Timing- and Termination-Sensitive Secure Information Flow: Exploring a New Approach

Kashyap, Vineeth; Wiedermann, Ben; Hardekopf, Ben

doi:10.1109/sp.2011.19

Cited by 70 publications

(63 citation statements)

References 38 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…FlowFox multi-executes scripts and event handlers using a low-priority scheduler [34] (see Section 3.1.2 and Section 3.3) on a per-event basis. A fundamental limitation of this type of scheduling is that it does not offer timing-sensitive non-interference.…”

Section: Limitations and Future Workmentioning

confidence: 99%

“…These initial results were improved and extended in several ways: Kashyap et al [34], generalize the technique of secure multi-execution to a family of techniques that they call the scheduling approach to non-interference, and they analyze how the scheduling strategy can impact the security properties offered. Jaskelioff and Russo [30] propose a monadic library to realize secure multi-execution in Haskell, and Barthe et al [11] propose a program transformation that simulates SME.…”

Section: Limitations and Future Workmentioning

confidence: 99%

See 1 more Smart Citation

Secure multi-execution of web scripts: Theory and practice

Groef

Devriese

Nikiforakis

et al. 2014

JCS

View full text Add to dashboard Cite

Secure Multi-Execution (SME) is a precise and general information flow control mechanism that was claimed to be a good fit for implementing information flow security in browsers. We validate this claim by developing FlowFox, the first fully functional web browser that implements an information flow control mechanism for web scripts based on the technique of secure multi-execution. We provide evidence for the security of FlowFox by proving non-interference for a formal model of the essence of FlowFox, and by showing how it stops real attacks. We provide evidence of usefulness by showing how FlowFox subsumes many ad-hoc script-containment countermeasures developed over the last years. An experimental evaluation on the Alexa top-500 web sites provides evidence for compatibility, and shows that FlowFox is compatible with the current web, even on sites that make intricate use of JavaScript.The performance and memory cost of FlowFox is substantial (a performance cost of around 20% on macro benchmarks for a simple two-level policy), but not prohibitive. Our prototype implementation shows that information flow enforcement based on secure multi-execution can be implemented in full-scale browsers. It can support powerful, yet compatible policies refining the same-origin-policy in a way that is compatible with existing websites.

show abstract

Section: Limitations and Future Workmentioning

confidence: 99%

Section: Limitations and Future Workmentioning

confidence: 99%

Secure multi-execution of web scripts: Theory and practice

Groef

Devriese

Nikiforakis

et al. 2014

JCS

View full text Add to dashboard Cite

show abstract

“…In this scenario, cache-based attacks can only be removed in specific configurations [14] (e.g., when there are as many CPU cores as security levels).…”

Section: Related Workmentioning

confidence: 99%

A Library for Removing Cache-Based Attacks in Concurrent Information Flow Systems

Buiras

Levy

Stefan

et al. 2014

Trustworthy Global Computing

View full text Add to dashboard Cite

Abstract. Information-flow control (IFC) is a security mechanism conceived to allow untrusted code to manipulate sensitive data without compromising confidentiality. Unfortunately, untrusted code might exploit some covert channels in order to reveal information. In this paper, we focus on the LIO concurrent IFC system. By leveraging the effects of hardware caches (e.g., the CPU cache), LIO is susceptible to attacks that leak information through the internal timing covert channel. We present a resumption-based approach to address such attacks. Resumptions provide fine-grained control over the interleaving of thread computations at the library level. Specifically, we remove cache-based attacks by enforcing that every thread yield after executing an "instruction," i.e., atomic action. Importantly, our library allows for porting the full LIO libraryour resumption approach handles local state and exceptions, both features present in LIO. To amend for performance degradations due to the library-level thread scheduling, we provides two novel primitives. First, we supply a primitive for securely executing pure code in parallel. Second, we provide developers a primitive for controlling the granularity of "instructions"; this allows developers to adjust the frequency of context switching to suit application demands.

show abstract

“…In this scenario, the cachebased covert channel can only be removed in specific configurations [16]. Zhang et al [49] provide a method to mitigate external events when their timing behavior could be affected by the underlying hardware.…”

Section: Related Workmentioning

confidence: 99%

Eliminating Cache-Based Timing Attacks with Instruction-Based Scheduling

Stefan

Buiras

Yang

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Information flow control allows untrusted code to access sensitive and trustworthy information without leaking this information. However, the presence of covert channels subverts this security mechanism, allowing processes to communicate information in violation of IFC policies. In this paper, we show that concurrent deterministic IFC systems that use time-based scheduling are vulnerable to a cache-based internal timing channel. We demonstrate this vulnerability with a concrete attack on Hails, one particular IFC web framework. To eliminate this internal timing channel, we implement instruction-based scheduling, a new kind of scheduler that is indifferent to timing perturbations from underlying hardware components, such as the cache, TLB, and CPU buses. We show this scheduler is secure against cache-based internal timing attacks for applications using a single CPU. To show the feasibility of instruction-based scheduling, we have implemented a version of Hails that uses the CPU retired-instruction counters available on commodity Intel and AMD hardware. We show that instruction-based scheduling does not impose significant performance penalties. Additionally, we formally prove that our modifications to Hails' underlying IFC system preserve non-interference in the presence of caches.

show abstract

Timing- and Termination-Sensitive Secure Information Flow: Exploring a New Approach

Cited by 70 publications

References 38 publications

Secure multi-execution of web scripts: Theory and practice

Secure multi-execution of web scripts: Theory and practice

A Library for Removing Cache-Based Attacks in Concurrent Information Flow Systems

Eliminating Cache-Based Timing Attacks with Instruction-Based Scheduling

Contact Info

Product

Resources

About