A Cryptographic Decentralized Label Model

Transcription

1 A Cryptographic Decentralized Label Model Jeffrey A. Vaughan and Steve Zdancewic Department of Computer and Information Science University of Pennsylvania IEEE Security and Privacy May 22, 2007

2 Information flow protects secrets from disclosure. Legit Users with Secrets Info. Flow Program and Runtime Network Disk Attackers 1/21

3 Information flow protects secrets from disclosure. Legit Users with Secrets Info. Flow Jif Program and [Myers et. al.] Runtime Network Disk Attackers 1/21

4 Information flow protects secrets from disclosure. Legit Users with Secrets Jif Applications Info. Flow Jif Program and [Myers et. JPmail al.] Runtime Jif Servlet Framework Network Battleship Attackers Game Disk Distributed Poker 1/21

5 Information flow protects secrets from disclosure. Legit Users with Secrets Info. Flow System Jif Program and [Myers et. al.] Trusted runtimeruntime Programming Language Network Attackers "Closed world" Disk 1/21

6 Information flow protects secrets from disclosure. Decentralized Labels Legit Users High with Secrets Alice: no readers Alice: Bob reads Network Info. Flow Jif Program and [Myers et. al.] Runtime Low Disk Attackers 1/21

7 Information flow protects secrets from disclosure. Legit Users Annotated Memory with Secrets x low 3 y Info. Flow high 4 Jif Program and [Myers et. al.] Runtime Network Disk Attackers 1/21

8 Noninterference: high inputs don t affect low outputs Secret High Low Public [Denning & Denning CACM 77] [Pottier & Simonet TOPLAS 03] [Volpano, Smith, & Irvine JCS 96] [... ] 2/21

9 Noninterference: high inputs don t affect low outputs Secret High Low Public [Denning & Denning CACM 77] [Pottier & Simonet TOPLAS 03] [Volpano, Smith, & Irvine JCS 96] [... ] 2/21

10 Some programs need to violate noninterference. Secret High Declassify Low Public Satisfies (decentralized) robust declassification instead of noninterference [Myers & Chong CSFW 06]. 3/21

11 Encryption can restore noninterference. Secret High Encrypt GenKey Low Public [Chothia, Duggan, & Vitek CSFW 02] [Sumii & Pierce POPL 04] [Laud & Vene ACSAC 05] [Askarov, Hedin, & Sabelfeld ISAS 06] 4/21

12 Our idea: make the cryptography transparent. Secret High Pack Low Public 5/21

13 Our idea: make the cryptography transparent. Secret High Encrypt Error Runtime Low Public 5/21

14 Our solution: label directed implicit packing. The Cryptographic Decentralized Label Model unifies a high-level, information-flow language, declarative labels that describe security policies, and cryptographic packages that implement policies. Key notation data + policies package v + l v l 6/21

15 SImp language can pack and unpack labeled data. Definition (SImp Syntax) types τ ::= int... pkg values v ::= v l package expressions e ::=... pack e at l package intro unpack e as τ{l} package elim Packages may be constructed and analyzed according to l. 7/21

16 SImp can implement a simple messaging system. Example text: string{high} out: pkg{low} dest: string{low} in: pkg{low} text := readline() match (pack text at {high}) with ok(p) => out := p; send(out) error => skip. in := receive() match (unpack in as text{high}) ok(t) => text := t; printline(text) error => skip 8/21

17 Pack succeeds iff runtime has sufficient authority. The SImp runtime contains a memory, M, and an authority, p. Evaluation Model precondition runtime state from to Definition (Pack Evaulation) p writes l p; M pack v at l ok( v l ) E-PACK-OK (p writes l) p; M pack v at l error E-PACK-FAIL Without enough keys, it is infeasible for the runtime to perform these operations. 9/21

18 Unpacking also performs dynamic checks. Definition Fragment (Unpack Evaluation) p reads l l 0 l v 0 : τ p; M unpack v 0 l0 as τ{l} ok(v 0 ) Checks ensure cryptographic feasibility information flow type safety (values have correct shapes) 10/21

19 Unpacking also performs dynamic checks. Definition Fragment (Unpack Evaluation) p reads l l 0 l v 0 : τ p; M unpack v 0 l0 as τ{l} ok(v 0 ) Checks ensure cryptographic feasibility information flow type safety (values have correct shapes) 10/21

20 Unpacking also performs dynamic checks. Definition Fragment (Unpack Evaluation) p reads l l 0 l v 0 : τ p; M unpack v 0 l0 as τ{l} ok(v 0 ) Checks ensure cryptographic feasibility information flow type safety (values have correct shapes) 10/21

