![Page 1: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/1.jpg)
CS 5430Information-Flow Policies
Elisavet Kozyri
Spring 2019
![Page 2: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/2.jpg)
2
![Page 3: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/3.jpg)
Restrictions on data
• Confidentiality
– Who is trusted with information.
• Integrity
– Who trusts the information.
• Depends on trusting past writers.
3
![Page 4: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/4.jpg)
Problem: Given restrictions on inputs, what are the restrictions on outputs?
4
ProgramInputs Outputs
?
?
![Page 5: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/5.jpg)
1st solution
5
ProgramInputs Outputs
• Manual assignment of restrictions to output data.• Does not scale to rich data ecosystems.
![Page 6: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/6.jpg)
2nd solution
6
Inputs Outputs
⊏
• Can be automated.• Independent of the program code.• Produces conservative restrictions.
Program
![Page 7: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/7.jpg)
3rd solution: Information Flow Control
7
ProgramInputs Outputs
?
?
• Program analysis to deduce information flows from inputs to outputs.
![Page 8: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/8.jpg)
Information Flow Control
8
ProgramInputs Outputs
• Program analysis to deduce information flows from inputs to outputs.
• Restrictions are propagated along the flow.• More permissive than 2nd solution.
⊏
![Page 9: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/9.jpg)
When does a program cause a flow?
9
𝑥 ≔ 𝑦 mod 2
𝑥 ≔ 𝑦 ∗ 0
𝑦 flows to 𝑥
Flow is not always
transitive!
𝑧 ≔ 𝑦 + 2; 𝑥 ≔ 𝑧
no flow
𝑧 ≔ 𝑦 + 2; 𝑥 ≔ 𝑧 − 𝑦
![Page 10: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/10.jpg)
When does a program cause a flow?
10
if 𝑦 > 0 then 𝑥 ≔ 1 else 𝑥 ≔ 2
if 𝑦 > 0 then 𝑥 ≔ 0 else 𝑥 ≔ 0
if 𝑦 > 0 then 𝑥 ≔ 1; 𝑥 ≔ 0else 𝑥 ≔ 2; 𝑥 ≔ 0
![Page 11: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/11.jpg)
When does a program cause a flow?
11
while 𝑦 > 0 do x ≔ x + 1; y ≔ y − 1 end
while 𝑦 > 0 do C end; 𝑥 ≔ 1
?
![Page 12: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/12.jpg)
Information Flow Control
12
ProgramInputs Outputs
• Program analysis to deduce information flows from inputs to outputs.
• Restrictions are propagated along the flow.
⊏
![Page 13: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/13.jpg)
Information Flow (IF) Policies
• An IF policy specifies restrictions on the associated data, and on all its derived data.
• IF policy for confidentiality:
– Value 𝑣 and all its derived values are allowed to be read at most by Alice.
13
![Page 14: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/14.jpg)
Information Flow (IF) Policies
• An IF policy specifies restrictions on the associated data, and on all its derived data.
• IF policy for confidentiality:
– Value 𝑣 and all its derived values are allowed to be read at most by Alice.
– Equivalently, 𝑣 is allowed to flow only to Alice.
14
![Page 15: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/15.jpg)
Labels to represent IF policies
Examples for confidentiality:
• Classifications
– Unclassified (U), Confidential (C), Secret (S), Top Secret (TS)
– Low confidentiality (L), High confidentiality (H)
• Sets of principals:
– {Alice, Bob}, {Alice}, {Bob}, {}
15
![Page 16: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/16.jpg)
Information flow labels
• They form a lattice 𝐿,⊑ with join operation ⊔.
• For ℓ, ℓ’∈ 𝐿, if ℓ ⊑ ℓ’, then:
ℓ’ is at least as restrictive as ℓ, and thus,
information flow from ℓ to ℓ’ is allowed.
16
{}
{Alice} {Bob}
{Alice,Bob}
H
L
⊑
![Page 17: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/17.jpg)
Is a flow allowed?
17
H
L
⊑
ProgramInputs Outputs
L
L
![Page 18: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/18.jpg)
Is a flow allowed?
18
H
L
⊑
ProgramInputs Outputs
L
H
![Page 19: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/19.jpg)
Is a flow allowed?
19
H
L
⊑
ProgramInputs Outputs
H
L
![Page 20: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/20.jpg)
Is a flow allowed?
20
H
L
⊑
ProgramInputs Outputs
H
L L H⊔
![Page 21: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/21.jpg)
Operator ⊔ for combining labels
• For each ℓ and ℓ’, there should exist label ℓ⊔ℓ’, such that:
– ℓ ⊑ ℓ⊔ℓ’ , ℓ’ ⊑ ℓ⊔ℓ’, and
– if ℓ ⊑ ℓ’’ and ℓ’ ⊑ ℓ’’, then ℓ⊔ℓ’ ⊑ ℓ’’.
• ℓ⊔ℓ’ is called the join of ℓ and ℓ’.
• Examples: L ⊔ L= L, H ⊔ H= H, L ⊔ H= H
21
H
L
⊑
![Page 22: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/22.jpg)
Is a flow allowed?
22
H
L
⊑
ProgramInputs Outputs
H
L L H⊔
![Page 23: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/23.jpg)
Is a flow allowed?
23
H
L
⊑
ProgramInputs Outputs
H
L H
![Page 24: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/24.jpg)
Given
• a lattice {L, H}, ⊑ of labels,
• a program 𝐶, and
• labels on program inputs and outputs,
are all the flows from inputs to outputs that are caused by executing 𝐶 allowed?
24
Is a flow allowed?
![Page 25: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/25.jpg)
Noninterference (NI)[Goguen and Meseguer 1982]
Noninterference for a program 𝐶:
• Different H inputs, keeping L inputs fixed, should not cause different L outputs.
