Static semantics of secret channelabstractions

Marco Giunti

Imperial College, May 15 2014

Abstractions for message-passing

• We study the secret channel abstraction for concurrent systemscommunicating through message-passing (MP)

• We are interested in showing that the high-level abstraction canbe represented in a standard π-calculus by means of static typing

• Plan:

1. A language for secret message-passing

2. A type system for the π-calculus featuring static and dynamicscope for channels

3. A semantics-preserving translation (API) of the language intothe typed π-calculus

Dynamic scope vs Security

• One of the main features of the π-calculus is dynamic scope forchannels

• Sending a restricted channels to the context allows to enlarge itsscope

(ν h)(h〈CreditCard〉 | h(x).p〈h〉)

Dynamic scope vs Security• One of the main features of the π-calculus is dynamic scope for

channels

• Sending a restricted channels to the context allows to enlarge itsscope

(ν h)(h〈CreditCard〉 | h(x).p〈h〉)

• Two main security issues in disclosing restricted channels:

1. Reasoning on the knowledge of the context is complex

2. Cryptographic implementations of programs in open networkssuffer from the “forward secrecy problem”

net〈{CreditCard}h+〉 | net(y).decrypt y as{x}h− in net〈{h+, h−}p+〉

Hide and New in the pi calculus

• Based on this motivation in [GPV12] we introduced the secretπ-calculus

• Conservative extension of the (untyped) π-calculus obtained byadding an hide construct:

[hideh][h〈CreditCard〉 | h(x).p〈h〉] h cannot be extruded

• Aim is confidentiality, obtained by restricting the access of theobject of communication

• Standard channels are accessible by the context:

(newh)(h〈CreditCard〉 | h(x).p〈h〉) h can be extruded

This talk: An API for secure MP

• We show that the hide construct can be translated in a typedπ-calculus enjoying a standard semantics

• Guideline: the source language must be “untyped’’, the securitytype abstractions are inferred during the compilation

• Motivation: we want to make available the secret channel macrowithout burdening programmers with the security mechanism

• Soundness result: if a source program is (compiled andtype-)checked then the context cannot receive a channelprotected by hide during the computation

Source language: basic types

• We consider basic types of the form below

D ::= (E,E) | bool E ::= ?D | !D

• End point ?D: unbounded input use to receive values of type D

• End point !D: unbounded output use to send values of type D

• Basic types allow to avoid runtime errors of the form:

x〈true〉 | x(y).y(z)

Source language: basic types

• We consider basic types of the form below

D ::= (E,E) | bool E ::= ?D | !D

• End point ?D: unbounded input use to receive values of type D

• End point !D: unbounded output use to send values of type D

• Basic types allow to avoid runtime errors of the form:

x〈true〉 | x(y).y(z)

• In the source language we decorate fresh variables with basictypes (simplifies translation, but it could be obtained by typeinference

Source language: processes

• The source language features two operators for creating channels

M ::= x(y).M | x〈v〉.M | M | N | if v thenM elseN |!M | 0 | (newx : D)M | [hidex : D]M

• Channels created with new can be sent to the context

• Channels created with hide are only available locally

Source language: processes

• The source language features two operators for creating channels

M ::= x(y).M | x〈v〉.M | M | N | if v thenM elseN |!M | 0 | (newx : D)M | [hidex : D]M

• Channels created with new can be sent to the context

• Channels created with hide are only available locally

• Example: a program sending a dynamic channel

(new y : (?bool, !bool))(x〈y〉) | x(z).(z〈true〉 | z(u).ifu then0 else0)

Source language: processes

• The source language features two operators for creating channels

M ::= x(y).M | x〈v〉.M | M | N | if v thenM elseN |!M | 0 | (newx : D)M | [hidex : D]M

• Channels created with new can be sent to the context

• Channels created with hide are only available locally

• Example: a program sending a standard channel

(new y : (?bool, !bool))(x〈y〉) | x(z).(z〈true〉 | z(u).ifu then0 else0)

• Example: a program sending a secret channel

[hide y : (?bool, !bool)][x〈y〉 | x(z)]

Target language: typed pi calculus

• Pi calculus types have the syntax:

T ::= (S, S) | bool S ::= m ?T | m !T

m ::= dyn | st

• We compile source programs into typed pi calculus processes

P ::= x〈v〉.P | x(y ÷B).P | · · · | (ν x : T )P

• The input process is decorated with set of blocked types

• Dynamic semantics unaffected, blocked set used by typing system

x〈v〉.P | x(y ÷B).Q→ P | Q{v/x}

Toy example and translation

• Take a source program forwarding a channel protected by hide

M1 = (newx : D)[hide y : Ds][x〈y〉 | x(w).z1〈w〉] | z2(u)

D = (?Ds, !Ds) Ds = (?bool, !bool)

