information flow security in haskell n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Information-Flow Security in Haskell PowerPoint Presentation
Download Presentation
Information-Flow Security in Haskell

Loading in 2 Seconds...

play fullscreen
1 / 41

Information-Flow Security in Haskell - PowerPoint PPT Presentation


  • 64 Views
  • Uploaded on

Information-Flow Security in Haskell. Alejandro Russo russo@chalmers.se. Advance Functional Programming Guest Lecture, February 1 6 th, 200 9. Introduction. Computer systems usually handles confidential information Credit card numbers, passwords, medical files, etc Mobile phones?

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Information-Flow Security in Haskell' - kalare


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
information flow security in haskell

Information-Flow Security in Haskell

Alejandro Russo

russo@chalmers.se

Advance Functional Programming

Guest Lecture, February 16th, 2009

introduction
Introduction
  • Computer systems usuallyhandlesconfidential information
    • Credit card numbers, passwords, medical files, etc
  • Mobile phones?
  • How can programs preserve confidentiality of data ?

TexPoint fonts used in EMF.

Read the TexPoint manual before you delete this box.: AAAAAAAAA

linux login authentication

Linux Shadow Password HOWTO: Adding shadow support to a C program

Adding shadow support to a program is actually fairly straightforward.

The only problem is that the program must be run by root (or SUID root) in

order for the the program to be able to access the /etc/shadow file.

Linux Login Authentication
  • /etc/passwd
  • /etc/shadow

bjorn:x:1003:100::/home/andrei:/bin/bash

hana:x:500:100::/home/tsa:

josef:x:1006:100::/home/john:/bin/bash

bjorn:$1$0ID5oZxB$0tdKR1VQWWQlkJR1Uj7na0:13397:0:99999:7:::

hana:$1$.28fO/M9$aaNMN4SWEKZiGPYoEq9996:13460:0:::::0

josef:$1$UP1uD.28$hi3vYEa20.zgWYNVN/Lq81:13539:0:99999:7:::

TexPoint fonts used in EMF.

Read the TexPoint manual before you delete this box.: AAAAAAAAA

linux login authentication1
Linux Login Authentication
  • Security problems?
  • Passwords can be stolen
    • It is only necessary to obtain root access
      • Trojan horses
      • Buffer overflow attacks
      • Etc...

TexPoint fonts used in EMF.

Read the TexPoint manual before you delete this box.: AAAAAAAAA

linux login authentication2
Linux Login Authentication
  • Linux provides an API to access /etc/shadow

#ifdef HAS_SHADOW

#include <shadow.h>

#include <shadow/pwauth.h>

#endif

  • /etc/shadow can be accessed not only by the API
    • Let assume the opposite

TexPoint fonts used in EMF.

Read the TexPoint manual before you delete this box.: AAAAAAAAA

more graphically
More graphically

access control is not enough!

API

Storage for passwords

language based security
Language-based Security
  • Analyzing the code of the whole system
    • Confidentiality, Integrity, etc.
  • Information-flow analysis:
    • How the information flow inside programs: is there a secret “going out” of the system?
information flow
Information-Flow
  • Programs have secret and public inputs and outputs, respectively

Non-interference

information flow1
Information-Flow
  • Programs have secret and public inputs and outputs, respectively

Leak of Information!

information flow security
Information-Flow Security
  • Study for ~30 years
  • Active research field
  • Compilers
    • JIF (Java) 2001-2009
      • Cornell University
    • FlowCaml (ML) 2002
      • INRIA (not actively developed)
  • Impact on practice
    • Limited!
why haskell
Why Haskell?
  • Pure language
    • No side-effects
    • Side-effects reflected in types (IO, etc)
  • Strong type system
    • Cannot ”cheat”
examples
Examples

f ::(Char {- secret -}, Int)

-> (Char {- secret -}, Int)

Secure

f (c, i) = ( chr(ord c + i), i)

Secure

f (c, i) = (chr(ord c + 1),i+1)

Insecure

f (c, i) = (chr(ord c + i), chr c)

Insecure

f (c, i) | c > 65 = (c, 42)

| otherwise = (c, i)

simple security api
Simple security API

dataSecH a – abstract

  • Once inside the monad, you cannot go out!!

instance Functor SecH

instance Monad SecH

f ::(SecH Char, Int)

-> (SecH Char, Int)

  • Termination-insensitivesecurity
    • Termination-sensitive.. Agda?
revised examples
Revised examples

f ::(SecH Char,Int)-> (SecH Char,Int)

Secure

f (c, i) = ( chr(ord c + i), i)

Type checks!

f (sc,i) = (do c <- sc

return chr(ord c+i),

i)

Insecure

f (c, i) = (chr(ord c + i), chr c)

Doesn’ttype checks!

f (sc, i) = (…, do c <- sc

return (chr c)

)

security guarantee
Security guarantee

Typechecks!

