1 / 27

Achieving Information Flow Security Through Precise Control of Effects

Achieving Information Flow Security Through Precise Control of Effects. Bill Harrison Department of Computer Science University of Missouri at Columbia. Ph.D 2001, UIUC Thesis: Modular Compilers and Their Correctness Proofs Thesis Advisor: Sam Kamin Post-doc, Oregon Graduate Inst. (OGI)

howie
Télécharger la présentation

Achieving Information Flow Security Through Precise Control of Effects

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Achieving Information Flow Security Through Precise Control of Effects Bill Harrison Department of Computer Science University of Missouri at Columbia

  2. Ph.D 2001, UIUC • Thesis: Modular Compilers and Their Correctness Proofs • Thesis Advisor: Sam Kamin • Post-doc, Oregon Graduate Inst. (OGI) • Three years on Programatica Project • using Haskell language as basis for formal methods • Assistant Professor, University of Missouri-Columbia since Fall 2003

  3. Separation Kernel Approach [Rushby82,81,…] Lo “domain” Kernel Hi “domain” mediating services mediating services Lo state Hi state “system resources” • Relies on taming effects via state partitioning • AND controlling interactions through trusted kernel services • Today: Outline development of separation kernel & its security verification • based on well-understood properties of monads • To appear: Proceedings of the IEEE Computer Security Foundations • Workshop (CSFW05). Paper at www.cs.missouri.edu/~harrison

  4. Domain Separation by Construction • Our approach unifies “security by design” with formal trace-based security models [Rushby82,81; GoguenMeseguer81] • Reasoning about systems in familiar algebraic style • Implemented directly in higher-order functional languages • Promise of the approach: Scalability/Modularity of systems & their verifications through monads • Monads provide an algebraic theory of programming useful in formal specification & verification • Verification promoted via “by construction” properties of monads • System development through refinement to underlying monads • Cost of re-verification of a refined system can be minimal

  5. Outline • Background • Language-based Security • Precise Control of Effects from Monads • Constructing Separation Kernels • Verifying Separation Kernels • Conclusions and Future Work

  6. Language Based Security • Idea: Apply techniques and structures from programming language research to the computer security • Sabelfeld & Meyer’s “Language-based Information Flow Security” is an excellent survey article • Proscriptive: These frequently are sophisticated type systems or logics to reject programs with security flaws [Heintze 1998; Smith/Volpano 1998; Palsberg, 1997; Crary2004] • Constructive: Our approach relies on properties of monads & monad transformers to build, verify, and extend secure software systems

  7. An Example: Security via Type-checking   e2: intl   e2: intL   e1: intl   e1: intL   e1 e2: intH   e1 e2: intL Fromλsec (Li & Zdancewic, POPL2005): “Reading up is permitted” (l {L,H}) “Low computations consider low”

  8. The constructive approach 4 semaphores System enhancements have minimal impact on re-verification 3 forking intradomain behaviors Enhanced Capabilities 2 message passing interdomain communication 1 basic separation 0 shared-state concurrency reactivity separation Refinements to Monads

  9. Monads are ADTs for computational paradigms • Monad captures a distinct notion of computation as an algebra • …defines a programming language with (at least) sequencing “;” and skip features • plus operators particular to its paradigm • paradigm = shared state concurrency for separation kernel • What makes monads useful are their other features • called “non-proper morphisms” in monad-speak • their behavior is specified with equational axioms • new features added by monad transformers

  10. Monads, formally and informally skip ; c = c c ; skip = c (c0 ; c1) ; c2 = c0 ; (c1 ; c2) Monad M is a type constructor (functor) with extra structure, η and , obeying the “monad laws” A monad defines a prog. language with (at least) sequencing “;” and skip plus operators special to its computational paradigm

  11. State monad for any f, f' : Sto  Sto, Behavioral Properties mask = u (λ_.σ0)

  12. Two State Monad Two sets of stateful effects …for Hi and Lo effects commute

  13. Monad transformers are constructors for monads Concurrency Reactivity Lostate Histate send receive || := := • monad defines a programming language • each application of a monad transformer • introduces new features • monads constructed in “layers” Intuition

