Achieving information flow security through precise control of effects
Sponsored Links
This presentation is the property of its rightful owner.
1 / 27

Achieving Information Flow Security Through Precise Control of Effects PowerPoint PPT Presentation


  • 47 Views
  • Uploaded on
  • Presentation posted in: General

Achieving Information Flow Security Through Precise Control of Effects. Bill Harrison Department of Computer Science University of Missouri at Columbia. Ph.D 2001, UIUC Thesis: Modular Compilers and Their Correctness Proofs Thesis Advisor: Sam Kamin Post-doc, Oregon Graduate Inst. (OGI)

Download Presentation

Achieving Information Flow Security Through Precise Control of Effects

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Achieving Information Flow Security Through Precise Control of Effects

Bill Harrison

Department of Computer Science

University of Missouri at Columbia


  • Ph.D 2001, UIUC

    • Thesis: Modular Compilers and Their Correctness Proofs

    • Thesis Advisor: Sam Kamin

  • Post-doc, Oregon Graduate Inst. (OGI)

    • Three years on Programatica Project

      • using Haskell language as basis for formal methods

  • Assistant Professor, University of Missouri-Columbia since Fall 2003


Separation Kernel Approach [Rushby82,81,…]

Lo “domain”

Kernel

Hi “domain”

mediating

services

mediating

services

Lo state

Hi state

“system resources”

  • Relies on taming effects via state partitioning

  • AND controlling interactions through trusted kernel services

  • Today: Outline development of separation kernel & its security verification

  • based on well-understood properties of monads

  • To appear: Proceedings of the IEEE Computer Security Foundations

  • Workshop (CSFW05). Paper at www.cs.missouri.edu/~harrison


Domain Separation by Construction

  • Our approach unifies “security by design” with formal trace-based security models [Rushby82,81; GoguenMeseguer81]

    • Reasoning about systems in familiar algebraic style

    • Implemented directly in higher-order functional languages

  • Promise of the approach: Scalability/Modularity of systems & their verifications through monads

    • Monads provide an algebraic theory of programming useful in formal specification & verification

      • Verification promoted via “by construction” properties of monads

      • System development through refinement to underlying monads

        • Cost of re-verification of a refined system can be minimal


Outline

  • Background

    • Language-based Security

  • Precise Control of Effects from Monads

  • Constructing Separation Kernels

  • Verifying Separation Kernels

  • Conclusions and Future Work


Language Based Security

  • Idea: Apply techniques and structures from programming language research to the computer security

    • Sabelfeld & Meyer’s “Language-based Information Flow Security” is an excellent survey article

  • Proscriptive: These frequently are sophisticated type systems or logics to reject programs with security flaws

    [Heintze 1998; Smith/Volpano 1998; Palsberg, 1997; Crary2004]

  • Constructive: Our approach relies on properties of monads & monad transformers to build, verify, and extend secure software systems


An Example: Security via Type-checking

  e2: intl

  e2: intL

  e1: intl

  e1: intL

  e1 e2: intH

  e1 e2: intL

Fromλsec (Li & Zdancewic, POPL2005):

“Reading up is permitted”

(l {L,H})

“Low computations

consider low”


The constructive approach

4

semaphores

System enhancements

have minimal impact on

re-verification

3

forking

intradomain

behaviors

Enhanced

Capabilities

2

message

passing

interdomain

communication

1

basic

separation

0

shared-state

concurrency

reactivity

separation

Refinements to Monads


Monads are ADTs for computational paradigms

  • Monad captures a distinct notion of computation as an algebra

    • …defines a programming language with (at least) sequencing “;” and skip features

    • plus operators particular to its paradigm

      • paradigm = shared state concurrency for separation kernel

  • What makes monads useful are their other features

    • called “non-proper morphisms” in monad-speak

    • their behavior is specified with equational axioms

    • new features added by monad transformers


Monads, formally and informally

skip ; c = c

c ; skip = c

(c0 ; c1) ; c2 = c0 ; (c1 ; c2)

Monad M is a type constructor (functor)

with extra structure, η and , obeying

the “monad laws”

A monad defines a prog. language with (at least) sequencing “;” and skip plus operators special to its computational paradigm


State monad

for any f, f' : Sto  Sto,

Behavioral Properties

mask = u (λ_.σ0)


Two State Monad

Two sets of stateful effects

…for Hi and Lo effects commute


Monad transformers are constructors for monads

Concurrency

Reactivity

Lostate

Histate

send receive

||

:=

:=

  • monad defines a programming language

  • each application of a monad transformer

  • introduces new features

    • monads constructed in “layers”

