Beyond Over-Protection: A Targeted Approach to Spectre Mitigation and Performance Optimization

Since the advent of Spectre attacks, researchers and practitioners have developed a range of hardware and software measures to counter transient execution attacks. A prime example of such mitigation is speculative load hardening in LLVM, which protects against leaks by tracking the speculation state and masking values during misspeculation. LLVM relies on static analysis to harden programs using slh that often results in over-protection, which incurs performance overhead. We extended an existing side-channel model validation framework, Scam-V, to check the vulnerability of programs to Spectre-PHT attacks and optimize the protection of programs using the slh approach. We illustrate the efficacy of Scam-V by first demonstrating that it can automatically identify Spectre vulnerabilities in real programs, e.g., fragments of crypto-libraries. We then develop an optimization mechanism that validates the necessity of slh hardening w.r.t. the target platform. Our experiments showed that hardening introduced by LLVM in most cases could be significantly improved when the underlying microarchitecture properties are considered.Comment: The paper will appear in ACM AsiaCCS 202

A Case Study in Information Flow Refinement for Low Level Systems

In this work we employ information-flow-aware refinement to study security properties of a separation kernel. We focus on refinements that support changes in data representation and semantics, including the addition of state variables that may induce new observational power or side channels. We leverage an epistemic approach to ignorance-preserving refinement where an abstract model is used as a specification of a system's permitted information flows that may include the declassification of secret information. The core idea is to require that refinement steps must not induce observer knowledge that is not already available in the abstract model. In particular, we show that a simple key manager may cause information leakage via a refinement that includes cache and timing information. Finally, we show that deploying standard countermeasures against cache-based timing channels regains ignorance preservation

Confluence via strong normalisation in an algebraic \lambda-calculus with rewriting

The linear-algebraic lambda-calculus and the algebraic lambda-calculus are untyped lambda-calculi extended with arbitrary linear combinations of terms. The former presents the axioms of linear algebra in the form of a rewrite system, while the latter uses equalities. When given by rewrites, algebraic lambda-calculi are not confluent unless further restrictions are added. We provide a type system for the linear-algebraic lambda-calculus enforcing strong normalisation, which gives back confluence. The type system allows an abstract interpretation in System F.Comment: In Proceedings LSFA 2011, arXiv:1203.542

Securing concurrent programs with dynamic information-flow control

The work presented in this thesis focusses on dealing with timingcovert channels in dynamic information-flow control systems,particularly for the LIO library in Haskell.Timing channels are dangerous in the presence ofconcurrency. Therefore, we start with the design, formalisation andimplementation of a concurrent version of LIO which is secure againstthem. More specifically, we remove leaks due to non-terminatingbehaviour of programs (termination covert channel) and leaks producedby forcing certain interleavings of threads, as a result of affectingtheir timing behaviour (internal timing covert channel). The keyinsight is to decouple computations so that threads observing thetiming or termination behaviour of other threads are required to be atthe same confidentiality level. This work only deals with internaltiming that can be exploited through language-level operations. Wealso mitigate leaks that result from the precise measurement of thetiming of observable events (external timingcovert channel), e.g. by using a stopwatch.Timing channels can also be exploited through hardware-based sharedresources, such as the processor cache. This thesis presents acache-based attack on LIO that relies on timing perturbations to leaksensitive information through internal timing. To address thisproblem, we modify the Haskell runtime to support instruction-basedscheduling, a scheduling strategy that is indifferent to suchperturbations from underlying hardware components, such as the cache,TLB, and CPU buses. We show this scheduler is secure againstcache-based internal timing attacks for applications using a singleCPU. Additionally, we provide a purely language-based implementationof the instruction-based strategy for LIO, by means of a library. Weleverage the notion of resumptions, a restricted form ofcontinuations, to control the interleaving of threads, forcing eachthread to yield after every LIO operation. Due to the flexibility ofthis approach, we are able to support parallel computation in thelibrary, a novel feature in information-flow control tools.Finally, we present a new manifestation of internal timing in Haskell,by exploiting lazy evaluation to encode sensitive information astiming perturbations. We illustrate our claim with a concrete attackon LIO that relies on memoisation of shared thunks to leakinformation. We also propose a countermeasure based on restricting theimplicit sharing of values

