static-talk
TRANSCRIPT
Abstractions for message-passing
• We study the secret channel abstraction for concurrent systemscommunicating through message-passing (MP)
• We are interested in showing that the high-level abstraction canbe represented in a standard π-calculus by means of static typing
• Plan:
1. A language for secret message-passing
2. A type system for the π-calculus featuring static and dynamicscope for channels
3. A semantics-preserving translation (API) of the language intothe typed π-calculus
Dynamic scope vs Security
• One of the main features of the π-calculus is dynamic scope forchannels
• Sending a restricted channels to the context allows to enlarge itsscope
(ν h)(h〈CreditCard〉 | h(x).p〈h〉)
Dynamic scope vs Security• One of the main features of the π-calculus is dynamic scope for
channels
• Sending a restricted channels to the context allows to enlarge itsscope
(ν h)(h〈CreditCard〉 | h(x).p〈h〉)
• Two main security issues in disclosing restricted channels:
1. Reasoning on the knowledge of the context is complex
2. Cryptographic implementations of programs in open networkssuffer from the “forward secrecy problem”
net〈{CreditCard}h+〉 | net(y).decrypt y as{x}h− in net〈{h+, h−}p+〉
Hide and New in the pi calculus
• Based on this motivation in [GPV12] we introduced the secretπ-calculus
• Conservative extension of the (untyped) π-calculus obtained byadding an hide construct:
[hideh][h〈CreditCard〉 | h(x).p〈h〉] h cannot be extruded
• Aim is confidentiality, obtained by restricting the access of theobject of communication
• Standard channels are accessible by the context:
(newh)(h〈CreditCard〉 | h(x).p〈h〉) h can be extruded
This talk: An API for secure MP
• We show that the hide construct can be translated in a typedπ-calculus enjoying a standard semantics
• Guideline: the source language must be “untyped’’, the securitytype abstractions are inferred during the compilation
• Motivation: we want to make available the secret channel macrowithout burdening programmers with the security mechanism
• Soundness result: if a source program is (compiled andtype-)checked then the context cannot receive a channelprotected by hide during the computation
Source language: basic types
• We consider basic types of the form below
D ::= (E,E) | bool E ::= ?D | !D
• End point ?D: unbounded input use to receive values of type D
• End point !D: unbounded output use to send values of type D
• Basic types allow to avoid runtime errors of the form:
x〈true〉 | x(y).y(z)
Source language: basic types
• We consider basic types of the form below
D ::= (E,E) | bool E ::= ?D | !D
• End point ?D: unbounded input use to receive values of type D
• End point !D: unbounded output use to send values of type D
• Basic types allow to avoid runtime errors of the form:
x〈true〉 | x(y).y(z)
• In the source language we decorate fresh variables with basictypes (simplifies translation, but it could be obtained by typeinference
Source language: processes
• The source language features two operators for creating channels
M ::= x(y).M | x〈v〉.M | M | N | if v thenM elseN |!M | 0 | (newx : D)M | [hidex : D]M
• Channels created with new can be sent to the context
• Channels created with hide are only available locally
Source language: processes
• The source language features two operators for creating channels
M ::= x(y).M | x〈v〉.M | M | N | if v thenM elseN |!M | 0 | (newx : D)M | [hidex : D]M
• Channels created with new can be sent to the context
• Channels created with hide are only available locally
• Example: a program sending a dynamic channel
(new y : (?bool, !bool))(x〈y〉) | x(z).(z〈true〉 | z(u).ifu then0 else0)
Source language: processes
• The source language features two operators for creating channels
M ::= x(y).M | x〈v〉.M | M | N | if v thenM elseN |!M | 0 | (newx : D)M | [hidex : D]M
• Channels created with new can be sent to the context
• Channels created with hide are only available locally
• Example: a program sending a standard channel
(new y : (?bool, !bool))(x〈y〉) | x(z).(z〈true〉 | z(u).ifu then0 else0)
• Example: a program sending a secret channel
[hide y : (?bool, !bool)][x〈y〉 | x(z)]
Target language: typed pi calculus
• Pi calculus types have the syntax:
