untrusted hosts and confidentiality: secure program partitioning steve zdancewic lantian zheng...

Untrusted Hosts and Confidentiality:

Secure Program Partitioning

Steve ZdancewicLantian Zheng • Nathaniel Nystrom • Andrew

Myers

Cornell University

2

Protecting Confidential Data

• Programs manipulate valuable data– web-based e-mail, shopping, financial planning– B2B transactions, military information

systems,...

• Important Features– Confidentiality is crucial– Distribution is unavoidable– Heterogeneous trust

• Challenges– Complex policies– Complex software– Correct use of access control & cryptography

A

C

B

"Alice trusts A & C""Bob trusts B & C"

3

Tools for Security• Automatic tools

– Check the use of enforcement mechanisms– Increase confidence in security

• Language-based tools– Raise the level of abstraction– Consider information flow through entire

system (program)

• Use the security policy to guide distribution

4


Source CodePolicy

Trustinfo

Compiler

Splitter

subprograms

Host 1 Host 2 Host 3runtime

5


Source CodePolicy

Trustinfo

Compiler

Splitter

subprograms


Describes the computation

and the principals' security policies.

6


Source CodePolicy

Trustinfo

Compiler

Splitter

subprograms


Verifies that the program

obeys the security policies.

7


Source CodePolicy

Trustinfo

Compiler

Splitter

subprograms


Describes the trust

relationships between

principals and hosts.

8


Source CodePolicy

Trustinfo

Compiler

Splitter

subprograms


Partitions the data and computation among hosts, so

thatpolicies are

obeyed.

9


Source CodePolicy

Trustinfo

Compiler

Splitter

subprograms


Performs dynamic

access control checks and

encrypts communication

.

10

Security Assurance• Goal: Resulting distributed program

performs the same computation as the source and also satisfies the security policies.

• Guarantee: Principal P's security policy is violated only if a host that P trusts fails or is subverted.

• Example: A

C

B

"Alice trusts A & C""Bob trusts B & C"

If B fails, Alice's policy is obeyed, Bob's policy may be violated.

11


Source CodePolicy

Trustinfo

Compiler

Splitter

subprograms


12

Confidentiality Policies in Jif

• Confidentiality labels: int{Alice} a; "a is Alice's private int"

• Integrity labels: int{?Alice} a; "Alice must trust a"

• Combined labels: int{Alice, ?Alice} a; (Both constraints)int{Alice} a1, a2;

int{Bob} b;

// Insecurea1 = b;b = a1;

// Securea1 = a2;

13

Policy Operations in Jif• Declassification:

int{Alice} a; declassify(a to Bob);

• Endorse: int{?Bob} b; endorse(b by Alice);

• But (!) Alice must trust the integrity of decision to perform the policy operation.– Compiler guarantees the integrity

"type-cast int{Alice} to int{Bob}"

14

Example: Oblivious Transfer

int m1;int m2;

Alice Bobrequest(n)

• Alice has two integers: m1 and m2. • Alice's Policy:"Bob gets to choose exactly one of m1 and m2."• Bob's Policy:"Alice doesn't get to know which item I request."• Classic Result: "Impossible to solve using 2 principals, with perfect security."

answer(mn)

15

Oblivious Transfer (Java)

int m1, m2; // Alice's databoolean accessed;int n, ans; // Bob's data

n = choose(); // Bob's choice

if (!accessed) { // Transfer accessed = true; if (n == 1) ans = m1; else ans = m2;}

16

int{Alice} m1, m2; // Alice's databoolean accessed;int{Bob} n, ans; // Bob's data


if (!accessed) { // Transfer accessed = true; if (n == 1) ans = m1; else ans = m2;}

Adding Confidentiality Labels

Verification Fails

17

int{Alice} m1, m2; // Alice's databoolean accessed;int{Bob} n, ans; // Bob's data


if (!accessed) { // Transfer accessed = true; if (n == 1) ans = declassify(m1 to Bob); else ans = declassify(m2 to Bob);}

Using Declassification

Verification Fails

18

Integrity Constraintsint{Alice} m1, m2; // Alice's databoolean{?Alice} accessed;int{Bob} n, ans; // Bob's data


if (!accessed) { // Transfer accessed = true; if (n == 1) ans = declassify(m1 to Bob); else ans = declassify(m2 to Bob);}

Verification Fails

19

Using Endorsementint{Alice} m1, m2; // Alice's databoolean{?Alice} accessed;int{Bob} n, ans; // Bob's data


if (!accessed) { // Transfer accessed = true; if (endorse(n by Alice) == 1) ans = declassify(m1 to Bob); else ans = declassify(m2 to Bob);}

20


Source CodePolicy

Trustinfo

Compiler

Splitter

subprograms


21

Trust Configurations• Labels describe the trust relationship

between principals and the available hosts.

• Confidentiality: Host A:{Alice}"Alice trusts host A not to leak her confidential data."

• Integrity: Host A:{?Alice}"Alice trusts host A not to corrupt her high-integrity data."

int{Alice} m1; m1 can be sent to Aint{Bob} n; n cannot be sent to A

22

Two-Host Configuration

A B

{Alice, ?Alice} {Bob, ?Bob}

23

Splitter output: No Solution!

