Verification of Confidentiality of Multi-threaded Programs

An introduction of Slalom project: motivation, plans and some result

Dynamic IFC Theorems for Free!

We show that noninterference and transparency, the key soundness theorems for dynamic IFC libraries, can be obtained "for free", as direct consequences of the more general parametricity theorem of type abstraction. This allows us to give very short soundness proofs for dynamic IFC libraries such as faceted values and LIO. Our proofs stay short even when fully mechanized for Agda implementations of the libraries in terms of type abstraction.Comment: CSF 2021 final versio

Information Security as Strategic (In)effectivity

Security of information flow is commonly understood as preventing any information leakage, regardless of how grave or harmless consequences the leakage can have. In this work, we suggest that information security is not a goal in itself, but rather a means of preventing potential attackers from compromising the correct behavior of the system. To formalize this, we first show how two information flows can be compared by looking at the adversary's ability to harm the system. Then, we propose that the information flow in a system is effectively information-secure if it does not allow for more harm than its idealized variant based on the classical notion of noninterference

A Cut Principle for Information Flow

We view a distributed system as a graph of active locations with unidirectional channels between them, through which they pass messages. In this context, the graph structure of a system constrains the propagation of information through it. Suppose a set of channels is a cut set between an information source and a potential sink. We prove that, if there is no disclosure from the source to the cut set, then there can be no disclosure to the sink. We introduce a new formalization of partial disclosure, called *blur operators*, and show that the same cut property is preserved for disclosure to within a blur operator. This cut-blur property also implies a compositional principle, which ensures limited disclosure for a class of systems that differ only beyond the cut.Comment: 31 page

On the Foundations of Practical Language-Based Security

Language-based information flow control (IFC) promises to provide programming languages and tools that make it easy for developers to write secure code. Traditionally,\ua0research in this field aims to build a variant on a programming language or system\ua0that lets developers write code that gives them strong guarantees beyond the potential\ua0memory- and type-safety guarantees of modern languages. However, two developments\ua0in the field challenge this paradigm. Firstly, backwards-compatible security enforcement\ua0without false alarms promises to retrofit security enforcement on code that was not written with the enforcement mechanism in mind. This has the potential to greatly increase\ua0the applicability of IFC enforcement to legacy and mobile code from untrusted sources.Secondly, library-based security, a technique by which IFC researchers provide a software\ua0library in an established language whose programming interface gives the same guarantees as a stand-alone IFC tool for developers to use promises to do away with specialized\ua0IFC languages. This technique also has the potential to increase the applicability of IFC\ua0enforcement as developers no longer need to adopt a whole new language to get securityguarantees.This thesis makes contributions to both these recent developments that come in two\ua0parts; the first part concerns enforcing secure information flow without introducing false\ua0alarms while the second part concerns the correctness of using libraries instead of fullyfledged IFC programming languages to write secure code.The first part of the thesis makes the following contributions:1. It unifies the existing literature, in the form of Secure Multi-Execution and MultipleFacets, on security enforcement without false alarms by introducing Faceted SecureMulti-Execution.2. It explores the unique optimisation challenges that appear in this setting. Specifically, mixing multi-execution and facets means that unnecessarily large facetedtrees give rise to unnecessary executions in multi-execution and vice verse. Thisthesis proposes optimisation strategies that can overcome this hurdle.3. It proves an exponential lower bound on black-box false-alarm-free enforcementand new possibility results for false-alarm-free enforcement of a variant of the noninterference security condition known as termination insensitive noninterference.4. It classifies the special cases of enforcement that is not subject to the aforementionedexponential lower bound. Specifically, this thesis shows how and why the choice ofsecurity lattice makes the difference between exponential, polynomial, and constantoverheads in multi-execution.In short, the first part of the thesis unifies the existing literature on false-alarm-freeIFC enforcement and presents a number of results on the performance of enforcementmechanisms of this kind.The second part of the thesis meanwhile makes the following contributions:1. It reduces the trusted computing base of security libraries by showing how to implement secure effects on top of an already secure core without incurring any newproof obligations.2. It shows how to simplify DCC, the core language in the literature, without losingexpressiveness.3. It proves that noninterference can be derived in a simple and straightforward wayfrom parametricity for both static and dynamic security libraries. This in turnreduces the conceptual gap between the kind of security libraries that are writtentoday and the proofs one can write to prove that the libraries ensure noninterference.In short, the second part of the thesis provides a new direction for thinking about thecorrectness of security libraries by both reducing the amount of trusted code and by introducing improved means of proving that a security library guarantees noninterference

Generalizing Permissive-Upgrade in Dynamic Information Flow Analysis

Preventing implicit information flows by dynamic program analysis requires coarse approximations that result in false positives, because a dynamic monitor sees only the executed trace of the program. One widely deployed method is the no-sensitive-upgrade check, which terminates a program whenever a variable's taint is upgraded (made more sensitive) due to a control dependence on tainted data. Although sound, this method is restrictive, e.g., it terminates the program even if the upgraded variable is never used subsequently. To counter this, Austin and Flanagan introduced the permissive-upgrade check, which allows a variable upgrade due to control dependence, but marks the variable "partially-leaked". The program is stopped later if it tries to use the partially-leaked variable. Permissive-upgrade handles the dead-variable assignment problem and remains sound. However, Austin and Flanagan develop permissive-upgrade only for a two-point (low-high) security lattice and indicate a generalization to pointwise products of such lattices. In this paper, we develop a non-trivial and non-obvious generalization of permissive-upgrade to arbitrary lattices. The key difficulty lies in finding a suitable notion of partial leaks that is both sound and permissive and in developing a suitable definition of memory equivalence that allows an inductive proof of soundness