21 Unpacking also performs dynamic checks. Definition Fragment (Unpack Evaluation) p reads l l 0 l v 0 : τ p; M unpack v 0 l0 as τ{l} ok(v 0 ) Checks ensure cryptographic feasibility information flow type safety (values have correct shapes) 10/21

22 Unpacking also performs dynamic checks. Definition Fragment (Unpack Evaluation) p reads l l 0 l v 0 : τ p; M unpack v 0 l0 as τ{l} ok(v 0 ) Checks ensure cryptographic feasibility information flow type safety (values have correct shapes) 10/21

23 Is failure to pack a covert channel? Example h: bool{high}, l: bool{low}, v: pkg{?} if h then v := pack 0 at low else v := pack 0 at high. match (unpack v as bool{low}) with ok(_) => l := true error => l := false 11/21

24 Is failure to pack a covert channel? Example h: bool{high}, l: bool{low}, v: pkg{?} } if h then Rule: High guard requires variables v := pack 0 at low assigned in branches are high. else v := pack 0 at high. match (unpack v as bool{low}) with ok(_) => l := true error => l := false Constraints: v is high 11/21

25 Is failure to pack a covert channel? Example h: bool{high}, l: bool{low}, v: pkg{?} if h then v := pack 0 at low else v := pack 0 at high Rule: Unpack does not declassify secret data.. match (unpack v as bool{low}) with ok(_) => l := true error => l := false Constraints: v is high; v is low 11/21

26 Is failure to pack a covert channel? Example h: bool{high}, l: bool{low}, v: pkg{?} if h then v := pack 0 at low else v := pack 0 at high. match (unpack v as bool{low}) with ok(_) => l := true error => l := false Constraints: v is high; v is low; high = low 11/21

27 Is failure to pack a covert channel? Example h: bool{high}, l: bool{low}, v: pkg{?} if h then v := pack 0 at low else v := pack 0 at high. match (unpack v as bool{low}) with ok(_) => l := true error => l := false reject statically 11/21

28 Pack provides a limited declassify, unpack an endorse. Definition Fragment (Pack Security Typing, 1 st attempt) If e has label l e then pack e at l e has label l. Definition Fragment (Unpack Security Typing, 1 st attempt) If e has label l e, and labels l and l e are equal, then unpack e as τ{l} has label l. 12/21

29 Pack provides a limited declassify, unpack an endorse. Definition Fragment (Pack Security Typing) If e has label l e, and labels l and l e have equal integrity components, then pack e at l e has label l. Definition Fragment (Unpack Security Typing) If e has label l e, and labels l and l e have equal confidentiality components, then unpack e as τ{l} has label l. 12/21

30 Can we cast away security labels? Example h: bool{high}, l: bool{low}, v: pkg{low} v := pack h at {high}. match (unpack v as bool{low}) with ok(true) => l := true ok(false) => l := false error => skip 13/21

31 Can we cast away security labels? Example h: bool{high}, l: bool{low}, v: pkg{low} v := pack h at {high}. match (unpack v as bool{low}) with ok(true) => l := true ok(false) => l := false error => skip State: h = true 13/21

32 Can we cast away security labels? Example h: bool{high}, l: bool{low}, v: pkg{low} v := pack h at {high}. match (unpack v as bool{low}) with ok(true) => l := true ok(false) => l := false error => skip State: h = true; v = true high 13/21

33 Can we cast away security labels? Example h: bool{high}, l: bool{low}, v: pkg{low} v := pack h at {high}. match (unpack v as bool{low}) with ok(true) => l := true ok(false) => l := false error => skip Check: high low 13/21

34 Can we cast away security labels? Example h: bool{high}, l: bool{low}, v: pkg{low} v := pack h at {high}. match (unpack v as bool{low}) with ok(true) => l := true ok(false) => l := false error => skip unpacking fails 13/21

35 Can we cast away security labels? Example h: bool{high}, l: bool{low}, v: pkg{low} v := pack h at {high}. match (unpack v as bool{low}) with ok(true) => l := true ok(false) => l := false error => skip State: h = true; v = true high 13/21

36 Can we cast away security labels? Example h: bool{high}, l: bool{low}, v: pkg{low} v := pack h at {high}. match (unpack v as bool{low}) with ok(true) => l := true ok(false) => l := false error => skip Conclusion: not a leak 13/21

37 Evaluation respects noninterference. Property (M 1 =l M 2 ) Example Memories M 1 and M 2 are equivalent to an observer with power l, if the observer cannot distinguish the memories. M 1 M 2 x low 2 x low 2 y low 3 high y low 4 high z high 3 z high 4 M 1 =low M 2 M 1 =high M 2 Property (Noninterference) evaluation M 1 =l M 2 M 2 = l M 1 evaluation 14/21