Securing concurrent programs with dynamic information-flow control

The work presented in this thesis focusses on dealing with timingcovert channels in dynamic information-flow control systems,particularly for the LIO library in Haskell.Timing channels are dangerous in the presence ofconcurrency. Therefore, we start with the design, formalisation andimplementation of a concurrent version of LIO which is secure againstthem. More specifically, we remove leaks due to non-terminatingbehaviour of programs (termination covert channel) and leaks producedby forcing certain interleavings of threads, as a result of affectingtheir timing behaviour (internal timing covert channel). The keyinsight is to decouple computations so that threads observing thetiming or termination behaviour of other threads are required to be atthe same confidentiality level. This work only deals with internaltiming that can be exploited through language-level operations. Wealso mitigate leaks that result from the precise measurement of thetiming of observable events (external timingcovert channel), e.g. by using a stopwatch.Timing channels can also be exploited through hardware-based sharedresources, such as the processor cache. This thesis presents acache-based attack on LIO that relies on timing perturbations to leaksensitive information through internal timing. To address thisproblem, we modify the Haskell runtime to support instruction-basedscheduling, a scheduling strategy that is indifferent to suchperturbations from underlying hardware components, such as the cache,TLB, and CPU buses. We show this scheduler is secure againstcache-based internal timing attacks for applications using a singleCPU. Additionally, we provide a purely language-based implementationof the instruction-based strategy for LIO, by means of a library. Weleverage the notion of resumptions, a restricted form ofcontinuations, to control the interleaving of threads, forcing eachthread to yield after every LIO operation. Due to the flexibility ofthis approach, we are able to support parallel computation in thelibrary, a novel feature in information-flow control tools.Finally, we present a new manifestation of internal timing in Haskell,by exploiting lazy evaluation to encode sensitive information astiming perturbations. We illustrate our claim with a concrete attackon LIO that relies on memoisation of shared thunks to leakinformation. We also propose a countermeasure based on restricting theimplicit sharing of values

Securing functional programs with floating-label information-flow control

The work presented in this thesis focuses on information-flow control systems for functional programs, particularly on the LIO library in Haskell. The thesis considers three main aspects in this area: timing covert channels, dynamic policies and enforcement mechanisms that improve precision of the analysis. Timing channels are dangerous in the presence of concurrency. We start with the design, formalisation and implementation of a concurrent version of LIO which is secure against them. More specifically, we remove leaks due to non-terminating behaviour of programs (termination covert channel) and leaks produced by forcing certain interleavings of threads, as a result of affecting their timing behaviour (internal timing covert channel). The key insight is to decouple computations so that threads observing the timing or termination behaviour of other threads are required to be at the same confidentiality level. This work only deals with internal timing that can be exploited through language-level operations. We also mitigate leaks that result from the precise measurement of the timing of observable events (external timing covert channel), e.g. by using a stopwatch. In further work, we tackle leaks that result from hardware-based shared resources, such as the processor cache. This thesis presents a cache-based attack on LIO and proposes two solutions that rely on time-agnostic scheduling: the first one consists in a modification to the Haskell runtime and the other one is a purely language-based implementation. We also present a new manifestation of internal timing in Haskell, by exploiting lazy evaluation to encode sensitive information as timing perturbations. Dynamic policies arise when the set of allowed flows of information is permitted to change as the program runs. Declassification can be viewed as a special case of dynamic policies. This thesis introduces an extension to LIO which supports dynamic policies and can encode well-known label formats such as the DLM and DC labels. Moreover, we also present the notion of restricted privileges, giving principals the ability to restrict the ways in which their authority can be used in the system, and supporting robust declassification. We also add flow-sensitivity to LIO, which consists in the ability for the security labels of references to mutate, depending on the sensitivity of what is stored in them. Finally, we introduce a hybrid enforcement which mixes static and dynamic analyses. In particular, we leverage advanced type system features in Haskell to give the programmer control over which parts of the program are dynamically checked and which parts are statically checked. The core of this library is a general technique for deferring checking of type-class constraints to runtime which is applicable to other domains beyond language-based security

