IFC Inside: Retrofitting Languages with Dynamic Information Flow Control

Heule, Stefan; Stefan, Deian; Yang, Emily; Mitchell, John C.; Russo, Alejandro

doi:10.1007/978-3-662-46666-7_2

Cited by 16 publications

(21 citation statements)

References 54 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Rather, we remark that LIO relies on types only to distinguish terms that can be used to compose safe computations and those that cannot, as further discussed in Section 2.3. Indeed, LIO can be generalized to dynamically typed languages, as shown in Heule et al (2015).…”

Section: Base Calculus For Pure Termsmentioning

confidence: 99%

Flexible dynamic information flow control in the presence of exceptions

et al. 2017

Self Cite

View full text Add to dashboard Cite

We describe a new, dynamic, floating-label approach to language-based information flow control. A labeled IO monad, LIO, keeps track of a current label and permits restricted access to IO functionality. The current label floats to exceed the labels of all data observed and restricts what can be modified. Unlike other language-based work, LIO also bounds the current label with a current clearance that provides a form of discretionary access control. Computations may encapsulate and pass around the results of computations with different labels. In addition, the LIO monad offers a simple form of labeled mutable references and exception handling. We give precise semantics and prove confidentiality and integrity properties of a call-by-name λ -calculus and provide an implementation in Haskell. be set in advance to impose an upper bound on the floating current label within that region. This restricts data access, limits the amount of code that could manipulate sensitive data, and reduces opportunities to exploit covert channels. Additionally, we introduce an operator, toLabeled, that allows the result of a computation that would have raised the current label to be encapsulated within the Labeled type. Finally, we present combinators for working with labeled references, and exceptions. Thanks to the flexibility of dynamic checking, LIO implements an IFC mechanism that is more permissive than previous static approaches (Pottier & Simonet, 2002;Li & Zdancewic, 2010;Russo et al., 2008) but provides similar security guarantees ). Though purely language-based, LIO explores a new design point centered on floating labels that draw on past OS work (Zeldovich et al., 2006).The main features of our system can be understood using the example of an online conference review system, called λ Chair. In this system, which we describe more fully later in the paper, authenticated users can read any paper and can normally read any review. This reflects the normal practice in conference reviewing, for example, where every member of the program committee can see submissions and their reviews, and participate in related discussion. Users can be added dynamically and assigned to review specific papers. As an illustration of the power of the labeling system, integrity labels are used to make sure that only assigned reviewers can write reviews for any given paper. Conversely, confidentiality labels are used to manage conflicts of interest. Users with a conflict of interest on a specific paper lack the privileges, represented by confidentiality labels, to read a review. As conflicts of interest are identified, confidentiality labels on the papers may change dynamically and become more restrictive.This paper extends an earlier conference version (Stefan et al., 2011b) by including formal proofs and extending the calculus and library implementation with exception handling. The main contributions of this work are:◮ We propose a new design point for IFC systems in which most values in lexical scope are protected by a single, mutable, current label, ...

show abstract

Section: Base Calculus For Pure Termsmentioning

confidence: 99%

Flexible dynamic information flow control in the presence of exceptions

et al. 2017

Self Cite

View full text Add to dashboard Cite

show abstract

“…In particular, GHC's approach to reclaiming memory via a stop-the-world GC simultaneously stops all threads on all cores, thus the relative write rate of public threads remain constant. Interestingly, though, implementing LIO on runtimes (e.g., Node.js as proposed by Heule et al [17]) with modern parallel garbage collectors that do not always stop the world would internalize the GC-based external timing attacks. Similarly, abusing GHC's memory allocation to exhaust all memory crashes all the program threads and, even though it cannot be internalized, it still results in information leakage.…”

Section: Internalizing External Timing Attacksmentioning

confidence: 99%

“…In Sect. 5.1, we describe our proof technique based on term erasure, which has been used to verify security guarantees of functional programming languages [30], IFC libraries [8,17,54,56,61], and an IFC runtime system [59]. In Sect.…”

Section: Security Guaranteesmentioning

confidence: 99%

Foundations for Parallel Information Flow Control Runtime Systems

Vassena

Soeller

Amidon

et al. 2019

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

We present the foundations for a new dynamic information flow control (IFC) parallel runtime system, LIOPAR. To our knowledge, LIOPAR is the first dynamic language-level IFC system to (1) support deterministic parallel thread execution and (2) eliminate both internaland external-timing covert channels that exploit the runtime system. Most existing IFC systems are vulnerable to external timing attacks because they are built atop vanilla runtime systems that do not account for security-these runtime systems allocate and reclaim shared resources (e.g., CPU-time and memory) fairly between threads at different security levels. While such attacks have largely been ignored-or, at best, mitigated-we demonstrate that extending IFC systems with parallelism leads to the internalization of these attacks. Our IFC runtime system design addresses these concerns by hierarchically managing resourcesboth CPU-time and memory-and making resource allocation and reclamation explicit at the language-level. We prove that LIOPAR is secure, i.e., it satisfies progress-and timing-sensitive non-interference, even when exposing clock and heap-statistics APIs.

show abstract

“…LIO is a domain-specific language embedded in Haskell that rephrases OS-like IFC enforcement into a language-based setting [Stefan et al , 2011. Heule et al [2015] introduce a general framework for coarse-grained IFC in any programming language in which external effects can be controlled. Laminar [Roy et al 2009] unifies mechanisms for IFC in programming languages and operating systems, resulting in a mix of dynamic fine-and coarse-grained enforcement.…”

Section: Cross-language Semantic Equivalence Up To Extra Annotationsmentioning

confidence: 99%

From fine- to coarse-grained dynamic information flow control and back

Vassena

Russo

Garg

et al. 2019

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

We show that fine-grained and coarse-grained dynamic information-flow control (IFC) systems are equally expressive. To this end, we mechanize two mostly standard languages, one with a fine-grained dynamic IFC system and the other with a coarse-grained dynamic IFC system, and prove a semantics-preserving translation from each language to the other. In addition, we derive the standard security property of non-interference of each language from that of the other, via our verified translation. This result addresses a longstanding open problem in IFC: whether coarse-grained dynamic IFC techniques are less expressive than fine-grained dynamic IFC techniques (they are not!). The translations also stand to have important implications on the usability of IFC approaches. The coarse-to fine-grained direction can be used to remove the label annotation burden that fine-grained systems impose on developers, while the fine-to coarse-grained translation shows that coarse-grained systemsÐwhich are easier to design and implementÐcan track information as precisely as fine-grained systems and provides an algorithm for automatically retrofitting legacy applications to run on existing coarse-grained systems. CCS Concepts: • Security and privacy → Formal security models;

show abstract

IFC Inside: Retrofitting Languages with Dynamic Information Flow Control

Cited by 16 publications

References 54 publications

Flexible dynamic information flow control in the presence of exceptions

Flexible dynamic information flow control in the presence of exceptions

Foundations for Parallel Information Flow Control Runtime Systems

From fine- to coarse-grained dynamic information flow control and back

Contact Info

Product

Resources

About