Toy example and translation

• Take a source program forwarding a channel protected by hide

M1 = (newx : D)[hide y : Ds][x〈y〉 | x(w).z1〈w〉] | z2(u)

D = (?Ds, !Ds) Ds = (?bool, !bool)

• The translation of M1 is:

[[M1]] = (ν x : T, y : Ts)(x〈y〉 | x(w).z1〈w〉) | z2(u)

T = (dyn ?Td, dyn !Td) Ts = (st ?bool, st !bool)

Td = (dyn ?bool, dyn !bool)

Toy example and translation

• Take a source program forwarding a channel protected by hide

M1 = (newx : D)[hide y : Ds][x〈y〉 | x(w).z1〈w〉] | z2(u)

D = (?Ds, !Ds) Ds = (?bool, !bool)

• The translation of M1 is:

[[M1]] = (ν x : T, y : Ts)(x〈y〉 | x(w).z1〈w〉) | z2(u)

T = (dyn ?Td, dyn !Td) Ts = (st ?bool, st !bool)

Td = (dyn ?bool, dyn !bool)

• We type-check the program by upcasting the payload of x

Pi calculus: Type upcast in output

• We consider typing rules of the form

Γ ` P . ∆ (dom(∆) = dom(Γ)

• ∆ on the right of the . symbol is a return environment producedby the type system that convey the actual use of channels

Pi calculus: Type upcast in output

• We consider typing rules of the form

Γ ` P . ∆ (dom(∆) = dom(Γ)

• ∆ on the right of the . symbol is a return environment producedby the type system that convey the actual use of channels

• E.g. typing rule to upcast of the payload of x to static:

x : (dyn ?Ts, dyn !Ts), y : Ts ` 0 . x : (dyn ?Ts, dyn !Ts), y : Tsx : T, y : Ts ` x〈y〉 . x : (dyn ?Ts, dyn !Ts), y : Ts

T = (dyn?Td, dyn!Td) Ts = (st?bool, st!bool) Td = (dyn?bool, dyn!bool)

Blocked types in struct. congr.

• Scope of π-calculus channels can be opened through axioms ≡

• We account for this by abstracting block function ] in ≡

x(y ÷B).P ] T = x(y ÷B ∪ {T}).(P ] T )

(ν y : T )(P ) | Q ≡ (ν y : T )(P | Q ] T ) T static

Blocked types in struct. congr.

• Scope of π-calculus channels can be opened through axioms ≡

• We account for this by abstracting block function ] in ≡

x(y ÷B).P ] T = x(y ÷B ∪ {T}).(P ] T )

(ν y : T )(P ) | Q ≡ (ν y : T )(P | Q ] T ) T static

• To avoid clashes we register identifiers for types: T = (S1, S2)i

• Typing rules for input disallow to receive blocked types

Blocked types in struct. congr.

• Scope of π-calculus channels can be opened through axioms ≡

• We account for this by abstracting block function ] in ≡x(y ÷B).P ] T = x(y ÷B ∪ {T}).(P ] T )

(ν y : T )(P ) | Q ≡ (ν y : T )(P | Q ] T ) T static

• To avoid clashes we register identifiers for types: T = (S1, S2)i

• Typing rules for input disallow to receive blocked types

• Example: forbidden upcast

x : (dyn ?T , dyn !T )∀, z : (dyn ?Ts, dyn !Ts)∀ 6` x(y ÷ Ts).z〈y〉 . ∆

T = (dyn ?Td, dyn !Td)∀ Td = (dyn ?b, dyn !b)∀ Ts = (st ?b, st !b)1

Type-bulletting to the rescue

• To rule out attackers leaking a static channel we bullet the returntype of the output channel

z1 : (dyn ?Td, dyn !Td) ` (ν x : T, y : Ts)(x〈y〉 | x(w).z1〈w〉).z1 : (•, dyn !Ts)

• Type identifiers allow to avoid clashes

Type-bulletting to the rescue

• To rule out attackers leaking a static channel we bullet the returntype of the output channel

z1 : (dyn ?Td, dyn !Td) ` (ν x : T, y : Ts)(x〈y〉 | x(w).z1〈w〉).z1 : (•, dyn !Ts)

• Type identifiers allow to avoid clashes

• Composition with inputs z2 allowed only if z1 6= z2:

[[M1]] = (ν x : T, y : Ts)(x〈y〉 | x(w).z1〈w〉) | z2(u)

Γ, z1 : (dyn ?Td, dyn !Td) ` [[M1]] . Γ, z1 : (•, dyn !Ts)

Type-bulletting to the rescue

• To rule out attackers leaking a static channel we bullet the returntype of the output channel

z1 : (dyn ?Td, dyn !Td) ` (ν x : T, y : Ts)(x〈y〉 | x(w).z1〈w〉).z1 : (•, dyn !Ts)

• Type identifiers allow to avoid clashes

• Composition with inputs z2 allowed only if z1 6= z2:

[[M1]] = (ν x : T, y : Ts)(x〈y〉 | x(w).z1〈w〉) | z2(u)

Γ, z1 : (dyn ?Td, dyn !Td) ` [[M1]] . Γ, z1 : (•, dyn !Ts) (z1 6= z2)

• How? Exploit return environments!

