Achieving information flow security through precise control of effects
This presentation is the property of its rightful owner.
Sponsored Links
1 / 27

Achieving Information Flow Security Through Precise Control of Effects PowerPoint PPT Presentation


  • 40 Views
  • Uploaded on
  • Presentation posted in: General

Achieving Information Flow Security Through Precise Control of Effects. Bill Harrison Department of Computer Science University of Missouri at Columbia. Ph.D 2001, UIUC Thesis: Modular Compilers and Their Correctness Proofs Thesis Advisor: Sam Kamin Post-doc, Oregon Graduate Inst. (OGI)

Download Presentation

Achieving Information Flow Security Through Precise Control of Effects

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Achieving information flow security through precise control of effects

Achieving Information Flow Security Through Precise Control of Effects

Bill Harrison

Department of Computer Science

University of Missouri at Columbia


Achieving information flow security through precise control of effects

  • Ph.D 2001, UIUC

    • Thesis: Modular Compilers and Their Correctness Proofs

    • Thesis Advisor: Sam Kamin

  • Post-doc, Oregon Graduate Inst. (OGI)

    • Three years on Programatica Project

      • using Haskell language as basis for formal methods

  • Assistant Professor, University of Missouri-Columbia since Fall 2003


Separation kernel approach rushby82 81

Separation Kernel Approach [Rushby82,81,…]

Lo “domain”

Kernel

Hi “domain”

mediating

services

mediating

services

Lo state

Hi state

“system resources”

  • Relies on taming effects via state partitioning

  • AND controlling interactions through trusted kernel services

  • Today: Outline development of separation kernel & its security verification

  • based on well-understood properties of monads

  • To appear: Proceedings of the IEEE Computer Security Foundations

  • Workshop (CSFW05). Paper at www.cs.missouri.edu/~harrison


Domain separation by construction

Domain Separation by Construction

  • Our approach unifies “security by design” with formal trace-based security models [Rushby82,81; GoguenMeseguer81]

    • Reasoning about systems in familiar algebraic style

    • Implemented directly in higher-order functional languages

  • Promise of the approach: Scalability/Modularity of systems & their verifications through monads

    • Monads provide an algebraic theory of programming useful in formal specification & verification

      • Verification promoted via “by construction” properties of monads

      • System development through refinement to underlying monads

        • Cost of re-verification of a refined system can be minimal


Outline

Outline

  • Background

    • Language-based Security

  • Precise Control of Effects from Monads

  • Constructing Separation Kernels

  • Verifying Separation Kernels

  • Conclusions and Future Work


Language based security

Language Based Security

  • Idea: Apply techniques and structures from programming language research to the computer security

    • Sabelfeld & Meyer’s “Language-based Information Flow Security” is an excellent survey article

  • Proscriptive: These frequently are sophisticated type systems or logics to reject programs with security flaws

    [Heintze 1998; Smith/Volpano 1998; Palsberg, 1997; Crary2004]

  • Constructive: Our approach relies on properties of monads & monad transformers to build, verify, and extend secure software systems


An example security via type checking

An Example: Security via Type-checking

  e2: intl

  e2: intL

  e1: intl

  e1: intL

  e1 e2: intH

  e1 e2: intL

Fromλsec (Li & Zdancewic, POPL2005):

“Reading up is permitted”

(l {L,H})

“Low computations

consider low”


The constructive approach

The constructive approach

4

semaphores

System enhancements

have minimal impact on

re-verification

3

forking

intradomain

behaviors

Enhanced

Capabilities

2

message

passing

interdomain

communication

1

basic

separation

0

shared-state

concurrency

reactivity

separation

Refinements to Monads


Monads are adts for computational paradigms

Monads are ADTs for computational paradigms

  • Monad captures a distinct notion of computation as an algebra

    • …defines a programming language with (at least) sequencing “;” and skip features

    • plus operators particular to its paradigm

      • paradigm = shared state concurrency for separation kernel

  • What makes monads useful are their other features

    • called “non-proper morphisms” in monad-speak

    • their behavior is specified with equational axioms

    • new features added by monad transformers


Monads formally and informally

Monads, formally and informally

skip ; c = c

c ; skip = c

(c0 ; c1) ; c2 = c0 ; (c1 ; c2)

Monad M is a type constructor (functor)

with extra structure, η and , obeying

the “monad laws”

A monad defines a prog. language with (at least) sequencing “;” and skip plus operators special to its computational paradigm


State monad

State monad

for any f, f' : Sto  Sto,

Behavioral Properties

mask = u (λ_.σ0)


Two state monad

Two State Monad

Two sets of stateful effects

…for Hi and Lo effects commute


Monad transformers are constructors for monads

Monad transformers are constructors for monads

Concurrency

Reactivity

Lostate

Histate

send receive

||

:=

:=

  • monad defines a programming language

  • each application of a monad transformer

  • introduces new features

    • monads constructed in “layers”

Intuition


Periodic table of effects

Periodic Table of Effects

StateT

imperative

:=

BackT

backtracking

cut

ResT

threads

step pause

EnvT

binding

 @ v

ErrorT

exceptions

raise/catch

ContT

continuations

callcc

NondetT

non-determ.

