141 research outputs found
Scheduler-Independent Declassification
Abstract The controlled declassification of secrets has received much attention in research on information-flow security, though mostly for se-quential programming languages. In this article, we aim at guarantee-ing the security of concurrent programs. We propose the novel security property WHAT&WHERE that allows one to limit what information may be declassified where in a program. We show that our property provides adequate security guarantees independent of the scheduling al-gorithm (which is non-trivial due to the refinement paradox) and present a security type system that reliably enforces the property. In a second scheduler-independence result, we show that an earlier proposed security condition is adequate for the same range of schedulers. These are the first scheduler-independence results in the presence of declassification.
Plugging Side-Channel Leaks with Timing Information Flow Control
The cloud model's dependence on massive parallelism and resource sharing
exacerbates the security challenge of timing side-channels. Timing Information
Flow Control (TIFC) is a novel adaptation of IFC techniques that may offer a
way to reason about, and ultimately control, the flow of sensitive information
through systems via timing channels. With TIFC, objects such as files,
messages, and processes carry not just content labels describing the ownership
of the object's "bits," but also timing labels describing information contained
in timing events affecting the object, such as process creation/termination or
message reception. With two system design tools-deterministic execution and
pacing queues-TIFC enables the construction of "timing-hardened" cloud
infrastructure that permits statistical multiplexing, while aggregating and
rate-limiting timing information leakage between hosted computations.Comment: 5 pages, 3 figure
Shai: Enforcing Data-Specific Policies with Near-Zero Runtime Overhead
Data retrieval systems such as online search engines and online social
networks must comply with the privacy policies of personal and selectively
shared data items, regulatory policies regarding data retention and censorship,
and the provider's own policies regarding data use. Enforcing these policies is
difficult and error-prone. Systematic techniques to enforce policies are either
limited to type-based policies that apply uniformly to all data of the same
type, or incur significant runtime overhead.
This paper presents Shai, the first system that systematically enforces
data-specific policies with near-zero overhead in the common case. Shai's key
idea is to push as many policy checks as possible to an offline, ahead-of-time
analysis phase, often relying on predicted values of runtime parameters such as
the state of access control lists or connected users' attributes. Runtime
interception is used sparingly, only to verify these predictions and to make
any remaining policy checks. Our prototype implementation relies on efficient,
modern OS primitives for sandboxing and isolation. We present the design of
Shai and quantify its overheads on an experimental data indexing and search
pipeline based on the popular search engine Apache Lucene
Assumptions and guarantees for compositional noninterference
The idea of building secure systems by plugging together "secure" components is appealing, but this requires a definition of security which, in addition to taking care of top-level security goals, is strengthened appropriately in order to be compositional. This approach has been previously studied for information-flow security of shared-variable concurrent programs, but the price for compositionality is very high: a thread must be extremely pessimistic about what an environment might do with shared resources. This pessimism leads to many intuitively secure threads being labelled as insecure. Since in practice it is only meaningful to compose threads which follow an agreed protocol for data access, we take advantage of this to develop a more liberal compositional security condition. The idea is to give the security definition access to the intended pattern of data usage, as expressed by assumption-guarantee style conditions associated with each thread. We illustrate the improved precision by developing the first flow-sensitive security type system that provably enforces a noninterference-like property for concurrent programs. \ua9 2011 IEEE
Complexity Information Flow in a Multi-threaded Imperative Language
We propose a type system to analyze the time consumed by multi-threaded
imperative programs with a shared global memory, which delineates a class of
safe multi-threaded programs. We demonstrate that a safe multi-threaded program
runs in polynomial time if (i) it is strongly terminating wrt a
non-deterministic scheduling policy or (ii) it terminates wrt a deterministic
and quiet scheduling policy. As a consequence, we also characterize the set of
polynomial time functions. The type system presented is based on the
fundamental notion of data tiering, which is central in implicit computational
complexity. It regulates the information flow in a computation. This aspect is
interesting in that the type system bears a resemblance to typed based
information flow analysis and notions of non-interference. As far as we know,
this is the first characterization by a type system of polynomial time
multi-threaded programs
Principles of Security and Trust
This open access book constitutes the proceedings of the 8th International Conference on Principles of Security and Trust, POST 2019, which took place in Prague, Czech Republic, in April 2019, held as part of the European Joint Conference on Theory and Practice of Software, ETAPS 2019. The 10 papers presented in this volume were carefully reviewed and selected from 27 submissions. They deal with theoretical and foundational aspects of security and trust, including on new theoretical results, practical applications of existing foundational ideas, and innovative approaches stimulated by pressing practical problems
Slicing of Concurrent Programs and its Application to Information Flow Control
This thesis presents a practical technique for information flow control for concurrent programs with threads and shared-memory communication. The technique guarantees confidentiality of information with respect to a reasonable attacker model and utilizes program dependence
graphs (PDGs), a language-independent representation of information flow in a program
A Cut Principle for Information Flow
We view a distributed system as a graph of active locations with
unidirectional channels between them, through which they pass messages. In this
context, the graph structure of a system constrains the propagation of
information through it.
Suppose a set of channels is a cut set between an information source and a
potential sink. We prove that, if there is no disclosure from the source to the
cut set, then there can be no disclosure to the sink. We introduce a new
formalization of partial disclosure, called *blur operators*, and show that the
same cut property is preserved for disclosure to within a blur operator. This
cut-blur property also implies a compositional principle, which ensures limited
disclosure for a class of systems that differ only beyond the cut.Comment: 31 page
Introducing Asynchronicity to Probabilistic Hyperproperties
Probabilistic hyperproperties express probabilistic relations between
different executions of systems with uncertain behavior. HyperPCTL allows to
formalize such properties, where quantification over probabilistic schedulers
resolves potential non-determinism. In this paper we propose an extension named
AHyperPCTL to additionally introduce asynchronicity between the observed
executions by quantifying over stutter-schedulers, which may randomly decide to
delay scheduler decisions by idling. To our knowledge, this is the first
asynchronous extension of a probabilistic branching-time hyperlogic. We show
that AHyperPCTL can express interesting information-flow security policies, and
propose a model checking algorithm for a decidable fragment.Comment: to be published in the Proceedings of QEST 202
- âŠ