T ::= (S, S) | bool S ::= m ?T | m !T
m ::= dyn | st
• We compile source programs into typed pi calculus processes
P ::= x〈v〉.P | x(y ÷B).P | · · · | (ν x : T )P
• The input process is decorated with set of blocked types
• Dynamic semantics unaffected, blocked set used by typing system
x〈v〉.P | x(y ÷B).Q→ P | Q{v/x}
Toy example and translation
• Take a source program forwarding a channel protected by hide
M1 = (newx : D)[hide y : Ds][x〈y〉 | x(w).z1〈w〉] | z2(u)
D = (?Ds, !Ds) Ds = (?bool, !bool)
Toy example and translation
• Take a source program forwarding a channel protected by hide
M1 = (newx : D)[hide y : Ds][x〈y〉 | x(w).z1〈w〉] | z2(u)
D = (?Ds, !Ds) Ds = (?bool, !bool)
• The translation of M1 is:
[[M1]] = (ν x : T, y : Ts)(x〈y〉 | x(w).z1〈w〉) | z2(u)
T = (dyn ?Td, dyn !Td) Ts = (st ?bool, st !bool)
Td = (dyn ?bool, dyn !bool)
Toy example and translation
• Take a source program forwarding a channel protected by hide
M1 = (newx : D)[hide y : Ds][x〈y〉 | x(w).z1〈w〉] | z2(u)
D = (?Ds, !Ds) Ds = (?bool, !bool)
• The translation of M1 is:
[[M1]] = (ν x : T, y : Ts)(x〈y〉 | x(w).z1〈w〉) | z2(u)
T = (dyn ?Td, dyn !Td) Ts = (st ?bool, st !bool)
Td = (dyn ?bool, dyn !bool)
• We type-check the program by upcasting the payload of x
Pi calculus: Type upcast in output
• We consider typing rules of the form
Γ ` P . ∆ (dom(∆) = dom(Γ)
• ∆ on the right of the . symbol is a return environment producedby the type system that convey the actual use of channels
Pi calculus: Type upcast in output
• We consider typing rules of the form
Γ ` P . ∆ (dom(∆) = dom(Γ)
• ∆ on the right of the . symbol is a return environment producedby the type system that convey the actual use of channels
• E.g. typing rule to upcast of the payload of x to static:
x : (dyn ?Ts, dyn !Ts), y : Ts ` 0 . x : (dyn ?Ts, dyn !Ts), y : Tsx : T, y : Ts ` x〈y〉 . x : (dyn ?Ts, dyn !Ts), y : Ts
T = (dyn?Td, dyn!Td) Ts = (st?bool, st!bool) Td = (dyn?bool, dyn!bool)
Blocked types in struct. congr.
• Scope of π-calculus channels can be opened through axioms ≡
• We account for this by abstracting block function ] in ≡
x(y ÷B).P ] T = x(y ÷B ∪ {T}).(P ] T )
(ν y : T )(P ) | Q ≡ (ν y : T )(P | Q ] T ) T static
Blocked types in struct. congr.
• Scope of π-calculus channels can be opened through axioms ≡
• We account for this by abstracting block function ] in ≡
x(y ÷B).P ] T = x(y ÷B ∪ {T}).(P ] T )
(ν y : T )(P ) | Q ≡ (ν y : T )(P | Q ] T ) T static
• To avoid clashes we register identifiers for types: T = (S1, S2)i
• Typing rules for input disallow to receive blocked types
Blocked types in struct. congr.
• Scope of π-calculus channels can be opened through axioms ≡
• We account for this by abstracting block function ] in ≡x(y ÷B).P ] T = x(y ÷B ∪ {T}).(P ] T )
(ν y : T )(P ) | Q ≡ (ν y : T )(P | Q ] T ) T static
• To avoid clashes we register identifiers for types: T = (S1, S2)i
• Typing rules for input disallow to receive blocked types
• Example: forbidden upcast
x : (dyn ?T , dyn !T )∀, z : (dyn ?Ts, dyn !Ts)∀ 6` x(y ÷ Ts).z〈y〉 . ∆
T = (dyn ?Td, dyn !Td)∀ Td = (dyn ?b, dyn !b)∀ Ts = (st ?b, st !b)1
Type-bulletting to the rescue
• To rule out attackers leaking a static channel we bullet the returntype of the output channel
z1 : (dyn ?Td, dyn !Td) ` (ν x : T, y : Ts)(x〈y〉 | x(w).z1〈w〉).z1 : (•, dyn !Ts)
• Type identifiers allow to avoid clashes
Type-bulletting to the rescue
• To rule out attackers leaking a static channel we bullet the returntype of the output channel
z1 : (dyn ?Td, dyn !Td) ` (ν x : T, y : Ts)(x〈y〉 | x(w).z1〈w〉).z1 : (•, dyn !Ts)
• Type identifiers allow to avoid clashes
• Composition with inputs z2 allowed only if z1 6= z2:
[[M1]] = (ν x : T, y : Ts)(x〈y〉 | x(w).z1〈w〉) | z2(u)
Γ, z1 : (dyn ?Td, dyn !Td) ` [[M1]] . Γ, z1 : (•, dyn !Ts)
Type-bulletting to the rescue
• To rule out attackers leaking a static channel we bullet the returntype of the output channel
z1 : (dyn ?Td, dyn !Td) ` (ν x : T, y : Ts)(x〈y〉 | x(w).z1〈w〉).z1 : (•, dyn !Ts)
• Type identifiers allow to avoid clashes
• Composition with inputs z2 allowed only if z1 6= z2:
[[M1]] = (ν x : T, y : Ts)(x〈y〉 | x(w).z1〈w〉) | z2(u)
Γ, z1 : (dyn ?Td, dyn !Td) ` [[M1]] . Γ, z1 : (•, dyn !Ts) (z1 6= z2)
• How? Exploit return environments!