Composing return environments

• Return contexts allow to rule out processes of the form

[[M1]] = (ν x : T, y : Ts)(x〈y〉 | x(w).z〈w〉) | z(u)

Composing return environments

• Return contexts allow to rule out processes of the form

[[M1]] = (ν x : T, y : Ts)(x〈y〉 | x(w).z〈w〉) | z(u)

• As seen, the left thread produces the return context z : (•, dyn !Ts)

Composing return environments

• Return contexts allow to rule out processes of the form

[[M1]] = (ν x : T, y : Ts)(x〈y〉 | x(w).z〈w〉) | z(u)

• As seen, the left thread produces the return context z : (•, dyn !Ts)

• Parallel composition allowed if partial binary operation ⊗ overreturn contexts is defined:

Γ ` P1 . ∆1 Γ ` P2 . ∆2

Γ ` P1 | P2 . ∆1 ⊗∆2

Composing return environments

• Return contexts allow to rule out processes of the form

[[M1]] = (ν x : T, y : Ts)(x〈y〉 | x(w).z〈w〉) | z(u)

• As seen, the left thread produces the return context z : (•, dyn !Ts)

• Parallel composition allowed if partial binary operation ⊗ overreturn contexts is defined:

Γ ` P1 . ∆1 Γ ` P2 . ∆2

Γ ` P1 | P2 . ∆1 ⊗∆2

• Process above rejected: ⊗ operator only allows to compose thebullet with an end point not using the input (noted end)

• ⊗ S is undefined

Ruling out aliasing attacks

• Consider the variant below specified in the source language:

M2 = (newx : D)(p〈x〉 | [hide y : Ds][x〈y〉] | p(u).u(z)

[[M2]] = (ν x : T )(p〈x〉 | (ν y : Ts)[x〈y〉] | p(u).u(z)

D = (?Ds, !Ds) Ds = (?b, !b) T = (dyn ?Td, dyn !Td)∀ Ts = (st ?b, st !b)1

Ruling out aliasing attacks

• Consider the variant below specified in the source language:

M2 = (newx : D)(p〈x〉 | [hide y : Ds][x〈y〉] | p(u).u(z)

[[M2]] = (ν x : T )(p〈x〉 | (ν y : Ts)[x〈y〉] | p(u).u(z)

D = (?Ds, !Ds) Ds = (?b, !b) T = (dyn ?Td, dyn !Td)∀ Ts = (st ?b, st !b)1

• The rule for output enforces the type of x to do not change

p : Tp, x : T ` 0 . p : Tp, x : T

p : Tp, x : T ` p〈x〉 . p : Tp, x : T

Ruling out aliasing attacks

• Consider the variant below specified in the source language:

M2 = (newx : D)(p〈x〉 | [hide y : Ds][x〈y〉] | p(u).u(z)

[[M2]] = (ν x : T )(p〈x〉 | (ν y : Ts)[x〈y〉] | p(u).u(z)

D = (?Ds, !Ds) Ds = (?b, !b) T = (dyn ?Td, dyn !Td)∀ Ts = (st ?b, st !b)1

• The rule for output enforces the type of x to do not change

p : Tp, x : T ` 0 . p : Tp, x : T

p : Tp, x : T ` p〈x〉 . p : Tp, x : T

• Type checking fails because the context uses x at different type

Γ 6` [[M2]] . ∆

Ruling out aliasing attacks

• Consider the variant below specified in the source language:

M2 = (newx : D)(p〈x〉 | [hide y : Ds][x〈y〉] | p(u).u(z)

[[M2]] = (ν x : T )(p〈x〉 | (ν y : Ts)[x〈y〉] | p(u).u(z)

D = (?Ds, !Ds) Ds = (?b, !b) T = (dyn ?Td, dyn !Td)∀ Ts = (st ?b, st !b)1

• The rule for output enforces the type of x to do not change

p : Tp, x : T ` 0 . p : Tp, x : T

p : Tp, x : T ` p〈x〉 . p : Tp, x : T

• Process M3 = (newx : D)(p〈x〉.[hide y : Ds][x〈y〉]) also rejected

Γ 6` [[M3]] . ∆

Type system results

• Let Γ be a map to balanced types of the form (dyn ?T , dyn !T )∀,Γ ` P . ∆, and P →∗ (ν ˜y : T )(Q | R).

