Flexible and Practical Information-Flow Control

Licentiate thesis, 2016

As more and more sensitive data is handled by software, its trustworthiness becomes an increasingly important concern. This thesis presents work on ensuring that information that is processed by computing systems is not disclosed to third parties without the user's permission; i.e. to prevent unwanted flows of information. Since most approaches to information-flow control have not seen widespread use in practice, this work explores flexible policies and enforcement techniques to guarantee that information is not leaked by a program. The thesis consists of three parts: The first chapter explores opacity, a security policy for protecting sensitive system properties, motivated by location privacy and privacy-preserving aggregation scenarios. We present a general, parametric framework for opacity and relate it to noninterference. Moreover, we present two approaches to enforcement: a dynamic monitor making use of SMT solving, and a blackbox sampling-based approach based on the random testing tool QuickCheck. The second chapter discusses taint tracking, a popular security mechanism for tracking data-flow dependencies, which is widely used for both high-level languages and machine code. However, the question of what, exactly, tainting means - what security policy it embodies - remains largely unexplored. We propose explicit secrecy, a generic framework capturing the essence of explicit flows, i.e., the data flows tracked by tainting. We illustrate our approach by instantiating explicit secrecy to both, a high-level imperative language and machine code. Additionally, we prove soundness with respect to explicit secrecy for the cores of dynamic and static taint trackers. Lastly, we present JSLINQ, a framework providing end-to-end information-flow control for multi-tiered web applications; i.e. web applications consisting of a database, server-side code, and client-side JavaScript code. To prevent information flows at component boundaries, we leverage homogeneous meta-programming features in F# to provide a unified language for programming all components. We present a security type system for a core of F# and prove that all well-typed programs are noninterfering. We evaluate our approach using various case studies indicating that JSLINQ is suitable for implementing practical web applications.