# Declarative DIFC - PowerPoint PPT Presentation

### Declarative DIFC

David Costanzo, Yale University

October 5, 2012

### The IFC Problem

[Diagram: system data split into high and low; the observer sees only the low part]

Noninterference – values of high data have no effect on what the observer sees

### Our New Results

• Solve the IFC problem for a low-level, C-like language with pointer manipulation
  • The system must be applicable to CertiKOS code
• Build a program logic for statically guaranteeing that noninterference holds on the code
• Allow for high-level, declarative declassification policies
  • These specify certain circumstances under which a piece of high-security data can be viewed as low
• Key Idea: Semantic Labels

### Simple Imperative Language

    C = x := E
      | x := [E]
      | [E1] := E2
      | output E
      | skip
      | C1; C2
      | if B then C1 else C2
      | while B do C

    E = 0 | 1 | -1 | …
      | x | y | z | …
      | E1 + E2 | E1 - E2 | …

    B = true | false
      | E1 = E2
      | B1 ∧ B2 | B1 ∨ B2 | …

### Output Dependency

Does the output of the program depend on the value of x?

Trivially dependent:

    output x

Trivially independent:

    output 0

Transitive dependence:

    y := x;
    output y

Implicit dependence:

    if (x % 2 == 0) then y := 0 else y := 1;
    output y

### Noninterference

Label l = Lo | Hi

Store s = var → val × lbl

State σ = store × heap

Noninterference of a program C:

Suppose executing C on state σ1 results in output o. Then, if we change the value of any Hi variable or heap cell to obtain a new state σ2, executing C on σ2 will produce the same output o.

Assumption: these executions of C are safe – this will be guaranteed by our logic

### Termination Sensitivity

Suppose executing C on state σ1 results in output o. Then, if we change the value of any Hi variable or heap cell to obtain a new state σ2, executing C on σ2 will produce the same output o.

Most IFC systems guarantee termination-insensitive noninterference, which assumes that the executions terminate.

But OS code is often required to be nonterminating!

    if (x % 2 == 0)
    then (while (true) do skip)
    else skip;
    output 0

### Proving Noninterference

σ1 ≈ σ2 means that every variable or heap cell which is Lo in both states has the same value in both states

Security-aware, intermediate operational semantics:

• High machine:
  • Executes when inside an if statement or while loop that branched on a Hi variable
  • Cannot output
  • Any locations written to are tainted with a Hi label
• Low machine:
  • Takes a single step to simulate the entirety of a high-machine execution, thus skipping over the if statement or while loop

    if (x % 2 == 0) then y := 0 else y := 1;
    output y

Key Observation/Novelty:

If σ1 ≈ σ2, then the two executions of a noninterfering program C on those states will operate in lock-step in the low machine

[Diagram: the two low-machine executions, each step labelled L, advancing in lock-step]

### A Conundrum

    [1] := 0;
    y := 1;
    if (x % 2 == 0) then y := 2 else skip;
    [y] := 1;
    z := [1];
    output z

Two executions that differ only in the Hi value of x (final states; (-, -) marks a heap cell that was never written):

| Run | x | y | heap cell 1 | heap cell 2 | Output |
|---|---|---|---|---|---|
| x = 100 | (100, H) | (2, H) | (0, L) | (1, H) | 0 |
| x = 101 | (101, H) | (1, L) | (1, L) | (-, -) | 1 |

Solution

• Make store variables label-immutable during updates
  • The labels of variables must be predetermined
  • Whenever a variable is written to, a check must be performed
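The following interpreter is an added example, not code from the talk or from the CertiKOS project. It implements the security-aware semantics of the Proving Noninterference slides (writes inside a branch on a Hi condition are tainted Hi; the high machine cannot output) for the conundrum program above, and, with `check=True`, the Solution slide's rule that a store variable's label is predetermined and every write to it is checked. The tuple-based AST encoding, the `State` class and the initial Lo labels of `y` and `z` are assumptions of this example.

```python
# Added example (not from the talk): label-tracking interpreter for the slides'
# imperative language, with the high-machine taint rule and an optional
# label-immutability check on store variables.
from dataclasses import dataclass, field

LO, HI = "L", "H"

OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "%": lambda a, b: a % b,
       "==": lambda a, b: int(a == b), "and": lambda a, b: int(bool(a) and bool(b))}


def join(a, b):
    """Least upper bound of two labels: Hi dominates Lo."""
    return HI if HI in (a, b) else LO


class InsecureFlow(Exception):
    """A write or output that the security-aware semantics does not permit."""


@dataclass
class State:
    store: dict                               # var -> (value, label)
    heap: dict = field(default_factory=dict)  # addr -> (value, label)
    out: list = field(default_factory=list)   # values emitted by `output`


def eval_expr(e, st):
    """Evaluate E or B to (value, label); the label is the join of everything read."""
    if isinstance(e, int):
        return e, LO                          # constants are public
    if isinstance(e, str):
        return st.store[e]                    # variable read: value and its label
    op, l, r = e
    (lv, ll), (rv, rl) = eval_expr(l, st), eval_expr(r, st)
    return OPS[op](lv, rv), join(ll, rl)


def assign_var(st, x, val, lbl, pc, check):
    """x := val. The written label is raised to the branch label pc (high-machine
    taint). With check, a write may not change x's predetermined label."""
    new_lbl = join(lbl, pc)
    if check and x in st.store and st.store[x][1] != new_lbl:
        raise InsecureFlow(f"write would change label of {x} to {new_lbl}")
    st.store[x] = (val, new_lbl)


def run(c, st, pc=LO, check=False):
    """Execute command c in state st; pc is Hi while inside a branch on a Hi condition."""
    kind = c[0]
    if kind == "skip":
        return
    if kind == "assign":                              # x := E
        v, l = eval_expr(c[2], st)
        assign_var(st, c[1], v, l, pc, check)
    elif kind == "load":                              # x := [E]
        a, al = eval_expr(c[2], st)
        v, vl = st.heap[a]
        assign_var(st, c[1], v, join(al, vl), pc, check)
    elif kind == "store":                             # [E1] := E2 (heap cells are strong-update)
        a, al = eval_expr(c[1], st)
        v, vl = eval_expr(c[2], st)
        st.heap[a] = (v, join(join(al, vl), pc))
    elif kind == "output":                            # output E
        v, l = eval_expr(c[1], st)
        if join(l, pc) == HI:                         # the high machine cannot output
            raise InsecureFlow("output of Hi data or inside a Hi branch")
        st.out.append(v)
    elif kind == "seq":                               # C1; C2
        run(c[1], st, pc, check)
        run(c[2], st, pc, check)
    elif kind == "if":                                # if B then C1 else C2
        b, bl = eval_expr(c[1], st)
        run(c[2] if b else c[3], st, join(pc, bl), check)
    elif kind == "while":                             # while B do C
        b, bl = eval_expr(c[1], st)
        while b:
            run(c[2], st, join(pc, bl), check)
            b, bl = eval_expr(c[1], st)
    else:
        raise ValueError(kind)


def seq(*cs):
    """Build C1; C2; ...; Cn."""
    return cs[0] if len(cs) == 1 else ("seq", cs[0], seq(*cs[1:]))


# The program from the "A Conundrum" slide.
CONUNDRUM = seq(
    ("store", 1, 0),                                                   # [1] := 0
    ("assign", "y", 1),                                                # y := 1
    ("if", ("==", ("%", "x", 2), 0), ("assign", "y", 2), ("skip",)),  # if (x % 2 == 0) then y := 2 else skip
    ("store", "y", 1),                                                 # [y] := 1
    ("load", "z", 1),                                                  # z := [1]
    ("output", "z"),                                                   # output z
)


def run_conundrum(x, check=False):
    """Run the conundrum with x Hi; y and z are assumed to be predetermined Lo."""
    st = State(store={"x": (x, HI), "y": (0, LO), "z": (0, LO)})
    run(CONUNDRUM, st, check=check)
    return st.out, st.store["y"], dict(st.heap)


def conundrum_rejected(x):
    """True if the label-immutability check stops the run for this x."""
    try:
        run_conundrum(x, check=True)
        return False
    except InsecureFlow:
        return True
```

Without the check, `run_conundrum(100)` outputs 0 and leaves `heap[2] = (1, H)`, while `run_conundrum(101)` outputs 1 and leaves `heap[1] = (1, L)`: every label on the path to `output z` is Lo in both runs, yet the outputs differ, which is the leak of x's parity the slide illustrates. With the check, the write `y := 2` under the Hi branch is refused because it would change y's predetermined Lo label; the talk's logic rejects the program statically, whereas this dynamic check only fires on the run that takes the branch.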

### Declassification

Instead of labels, data will now have policies attached.

Policy d = state → lbl

How to define noninterference?

Suppose executing C on state σ1 results in output o. Then, if we change the value of any Hi variable or heap cell to obtain a new state σ2, executing C on σ2 will produce the same output o.

Semantic Labels

Given a configuration, a piece of data is semantically low if there is some future (or past) configuration in which the data’s policy evaluates to Lo.

[Timeline: the policy evaluates to Hi, Lo, Hi, Hi over successive configurations – the policy is semantically low in every configuration of this execution]

Given a configuration, a piece of data is semantically high if there is no future (or past) configuration in which the data’s policy evaluates to Lo.

[Timeline: the policy evaluates to Hi, Hi, Hi, Hi, Hi forever … – the policy is semantically high in every configuration of this execution]

### Noninterference + Declassification

Suppose executing C on state σ1 results in output o. Then, if we change the value of any semantically high variable or heap cell to obtain a new state σ2, executing C on σ2 will produce the same output o.

• Some subtleties:
  • If the value of a piece of semantically high data is changed, then the semantic label of any data in the entire program state could change!
    • Observable equivalence definition is tricky.
  • Expression/boolean expression label could be different in the two executions!
    • The logic is extended to guarantee that this situation does not occur.
  • Semantic labels (and hence observable equivalence) are purely logical notions since they are undecidable to compute.
    • A user cannot designate data as being semantically high in the way that he can designate data as being Hi in the system without declassification

### An Example

• Alice and Bob wish to pick a meeting time without revealing their entire calendars

OK to declassify a time slot if it's 'Free', and the corresponding time slot in Bob's calendar is also 'Free'

Calendars:

| Time | Alice's | Bob's |
|---|---|---|
| 1:00 | Free | Event |
| 2:00 | Event | Free |
| 3:00 | Free | Free |
| 4:00 | Event | Event |
| 5:00 | Event | Free |

    i := 0;
    while (i < n) do
      x := [a + i];
      y := [b + i];
      if (x == 0 ∧ y == 0) then (output i) else skip;
      i := i + 1

Doesn’t quite work, since x and y must have predetermined policies.

    i := 0;
    while (i < n) do
      F(i);
      i := i + 1

    F(i):
      x := [a + i];
      y := [b + i];
      if (x == 0 ∧ y == 0) then (output i) else skip

This works because x and y are fresh variables with each function call.
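The following is an added example, not code from the talk: it models the Declassification slides' policies as functions of the program state, computes the semantic label of each calendar slot over the configurations of one execution of the meeting program, and then exercises the Noninterference + Declassification definition by changing one slot and rerunning. The base addresses `A` and `B`, the encoding of Free as 0 (which the program's `x == 0` test suggests) and the per-iteration snapshot granularity are assumptions of this example.

```python
# Added example (not from the talk): state-dependent declassification policies,
# semantic labels over an execution trace, and a noninterference check for the
# Alice/Bob meeting program.
LO, HI = "L", "H"
FREE, EVENT = 0, 1                   # assumed encoding: the program tests `x == 0` for Free
A, B = 100, 200                      # assumed base addresses a and b of the two calendars
TIMES = ["1:00", "2:00", "3:00", "4:00", "5:00"]

# The calendars from the slide (constructed input).
ALICE = [FREE, EVENT, FREE, EVENT, EVENT]
BOB = [EVENT, FREE, FREE, EVENT, FREE]


def make_heap(alice, bob):
    """Lay both calendars out in a heap: Alice's slot i at a+i, Bob's at b+i."""
    heap = {A + i: v for i, v in enumerate(alice)}
    heap.update({B + i: v for i, v in enumerate(bob)})
    return heap


def slot_policy(i):
    """Policy d = state -> lbl for slot i: Lo only in a state where both Alice's
    and Bob's slot i are Free, otherwise Hi."""
    return lambda heap: LO if heap[A + i] == FREE and heap[B + i] == FREE else HI


def run_meeting(heap, n):
    """The slide's loop with F(i) inlined: output i whenever both slots i are Free.
    Returns the outputs and the trace of configurations (heap snapshots)."""
    heap = dict(heap)
    trace, out, i = [dict(heap)], [], 0
    while i < n:
        x, y = heap[A + i], heap[B + i]          # x := [a + i]; y := [b + i]
        if x == 0 and y == 0:
            out.append(i)                        # output i
        i += 1
        trace.append(dict(heap))                 # one configuration per iteration
    return out, trace


def semantic_label(policy, trace):
    """Semantically low iff some configuration of the execution makes the policy
    evaluate to Lo; semantically high iff no configuration does."""
    return LO if any(policy(cfg) == LO for cfg in trace) else HI


def slot_labels(alice, bob):
    """Semantic label of each of Alice's slots along the meeting program's execution."""
    _, trace = run_meeting(make_heap(alice, bob), len(alice))
    return {t: semantic_label(slot_policy(i), trace) for i, t in enumerate(TIMES)}


def change_and_rerun(alice, bob, slot, new_value):
    """Noninterference instance: change one of Alice's slots and return
    (its semantic label in the original run, outputs before, outputs after)."""
    label = slot_labels(alice, bob)[TIMES[slot]]
    before, _ = run_meeting(make_heap(alice, bob), len(alice))
    changed = alice[:slot] + [new_value] + alice[slot + 1:]
    after, _ = run_meeting(make_heap(changed, bob), len(alice))
    return label, before, after
```

With the slide's calendars only the 3:00 slot is semantically low and the program outputs index 2. Changing Alice's 4:00 slot (semantically high, since Bob's 4:00 is an Event) from Event to Free leaves the output unchanged, as the definition requires; changing the 3:00 slot changes the output, which is permitted because that datum is semantically low. The subtlety the slide flags can be seen with `slot_labels`: changing Bob's 1:00 slot from Event to Free makes Alice's 1:00 slot semantically low in the new run, so the semantic labels themselves depend on the high data that was changed.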

### Current Progress

• Many working versions of the system:
  • Weak-update store, no heap, with/without declassification
  • Strong-update store, no heap, with/without declassification
  • Weak-update store, strong-update heap, deterministic/nondeterministic memory allocation, with/without declassification
• Goals for the near future: