Foundations for Parallel Information Flow Control Runtime Systems

Vassena, Marco; Soeller, Gary; Amidon, Peter; Chan, M.; Renner, John W.; Stefan, Deian

doi:10.1007/978-3-030-17138-4_1

Cited by 15 publications

(9 citation statements)

References 65 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The goal of their work is securing the execution platform of LIO [33], a dynamic information flow control library for Haskell. Similar to our work, Vassena et al [38] consider a setting in which an attacker can obtain the current global time as a natural number counting execution steps, and (unlike our model) the current size of the heap. They design a system for hierarchically managing space and time resources with some amount of burden on the programmer: a parent thread has to manually kill their child thread to reclaim resources.…”

Section: Securing Runtimesmentioning

confidence: 94%

See 1 more Smart Citation

Static Enforcement of Security in Runtime Systems

Pedersen

Askarov

2019

2019 IEEE 32nd Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

Underneath every modern programming language is a runtime environment (RTE) that handles features such as automatic memory management and thread scheduling. In the information-flow control (IFC) literature, the RTE is often part of the trusted computing base (TCB), and there has been little focus on applying IFC to the implementation of the RTE itself. In this paper we address this problem by designing an IFC language, Zee, for implementing secure RTEs, thereby removing the RTE from the TCB. We implement Zee and design and implement secure versions of garbage collectors and thread schedulers using Zee. We also prove that a faithful calculus of Zee satisfies a strong variant of timing-sensitive noninterference.

show abstract

Section: Securing Runtimesmentioning

confidence: 94%

“…Vassena et al [38] present a new foundation for a dynamic information flow control parallel runtime system. The goal of their work is securing the execution platform of LIO [33], a dynamic information flow control library for Haskell.…”

Section: Securing Runtimesmentioning

confidence: 99%

Static Enforcement of Security in Runtime Systems

Pedersen

Askarov

2019

2019 IEEE 32nd Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

show abstract

“…There is a significant body of work on embedding IFC in Haskell [3,17,22,27,38,41,43,48,[50][51][52]. Most of which falls into the category of "monadic" IFC libraries in which the code that is subject to IFC enforcement is written using a specialized interface exported by the library.…”

Section: Implementations Of Ifc In Haskellmentioning

confidence: 99%

Multi-Execution Lattices Fast and Slow

Algehed¹,

Flanagan²

2021

Preprint

View full text Add to dashboard Cite

Methods for automatically, soundly, and precisely guaranteeing the noninterference security policy are predominantly based on multi-execution. All other methods are either based on undecidable theorem proving or suffer from false alarms. The multi-execution mechanisms, meanwhile, work by isolating security levels during program execution and running multiple copies of the target program, once for each security level with carefully tailored inputs that ensure both soundness and precision. When security levels are hierarchically organised in a lattice, this may lead to an exponential number of executions of the target program as the number of possible ways of combining security levels grows. In this paper we study how the lattice structure for security levels influences the runtime overhead of multi-execution. We additionally show how to use Galois connections to gain speedups in multi-execution by switching from lattices with high overhead to lattices with low overhead. Additionally, we give an empirical evaluation that corroborates our analysis and shows how Galois connections have potential to speed up multi-execution. REVIEW OF THE MULTI-EXECUTION FRAMEWORKA (join semi-)lattice L is a set L with a transitive, reflexive, and antisymmetric order ⊑ that has a least element ⊥ and is such that any two elements ℓ, ∈ L have a least upper bound ℓ ⊔ ∈ L. For a finite subset ⊆ L we write for the least upper bound of all elements in . For example, the two-point lattice has L = {L, H}, L denotes public information and H denotes secret information. Public information can flow to secret information so ⊑ is the smallest reflexive relation such that L ⊑ H. Finally, this means that L ⊔ L = L and ℓ ⊔ = H if either ℓ or is H.Following Algehed and Flanagan [2] we consider batch-job programs from labeled sets to labeled sets and let , , range over partial recursive functions from P ( × L) to P ( × L) for some set of inputs and outputs . This is a convenient formalism, as it allows us to succinctly state the core definitions that allow us to reason about multi-execution. The following definitions (from [2]) are sufficient to precisely define Noninterference.Definition 2.1. Assume ℓ ∈ L and , ⊆ × L for some , define the projection of at ℓ as (we write the pair ( , ) as ):We say that and are ℓ-equivalent, meaning they look the same to an observer at level ℓ, written ∼ ℓ , if and only if their ℓprojections are the same:The projection ↓ ℓ of at ℓ is precisely all the information in that is visible to ℓ. Likewise, this means that if two sets and look the same to ℓ, then they are ℓ-equivalent. The definition of noninterference meanwhile is that is noninterfering if it does not reveal more about its inputs than what one can know by looking at the input. In other words, if two inputs and differ only in values that are secret to an observer at level ℓ, they are ℓ-equivalent, then ( ) and ( ) should also be ℓ-equivalent.Definition 2.2 (Noninterference). We say that program : P ( × L) → P ( × L) is noninterfering if it preserves ℓ-equivalence....

show abstract

“…Other than the above approach, the majority of the mechanisms found in the literature to prevent timing leaks in concurrent programs are based on either (i) developing a sound typing rules to enforce secure-flow properties in concurrent programming languages [19], [21]; (ii) performing source transformation to balance the time variation or eliminate the timing channel [18], [20], [34]; or (iii) developing a run-time monitor to identify potentially dangerous executions that could leak information [14], [35], [36].…”

Section: Related Workmentioning

confidence: 99%

“…Then, output 'acdb' arising due to concurrent executions of T 1 and T 2 reveal the value of h as 0. There have been a few efforts aiming to prevent timing leaks in concurrent or multi-threaded programs [14], [15], [16], [17], [18], [19], [20], [21] but majorly have sidestepped the issue that arise due to output statements.…”

Section: Introductionmentioning

confidence: 99%

An Axiomatic Approach to Detect Information Leaks in Concurrent Programs

Ghosal

Shyamasundar

2021

Preprint

View full text Add to dashboard Cite

Realizing flow security in a concurrent environment is extremely challenging, primarily due to non-deterministic nature of execution. The difficulty is further exacerbated from a security angle if sequential threads disclose control locations through publicly observable statements like print, sleep, delay, etc. Such observations lead to internal and external timing attacks. Inspired by previous works that use classical Hoare style proof systems for establishing correctness of distributed (real-time) programs, in this paper, we describe a method for finding information leaks in concurrent programs through the introduction of leaky assertions at observable program points. Specifying leaky assertions akin to classic assertions, we demonstrate how information leaks can be detected in a concurrent context. To our knowledge, this is the first such work that enables integration of different notions of non-interference used in functional and security context. While the approach is sound and relatively complete in the classic sense, it enables the use of algorithmic techniques that enable programmers to come up with leaky assertions that enable checking for information leaks in sensitive applications.

show abstract

Foundations for Parallel Information Flow Control Runtime Systems

Cited by 15 publications

References 65 publications

Static Enforcement of Security in Runtime Systems

Static Enforcement of Security in Runtime Systems

Multi-Execution Lattices Fast and Slow

An Axiomatic Approach to Detect Information Leaks in Concurrent Programs

Contact Info

Product

Resources

About