18 research outputs found
Statically checking confidentiality via dynamic labels
This paper presents a new approach for verifying confidentiality
for programs, based on abstract interpretation. The
framework is formally developed and proved correct in the
theorem prover PVS. We use dynamic labeling functions
to abstractly interpret a simple programming language via
modification of security levels of variables. Our approach
is sound and compositional and results in an algorithm for
statically checking confidentiality
Timing Aware Information Flow Security for a JavaCard-like Bytecode
AbstractCommon protection mechanisms fail to provide end-to-end security; programs with legitimate access to secret information are not prevented from leaking this to the world. Information-flow aware analyses track the flow of information through the program to prevent such leakages, but often ignore information flows through covert channels even though they pose a serious threat. A typical covert channel is to use the timing of certain events to carry information. We present a timing-aware information-flow type system for a low-level language similar to a non-trivial subset of a sequential Java bytecode. The type system is parameterized over the time model of the instructions of the language and over the algorithm enforcing low-observational equivalence, used in the prevention of implicit and timing flows
Output-sensitive Information flow analysis
Part 1: Full PapersInternational audienceConstant-time programming is a countermeasure to prevent cache based attacks where programs should not perform memory accesses that depend on secrets. In some cases this policy can be safely relaxed if one can prove that the program does not leak more information than the public outputs of the computation. We propose a novel approach for verifying constant-time programming based on a new information flow property, called output-sensitive non-interference. Noninterference states that a public observer cannot learn anything about the private data. Since real systems need to intentionally declassify some information, this property is too strong in practice. In order to take into account public outputs we proceed as follows: instead of using complex explicit declassification policies, we partition variables in three sets: input, output and leakage variables. Then, we propose a typing system to statically check that leakage variables do not leak more information about the secret inputs than the public normal output. The novelty of our approach is that we track the dependence of leakage variables with respect not only to the initial values of input variables (as in classical approaches for noninterference), but taking also into account the final values of output variables. We adapted this approach to LLVM IR and we developed a prototype to verify LLVM implementations
Verificación estática de confidencialidad en un sistema de múltiples niveles de seguridad basado en Java bytecode
Debido al incremento en la cantidad e importancia de la información manejada por sistemas informáticos, también se incrementa la importancia de controlar la difusión de información privada de los usuarios. Los mecanismos de control del acceso y las técnicas criptográficas aseguran que la información sólo es accedida por entidades autorizadas, pero resultan insuficientes puesto que una vez que la información es accedida no existe control sobre su distribución.
Extender el sistema de tipos de un lenguaje de programación agregando niveles de seguridad permite analizar estáticamente, antes de su ejecución, cómo un programa accede y utiliza la información confidencial. El creciente uso de código móvil –software obtenido de la red y ejecutado localmente, generalmente en Java bytecode– resalta la importancia de aplicar estos análisis de confidencialidad a lenguajes de bajo nivel.
En este proyecto desarrollaremos un sistema de tipos para Java bytecode extendido con información de seguridad e implementaremos un chequeador de tipos que verifique la confidencialidad de la información local accedida por código móvil. También estudiaremos la desclasificación controlada de información, a fin de incluir en nuestro análisis a programas que inevitablemente revelan información confidencial, por ejemplo, al responder negativamente ante una contraseña inválida.Eje: Nuevas Tecnologías en desarrollo de Sistemas de SoftwareRed de Universidades con Carreras en Informática (RedUNCI
Formalizing non-interference for a simple bytecode language in Coq
In this paper, we describe the application of the interactive theorem prover Coq to the security analysis of bytecode as used in Java. We provide a generic specification and proof of non-interference for bytecode languages using the Coq module system. We illustrate the use of this formalization by applying it to a small subset of Java bytecode. The emphasis of the paper is on modularity of a language formalization and its analysis in a machine proof
Output-sensitive Information flow analysis
Constant-time programming is a countermeasure to prevent cache based attacks
where programs should not perform memory accesses that depend on secrets. In
some cases this policy can be safely relaxed if one can prove that the program
does not leak more information than the public outputs of the computation. We
propose a novel approach for verifying constant-time programming based on a new
information flow property, called output-sensitive noninterference.
Noninterference states that a public observer cannot learn anything about the
private data. Since real systems need to intentionally declassify some
information, this property is too strong in practice. In order to take into
account public outputs we proceed as follows: instead of using complex explicit
declassification policies, we partition variables in three sets: input, output
and leakage variables. Then, we propose a typing system to statically check
that leakage variables do not leak more information about the secret inputs
than the public normal output. The novelty of our approach is that we track the
dependence of leakage variables with respect not only to the initial values of
input variables (as in classical approaches for noninterference), but taking
also into account the final values of output variables. We adapted this
approach to LLVM IR and we developed a prototype to verify LLVM
implementations