Composing return environments
• Return contexts allow to rule out processes of the form
[[M1]] = (ν x : T, y : Ts)(x〈y〉 | x(w).z〈w〉) | z(u)
Composing return environments
• Return contexts allow to rule out processes of the form
[[M1]] = (ν x : T, y : Ts)(x〈y〉 | x(w).z〈w〉) | z(u)
• As seen, the left thread produces the return context z : (•, dyn !Ts)
Composing return environments
• Return contexts allow to rule out processes of the form
[[M1]] = (ν x : T, y : Ts)(x〈y〉 | x(w).z〈w〉) | z(u)
• As seen, the left thread produces the return context z : (•, dyn !Ts)
• Parallel composition allowed if partial binary operation ⊗ overreturn contexts is defined:
Γ ` P1 . ∆1 Γ ` P2 . ∆2
Γ ` P1 | P2 . ∆1 ⊗∆2
Composing return environments
• Return contexts allow to rule out processes of the form
[[M1]] = (ν x : T, y : Ts)(x〈y〉 | x(w).z〈w〉) | z(u)
• As seen, the left thread produces the return context z : (•, dyn !Ts)
• Parallel composition allowed if partial binary operation ⊗ overreturn contexts is defined:
Γ ` P1 . ∆1 Γ ` P2 . ∆2
Γ ` P1 | P2 . ∆1 ⊗∆2
• Process above rejected: ⊗ operator only allows to compose thebullet with an end point not using the input (noted end)
• ⊗ S is undefined
Ruling out aliasing attacks
• Consider the variant below specified in the source language:
M2 = (newx : D)(p〈x〉 | [hide y : Ds][x〈y〉] | p(u).u(z)
[[M2]] = (ν x : T )(p〈x〉 | (ν y : Ts)[x〈y〉] | p(u).u(z)
D = (?Ds, !Ds) Ds = (?b, !b) T = (dyn ?Td, dyn !Td)∀ Ts = (st ?b, st !b)1
Ruling out aliasing attacks
• Consider the variant below specified in the source language:
M2 = (newx : D)(p〈x〉 | [hide y : Ds][x〈y〉] | p(u).u(z)
[[M2]] = (ν x : T )(p〈x〉 | (ν y : Ts)[x〈y〉] | p(u).u(z)
D = (?Ds, !Ds) Ds = (?b, !b) T = (dyn ?Td, dyn !Td)∀ Ts = (st ?b, st !b)1
• The rule for output enforces the type of x to do not change
p : Tp, x : T ` 0 . p : Tp, x : T
p : Tp, x : T ` p〈x〉 . p : Tp, x : T
Ruling out aliasing attacks
• Consider the variant below specified in the source language:
M2 = (newx : D)(p〈x〉 | [hide y : Ds][x〈y〉] | p(u).u(z)
[[M2]] = (ν x : T )(p〈x〉 | (ν y : Ts)[x〈y〉] | p(u).u(z)
D = (?Ds, !Ds) Ds = (?b, !b) T = (dyn ?Td, dyn !Td)∀ Ts = (st ?b, st !b)1
• The rule for output enforces the type of x to do not change
p : Tp, x : T ` 0 . p : Tp, x : T
p : Tp, x : T ` p〈x〉 . p : Tp, x : T
• Type checking fails because the context uses x at different type
Γ 6` [[M2]] . ∆
Ruling out aliasing attacks
• Consider the variant below specified in the source language:
M2 = (newx : D)(p〈x〉 | [hide y : Ds][x〈y〉] | p(u).u(z)
[[M2]] = (ν x : T )(p〈x〉 | (ν y : Ts)[x〈y〉] | p(u).u(z)
D = (?Ds, !Ds) Ds = (?b, !b) T = (dyn ?Td, dyn !Td)∀ Ts = (st ?b, st !b)1
• The rule for output enforces the type of x to do not change
p : Tp, x : T ` 0 . p : Tp, x : T
p : Tp, x : T ` p〈x〉 . p : Tp, x : T
• Process M3 = (newx : D)(p〈x〉.[hide y : Ds][x〈y〉]) also rejected
Γ 6` [[M3]] . ∆
Type system results
• Let Γ be a map to balanced types of the form (dyn ?T , dyn !T )∀,Γ ` P . ∆, and P →∗ (ν ˜y : T )(Q | R).