Secure

security lattice
Security lattice

dataSec s a -- abstract

dataH = H -- abstract

dataL = L -- public

class Less sL sH where

lesser :: sL -> sH -> ()

up :: Less sL sH => Sec sL a -> Sec sH a

instance Less L H

instance Less L L

instance Less H H

H

Sec H a ~= SecH a

Sec L a ~= a

L

arquitecture
Arquitecture

unsafePerformIO, Exceptions, etc.

~400 LOC

TrustedCode

HaskellLibraries

Code of the library

SafeHaskellLibraries

Secure Interface

(SecLib.hs)

Attacker/ UntrustedCode

what about io
What about IO?
  • IO Features
    • References
    • Files
    • Stdin/Stdout
  • In this talk only files
secure side effects
Secure side-effects
  • What about trying to do side-effects inside of the security monad?

Insecure

Secure

SecH (IO a)

We don’t know!

  • Another monad?
extended security api
Extended security API

-Write to level s or higher

-Produce a value at level s

dataSecIO s a –- abstract

value :: Sec s a -> SecIO s a

dataFile s-- abstract

readFileSecIO :: File s’ -> SecIO s (Sec s’String)

writeFileSecIO :: File s -> String -> SecIO s ()

run :: SecIO s a -> IO (Sec s a)

instance Functor SecIO

instance Monad SecIO

Side effects escape from SecIO!

little quiz for trusted code s programmers
Little quiz for trusted code’s programmers

Secure

IO (Sec H a)

Insecure

Sec H ( IO (Sec L a) )

TrustedCode

Secure

SecIO L Int

Insecure

Attacker/ UntrustedCode

SecIO L (IO () )

login authentication
Login Authentication
  • We have the following API to the shadow file

data Spwd = Spwd { uid :: UID, cypher :: Cypher }

getSpwdName :: Name -> IO (Maybe Spwd)

putSpwd :: Spwd -> IO ( )

  • Can we rewrite it ?
    • To avoid passwords being stolen

TexPoint fonts used in EMF.

Read the TexPoint manual before you delete this box.: AAAAAAAAA

secure api
Secure API?
  • Can we implement an API that preserves the confidentiality of passwords?
    • Let’s use our Sec, SecIO, etc.
    • Let’s see the types again.

data Spwd = Spwd { uid :: UID, cypher :: Cypher }

getSpwdName :: Name -> IO

putSpwd ::

(Maybe (Sec H Spwd) )

(Maybe Spwd)

Sec H Spwd -> IO (Sec H ( ) )

Spwd -> IO ( )

auxiliaries functions
Auxiliaries functions
  • do s <- readFile path_Shadow
  • (s == s) `seq` return (read s :: [(UID, Cypher)])

path_Shadow :: File H

path_Shadow = highF -- Like /etc/shadow.. (access only by API)

path_Passwd :: FilePath

path_Passwd = “/etc/passwd“

parseSpwd :: IO

parseSpwd =

parsePwd :: IO ([(Name, UID)])

parsePwd =

do s <- readFile path_Passwd

(s == s) `seq` return (read s :: [(Name, UID)])

( Sec H [(UID, Cypher)] )

run ( do sec <- readFile path_Shadow -- sec :: Sec H String

s <- value sec -- s :: String

(s == s) `seq` return (read s :: [(UID, Cypher)]))

api getting a password

( \ps ->

`fmap` sec_pwds

API: Getting a password

getSpwdName user =

do sec_pwds<- parseSpwd -- sec_pwds :: Sec H [(UID, Cypher)]

users<- parsePwd -- users :: ([(Name, UID)]

case lookup user users of

Nothing -> return Nothing

Just uid’ -> return $ Just $

case lookup uid’ps of

Nothing -> error “not possible”

Just c -> Spwd { uid = uid’ , cypher = c})

getSpwdName :: Name -> IO

(Maybe (Sec H Spwd) )

api setting a password
API: Setting a password

putSpwd ::

putSpwd pwd =

do sec_pwds <- parseSpwd -- sec_pwds :: Sec H [(UID, Cypher)]

Sec H Spwd -> IO (Sec H ( ) )

let secio = do pwds <- value sec_pwds -- pwds :: [(UID, Cypher)]

let (id, c) = (uid pwd, cypher pwd)

(ts,ds) = span (\(u,_) -> u /= id ) pwds

updated = if null ds

then ts++[(id,c)]

else ts++[(id,c)]++(tail ds)

writeFileSecIO path_Shadow (show updated)

run secio

more graphically1
More graphically

API

Storage for passwords

secure api1
Secure API
  • Security problems of our secure API?
  • Passwords can be stolen?
    • No!
      • Trojans? Buffer overflows?
    • No need to be root to use the API
    • No need to perform SIUD to use the API
  • Can we implement a login program?

TexPoint fonts used in EMF.

Read the TexPoint manual before you delete this box.: AAAAAAAAA

declassification1
Declassification
  • Login program: it is necessary to leak information that depends on secrets
    • pwd == input
  • Dimensions and principles of declassificaiton [Sabelfeld and Sands, 06]
    • What information can be leak?
    • When can information be leaked?
    • Where in the program is safe to leak information?
    • Who can leak information?
  • How to be certain that our programs leak what they are supposed to leak?
declassification in the library
Declassification in the Library
  • Our library should be able to handle different kind of declassificaiton policies
  • Policies are programs!
    • Trusted users of the library implement them
    • Controlled at run-time
  • A module defines combinators for different declassification policies (what, when, who)
  • In the talk: what

TrustedCode

escape hatches
Escape hatches
  • Declassification is performed by functions
    • Terminology: escape hatches [Sabelfeld and Myers, 2004]
  • In our library:
  • Example: checking password
  • type Hatch sH sL a b = Sec sH a -> Sec sL b
  • hatch :: (a -> b) -> Hatch sH sL a b –- hidden
  • check :: Hatch H L (String,Passwd) Bool
  • check = hatch (\(input,pwd) -> pwd == input)

monomorphic

escape hatches1
Escape hatches
  • We want to restrict capabilities of escape hatches

type Hatch sH sL a b =

Sec sH a -> IO (Maybe (Sec sL b))

mayfail

internalstate

declassification c ombinators
Declassification combinators

-- Restricting ”what” (how often)

nTimes :: Int -> Hatch sH sL a b ->

IO (Hatch sH sL a b)

-- Example

match =

nTimes 3

(hatch (\(secret,pwd) -> secret == pwd))

  • Other combinators in the library...
    • who, when
  • Possible to combine them and create ”complex” policies for declassification!
login program code

(Maybe (Sec H Spwd) )

(Sec H Spwd)

Login Program (Code)

login 0 _ = return ()

login n u

= do putStr "Password:"

pwd <- getLine

src <- getSpwdName u

case src of

Nothing

-> putStrLn "Invalid user!"

Just p

-> check p pwd n u

check p pwd n u =

import IO

import SpwdData

import Spwd

loginMain

= do welcome

u <- username

login 3 u

welcome

= putStrLn "This is ged node.

Welcome!"

username

= do putStr "ged login: "

getLine

do Just acc <- match

((\s -> (s, pwd)) `fmap` p)

if acc then putStrLn "Launching shell..."

else do putStrLn "Invalid login!"

login (n-1) u

TexPoint fonts used in EMF.

Read the TexPoint manual before you delete this box.: AAAAAAAAA

further details
Further details
  • Login program using the secure API + declassification
  • Paper about the library
    • Authors: Russo, Claessen, Hughes
    • Haskell Symposium ’08
    • Google: Alejandro Russo

http://www.cs.chalmers.se/~russo/

conclusions about the library
Conclusions about the library
  • Light-weight (~400 LOC)
    • Polymorphic secure code for free!
  • Practical
    • Simple (Monads)
    • Features: files, references, stdio/stdout, and more
    • Declassification
  • Limitations
    • Timing leaks
    • Static security lattice
future directions
Future directions
  • Networking
  • Cryptography (declassification)
  • The flexibility of Haskell together with providing information-flow as a library allows to include features with little effort!
  • Others?
some ideas for master thesis
Some ideas (for master thesis?)
  • Integrity policies in the code
    • Discretionary policies
      • How untrusted code can use resources?
    • Data invariants (indexes of arrays always fit into their boundaries)
    • Non-interference integrity policies
      • Untrusted data cannot affect trusted data
      • Endorcement
  • Can integrity policies be included in the library in a modular manner?
    • Topic worth to explore!!!