Securing concurrent programs with dynamic information-flow control
Licentiatavhandling, 2014

The work presented in this thesis focusses on dealing with timing covert channels in dynamic information-flow control systems, particularly for the LIO library in Haskell. Timing channels are dangerous in the presence of concurrency. Therefore, we start with the design, formalisation and implementation of a concurrent version of LIO which is secure against them. More specifically, we remove leaks due to non-terminating behaviour of programs (termination covert channel) and leaks produced by forcing certain interleavings of threads, as a result of affecting their timing behaviour (internal timing covert channel). The key insight is to decouple computations so that threads observing the timing or termination behaviour of other threads are required to be at the same confidentiality level. This work only deals with internal timing that can be exploited through language-level operations. We also mitigate leaks that result from the precise measurement of the timing of observable events (external timing covert channel), e.g. by using a stopwatch. Timing channels can also be exploited through hardware-based shared resources, such as the processor cache. This thesis presents a cache-based attack on LIO that relies on timing perturbations to leak sensitive information through internal timing. To address this problem, we modify the Haskell runtime to support instruction-based scheduling, a scheduling strategy that is indifferent to such perturbations from underlying hardware components, such as the cache, TLB, and CPU buses. We show this scheduler is secure against cache-based internal timing attacks for applications using a single CPU. Additionally, we provide a purely language-based implementation of the instruction-based strategy for LIO, by means of a library. We leverage the notion of resumptions, a restricted form of continuations, to control the interleaving of threads, forcing each thread to yield after every LIO operation. Due to the flexibility of this approach, we are able to support parallel computation in the library, a novel feature in information-flow control tools. Finally, we present a new manifestation of internal timing in Haskell, by exploiting lazy evaluation to encode sensitive information as timing perturbations. We illustrate our claim with a concrete attack on LIO that relies on memoisation of shared thunks to leak information. We also propose a countermeasure based on restricting the implicit sharing of values.

dynamic

lazy evaluation

LIO

Haskell

information-flow control

cache

covert channels

covert timing channels

concurrency

Room EA, EDIT building
Opponent: Dimitrios Vytiniotis, Microsoft Research Cambridge, United Kingdom

Författare

Pablo Buiras

Chalmers, Data- och informationsteknik

Eliminating Cache-Based Timing Attacks with Instruction-Based Scheduling

Lecture Notes in Computer Science,; Vol. 8134(2013)p. 718-735

Paper i proceeding

Addressing Covert Termination and Timing Channels in Concurrent Information Flow Systems

SIGPLAN Notices (ACM Special Interest Group on Programming Languages),; Vol. 47(2012)p. 201-213

Paper i proceeding

Lazy Programs Leak Secrets

Lecture Notes in Computer Science,; Vol. 8208(2013)p. 116-122

Paper i proceeding

A Library for Removing Cache-based Attacks in Concurrent Information Flow Systems

Lecture Notes in Computer Science,; Vol. 8358(2013)p. 199-216

Paper i proceeding

Styrkeområden

Informations- och kommunikationsteknik

Ämneskategorier

Datavetenskap (datalogi)

Technical report L - Department of Computer Science and Engineering, Chalmers University of Technology and Göteborg University: 118L

Room EA, EDIT building

Opponent: Dimitrios Vytiniotis, Microsoft Research Cambridge, United Kingdom