Securing concurrent programs with dynamic information-flow control
Licentiatavhandling, 2014
The work presented in this thesis focusses on dealing with timing
covert channels in dynamic information-flow control systems,
particularly for the LIO library in Haskell.
Timing channels are dangerous in the presence of
concurrency. Therefore, we start with the design, formalisation and
implementation of a concurrent version of LIO which is secure against
them. More specifically, we remove leaks due to non-terminating
behaviour of programs (termination covert channel) and leaks produced
by forcing certain interleavings of threads, as a result of affecting
their timing behaviour (internal timing covert channel). The key
insight is to decouple computations so that threads observing the
timing or termination behaviour of other threads are required to be at
the same confidentiality level. This work only deals with internal
timing that can be exploited through language-level operations. We
also mitigate leaks that result from the precise measurement of the
timing of observable events (external timing
covert channel), e.g. by using a stopwatch.
Timing channels can also be exploited through hardware-based shared
resources, such as the processor cache. This thesis presents a
cache-based attack on LIO that relies on timing perturbations to leak
sensitive information through internal timing. To address this
problem, we modify the Haskell runtime to support instruction-based
scheduling, a scheduling strategy that is indifferent to such
perturbations from underlying hardware components, such as the cache,
TLB, and CPU buses. We show this scheduler is secure against
cache-based internal timing attacks for applications using a single
CPU. Additionally, we provide a purely language-based implementation
of the instruction-based strategy for LIO, by means of a library. We
leverage the notion of resumptions, a restricted form of
continuations, to control the interleaving of threads, forcing each
thread to yield after every LIO operation. Due to the flexibility of
this approach, we are able to support parallel computation in the
library, a novel feature in information-flow control tools.
Finally, we present a new manifestation of internal timing in Haskell,
by exploiting lazy evaluation to encode sensitive information as
timing perturbations. We illustrate our claim with a concrete attack
on LIO that relies on memoisation of shared thunks to leak
information. We also propose a countermeasure based on restricting the
implicit sharing of values.
dynamic
lazy evaluation
LIO
Haskell
information-flow control
cache
covert channels
covert timing channels
concurrency