- 40 Views
- Uploaded on
- Presentation posted in: General

Achieving Information Flow Security Through Precise Control of Effects

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Achieving Information Flow Security Through Precise Control of Effects

Bill Harrison

Department of Computer Science

University of Missouri at Columbia

- Ph.D 2001, UIUC
- Thesis: Modular Compilers and Their Correctness Proofs
- Thesis Advisor: Sam Kamin

- Post-doc, Oregon Graduate Inst. (OGI)
- Three years on Programatica Project
- using Haskell language as basis for formal methods

- Three years on Programatica Project
- Assistant Professor, University of Missouri-Columbia since Fall 2003

Lo “domain”

Kernel

Hi “domain”

mediating

services

mediating

services

Lo state

Hi state

“system resources”

- Relies on taming effects via state partitioning
- AND controlling interactions through trusted kernel services
- Today: Outline development of separation kernel & its security verification
- based on well-understood properties of monads
- To appear: Proceedings of the IEEE Computer Security Foundations
- Workshop (CSFW05). Paper at www.cs.missouri.edu/~harrison

- Our approach unifies “security by design” with formal trace-based security models [Rushby82,81; GoguenMeseguer81]
- Reasoning about systems in familiar algebraic style
- Implemented directly in higher-order functional languages

- Promise of the approach: Scalability/Modularity of systems & their verifications through monads
- Monads provide an algebraic theory of programming useful in formal specification & verification
- Verification promoted via “by construction” properties of monads
- System development through refinement to underlying monads
- Cost of re-verification of a refined system can be minimal

- Monads provide an algebraic theory of programming useful in formal specification & verification

- Background
- Language-based Security

- Precise Control of Effects from Monads
- Constructing Separation Kernels
- Verifying Separation Kernels
- Conclusions and Future Work

- Idea: Apply techniques and structures from programming language research to the computer security
- Sabelfeld & Meyer’s “Language-based Information Flow Security” is an excellent survey article

- Proscriptive: These frequently are sophisticated type systems or logics to reject programs with security flaws
[Heintze 1998; Smith/Volpano 1998; Palsberg, 1997; Crary2004]

- Constructive: Our approach relies on properties of monads & monad transformers to build, verify, and extend secure software systems

e2: intl

e2: intL

e1: intl

e1: intL

e1 e2: intH

e1 e2: intL

Fromλsec (Li & Zdancewic, POPL2005):

“Reading up is permitted”

(l {L,H})

“Low computations

consider low”

4

semaphores

System enhancements

have minimal impact on

re-verification

3

forking

intradomain

behaviors

Enhanced

Capabilities

2

message

passing

interdomain

communication

1

basic

separation

0

shared-state

concurrency

reactivity

separation

Refinements to Monads

- Monad captures a distinct notion of computation as an algebra
- …defines a programming language with (at least) sequencing “;” and skip features
- plus operators particular to its paradigm
- paradigm = shared state concurrency for separation kernel

- What makes monads useful are their other features
- called “non-proper morphisms” in monad-speak
- their behavior is specified with equational axioms
- new features added by monad transformers

skip ; c = c

c ; skip = c

(c0 ; c1) ; c2 = c0 ; (c1 ; c2)

Monad M is a type constructor (functor)

with extra structure, η and , obeying

the “monad laws”

A monad defines a prog. language with (at least) sequencing “;” and skip plus operators special to its computational paradigm

for any f, f' : Sto Sto,

Behavioral Properties

mask = u (λ_.σ0)

Two sets of stateful effects

…for Hi and Lo effects commute

Concurrency

Reactivity

Lostate

Histate

send receive

||

:=

:=

- monad defines a programming language
- each application of a monad transformer
- introduces new features
- monads constructed in “layers”

Intuition

StateT

imperative

:=

BackT

backtracking

cut

ResT

threads

step pause

EnvT

binding

@ v

ErrorT

exceptions

raise/catch

ContT

continuations

callcc

NondetT

non-determ.

