270 likes | 369 Vues
Explore how monads control effects in achieving information flow security, including separation kernel approach, language-based security, monad properties, and system refinements for scalability. Review system development through monads, monad laws, and monad transformers for secure software. Understand implications for verification and refinement in software security.
E N D
Achieving Information Flow Security Through Precise Control of Effects Bill Harrison Department of Computer Science University of Missouri at Columbia
Ph.D 2001, UIUC • Thesis: Modular Compilers and Their Correctness Proofs • Thesis Advisor: Sam Kamin • Post-doc, Oregon Graduate Inst. (OGI) • Three years on Programatica Project • using Haskell language as basis for formal methods • Assistant Professor, University of Missouri-Columbia since Fall 2003
Separation Kernel Approach [Rushby82,81,…] Lo “domain” Kernel Hi “domain” mediating services mediating services Lo state Hi state “system resources” • Relies on taming effects via state partitioning • AND controlling interactions through trusted kernel services • Today: Outline development of separation kernel & its security verification • based on well-understood properties of monads • To appear: Proceedings of the IEEE Computer Security Foundations • Workshop (CSFW05). Paper at www.cs.missouri.edu/~harrison
Domain Separation by Construction • Our approach unifies “security by design” with formal trace-based security models [Rushby82,81; GoguenMeseguer81] • Reasoning about systems in familiar algebraic style • Implemented directly in higher-order functional languages • Promise of the approach: Scalability/Modularity of systems & their verifications through monads • Monads provide an algebraic theory of programming useful in formal specification & verification • Verification promoted via “by construction” properties of monads • System development through refinement to underlying monads • Cost of re-verification of a refined system can be minimal
Outline • Background • Language-based Security • Precise Control of Effects from Monads • Constructing Separation Kernels • Verifying Separation Kernels • Conclusions and Future Work
Language Based Security • Idea: Apply techniques and structures from programming language research to the computer security • Sabelfeld & Meyer’s “Language-based Information Flow Security” is an excellent survey article • Proscriptive: These frequently are sophisticated type systems or logics to reject programs with security flaws [Heintze 1998; Smith/Volpano 1998; Palsberg, 1997; Crary2004] • Constructive: Our approach relies on properties of monads & monad transformers to build, verify, and extend secure software systems
An Example: Security via Type-checking e2: intl e2: intL e1: intl e1: intL e1 e2: intH e1 e2: intL Fromλsec (Li & Zdancewic, POPL2005): “Reading up is permitted” (l {L,H}) “Low computations consider low”
The constructive approach 4 semaphores System enhancements have minimal impact on re-verification 3 forking intradomain behaviors Enhanced Capabilities 2 message passing interdomain communication 1 basic separation 0 shared-state concurrency reactivity separation Refinements to Monads
Monads are ADTs for computational paradigms • Monad captures a distinct notion of computation as an algebra • …defines a programming language with (at least) sequencing “;” and skip features • plus operators particular to its paradigm • paradigm = shared state concurrency for separation kernel • What makes monads useful are their other features • called “non-proper morphisms” in monad-speak • their behavior is specified with equational axioms • new features added by monad transformers
Monads, formally and informally skip ; c = c c ; skip = c (c0 ; c1) ; c2 = c0 ; (c1 ; c2) Monad M is a type constructor (functor) with extra structure, η and , obeying the “monad laws” A monad defines a prog. language with (at least) sequencing “;” and skip plus operators special to its computational paradigm
State monad for any f, f' : Sto Sto, Behavioral Properties mask = u (λ_.σ0)
Two State Monad Two sets of stateful effects …for Hi and Lo effects commute
Monad transformers are constructors for monads Concurrency Reactivity Lostate Histate send receive || := := • monad defines a programming language • each application of a monad transformer • introduces new features • monads constructed in “layers” Intuition
Periodic Table of Effects StateT imperative := BackT backtracking cut ResT threads step pause EnvT binding @ v ErrorT exceptions raise/catch ContT continuations callcc NondetT non-determ. choose IoT input/output printf DebugT debugging rollback ReactT reactivity send,recv,… • Moggi: • Prog Langs are collections of effects captured as monads • Monads assembled from constructors (monad transformers) • Our view • Systems are collections of effects captured as monads • “Systems” broadly construed
“Properties for free” For all Hi and Lo assignments, x:=e & y:=e’, Atomic Non-interference x:=e ;y:=e’=y:=e’; x:=e read(d) ; x:=e Cancellation read(d) ; y:=e’ Lostate Histate “Clobber” x:=e ; maskHi = maskHi A key meta-property is that these properties are preserved by monad transformers = Two StateT Hi (StateT Lo M) for any monad M *Theorems 1-3 of the CSFW paper.