38 SImp is parameterized by a security lattice. Definition Fragment (Security lattice) A lattice whose elements are composed of orthogonal confidentiality and integrity components is a security lattice. Example high = {private!tainted} {private!trusted} {public!tainted} low = {public!trusted} 15/21

39 Decentralized labels specify security policies. l = {Alice: Bob! Charlie; Bob: Alice! Charlie, Dave} A label is a list of policies. A policy consists of an owner (who may distrust other owners), a reader set, and a writer set. Property (p reads l) Principal set p reads l when each owner in l permits some member of p to read. Example reads writes Alice x Dave x x {Alice, Dave} x Labeling is a variant of Myers and Liskov s DLM [TOSEM 00]. 16/21

40 Decentralized labels specify security policies. l = {Alice: Bob! Charlie; Bob: Alice! Charlie, Dave} A label is a list of policies. A policy consists of an owner (who may distrust other owners), a reader set, and a writer set. Property (p reads l) Principal set p reads l when each owner in l permits some member of p to read. Example reads writes Alice x Dave x x {Alice, Dave} x Labeling is a variant of Myers and Liskov s DLM [TOSEM 00]. 16/21

41 Decentralized labels specify security policies. l = {Alice: Bob! Charlie; Bob: Alice! Charlie, Dave} A label is a list of policies. A policy consists of an owner (who may distrust other owners), a reader set, and a writer set. Property (p reads l) Principal set p reads l when each owner in l permits some member of p to read. Example reads writes Alice x Dave x x {Alice, Dave} x Labeling is a variant of Myers and Liskov s DLM [TOSEM 00]. 16/21

42 Decentralized labels specify security policies. l = {Alice: Bob! Charlie; Bob: Alice! Charlie, Dave} A label is a list of policies. A policy consists of an owner (who may distrust other owners), a reader set, and a writer set. Property (p reads l) Principal set p reads l when each owner in l permits some member of p to read. Example reads writes Alice x Dave x x {Alice, Dave} x Labeling is a variant of Myers and Liskov s DLM [TOSEM 00]. 16/21

43 Decentralized labels specify security policies. l = {Alice: Bob! Charlie; Bob: Alice! Charlie, Dave} A label is a list of policies. A policy consists of an owner (who may distrust other owners), a reader set, and a writer set. Property (p reads l) Principal set p reads l when each owner in l permits some member of p to read. Example reads writes Alice x Dave x x {Alice, Dave} x Labeling is a variant of Myers and Liskov s DLM [TOSEM 00]. 16/21

44 Decentralized labels specify security policies. l = {Alice: Bob! Charlie; Bob: Alice! Charlie, Dave} A label is a list of policies. A policy consists of an owner (who may distrust other owners), a reader set, and a writer set. Property (p reads l) Principal set p reads l when each owner in l permits some member of p to read. Example reads writes Alice x Dave x x {Alice, Dave} x Labeling is a variant of Myers and Liskov s DLM [TOSEM 00]. 16/21

45 Decentralized labels specify security policies. l = {Alice: Bob! Charlie; Bob: Alice! Charlie, Dave} A label is a list of policies. A policy consists of an owner (who may distrust other owners), a reader set, and a writer set. Property (p reads l) Principal set p reads l when each owner in l permits some member of p to read. Example reads writes Alice x Dave x x {Alice, Dave} x Labeling is a variant of Myers and Liskov s DLM [TOSEM 00]. 16/21

46 Labels and packages need meaning outside of SImp. Cryptographic assumptions Each principal is mapped to a well-known public key. Cryptographic functions follow the Dolev-Yao model. Goals of interpretation Package confidentiality protects data from eavesdroppers. Package integrity protects the program from data. Packages can created and consumed offline. 17/21

47 Packages compile to cryptographic messages. Example (Compile 42 {Alice: Bob! } ) 1. Generate fresh key pairs (R +, R ) and (W +, W ). 2. Let payload = sign(w, { 42 } R +) 3. Let seal = sign(alice, ["{Alice: Bob!}", R +, W +, { R } K +, { R } Alice K +, { W } Bob K + ]) Alice 4. Return package = (seal, payload) R is a read capability. W is a write capability. 18/21

48 Package compilation is adequate. Property (m 1 =l m 2 ) Say m 1 =l m 2 when messages m 1 and m 2 reveal only equivalent information to Dolev-Yao observers weaker than l. Corollary Lemma (Adequacy for Values) If v 1 =l v 2 then compile(v 1 ) = l compile(v 2 ). M 1 =l M 2 compile compile σ 1 =l σ 2 19/21