Type system results

• Let Γ be a map to balanced types of the form (dyn ?T , dyn !T )∀,Γ ` P . ∆, and P →∗ (ν ˜y : T )(Q | R).

• Error-freedom: Q is not of the form ifx thenQ1 elseQ2, or

x〈v〉.Q1 | x(y).Q2 and Q2{v/y} undefined

Type system results

• Let Γ be a map to balanced types of the form (dyn ?T , dyn !T )∀,Γ ` P . ∆, and P →∗ (ν ˜y : T )(Q | R).

• Error-freedom: Q is not of the form ifx thenQ1 elseQ2, or

x〈v〉.Q1 | x(y).Q2 and Q2{v/y} undefined

• Soundness: none of the following cases happen:

Q = (ν y : (st ?T , st !T )n)(x〈y〉.Q1 | Q2) | x(z ÷B).Q3

Type system results

• Let Γ be a map to balanced types of the form (dyn ?T , dyn !T )∀,Γ ` P . ∆, and P →∗ (ν ˜y : T )(Q | R).

• Error-freedom: Q is not of the form ifx thenQ1 elseQ2, or

x〈v〉.Q1 | x(y).Q2 and Q2{v/y} undefined

• Soundness: none of the following cases happen:

Q = (ν y : (st ?T , st !T )n)(x〈y〉.Q1 | Q2) | x(z ÷B).Q3

Q = (ν y : (st?T , st!T )n)(x〈y〉.Q1 | Q2 | x(z÷B∪(st?T , st!T )n).Q3)

A semantics-preserving encoding

• The mapping[[·]] from the source language to typed π is:

[[?D]] = dyn?[[D]] [[!D]] = dyn?[[D]] [[(E,E)]] = ([[E]], [[E]])∀

[[[hidex : (?D, !D)]M ]]Γ = (ν x : T )[[M ]]Γ,x : T T = (st [[?D]], st [[!D]])n

[[(newx : (?D, !D))M ]] = (ν x : T )[[M ]]Γ T = (dyn[[?D]], dyn[[!D]])∀

[[x(y : B).M ]]Γ = x(y : [[B]]Γ).[[M ]]Γ

A semantics-preserving encoding• The mapping[[·]] from the source language to typed π is:

[[?D]] = dyn?[[D]] [[!D]] = dyn?[[D]] [[(E,E)]] = ([[E]], [[E]])∀

[[[hidex : (?D, !D)]M ]]Γ = (ν x : T )[[M ]]Γ,x : T T = (st [[?D]], st [[!D]])n

[[(newx : (?D, !D))M ]] = (ν x : T )[[M ]]Γ T = (dyn[[?D]], dyn[[!D]])∀

[[x(y : B).M ]]Γ = x(y : [[B]]Γ).[[M ]]Γ

• Operational correspondence: secret π semantics:

x〈v〉.M | x(y ÷ B).N →M | N{v/y} (v 6∈ B)

• Assume Γ,Γ1 ` [[M ]]Γ . ∆ with Γ weakly-balanced and P � Γ.

1 If M →M ′ then [[M ]]Γ → [[M ′]]Γ′

2 If [[M ]]Γ → Q then M →M ′ and [[M ′]]Γ′ = Q

Discussion

• Aim of this work: shift middleware support for secret channels(cf. [GPV12]) to software support transparently

• Motivation is different for approaches that require programmers tomanage the security type abstractions

• Example: π-calculus with groups (CGG05)

Γ 6` (new p : U)(P | (newG)(newx : G[])(p〈x〉))

• Ill-typed since type U of public channel p ignores secret type G

• This work: infer “group” types and send secrets on “untyped” chan

Γ ` [[(new p : (?D, !D))(p′(y) | [hidex : D](p〈x〉))]] . ∆ (p′ 6= p)

Discussion

• Structure of types leads to several extensions

• Read/write only modalities: (end,m !T ), subtyping

• Linear and session types: (linm ?T.S1, lin m!T.S2), Si behaviourof continuation

• Algorithmic type-checking: return contexts allow refined analysis

• Typed behavioural equivalences to reason on processes

Thanks!

[CGG05 ] L. Cardelli, G. Ghelli, A.D. Gordon: Secrecy and groupcreation. Inf. Comput. (2005)

[G14 ] M. Giunti. Static semantics of secret channel abstractions(2014), tinyurl.com/n14-report

[GPV12 ] M. Giunti, C. Palamidessi, F. Valencia. Hide and New in thePi-Calculus. EXPRESS/SOS (2012)

[GV13 ] M. Giunti, V. Vasconcelos. Linearity, session types and the picalculus. Math. Struc. Comp. Sci., in press (2013)

[BG07 ] M. Bugliesi, M. Giunti.: Secure implementations of typedchannel abstractions. POPL (2007)