If a program 𝐶 satisfies NI, then all flows from inputs to outputs are allowed.
25
![Page 26: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/26.jpg)
Noninterference: Example
26
ℎ′ ≔ ℎ + 𝑙;𝑙′ ≔ 𝑙 + 2
ℎ ℎ′
𝑙 𝑙′
H H
L L
![Page 27: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/27.jpg)
Noninterference: Example
27
1
2
3
4
3
2
5
4
ℎℎ′ ≔ ℎ + 𝑙;𝑙′ ≔ 𝑙 + 2
𝑙
ℎ′
𝑙′
ℎℎ′ ≔ ℎ + 𝑙;𝑙′ ≔ 𝑙 + 2
𝑙
ℎ′
𝑙′
The program satisfies noninterference!
H H
H H
L L
L L
![Page 28: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/28.jpg)
Noninterference: Example
28
ℎℎ′ ≔ ℎ + 𝑙;𝑙′ ≔ 𝑙 + 2
𝑙
ℎ′
𝑙′
The program causes only allowed flows!
H H
L L
H
L
⊑
![Page 29: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/29.jpg)
Noninterference: Example
29
1
2
3
6
ℎ
𝑙′
𝑙′ ≔ ℎ ∗ 2
ℎ
𝑙′
𝑙′ ≔ ℎ ∗ 2
The program does not satisfy noninterference!
H
H
L
L
![Page 30: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/30.jpg)
Noninterference (NI)
• Consider a program 𝐶.
• Variables in the program can model inputs and outputs.
• Consider two memories 𝑀1 and 𝑀2, such that
– they agree on values of variables tagged with L:
– 𝑀1 =L 𝑀2.
30
𝑀1 and 𝑀2 may not agree on values of variables tagged with H.
![Page 31: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/31.jpg)
Noninterference
• Consider a program 𝐶.• Variables in the program can model inputs and outputs.• Consider two memories 𝑀1 and 𝑀2, such that
– they agree on values of variables tagged with L:– 𝑀1 =L 𝑀2.
• 𝐶(𝑀𝑖) are the observations produced by executing 𝐶 to termination on initial memory 𝑀𝑖 .– Observations are assignments to variables that are modeling
outputs.
• For NI to hold, observations tagged with L should be the same, even if H inputs might differ:– 𝐶 𝑀1 =L 𝐶 𝑀2 .
31
![Page 32: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/32.jpg)
Noninterference formalized
∀𝑀1, 𝑀2: if 𝑀1 =L 𝑀2, then 𝐶 𝑀1 =L 𝐶 𝑀2 .
32
For a program 𝐶 and a mapping from variables to labels in L, H :
![Page 33: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/33.jpg)
Threat model
• Up until now an attacker could only observe outputs tagged with L.
• What if the attacker can also sense nontermination?
33
![Page 34: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/34.jpg)
Termination sensitive noninterference
34
2
4
9
ℎ
𝑙′
while ℎ > 5 doskip;
𝑙′ ≔ 4
while ℎ > 5 doskip;
𝑙′ ≔ 4
ℎ
𝑙′
H
H
L
L
![Page 35: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/35.jpg)
Termination sensitive noninterference
∀𝑀1, 𝑀2:
• If
–𝑀1 =L 𝑀2,
• then
– 𝑪 terminates on 𝑴𝟏 iff 𝑪 terminates on 𝑴𝟐, and
– 𝐶 𝑀1 =L 𝐶 𝑀2 .
35
![Page 36: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/36.jpg)
Covert channels[Lampson 1973, Sabelfeld and Myers 2003]
• Termination channel is a covert channel :– not intended for information transfer, yet exploitable for
that purpose.
• Other covert channels:– timing, heat emission, metadata.
• Information flow control can address covert channels:– treat covert channels as program outputs.
• Variations of noninterference can proscribe flows to covert channels.
36
![Page 37: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/37.jpg)
Threat model
• What if the attacker can also measure execution time?
37
![Page 38: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/38.jpg)
Timing channel
38
1
4
ℎ
𝑙′
if ℎ > 0 then ℎ′ ≔ 3; ℎ′ ≔ 3
elseℎ′≔ 3
𝑙′ ≔ 4
H
L
3ℎ′H
0
4
ℎ
𝑙′
if ℎ > 0 then ℎ′ ≔ 3; ℎ′ ≔ 3
elseℎ′≔ 3
𝑙′ ≔ 4
H
L
3ℎ′H
![Page 39: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/39.jpg)
Timing channel: cache attack
39
0
4
ℎ
𝑙′
if ℎ > 0 then ℎ3 ≔ ℎ1
elseℎ3 ≔ ℎ2
ℎ′ ≔ ℎ1 ∗ 0;𝑙′ ≔ 4
H
L
0ℎ′H
1
4
ℎ
𝑙′
H
L
0ℎ′Hif ℎ > 0 then
ℎ3 ≔ ℎ1elseℎ3 ≔ ℎ2
ℎ′ ≔ ℎ1 ∗ 0;𝑙′ ≔ 4
Assume ℎ1, ℎ2, ℎ3 are high memory addresses that can be cached.
![Page 40: CS 5430 Information-Flow Policies · 3rd solution: Information Flow Control 7 ... Information Flow Control 8 Program Inputs Outputs •Program analysis to deduce information flows](https://reader030.vdocuments.site/reader030/viewer/2022041012/5ec0843bb95dbf01a2684a41/html5/thumbnails/40.jpg)
The stronger the threat model the more covert channels need to be considered, to prevent information leaking to attackers.
How can we ensure that a program causes only allowed flows and no leaks?
40