Lazy Programs Leak Secrets
Paper in proceeding, 2013
To preserve confidentiality, information-flow control (IFC) restricts how untrusted code handles secret data. While promising, IFC systems are not perfect; they can still leak sensitive information via covert channels. In this work, we describe a novel exploit of lazy evaluation to reveal secrets in IFC systems. Specifically, we show that lazy evaluation might transport information through the internal timing covert channel, a channel present in systems with concurrency and shared resources. We illustrate our claim with an attack for LIO, a concurrent IFC system for Haskell. We propose a countermeasure based on restricting the implicit sharing caused by lazy evaluation.
language-based security
covert channels
lazy evaluation
Haskell
information flow control
Author
Pablo Buiras
Chalmers, Computer Science and Engineering (Chalmers), Software Technology (Chalmers)
Alejandro Russo
Chalmers, Computer Science and Engineering (Chalmers), Software Technology (Chalmers)
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
03029743 (ISSN) 16113349 (eISSN)
Vol. 8208 116-122978-3-642-41488-6 (ISBN)
Areas of Advance
Information and Communication Technology
Subject Categories
Computer Science
DOI
10.1007/978-3-642-41488-6_8
ISBN
978-3-642-41488-6