Nonmalleable Information Flow Control

Cecchetti, Ethan; Myers, Andrew C.; Arden, Owen

doi:10.1145/3133956.3134054

Cited by 29 publications

(45 citation statements)

References 38 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Hypersafety is a generalization of safety that is very important in practice, since several important notions of noninterference are hypersafety, such as termination-insensitive noninterference [13,45,86], observational determinism [68,83,101], and nonmalleable information flow [26].…”

Section: Robust Hypersafety Preservation (Rhsp)mentioning

confidence: 99%

“…For hypersafety the involved observations are finite sets but their cardinality is otherwise unrestricted. In practice though, most hypersafety properties can be falsified by very small sets: counterexamples to termination-insensitive noninterference [13,45,86] and observational determinism [68,83,101] are observations containing 2 finite prefixes, while counterexamples to nonmalleable information flow [26] are observations containing 4 finite prefixes. To account for this, Clarkson and Schneider [31] introduce K-hypersafety as a restriction of hypersafety to observations of a fixed cardinality K. Given Obs K = 2 FinPref Fin(K) , the set of observations with cardinality K, all definitions and results above can be ported to K-hypersafety by simply replacing Obs with Obs K .…”

Section: Robust Hypersafety Preservation (Rhsp)mentioning

confidence: 99%

See 1 more Smart Citation

Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation

Abate

Blanco

Garg

et al. 2019

2019 IEEE 32nd Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

Good programming languages provide helpful abstractions for writing secure code, but the security properties of the source language are generally not preserved when compiling a program and linking it with adversarial code in a low-level target language (e.g., a library or a legacy application). Linked target code that is compromised or malicious may, for instance, read and write the compiled program's data and code, jump to arbitrary memory locations, or smash the stack, blatantly violating any source-level abstraction. By contrast, a fully abstract compilation chain protects source-level abstractions all the way down, ensuring that linked adversarial target code cannot observe more about the compiled program than what some linked source code could about the source program. However, while research in this area has so far focused on preserving observational equivalence, as needed for achieving full abstraction, there is a much larger space of security properties one can choose to preserve against linked adversarial code. And the precise class of security properties one chooses crucially impacts not only the supported security goals and the strength of the attacker model, but also the kind of protections a secure compilation chain has to introduce.We are the first to thoroughly explore a large space of formal secure compilation criteria based on robust property preservation, i.e., the preservation of properties satisfied against arbitrary adversarial contexts. We study robustly preserving various classes of trace properties such as safety, of hyperproperties such as noninterference, and of relational hyperproperties such as trace equivalence. This leads to many new secure compilation criteria, some of which are easier to practically achieve and prove than full abstraction, and some of which provide strictly stronger security guarantees. For each of the studied criteria we propose an equivalent "property-free" characterization that clarifies which proof techniques apply. For relational properties and hyperproperties, which relate the behaviors of multiple programs, our formal definitions of the property classes themselves are novel. We order our criteria by their relative strength and show several collapses and separation results. Finally, we adapt existing proof techniques to show that even the strongest of our secure compilation criteria, the robust preservation of all relational hyperproperties, is achievable for a simple translation from a statically typed to a dynamically typed language.(∀C T . ∀t 1 , .., t k , ..(∀i.C T [P i ] t i ) ⇒ (t 1 , .., t k , ..) ∈ R)

show abstract

Section: Robust Hypersafety Preservation (Rhsp)mentioning

confidence: 99%

Section: Robust Hypersafety Preservation (Rhsp)mentioning

confidence: 99%

Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation

Abate

Blanco

Garg

et al. 2019

2019 IEEE 32nd Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

show abstract

“…DFLATE permits weakening, or downgrading, of policies. 12 Downgrading occurs by adding delegations (via assume terms) and by TEE execution (via endorsement of the TEE's program counter level).…”

Section: Security Guaranteesmentioning

confidence: 99%

“…However, downgrading in DFLATE is carefully controlled and restricted: well-typed assume terms can only execute in contexts with sufficient integrity, and endorsement of TEEs reflect measurement and verification of code executing in a TEE. We thus expect that well-typed DFLATE programs satisfy a variety of expressive noninterference-based security guarantees, based on controlled downgrading (e.g., [12,25,8,9,13,3]), suitably adapted to be consistent with our threat model IV.…”

Section: Security Guaranteesmentioning

confidence: 99%

See 1 more Smart Citation

Information Flow Control for Distributed Trusted Execution Environments

Gollamudi

Chong

Arden

2019

2019 IEEE 32nd Computer Security Foundations Symposium (CSF)

Self Cite

View full text Add to dashboard Cite

Distributed applications cannot assume that their security policies will be enforced on untrusted hosts. Trusted execution environments (TEEs) combined with cryptographic mechanisms enable execution of known code on an untrusted host and the exchange of confidential and authenticated messages with it. TEEs do not, however, establish the trustworthiness of code executing in a TEE. Thus, developing secure applications using TEEs requires specialized expertise and careful auditing. This paper presents DFLATE, a core security calculus for distributed applications with TEEs. DFLATE offers high-level abstractions that reflect both the guarantees and limitations of the underlying security mechanisms they are based on. The accuracy of these abstractions is exhibited by asymmetry between confidentiality and integrity in our formal results: DFLATE enforces a strong form of noninterference for confidentiality, but only a weak form for integrity. This reflects the asymmetry of the security guarantees of a TEE: a malicious host cannot access secrets in the TEE or modify its contents, but they can suppress or manipulate the sequence of its inputs and outputs. Therefore DFLATE cannot protect against the suppression of high-integrity messages, but when these messages are delivered, their contents cannot have been influenced by an attacker.

show abstract

A Calculus for Flow-Limited Authorization

Arden

Myers

2016

2016 IEEE 29th Computer Security Foundations Symposium (CSF)

Self Cite

View full text Add to dashboard Cite

Real-world applications routinely make authorization decisions based on dynamic computation. Reasoning about dynamically computed authority is challenging. Integrity of the system might be compromised if attackers can improperly influence the authorizing computation. Confidentiality can also be compromised by authorization, since authorization decisions are often based on sensitive data such as membership lists and passwords. Previous formal models for authorization do not fully address the security implications of permitting trust relationships to change, which limits their ability to reason about authority that derives from dynamic computation. Our goal is an approach to constructing dynamic authorization mechanisms that do not violate confidentiality or integrity. The Flow-Limited Authorization Calculus (FLAC) is a simple, expressive model for reasoning about dynamic authorization as well as an information flow control language for securely implementing various authorization mechanisms. FLAC combines the insights of two previous models: it extends the Dependency Core Calculus with features made possible by the Flow-Limited Authorization Model. FLAC provides strong end-to-end information security guarantees even for programs that incorporate and implement rich dynamic authorization mechanisms. These guarantees include noninterference and robust declassification, which prevent attackers from influencing information disclosures in unauthorized ways. We prove these security properties formally for all FLAC programs and explore the expressiveness of FLAC with several examples.

show abstract

Nonmalleable Information Flow Control

Cited by 29 publications

References 38 publications

Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation

Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation

Information Flow Control for Distributed Trusted Execution Environments

A Calculus for Flow-Limited Authorization

Contact Info

Product

Resources

About