Intuition


Periodic Table of Effects

StateT

imperative

:=

BackT

backtracking

cut

ResT

threads

step pause

EnvT

binding

 @ v

ErrorT

exceptions

raise/catch

ContT

continuations

callcc

NondetT

non-determ.

choose

IoT

input/output

printf

DebugT

debugging

rollback

ReactT

reactivity

send,recv,…

  • Moggi:

    • Prog Langs are collections of effects captured as monads

    • Monads assembled from constructors (monad transformers)

  • Our view

    • Systems are collections of effects captured as monads

    • “Systems” broadly construed


“Properties for free”

For all Hi and Lo assignments, x:=e & y:=e’,

Atomic Non-interference

x:=e ;y:=e’=y:=e’; x:=e

read(d) ; x:=e

Cancellation

read(d) ; y:=e’

Lostate

Histate

“Clobber”

x:=e ; maskHi = maskHi

A key meta-property is that these properties

are preserved by monad transformers

= Two  StateT Hi (StateT Lo M) for any monad M

*Theorems 1-3 of the CSFW paper.


Concurrency based on the resumption monad

…defines a precise notion of “thread”:

x2:=e2

x1:=e1

x3:=e3

::

::

an “atom”


“Security-conscious” Concurrency Paradigm

x3:=e3

x1:=e1

x2:=e2

“Hi” security threads

::

::

“Lo” security threads

y1:=f1

y2:=f2

y3:=f3

::

::

x1:=e1

y1:=f1

x2:=e2

System executions

::

::


Specifying Non-interference Properties in a Monadic Setting

x1:=e1

y1:=f1

x2:=e2

y1:=f1

;

;

maskHi

maskHi

;

=

;

Ex: Generalized Non-interference [GoguenMeseguer]

“Changes in high-security inputs only result in

changes to high-security outputs”

Take Separation: Hi effects must cancel

= Hi security actions

= Lo security actions


Monadic theory of effects supports simple verification

x1:=e1

y1:=f1

x2:=e2

maskHi

;

;

;

x1:=e1

;

y1:=f1

;

maskHi

=

x1:=e1

;

y1:=f1

;

maskHi

=

;

y1:=f1

maskHi

=

y1:=f1

;

maskHi

=

Each interaction rule used above comes for free “by construction” of the monad!


To build a Separation Kernel, just construct the right monad!

Lo “domain”

Hi “domain”

Kernel

Concurrency

Reactivity

mediating

services

mediating

services

Lo state

Hi state

“system resources”

Lostate

Histate

Monad for shared-state concurrency with separation:


Kernel Structure

For a resumption monad R

requests by user thread to access kernel-level structures

waiting list, semaphores, message channels,…

  • sched and handler are mutually recursive functions

  • compact: process forking, preemption, synchronization, message passing

  • in less than 50 lines of Haskell 98 code!

  • reasoning resembles well-understood stream-based reasoning.

  • See “Cheap (But Functional) Threads” for further details:

www.cs.missouri.edu/~harrison/drafts/CheapThreads.pdf


“No Write Down” Policy Enforced By Kernel

Theorem 4 (No write down)

An attempt to “write down” has no effect.

handler sys ( )

handler sys ( )

=

send Lo v;…

skip;…

Hi security thread


Underlying architecture is very flexible…

Refinements to Monad Transformers

4

semaphores

  • OS behaviors

  • are easily expressed

  • System enhancements

  • = Refinements to MTs

  • Tend to have minimal

  • impact on re-verification

3

forking

Enhanced

Capabilities

2

message

passing

interdomain

communication

1

basic

separation

0

shared-state

concurrency

reactivity

separation

* see “Cheap (But Functional) Threads” for more details


System Models are Executable

  • The monadic constructions can be readily represented

  • in any functional language

  • allowing system models to be type-checked & tested

  • Haskell implementations at

  • www.cs.missouri.edu/~harrison/CSFW05

Ex:

brc = x := 100 ;

loop(x := x+1 ; broadcast x)

Increment & broadcast

Receive & receive

rcv = loop (receive x)


Future Work: Underlying architecture applies to all manner of concurrent applications

An HTTP web server with a verified separation property:

handler sys ( )

handler sys ( )

=

GETurlHI;

(page-contents)

handler sys ( )

handler sys ( )

=

GETurlHi;

skip;

Other possibilities include

  • garbage collectors,

  • network drivers,

  • device drivers,

  • virtual machines,

  • the IO monad


A Constructive Approach to Controlling Information Flow

  • Illustrates the utility of viewing systems as collections of interacting effects

  • Our approach is constructive

    • relies on properties of monads & monad transformers to build, verify, and extend secure software systems

  • Many useful properties are given by construction of the monads themselves

    • …and are preserved by monad transformers

    • …thereby aiding system refinements


Thank You!


  • Login