49 Read the paper for more results. Today we discussed noninterference and adequacy. In the paper we consider feasibility. evaluation M 1 =l M 2 M 2 = l M 1 evaluation compile compile σ 1 =l σ 2 20/21

50 Read the paper for more results. Today we discussed noninterference and adequacy. In the paper we consider feasibility. evaluation M 1 =l M 2 M 2 = l M 1 evaluation compile compile σ 1 =l σ 2 20/21

51 Read the paper for more results. Today we discussed noninterference and adequacy. In the paper we consider feasibility. evaluation M 1 =l M 2 M 2 = l M 1 evaluation compile compile σ 1 =l σ 2 20/21

52 Read the paper for more results. Today we discussed noninterference and adequacy. In the paper we consider feasibility. compile compile evaluation M 1 =l M 2 evaluation M 2 = l M 1 compile crypto. ops σ 1 =l σ 2 σ 2 = l σ 1 compile crypto. ops 20/21

53 Read the paper for more results. Today we discussed noninterference and adequacy. In the paper we consider feasibility. compile compile evaluation M 1 =l M 2 evaluation M 2 = l M 1 compile crypto. ops σ 1 =l σ 2 σ 2 = l σ 1 compile crypto. ops 20/21

54 Take home messages SImp explores a new space in information flow languages with declarative policies implemented by a cryptographic mechanism, a strong noninterference property, and a rich, structural label language. 21/21

55 Appendix Typing Rules Future Work Package Uniqueness DLM Comparison Expression Noninterference Statement Command Noninterference Statement Adequacy Statements Feasibility Statement Cryptographic Operations

56 Pack provides a limited declassify, unpack an endorse. Definition Fragment Θ; Γ e : τ{l e } I(l e ) = I(l) Θ; Γ pack e at l e : (pkg + error){l} Θ; Γ e : pkg{l e } C(l e ) = C(l) Θ; Γ unpack e as τ{l} : (τ + error){l} These rules are safe because of the dynamic checks. toc A

57 This is just the beginning. Further research questions: Can homomorphic encryption be used for computation within packages? How can we compile alternative label models? share semantics uniqueness labels How does package upgrading and downgrading interact with cryptography? toc B

58 A explicit non-goal: package uniqueness. Replay attacks (vs. legitimate uses of persistence) are best detected at higher levels of abstraction. Uniqueness checks appear to require interactive protocols. Resolving these challenges would be interesting future work. toc C

59 Our DLM is a variant of Myers and Liskov s original. Example Here: l = {Alice: Charlie! ; Bob: Dave! } {Charlie, Dave} reads l Myers and Liskov: {Dave, Charlie} reads l toc We don t consider an explicit acts-for-hierarchy. It should work technically but is orthogonal. Intuitively, principal sets act for component principals. Key difference: Myers and Liskov: Calculate readers, then close under acts-for. Here: Close under acts-for, then calculate readers. D

60 Formal statement of expression noninterference. Theorem (Expression noninterference) If Θ M 1 OK, Θ M 2 OK and Θ M 1 =l M 2 Θ; e 1 : τ{l e } and e 1 =l e 2 where l e l p; M 1 e 1 v 1 and p; M 2 e 2 v 2 then v 1 =l v 2. toc E

61 Command evaluation respects noninterference. Theorem (Command Noninterference) If Θ M 1 OK, Θ M 2 OK and Θ M 1 =l M 2 pc; Θ; c 1 and c 1 =l c 2 p M 1, c 1 M 1, skip and p M 2, c 2 M 2, skip then Θ M 1 = l M 2. toc F

62 Adequacy theorems: compilation is secret preserving. Lemma (Adequacy of Value Translation) If v 1 =l v 2 and κ is fresh then V[[v 1 ]] κ =l V[[v 2 ]] κ. Corollary (Adequacy of Memory Translation) If Θ M 1 =l M 2 and κ is fresh then M[[M 1 ]] κ Θ = l M[[M 2 ]] Θ κ. toc G

63 Realizable operations simulate SImp evaluation. Theorem (Feasibility) If Θ M OK pc; Θ; Γ c p reads pc and p writes pc, p M, c M, c then κ 3, κ 4. M[[M]] Θ κ 1 state(κ 2, p, c) M[[M ]] Θ κ 3 state(κ 4, p, c). toc H

64 Only some operations are cryptographically realizable. Definition σ σ, knows (K + κ, K κ ) CS-FRESH κ fresh CS-DERIVE σ d m σ σ, knows m CS-FORGET σ σ σ σ CS-COMPUTE σ d "i 1 " σ d "i 2 " σ σ, "i 3 " where i 3 = i 1 + i 2 toc I