Securing functional programs with floating-label information-flow control
The work presented in this thesis focuses on
information-flow control systems for functional programs,
particularly on the LIO library in Haskell. The thesis considers three
main aspects in this area: timing covert channels, dynamic policies and
enforcement mechanisms that improve precision of the analysis.
Timing channels are dangerous in the presence of
concurrency. We start with the design, formalisation and
implementation of a concurrent version of LIO which is secure against
them. More specifically, we remove leaks due to non-terminating
behaviour of programs (termination covert channel) and leaks produced
by forcing certain interleavings of threads, as a result of affecting
their timing behaviour (internal timing covert channel). The key
insight is to decouple computations so that threads observing the
timing or termination behaviour of other threads are required to be at
the same confidentiality level. This work only deals with internal
timing that can be exploited through language-level operations.
We also mitigate leaks that result from the precise measurement of the
timing of observable events (external timing covert channel), e.g. by
using a stopwatch. In further work, we tackle leaks that result from
hardware-based shared resources, such as the processor cache. This
thesis presents a cache-based attack on LIO and proposes two solutions
that rely on time-agnostic scheduling: the first one consists in a
modification to the Haskell runtime and the other one is a purely
language-based implementation. We also present a new manifestation of
internal timing in Haskell, by exploiting lazy evaluation to encode
sensitive information as timing perturbations.
Dynamic policies arise when the set of allowed flows of information is
permitted to change as the program runs. Declassification can be
viewed as a special case of dynamic policies. This thesis introduces
an extension to LIO which supports dynamic policies and can encode
well-known label formats such as the DLM and DC labels. Moreover, we
also present the notion of restricted privileges, giving principals
the ability to restrict the ways in which their authority can be used
in the system, and supporting robust declassification.
We also add flow-sensitivity to LIO, which
consists in the ability for the security labels of references to
mutate, depending on the sensitivity of what is stored in them.
Finally, we introduce a hybrid enforcement which mixes static
and dynamic analyses. In particular, we leverage advanced type system
features in Haskell to give the programmer control over which parts of
the program are dynamically checked and which parts are statically
checked. The core of this library is a general technique for deferring
checking of type-class constraints to runtime which is applicable to
other domains beyond language-based security.
covert timing channels
HA1, Hörsalsvägen 4, Chalmers University of Technology
Opponent: Nikhil Swamy, Microsoft Research, Redmond, WA, USA