Securing functional programs with floating-label information-flow control
Doktorsavhandling, 2016

The work presented in this thesis focuses on information-flow control systems for functional programs, particularly on the LIO library in Haskell. The thesis considers three main aspects in this area: timing covert channels, dynamic policies and enforcement mechanisms that improve precision of the analysis. Timing channels are dangerous in the presence of concurrency. We start with the design, formalisation and implementation of a concurrent version of LIO which is secure against them. More specifically, we remove leaks due to non-terminating behaviour of programs (termination covert channel) and leaks produced by forcing certain interleavings of threads, as a result of affecting their timing behaviour (internal timing covert channel). The key insight is to decouple computations so that threads observing the timing or termination behaviour of other threads are required to be at the same confidentiality level. This work only deals with internal timing that can be exploited through language-level operations. We also mitigate leaks that result from the precise measurement of the timing of observable events (external timing covert channel), e.g. by using a stopwatch. In further work, we tackle leaks that result from hardware-based shared resources, such as the processor cache. This thesis presents a cache-based attack on LIO and proposes two solutions that rely on time-agnostic scheduling: the first one consists in a modification to the Haskell runtime and the other one is a purely language-based implementation. We also present a new manifestation of internal timing in Haskell, by exploiting lazy evaluation to encode sensitive information as timing perturbations. Dynamic policies arise when the set of allowed flows of information is permitted to change as the program runs. Declassification can be viewed as a special case of dynamic policies. This thesis introduces an extension to LIO which supports dynamic policies and can encode well-known label formats such as the DLM and DC labels. Moreover, we also present the notion of restricted privileges, giving principals the ability to restrict the ways in which their authority can be used in the system, and supporting robust declassification. We also add flow-sensitivity to LIO, which consists in the ability for the security labels of references to mutate, depending on the sensitivity of what is stored in them. Finally, we introduce a hybrid enforcement which mixes static and dynamic analyses. In particular, we leverage advanced type system features in Haskell to give the programmer control over which parts of the program are dynamically checked and which parts are statically checked. The core of this library is a general technique for deferring checking of type-class constraints to runtime which is applicable to other domains beyond language-based security.

covert timing channels



type-level programming



internal timing

dynamic enforcement

DC labels

dynamic policies

lazy evaluation

information-flow control

cache-based attacks

language-based security

hybrid enforcement


functional programming


HA1, Hörsalsvägen 4, Chalmers University of Technology
Opponent: Nikhil Swamy, Microsoft Research, Redmond, WA, USA


Pablo Buiras

Chalmers, Data- och informationsteknik

On Dynamic Flow-Sensitive Floating-Label Systems

27th IEEE Computer Security Foundations Symposium, CSF 2014, Vienna, Austria, 19-22 July 2014,; Vol. 2014-January(2014)p. 65-79

Paper i proceeding

Addressing Covert Termination and Timing Channels in Concurrent Information Flow Systems

SIGPLAN Notices (ACM Special Interest Group on Programming Languages),; Vol. 47(2012)p. 201-213

Paper i proceeding

Eliminating Cache-Based Timing Attacks with Instruction-Based Scheduling

Lecture Notes in Computer Science,; Vol. 8134(2013)p. 718-735

Paper i proceeding

A Library for Removing Cache-based Attacks in Concurrent Information Flow Systems

Lecture Notes in Computer Science,; Vol. 8358(2013)p. 199-216

Paper i proceeding

HLIO: Mixing Static and Dynamic Typing for Information-Flow Control in Haskell

SIGPLAN Notices (ACM Special Interest Group on Programming Languages),; Vol. 50(2015)p. 289-301

Paper i proceeding

Lazy Programs Leak Secrets

Lecture Notes in Computer Science,; Vol. 8208(2013)p. 116-122

Paper i proceeding

It's My Privilege: Controlling Downgrading in DC-Labels

Lecture Notes in Computer Science,; Vol. 9331(2015)p. 203-219

Paper i proceeding

Dynamic Enforcement of Dynamic Policies

PLAS 2015,; (2015)p. 28-41

Paper i proceeding


Informations- och kommunikationsteknik


Datavetenskap (datalogi)



Doktorsavhandlingar vid Chalmers tekniska högskola. Ny serie: 4049

HA1, Hörsalsvägen 4, Chalmers University of Technology

Opponent: Nikhil Swamy, Microsoft Research, Redmond, WA, USA