Securing functional programs with floating-label information-flow control

Doktorsavhandling, 2016

The work presented in this thesis focuses on information-flow control systems for functional programs, particularly on the LIO library in Haskell. The thesis considers three main aspects in this area: timing covert channels, dynamic policies and enforcement mechanisms that improve precision of the analysis. Timing channels are dangerous in the presence of concurrency. We start with the design, formalisation and implementation of a concurrent version of LIO which is secure against them. More specifically, we remove leaks due to non-terminating behaviour of programs (termination covert channel) and leaks produced by forcing certain interleavings of threads, as a result of affecting their timing behaviour (internal timing covert channel). The key insight is to decouple computations so that threads observing the timing or termination behaviour of other threads are required to be at the same confidentiality level. This work only deals with internal timing that can be exploited through language-level operations. We also mitigate leaks that result from the precise measurement of the timing of observable events (external timing covert channel), e.g. by using a stopwatch. In further work, we tackle leaks that result from hardware-based shared resources, such as the processor cache. This thesis presents a cache-based attack on LIO and proposes two solutions that rely on time-agnostic scheduling: the first one consists in a modification to the Haskell runtime and the other one is a purely language-based implementation. We also present a new manifestation of internal timing in Haskell, by exploiting lazy evaluation to encode sensitive information as timing perturbations. Dynamic policies arise when the set of allowed flows of information is permitted to change as the program runs. Declassification can be viewed as a special case of dynamic policies. This thesis introduces an extension to LIO which supports dynamic policies and can encode well-known label formats such as the DLM and DC labels. Moreover, we also present the notion of restricted privileges, giving principals the ability to restrict the ways in which their authority can be used in the system, and supporting robust declassification. We also add flow-sensitivity to LIO, which consists in the ability for the security labels of references to mutate, depending on the sensitivity of what is stored in them. Finally, we introduce a hybrid enforcement which mixes static and dynamic analyses. In particular, we leverage advanced type system features in Haskell to give the programmer control over which parts of the program are dynamically checked and which parts are statically checked. The core of this library is a general technique for deferring checking of type-class constraints to runtime which is applicable to other domains beyond language-based security.