Concurrency based on the resumption monad …defines a precise notion of “thread”: … x2:=e2 x1:=e1 x3:=e3 :: :: an “atom”
“Security-conscious” Concurrency Paradigm … x3:=e3 x1:=e1 x2:=e2 “Hi” security threads :: :: … “Lo” security threads y1:=f1 y2:=f2 y3:=f3 :: :: … x1:=e1 y1:=f1 x2:=e2 System executions :: ::
Specifying Non-interference Properties in a Monadic Setting x1:=e1 y1:=f1 x2:=e2 y1:=f1 ; ; maskHi maskHi ; = ; Ex: Generalized Non-interference [GoguenMeseguer] “Changes in high-security inputs only result in changes to high-security outputs” Take Separation: Hi effects must cancel = Hi security actions = Lo security actions
Monadic theory of effects supports simple verification x1:=e1 y1:=f1 x2:=e2 maskHi ; ; ; x1:=e1 ; y1:=f1 ; maskHi = x1:=e1 ; y1:=f1 ; maskHi = ; y1:=f1 maskHi = y1:=f1 ; maskHi = Each interaction rule used above comes for free “by construction” of the monad!
To build a Separation Kernel, just construct the right monad! Lo “domain” Hi “domain” Kernel Concurrency Reactivity mediating services mediating services Lo state Hi state “system resources” Lostate Histate Monad for shared-state concurrency with separation:
Kernel Structure For a resumption monad R requests by user thread to access kernel-level structures waiting list, semaphores, message channels,… • sched and handler are mutually recursive functions • compact: process forking, preemption, synchronization, message passing • in less than 50 lines of Haskell 98 code! • reasoning resembles well-understood stream-based reasoning. • See “Cheap (But Functional) Threads” for further details: www.cs.missouri.edu/~harrison/drafts/CheapThreads.pdf
“No Write Down” Policy Enforced By Kernel Theorem 4 (No write down) An attempt to “write down” has no effect. handler sys ( ) handler sys ( ) = send Lo v;… skip;… Hi security thread
Underlying architecture is very flexible… Refinements to Monad Transformers 4 semaphores • OS behaviors • are easily expressed • System enhancements • = Refinements to MTs • Tend to have minimal • impact on re-verification 3 forking Enhanced Capabilities 2 message passing interdomain communication 1 basic separation 0 shared-state concurrency reactivity separation * see “Cheap (But Functional) Threads” for more details
System Models are Executable • The monadic constructions can be readily represented • in any functional language • allowing system models to be type-checked & tested • Haskell implementations at • www.cs.missouri.edu/~harrison/CSFW05 Ex: brc = x := 100 ; loop(x := x+1 ; broadcast x) Increment & broadcast Receive & receive rcv = loop (receive x)
Future Work: Underlying architecture applies to all manner of concurrent applications An HTTP web server with a verified separation property: handler sys ( ) handler sys ( ) = GETurlHI; (page-contents) handler sys ( ) handler sys ( ) = GETurlHi; skip; Other possibilities include • garbage collectors, • network drivers, • device drivers, • virtual machines, • the IO monad
A Constructive Approach to Controlling Information Flow • Illustrates the utility of viewing systems as collections of interacting effects • Our approach is constructive • relies on properties of monads & monad transformers to build, verify, and extend secure software systems • Many useful properties are given by construction of the monads themselves • …and are preserved by monad transformers • …thereby aiding system refinements