Securing Interactive Systems
Doktorsavhandling, 2014

This thesis provides means to achieve end-to-end information-flow security in interactive systems. The elusiveness of this problem stems from the fact that interaction patterns, primitives, synchronous communication and nondeterminism combine in ways where seemingly innocuous systems compromise security in unexpected ways under interaction. We study what it means for interactive systems to not leak information about confidential behavior into observable behavior in a nondeterministic setting. We focus on two properties: progress-sensitive noninterference (PSNI), requiring that observable behavior is invariant to confidential input, and progress-insensitive noninterference (PINI), permitting confidential input to impede the ability of a system to make progress on its observable output. The latter is a popular target of information-flow security enforcement mechanisms, e.g. JSFlow, Paragon, LIO and Jif. We formalize PINI and PSNI extensionally, based on the view the attacker has on the interaction. To identify the essense of interactive systems security, we explore classes of attacks PSNI and PINI must guarantee protection against, and find previous work ignores classes of attacks powered by varied presence of input -- a high-bandwidth channel in the concurrent setting. This is due to limitations in the model used for system environments. To address this, we devise a new, preservation-based, formalization of noninterference. Since preservation-based noninterference guarantees secure systems interact securely, it is compositional; we prove this for a core of combinators, and derive from it a rich language of security-preserving combinators. While both PSNI and PINI are preserved under arbitrary wirings, the latter is not preserved fairly; it relies fundamentally on lack of scheduling fairness to guarantee security of interactions, and is therefore unfit autonomous interactive systems security. To facilitate building secure systems in parts, we advance secure multi-execution (SME): a combinator which repairs insecurities. SME thus makes any interactive system, secure or not, readily pluggable into a secure composed system. We prove soundness for all fair schedulers, and redesign SME to enforce PSNI, obtaining a more semantics-preserving combinator. We give a language-independent model for information release in SME. For scenarios where semantics must be preserved, we present type-based enforcements of PSNI and PINI. The type systems guarantee absence of leaks through challenging constructs e.g. dynamic event handlers and lazy class initialization. Lastly, we give a combinator which places a logarithmic bound on leaks through progress. Together with the type-based enforcement of PINI, we get a permissive hybrid enforcement of a stronger property.

program analysis

concurrency

multi-threading

covert channels

semantics-based security

language-based security

information-flow security

runtime enforcement

parallelism

scheduling

program transformation

information-flow control

fairness

HC4
Opponent: Prof. Fred B. Schneider, Department of Computer Science, Cornell University, Ithaca, USA

Författare

Willard Thor Rafnsson

Chalmers, Data- och informationsteknik, Programvaruteknik

Securing Class Initialization in Java-like Languages

IEEE Transactions on Dependable and Secure Computing,; Vol. 10(2013)p. 1-13

Artikel i vetenskaplig tidskrift

Securing interactive programs

Proceedings of the Computer Security Foundations Symposium,; (2012)p. 293-307

Paper i proceeding

Secure multi-execution: Fine-grained, declassification-aware, and transparent

Proceedings of the Computer Security Foundations Workshop,; (2013)p. 33-48

Paper i proceeding

Limiting Information Leakage in Event-based Communication

ACM SIGPLAN Workshop on Programming Languages and Analysis for Security,; (2011)p. (Article no. 4)-

Paper i proceeding

Styrkeområden

Informations- och kommunikationsteknik

Fundament

Grundläggande vetenskaper

Ämneskategorier

Programvaruteknik

ISBN

978-91-7385-989-9

Doktorsavhandlingar vid Chalmers tekniska högskola. Ny serie: 3670

HC4

Opponent: Prof. Fred B. Schneider, Department of Computer Science, Cornell University, Ithaca, USA