Lazy Programs Leak Secrets
Paper in proceedings, 2013

To preserve confidentiality, information-flow control (IFC) restricts how untrusted code handles secret data. While promising, IFC systems are not perfect; they can still leak sensitive information via covert channels. In this work, we describe a novel exploit of lazy evaluation to reveal secrets in IFC systems. Specifically, we show that lazy evaluation might transport information through the internal timing covert channel, a channel present in systems with concurrency and shared resources. We illustrate our claim with an attack for LIO, a concurrent IFC system for Haskell. We propose a countermeasure based on restricting the implicit sharing caused by lazy evaluation.

language-based security

covert channels

lazy evaluation

Haskell

information flow control

Author

Pablo Buiras

Chalmers, Computer Science and Engineering (Chalmers), Software Technology (Chalmers)

Alejandro Russo

Chalmers, Computer Science and Engineering (Chalmers), Software Technology (Chalmers)

Lecture Notes in Computer Science

0302-9743 (ISSN)

Vol. 8208 116-122

Areas of Advance

Information and Communication Technology

Subject Categories

Computer Science

DOI

10.1007/978-3-642-41488-6_8

ISBN

978-3-642-41488-6