choose

IoT

input/output

printf

DebugT

debugging

rollback

ReactT

reactivity

send,recv,…

  • Moggi:

    • Prog Langs are collections of effects captured as monads

    • Monads assembled from constructors (monad transformers)

  • Our view

    • Systems are collections of effects captured as monads

    • “Systems” broadly construed


Properties for free

“Properties for free”

For all Hi and Lo assignments, x:=e & y:=e’,

Atomic Non-interference

x:=e ;y:=e’=y:=e’; x:=e

read(d) ; x:=e

Cancellation

read(d) ; y:=e’

Lostate

Histate

“Clobber”

x:=e ; maskHi = maskHi

A key meta-property is that these properties

are preserved by monad transformers

= Two  StateT Hi (StateT Lo M) for any monad M

*Theorems 1-3 of the CSFW paper.


Concurrency based on the resumption monad

Concurrency based on the resumption monad

…defines a precise notion of “thread”:

x2:=e2

x1:=e1

x3:=e3

::

::

an “atom”


Security conscious concurrency paradigm

“Security-conscious” Concurrency Paradigm

x3:=e3

x1:=e1

x2:=e2

“Hi” security threads

::

::

“Lo” security threads

y1:=f1

y2:=f2

y3:=f3

::

::

x1:=e1

y1:=f1

x2:=e2

System executions

::

::


Specifying non interference properties in a monadic setting

Specifying Non-interference Properties in a Monadic Setting

x1:=e1

y1:=f1

x2:=e2

y1:=f1

;

;

maskHi

maskHi

;

=

;

Ex: Generalized Non-interference [GoguenMeseguer]

“Changes in high-security inputs only result in

changes to high-security outputs”

Take Separation: Hi effects must cancel

= Hi security actions

= Lo security actions


Monadic theory of effects supports simple verification

Monadic theory of effects supports simple verification

x1:=e1

y1:=f1

x2:=e2

maskHi

;

;

;

x1:=e1

;

y1:=f1

;

maskHi

=

x1:=e1

;

y1:=f1

;

maskHi

=

;

y1:=f1

maskHi

=

y1:=f1

;

maskHi

=

Each interaction rule used above comes for free “by construction” of the monad!


To build a separation kernel just construct the right monad

To build a Separation Kernel, just construct the right monad!

Lo “domain”

Hi “domain”

Kernel

Concurrency

Reactivity

mediating

services

mediating

services

Lo state

Hi state

“system resources”

Lostate

Histate

Monad for shared-state concurrency with separation:


Kernel structure

Kernel Structure

For a resumption monad R

requests by user thread to access kernel-level structures

waiting list, semaphores, message channels,…

  • sched and handler are mutually recursive functions

  • compact: process forking, preemption, synchronization, message passing

  • in less than 50 lines of Haskell 98 code!

  • reasoning resembles well-understood stream-based reasoning.

  • See “Cheap (But Functional) Threads” for further details:

www.cs.missouri.edu/~harrison/drafts/CheapThreads.pdf


No write down policy enforced by kernel

“No Write Down” Policy Enforced By Kernel

Theorem 4 (No write down)

An attempt to “write down” has no effect.

handler sys ( )

handler sys ( )

=

send Lo v;…

skip;…

Hi security thread


Underlying architecture is very flexible

Underlying architecture is very flexible…

Refinements to Monad Transformers

4

semaphores

  • OS behaviors

  • are easily expressed

  • System enhancements

  • = Refinements to MTs

  • Tend to have minimal

  • impact on re-verification

3

forking

Enhanced

Capabilities

2

message

passing

interdomain

communication

1

basic

separation

0

shared-state

concurrency

reactivity

separation

* see “Cheap (But Functional) Threads” for more details


System models are executable

System Models are Executable

  • The monadic constructions can be readily represented

  • in any functional language

  • allowing system models to be type-checked & tested

  • Haskell implementations at

  • www.cs.missouri.edu/~harrison/CSFW05

Ex:

brc = x := 100 ;

loop(x := x+1 ; broadcast x)

Increment & broadcast

Receive & receive

rcv = loop (receive x)


Future work underlying architecture applies to all manner of concurrent applications

Future Work: Underlying architecture applies to all manner of concurrent applications

An HTTP web server with a verified separation property:

handler sys ( )

handler sys ( )

=

GETurlHI;

(page-contents)

handler sys ( )

handler sys ( )

=

GETurlHi;

skip;

Other possibilities include

  • garbage collectors,

  • network drivers,

  • device drivers,

  • virtual machines,

  • the IO monad


A constructive approach to controlling information flow

A Constructive Approach to Controlling Information Flow

  • Illustrates the utility of viewing systems as collections of interacting effects

  • Our approach is constructive

    • relies on properties of monads & monad transformers to build, verify, and extend secure software systems

  • Many useful properties are given by construction of the monads themselves

    • …and are preserved by monad transformers

    • …thereby aiding system refinements


Achieving information flow security through precise control of effects

Thank You!


  • Login