19 research outputs found

    An Information Flow Approach to Fault-Tolerant Security and Information Erasure

    Sensitive information is a crucial asset for both individuals and companies. Since it is processed in a largely automated way, it is important that the computational infrastructures are equipped with methods for reasoning about and enforcing security policies. Information flow security has been proposed for this purpose in many contexts. This thesis explores the applicability of information flow security to two novel scenarios. The first part of the thesis reasons about the confidentiality of sensitive data when systems are disrupted by environmental noise. We formalize a family of information flow security properties for this context, and investigate two strategies to enforce them. The strategies differ in their nature (program transformation vs. program analysis), in the assumption about the underlying hardware model (the amount of fault-tolerance provided by the system) and in the security property they guarantee. The second part of the thesis focuses on an important but less-studied aspect of security, namely information erasure. We want to make sure that programs dispose of sensitive data when it is no longer necessary. We reason about the problem from two perspectives. On the theoretical side we improve the information flow characterization of erasure by introducing a framework for expressing quantitative and conditional erasure policies. Also, we establish a model for the sensitive data provider, whose behavior determines whether erasure can be successfully performed or not. On the practical side we propose an enforcement mechanism (as a Python library) that allows programmers to enforce erasure policies with minor annotations of existing code.

    A user model for information erasure.

    Hunt and Sands (ESOP'08) studied a notion of information erasure for systems which receive secrets intended for limited-time use. Erasure demands that once a secret has fulfilled its purpose the subsequent behaviour of the system should reveal no information about the erased data. In this paper we address a shortcoming in that work: for erasure to be possible the user who provides data must also play his part, but previously that role was only specified informally. Here we provide a formal model of the user and a collection of requirements called erasure friendliness. We prove that an erasure-friendly user can be composed with an erasing system (in the sense of Hunt and Sands) to obtain a combined system which is jointly erasing in an appropriate sense. In doing so we identify stronger requirements on the user than those informally described in the previous work.

    Fault-resilient non-interference

    Environmental noise (e.g. heat, ionized particles, etc.) causes transient faults in hardware, which lead to corruption of stored values. Mission-critical devices require such faults to be mitigated by fault-tolerance: a combination of techniques that aim at preserving the functional behaviour of a system despite the disruptive effects of transient faults. Fault-tolerance typically has a high deployment cost (special hardware might be required to implement it) and provides weak statistical guarantees. It is also based on the assumption that faults are rare. In this paper, we consider scenarios where security, rather than functional correctness, is the main asset to be protected. Our main contribution is a theory for expressing confidentiality of data in the presence of transient faults. We show that the natural probabilistic definition of security in the presence of faults can be captured by a possibilistic definition. Furthermore, the possibilistic definition is implied by a known bisimulation-based property, called Strong Security. We illustrate the utility of these results for a simple RISC architecture for which only the code memory and program counter are assumed fault-tolerant. We present a type-directed compilation scheme that produces RISC code from a higher-level language for which Strong Security holds, i.e. well-typed programs compile to RISC code which is secure despite transient faults. In contrast with fault-tolerance solutions, our technique assumes relatively little special hardware, gives formal guarantees, and works in the presence of an active attacker who aggressively targets parts of a system and induces faults precisely.

    Fault-tolerant Non-interference

    This paper is about ensuring security in unreliable systems. We study systems which are subject to transient faults: soft errors that cause stored values to be corrupted. The classic problem of fault tolerance is to modify a system so that it works despite a limited number of faults. We introduce a novel variant of this problem. Instead of demanding that the system works despite faults, we simply require that it remains secure: wrong answers may be given but secrets will not be revealed. We develop a software-based technique to achieve this fault-tolerant non-interference property. The method is defined on a simple assembly language, and guarantees security for any assembly program provided as input. The security property is defined on top of a formal model that encompasses both the fault-prone machine and the faulty environment. A precise characterization of the class of programs for which the method guarantees transparency is provided.

    Implementing Erasure Policies Using Taint Analysis

    Security- or privacy-critical applications often require access to sensitive information in order to function. But in accordance with the principle of least privilege, or perhaps simply for legal compliance, such applications should not retain said information once it has served its purpose. In such scenarios, the timely disposal of data is known as an information erasure policy. This paper studies software-level information erasure policies for the data manipulated by programs. The paper presents a new approach to the enforcement of such policies. We adapt ideas from dynamic taint analysis to track how sensitive data sources propagate through a program and erase them on demand. The method is implemented for Python as a library, with no modifications to the runtime system. The library is easy to use, and allows programmers to indicate information-erasure policies with only minor modifications to their code.

    Mammalian glomus tumor: Contribution of nerve ultrasound

    Glomus tumor is an enigmatic tumor derived from proliferation of the normal capsular–neural glomus apparatus of the skin. This type of tumor is usually painful and may be solitary or multiple. Tenderness and cold hypersensitivity are other common symptoms with marked impairment of quality of life. It usually occurs in men from the fourth to the seventh decade. Localization of this tumor is highly variable, with major prevalence at subungual sites. The low frequency of glomus tumor and the heterogeneous presentation often delay diagnosis. An atypical anatomical site and the usually small size of the tumor may further complicate diagnosis. Nerve ultrasound (US) is considered an efficient tool for diagnosis of nerve diseases.

    Perioperative analgesia in the elderly

    The administration of analgesic drugs in elderly patients should take into account age-related physiological changes, loss of efficiency of homeostatic mechanisms, and pharmacological interactions with chronic therapies. Underestimation of pain in patients with impaired cognition is often linked to difficulties in pain assessment. In the preoperative phase, it is essential to assess the physical status, cognitive reserve, and previous chronic pain conditions to plan effective analgesia. Furthermore, an accurate pharmacological history of the patient must be collected to establish any possible interaction with the whole perioperative analgesic plan. The use of analgesic drugs with different mechanisms of action for pain relief in the intraoperative phase is a crucial step to achieve adequate postoperative pain control in older adults. The combined multimodal and opioid-sparing strategy is strongly recommended to reduce side effects. The use of various adjuvants is also preferable. Moreover, the implementation of non-pharmacological approaches may lead to faster recovery. High-quality postoperative analgesia in older patients can be achieved only with a collaborative interdisciplinary team. The aim of this review is to highlight the perioperative pain management strategies in the elderly with a special focus on intraoperative pharmacological interventions.