  14. Periodic Table of Effects StateT imperative := BackT backtracking cut ResT threads step pause  EnvT binding  @ v ErrorT exceptions raise/catch ContT continuations callcc NondetT non-determ. choose IoT input/output printf DebugT debugging rollback ReactT reactivity send,recv,… • Moggi: • Prog Langs are collections of effects captured as monads • Monads assembled from constructors (monad transformers) • Our view • Systems are collections of effects captured as monads • “Systems” broadly construed

  15. “Properties for free” For all Hi and Lo assignments, x:=e & y:=e’, Atomic Non-interference x:=e ;y:=e’=y:=e’; x:=e read(d) ; x:=e Cancellation read(d) ; y:=e’ Lostate Histate “Clobber” x:=e ; maskHi = maskHi A key meta-property is that these properties are preserved by monad transformers = Two  StateT Hi (StateT Lo M) for any monad M *Theorems 1-3 of the CSFW paper.

  16. Concurrency based on the resumption monad …defines a precise notion of “thread”: … x2:=e2 x1:=e1 x3:=e3 :: :: an “atom”

  17. “Security-conscious” Concurrency Paradigm … x3:=e3 x1:=e1 x2:=e2 “Hi” security threads :: :: … “Lo” security threads y1:=f1 y2:=f2 y3:=f3 :: :: … x1:=e1 y1:=f1 x2:=e2 System executions :: ::

  18. Specifying Non-interference Properties in a Monadic Setting x1:=e1 y1:=f1 x2:=e2 y1:=f1 ; ; maskHi maskHi ; = ; Ex: Generalized Non-interference [GoguenMeseguer] “Changes in high-security inputs only result in changes to high-security outputs” Take Separation: Hi effects must cancel = Hi security actions = Lo security actions

  19. Monadic theory of effects supports simple verification x1:=e1 y1:=f1 x2:=e2 maskHi ; ; ; x1:=e1 ; y1:=f1 ; maskHi = x1:=e1 ; y1:=f1 ; maskHi = ; y1:=f1 maskHi = y1:=f1 ; maskHi = Each interaction rule used above comes for free “by construction” of the monad!

  20. To build a Separation Kernel, just construct the right monad! Lo “domain” Hi “domain” Kernel Concurrency Reactivity mediating services mediating services Lo state Hi state “system resources” Lostate Histate Monad for shared-state concurrency with separation:

  21. Kernel Structure For a resumption monad R requests by user thread to access kernel-level structures waiting list, semaphores, message channels,… • sched and handler are mutually recursive functions • compact: process forking, preemption, synchronization, message passing • in less than 50 lines of Haskell 98 code! • reasoning resembles well-understood stream-based reasoning. • See “Cheap (But Functional) Threads” for further details: www.cs.missouri.edu/~harrison/drafts/CheapThreads.pdf

  22. “No Write Down” Policy Enforced By Kernel Theorem 4 (No write down) An attempt to “write down” has no effect. handler sys ( ) handler sys ( ) = send Lo v;… skip;… Hi security thread

  23. Underlying architecture is very flexible… Refinements to Monad Transformers 4 semaphores • OS behaviors • are easily expressed • System enhancements • = Refinements to MTs • Tend to have minimal • impact on re-verification 3 forking Enhanced Capabilities 2 message passing interdomain communication 1 basic separation 0 shared-state concurrency reactivity separation * see “Cheap (But Functional) Threads” for more details

  24. System Models are Executable • The monadic constructions can be readily represented • in any functional language • allowing system models to be type-checked & tested • Haskell implementations at • www.cs.missouri.edu/~harrison/CSFW05 Ex: brc = x := 100 ; loop(x := x+1 ; broadcast x) Increment & broadcast Receive & receive rcv = loop (receive x)

  25. Future Work: Underlying architecture applies to all manner of concurrent applications An HTTP web server with a verified separation property: handler sys ( ) handler sys ( ) = GETurlHI; (page-contents) handler sys ( ) handler sys ( ) = GETurlHi; skip; Other possibilities include • garbage collectors, • network drivers, • device drivers, • virtual machines, • the IO monad

  26. A Constructive Approach to Controlling Information Flow • Illustrates the utility of viewing systems as collections of interacting effects • Our approach is constructive • relies on properties of monads & monad transformers to build, verify, and extend secure software systems • Many useful properties are given by construction of the monads themselves • …and are preserved by monad transformers • …thereby aiding system refinements

  27. Thank You!

More Related