Securing Interactive Systems
This thesis provides means to achieve end-to-end information-flow security in interactive systems. The elusiveness of this problem stems from the fact that interaction patterns, primitives, synchronous communication and nondeterminism combine in ways where seemingly innocuous systems compromise security in unexpected ways under interaction.
We study what it means for interactive systems to not leak information about confidential behavior into observable behavior in a nondeterministic setting. We focus on two properties: progress-sensitive noninterference (PSNI), requiring that observable behavior is invariant to confidential input, and progress-insensitive noninterference (PINI), permitting confidential input to impede the ability of a system to make progress on its observable output. The latter is a popular target of information-flow security enforcement mechanisms, e.g. JSFlow, Paragon, LIO and Jif. We formalize PINI and PSNI extensionally, based on the view the attacker has on the interaction. To identify the essense of interactive systems security, we explore classes of attacks PSNI and PINI must guarantee protection against, and find previous work ignores classes of attacks powered by varied presence of input -- a high-bandwidth channel in the concurrent setting. This is due to limitations in the model used for system environments.
To address this, we devise a new, preservation-based, formalization of noninterference. Since preservation-based noninterference guarantees secure systems interact securely, it is compositional; we prove this for a core of combinators, and derive from it a rich language of security-preserving combinators. While both PSNI and PINI are preserved under arbitrary wirings, the latter is not preserved fairly; it relies fundamentally on lack of scheduling fairness to guarantee security of interactions, and is therefore unfit autonomous interactive systems security.
To facilitate building secure systems in parts, we advance secure multi-execution (SME): a combinator which repairs insecurities. SME thus makes any interactive system, secure or not, readily pluggable into a secure composed system. We prove soundness for all fair schedulers, and redesign SME to enforce PSNI, obtaining a more semantics-preserving combinator. We give a language-independent model for information release in SME. For scenarios where semantics must be preserved, we present type-based enforcements of PSNI and PINI. The type systems guarantee absence of leaks through challenging constructs e.g. dynamic event handlers and lazy class initialization. Lastly, we give a combinator which places a logarithmic bound on leaks through progress. Together with the type-based enforcement of PINI, we get a permissive hybrid enforcement of a stronger property.