noninterference (TANI), that captures this fact, and thus allows us to better evaluate the security guarantees of different monitors. We further investigate TANI, and state its formal relations to other soundness guarantees of information flow monitors. For transparency, we identify different notions from the literature that aim at comparing the behaviour of monitors. We notice that one common notion used in the literature is not adequate since it identifies as better a monitor that accepts insecure executions, and hence may augment the knowledge of the attacker. To discriminate between monitors' behaviours on secure and insecure executions, we factorized two notions that we call true and false transparency. These notions allow us to compare monitors that were deemed to be incomparable in the past. We analyse five widely explored information flow monitors: no-sensitive-upgrade (NSU), permissive-upgrade (PU), hybrid monitor (HM), secure multi-execution (SME), and multiple facets (MF)
What are the Actual Flaws in Important Smart Contracts (and How Can We Find Them)?
An important problem in smart contract security is understanding the
likelihood and criticality of discovered, or potential, weaknesses in
contracts. In this paper we provide a summary of Ethereum smart contract audits
performed for 23 professional stakeholders, avoiding the common problem of
reporting issues mostly prevalent in low-quality contracts. These audits were
performed at a leading company in blockchain security, using both open-source
and proprietary tools, as well as human code analysis performed by professional
security engineers. We categorize 246 individual defects, making it possible to
compare the severity and frequency of different vulnerability types, compare
smart contract and non-smart contract flaws, and to estimate the efficacy of
automated vulnerability detection approaches
A Better Facet of Dynamic Information Flow Control
International audienceMultiple Facets (MF) is a dynamic enforcement mechanism which has proved to be a good fit for implementing information flow security for JavaScript. It relies on multi executing the program, once per each security level or view, to achieve soundness. By looking inside programs, MF encodes the views to reduce the number of needed multi-executions. In this work, we extend Multiple Facets in three directions. First, we propose a new version of MF for arbitrary lattices, called Gener-alised Multiple Facets, or GMF. GMF strictly generalizes MF, which was originally proposed for a specific lattice of principals. Second, we propose a new optimization on top of GMF that further reduces the number of executions. Third, we strengthen the security guarantees provided by Multiple Facets by proposing a termination sensitive version that eliminates covert channels due to termination
Service substitution : a behavioral approach based on Petri Nets
Service-Oriented Computing is an emerging computing paradigm that supports the modular design of (software) systems. Complex systems are designed by composing less complex systems, called services. Such a (complex) system is a distributed application often involving several cooperating enterprises. As a system usually changes over time, individual services will be substituted by other services. Substituting one service by another one should not affect the correctness of the overall system. Assuring correctness becomes particularly challenging, as the services rely on each other, and each of the involved enterprises only oversees a part of the overall system. In addition, services communicate asynchronously which makes the analysis even more difficult. For this reason, formal methods to support service substitution are indispensable. In this thesis, we study service substitution at the level of service models. Thereby we restrict ourselves to service behavior. As a formalism to model service behavior, we use Petri nets. The first contribution of this thesis is the definition of several substitutability criteria that are suitable in the context of Service-Oriented Computing. Substituting a service S by a service S0 should preserve some behavioral properties of the overall system. For each set of behavioral properties and a given service S, there exists a set of behaviorally compatible services for S. A substitutability criterion defines which of these behaviorally compatible services of S have to be preserved by S0. We relate our substitutability criteria to preorders and equivalences known from process theory. The second contribution of this thesis is to present, for each substitutability criterion, a procedure to decide whether a service S0 can substitute a service S. The decision requires the comparison of the in general infinite sets of behaviorally compatible services for the services S and S0. Hence, we extend existing work on an abstract representation of all behaviorally compatible services for a given service. For each notion of behavioral compatibility, we present an algorithmic solution to represent all behaviorally compatible services. Based on these representations, we can decide substitutability of a service S by a service S0. The third contribution of this thesis is a method to support the design of a service S0 that can substitute a service S according to a substitutability criterion. Our approach is to derive a service S0 from the service S by stepwise transformation. To this end, we present several transformation rules. Finally, we formalize and we extend the equivalence notion for services specified in the language WS-BPEL. That way, we demonstrate the applicability of our work
Nominal Abstraction
Recursive relational specifications are commonly used to describe the
computational structure of formal systems. Recent research in proof theory has
identified two features that facilitate direct, logic-based reasoning about
such descriptions: the interpretation of atomic judgments through recursive
definitions and an encoding of binding constructs via generic judgments.
However, logics encompassing these two features do not currently allow for the
definition of relations that embody dynamic aspects related to binding, a
capability needed in many reasoning tasks. We propose a new relation between
terms called nominal abstraction as a means for overcoming this deficiency. We
incorporate nominal abstraction into a rich logic also including definitions,
generic quantification, induction, and co-induction that we then prove to be
consistent. We present examples to show that this logic can provide elegant
treatments of binding contexts that appear in many proofs, such as those
establishing properties of typing calculi and of arbitrarily cascading
substitutions that play a role in reducibility arguments.Comment: To appear in the Journal of Information and Computatio
- …