Type system results
• Let Γ be a map to balanced types of the form (dyn ?T , dyn !T )∀,Γ ` P . ∆, and P →∗ (ν ˜y : T )(Q | R).
• Error-freedom: Q is not of the form ifx thenQ1 elseQ2, or
x〈v〉.Q1 | x(y).Q2 and Q2{v/y} undefined
Type system results
• Let Γ be a map to balanced types of the form (dyn ?T , dyn !T )∀,Γ ` P . ∆, and P →∗ (ν ˜y : T )(Q | R).
• Error-freedom: Q is not of the form ifx thenQ1 elseQ2, or
x〈v〉.Q1 | x(y).Q2 and Q2{v/y} undefined
• Soundness: none of the following cases happen:
Q = (ν y : (st ?T , st !T )n)(x〈y〉.Q1 | Q2) | x(z ÷B).Q3
Type system results
• Let Γ be a map to balanced types of the form (dyn ?T , dyn !T )∀,Γ ` P . ∆, and P →∗ (ν ˜y : T )(Q | R).
• Error-freedom: Q is not of the form ifx thenQ1 elseQ2, or
x〈v〉.Q1 | x(y).Q2 and Q2{v/y} undefined
• Soundness: none of the following cases happen:
Q = (ν y : (st ?T , st !T )n)(x〈y〉.Q1 | Q2) | x(z ÷B).Q3
Q = (ν y : (st?T , st!T )n)(x〈y〉.Q1 | Q2 | x(z÷B∪(st?T , st!T )n).Q3)
A semantics-preserving encoding
• The mapping[[·]] from the source language to typed π is:
[[?D]] = dyn?[[D]] [[!D]] = dyn?[[D]] [[(E,E)]] = ([[E]], [[E]])∀
[[[hidex : (?D, !D)]M ]]Γ = (ν x : T )[[M ]]Γ,x : T T = (st [[?D]], st [[!D]])n
[[(newx : (?D, !D))M ]] = (ν x : T )[[M ]]Γ T = (dyn[[?D]], dyn[[!D]])∀
[[x(y : B).M ]]Γ = x(y : [[B]]Γ).[[M ]]Γ
A semantics-preserving encoding• The mapping[[·]] from the source language to typed π is:
[[?D]] = dyn?[[D]] [[!D]] = dyn?[[D]] [[(E,E)]] = ([[E]], [[E]])∀
[[[hidex : (?D, !D)]M ]]Γ = (ν x : T )[[M ]]Γ,x : T T = (st [[?D]], st [[!D]])n
[[(newx : (?D, !D))M ]] = (ν x : T )[[M ]]Γ T = (dyn[[?D]], dyn[[!D]])∀
[[x(y : B).M ]]Γ = x(y : [[B]]Γ).[[M ]]Γ
• Operational correspondence: secret π semantics:
x〈v〉.M | x(y ÷ B).N →M | N{v/y} (v 6∈ B)
• Assume Γ,Γ1 ` [[M ]]Γ . ∆ with Γ weakly-balanced and P � Γ.
1 If M →M ′ then [[M ]]Γ → [[M ′]]Γ′
2 If [[M ]]Γ → Q then M →M ′ and [[M ′]]Γ′ = Q
Discussion
• Aim of this work: shift middleware support for secret channels(cf. [GPV12]) to software support transparently
• Motivation is different for approaches that require programmers tomanage the security type abstractions
• Example: π-calculus with groups (CGG05)
Γ 6` (new p : U)(P | (newG)(newx : G[])(p〈x〉))
• Ill-typed since type U of public channel p ignores secret type G
• This work: infer “group” types and send secrets on “untyped” chan
Γ ` [[(new p : (?D, !D))(p′(y) | [hidex : D](p〈x〉))]] . ∆ (p′ 6= p)
Discussion
• Structure of types leads to several extensions
• Read/write only modalities: (end,m !T ), subtyping
• Linear and session types: (linm ?T.S1, lin m!T.S2), Si behaviourof continuation
• Algorithmic type-checking: return contexts allow refined analysis
• Typed behavioural equivalences to reason on processes
Thanks!
[CGG05 ] L. Cardelli, G. Ghelli, A.D. Gordon: Secrecy and groupcreation. Inf. Comput. (2005)
[G14 ] M. Giunti. Static semantics of secret channel abstractions(2014), tinyurl.com/n14-report
[GPV12 ] M. Giunti, C. Palamidessi, F. Valencia. Hide and New in thePi-Calculus. EXPRESS/SOS (2012)
[GV13 ] M. Giunti, V. Vasconcelos. Linearity, session types and the picalculus. Math. Struc. Comp. Sci., in press (2013)
[BG07 ] M. Bugliesi, M. Giunti.: Secure implementations of typedchannel abstractions. POPL (2007)