Securing functional programs with floating-label information-flow control

The work presented in this thesis focuses on information-flow control systems for functional programs, particularly on the LIO library in Haskell. The thesis considers threemain aspects in this area: timing covert channels, dynamic policies andenforcement mechanisms that improve precision of the analysis.Timing channels are dangerous in the presence ofconcurrency. We start with the design, formalisation andimplementation of a concurrent version of LIO which is secure againstthem. More specifically, we remove leaks due to non-terminatingbehaviour of programs (termination covert channel) and leaks producedby forcing certain interleavings of threads, as a result of affectingtheir timing behaviour (internal timing covert channel). The keyinsight is to decouple computations so that threads observing thetiming or termination behaviour of other threads are required to be atthe same confidentiality level. This work only deals with internaltiming that can be exploited through language-level operations.We also mitigate leaks that result from the precise measurement of thetiming of observable events (external timing covert channel), e.g. byusing a stopwatch. In further work, we tackle leaks that result fromhardware-based shared resources, such as the processor cache. Thisthesis presents a cache-based attack on LIO and proposes two solutionsthat rely on time-agnostic scheduling: the first one consists in amodification to the Haskell runtime and the other one is a purelylanguage-based implementation. We also present a new manifestation ofinternal timing in Haskell, by exploiting lazy evaluation to encodesensitive information as timing perturbations.Dynamic policies arise when the set of allowed flows of information ispermitted to change as the program runs. Declassification can beviewed as a special case of dynamic policies. This thesis introducesan extension to LIO which supports dynamic policies and can encodewell-known label formats such as the DLM and DC labels. Moreover, wealso present the notion of restricted privileges, giving principalsthe ability to restrict the ways in which their authority can be usedin the system, and supporting robust declassification.We also add flow-sensitivity to LIO, whichconsists in the ability for the security labels of references tomutate, depending on the sensitivity of what is stored in them.Finally, we introduce a hybrid enforcement which mixes staticand dynamic analyses. In particular, we leverage advanced type systemfeatures in Haskell to give the programmer control over which parts ofthe program are dynamically checked and which parts are staticallychecked. The core of this library is a general technique for deferringchecking of type-class constraints to runtime which is applicable toother domains beyond language-based security

Aproximando los escalares de un lambda-cálculo algebraico mediante cotas inferiores

El lambda-cálculo algebraico es un cálculo no tipado en el que se pueden realizar combinaciones lineales de términos, con aplicaciones a la computación probabilística, la computación paralela y la computación cuántica. La reducción en este cálculo está dada por un sistema de reescritura sujeto a varias restricciones que garantizan su confluencia. Existen varios sistemas de tipos para este cálculo, cada uno de los cuales representa un paso más en la dirección a un cálculo algebraico tipado general. En este trabajo, se presenta un sistema de tipos para el lambda-cálculo algebraico que se basa en la idea de aproximar los escalares que aparecen en los términos mediante cotas inferiores, reflejando esta información en los tipos. Se demuestra que este cálculo tiene subject reduction y normalización fuerte, y como corolario se obtiene una forma más sencilla de demostrar la confluencia del sistema de reescritura, eliminando las restricciones a la reducción de la versión no tipada.Fil: Buiras, Pablo. Tesista del Departamento de Ciencias de la Computación. Facultad de Ciencias Exactas, Ingeniería y Agrimensura. Universidad Nacional de Rosario; Argentina

Dynamic enforcement of dynamic policies

LIO is a dynamic information-flow control system embedded in Haskell that uses a runtime monitor to enforce noninterference. The monitor is written as a library, requiring no changes to the runtime. We propose to extend LIO with a state component, allowing us to enforce not only noninterference but also information-flow policies that change while the program is running