A B

{Alice, ?Alice} {Bob, ?Bob}

Can't find a host for the expression:

endorse(n by Alice)

It requires a host that has Alice's integrity yet can hold Bob's private data.

24

Splitter Output

A B

{Alice, ?Alice} {Bob, ?Bob}{Alice, ?Alice, Bob}

T

n = choose(); if (!accessed) { ...}

int m1, m2;bool accessed; int n, ans;

int choose() { ... return n;}

25

Splitter Output is Java

A B


T




Data and all of the code

except 'choose()' are located at T.

26

Run-time Calls

A B


T




Resulting code links against the

runtime.

27

Security Assurance

A B


T



int choose() { ... return n;} Alice's policy is

enforced.

28

Network Overhead

A B


T




Nothing located at host

A!

29

Another Secure Solution

A B


T

goto(B);

int n'= get(n,B);if (n' == 1) set(ans, m1);else ...

int m1, m2;


bool accessed;

int n, ans;

n = choose();goto(T);

goto(A);

if (!accessed){ accessed=true; goto(T);}

30


Source CodePolicy

Trustinfo

Compiler

Splitter

subprograms


31

• Data TransferVal getField(Host h, ObjID o, Field f)Val setField(Host h, ObjID o, Field f, Val v)void forward(Host h, Frame f, Var vr, Val v)

• Control Transfervoid rgoto(Host h, Frame f, EntryPt e, Token t)void lgoto(Token t)void sync(Host h, Frame f, EntryPt e, Token t)

• Implementation– Performs access control checks– Encrypts network communication– Capability mechanism protects control transfers

Core Runtime Protocol

32

Control Transfer Integrity

{?Alice}(Trusted) (Less Trusted)

{?Alice}(Trusted)

... goto(B); ...

declassify(X)

... goto(A);

...declassify(Y)

Alice's privileged

code

33


{?Alice}(Trusted)

{?Alice}(Trusted)

... goto(B); ...

declassify(X)

... goto(A);

...declassify(Y)

(Less Trusted)

34


{?Alice}(Trusted)

{?Alice}(Trusted)

... goto(B); ...

declassify(X)

... goto(A);

...declassify(Y)

1. sync

2. rgoto

3. lgoto

T

T

T

T

(Less Trusted)

35


{?Alice}(Trusted)

{?Alice}(Trusted)

... goto(B); ...

declassify(X)

... goto(A);

...declassify(Y)

TT

(Less Trusted)

T

T

36

Capabilities Protocol

• Theorem: When trusted hosts follow the

protocol, there is at most one valid capability available to less trusted hosts.

Means that less trusted hosts have no choice about how privileges are restored to the computation.

37

Prototype: Jif/split• Jif/split: 7400 loc Runtime: 1700 loc• 4 small benchmarks:

– < 300 lines of code each– 2 hand implemented in Java using RMI

• Experimental results: (LAN setting)– Running time overhead vs. hand

implemented: 20% to 120%– Message count overhead vs. hand

implemented:-25% to 25%

– Costs seem reasonable– Need to try bigger programs

38

60

Source Code Policy

Trustinfo

Compiler

Splitter

subprograms



• Language-based Confidentiality Policies– Compiler splits a program among

heterogeneously trusted hosts.– Guided by security policies– Resulting distributed program satisfies the

policies

• Benefits:– End-to-end security– Decentralized– Automatic– Explicit Policies

39

http://www.cs.cornell.edu/jif

40

Oblivious Transfer Impossibility

"It is well known (and easy to see) that in a two-player scenario with noiseless communication,OT [Oblivious Transfer] ... with information-theoretic security is not possible, even if only passive cheating is assumed, and players are allowed infinite computing power."

– Damgård, Kilian, SlavailOn the (Im)possibility of Basing Oblivious Transfer and Bit Commitment on Weakened Security Assumptions, EUROCRYPTO '99

41

Access Control Checks

• Static constraints for read/write are compiled into access control checks

• Host A checks that {Alice} {Alice,?Alice,Bob}– verifies signature of S– checks that S {A, S}– if so, replies with m1

• setField requires integrity checks

t1 = getField(Alice, m1);

{Alice, ?Alice, Bob}

S

{Alice, ?Alice}

A

int{Alice, ?Alice} m1;get(m1)K(S)

42

Partitioning Jif Programs

• Solve a constraint system to determine possible hosts

• Use dynamic programming & heuristics to find an efficient solution

• Rewrite program, inserting calls to runtime system– data forwarding and control transfers

• Outputs: A collection of Java code fragments with host assignments

43

Static Constraints• Consider a field: int{Alice:;?:Alice} f;• Host H : confidentiality label C integrity label I• Constraints: {Alice:} C I {?:Alice}• Read-channels: Uses(f) C• Generalize to program statements• Constraints on declassify()

untrusted hosts and confidentiality: secure program partitioning steve zdancewic lantian zheng...

Documents

c b alice

alices policy

bobs policy

policy operations

distribution slide

a2 slide

c bob trusts b c slide

alice doesnt