choose

IoT

input/output

printf

DebugT

debugging

rollback

ReactT

reactivity

send,recv,…

- Moggi:
- Prog Langs are collections of effects captured as monads
- Monads assembled from constructors (monad transformers)

- Our view
- Systems are collections of effects captured as monads
- “Systems” broadly construed

For all Hi and Lo assignments, x:=e & y:=e’,

Atomic Non-interference

x:=e ;y:=e’=y:=e’; x:=e

read(d) ; x:=e

Cancellation

read(d) ; y:=e’

Lostate

Histate

“Clobber”

x:=e ; maskHi = maskHi

A key meta-property is that these properties

are preserved by monad transformers

= Two StateT Hi (StateT Lo M) for any monad M

*Theorems 1-3 of the CSFW paper.

…defines a precise notion of “thread”:

…

x2:=e2

x1:=e1

x3:=e3

::

::

an “atom”

…

x3:=e3

x1:=e1

x2:=e2

“Hi” security threads

::

::

…

“Lo” security threads

y1:=f1

y2:=f2

y3:=f3

::

::

…

x1:=e1

y1:=f1

x2:=e2

System executions

::

::

x1:=e1

y1:=f1

x2:=e2

y1:=f1

;

;

maskHi

maskHi

;

=

;

Ex: Generalized Non-interference [GoguenMeseguer]

“Changes in high-security inputs only result in

changes to high-security outputs”

Take Separation: Hi effects must cancel

= Hi security actions

= Lo security actions

x1:=e1

y1:=f1

x2:=e2

maskHi

;

;

;

x1:=e1

;

y1:=f1

;

maskHi

=

x1:=e1

;

y1:=f1

;

maskHi

=

;

y1:=f1

maskHi

=

y1:=f1

;

maskHi

=

Each interaction rule used above comes for free “by construction” of the monad!

Lo “domain”

Hi “domain”

Kernel

Concurrency

Reactivity

mediating

services

mediating

services

Lo state

Hi state

“system resources”

Lostate

Histate

Monad for shared-state concurrency with separation:

For a resumption monad R

requests by user thread to access kernel-level structures

waiting list, semaphores, message channels,…

- sched and handler are mutually recursive functions
- compact: process forking, preemption, synchronization, message passing
- in less than 50 lines of Haskell 98 code!
- reasoning resembles well-understood stream-based reasoning.
- See “Cheap (But Functional) Threads” for further details:

www.cs.missouri.edu/~harrison/drafts/CheapThreads.pdf

Theorem 4 (No write down)

An attempt to “write down” has no effect.

handler sys ( )

handler sys ( )

=

send Lo v;…

skip;…

Hi security thread

Refinements to Monad Transformers

4

semaphores

- OS behaviors
- are easily expressed
- System enhancements
- = Refinements to MTs
- Tend to have minimal
- impact on re-verification

3

forking

Enhanced

Capabilities

2

message

passing

interdomain

communication

1

basic

separation

0

shared-state

concurrency

reactivity

separation

* see “Cheap (But Functional) Threads” for more details

- The monadic constructions can be readily represented
- in any functional language
- allowing system models to be type-checked & tested
- Haskell implementations at
- www.cs.missouri.edu/~harrison/CSFW05

Ex:

brc = x := 100 ;

loop(x := x+1 ; broadcast x)

Increment & broadcast

Receive & receive

rcv = loop (receive x)

An HTTP web server with a verified separation property:

handler sys ( )

handler sys ( )

=

GETurlHI;

(page-contents)

handler sys ( )

handler sys ( )

=

GETurlHi;

skip;

Other possibilities include

- garbage collectors,
- network drivers,
- device drivers,
- virtual machines,
- the IO monad

- Illustrates the utility of viewing systems as collections of interacting effects
- Our approach is constructive
- relies on properties of monads & monad transformers to build, verify, and extend secure software systems

- Many useful properties are given by construction of the monads themselves
- …and are preserved by monad transformers
- …thereby aiding system refinements

Thank You!