A Cryptographic Decentralized Label Model

Similar documents
Dynamic Noninterference Analysis Using Context Sensitive Static Analyses. Gurvan Le Guernic July 14, 2007

Towards information flow control. Chaire Informatique et sciences numériques Collège de France, cours du 30 mars 2011

Information Security Theory vs. Reality

Fast Probabilistic Simulation, Nontermination, and Secure Information Flow

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols

Rapporto di Ricerca CS

One Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:

Language-based Information Security. CS252r Spring 2012

DERIVING AND PROVING ABSTRACT NON-INTERFERENCE

Collaborative Planning with Privacy

Information Flow Inference for ML

Notes on BAN Logic CSG 399. March 7, 2006

Program Analysis Probably Counts

Information Flow Inference for ML

MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC

Abstract Specification of Crypto- Protocols and their Attack Models in MSR

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Typing Noninterference for Reactive Programs

EAHyper: Satisfiability, Implication, and Equivalence Checking of Hyperproperties

Integer Clocks and Local Time Scales

Introduction to Cryptography. Lecture 8

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing

A Logic for Information Flow Analysis with an Application to Forward Slicing of Simple Imperative Programs

MASTER S THESIS FROM FORMAL TO COMPUTATIONAL AUTHENTICITY DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

On the computational soundness of cryptographically masked flows

CPSA and Formal Security Goals

Dynamic Dependency Monitoring to Secure Information Flow

Simply Typed Lambda Calculus

A bisimulation for dynamic sealing

Security: Foundations, Security Policies, Capabilities

Using Architecture to Reason about Information Security

Cryptographical Security in the Quantum Random Oracle Model

A process algebraic analysis of privacy-type properties in cryptographic protocols

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Keyword Search and Oblivious Pseudo-Random Functions

Pseudonym and Anonymous Credential Systems. Kyle Soska 4/13/2016

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

Analysing privacy-type properties in cryptographic protocols

Non-interference. Christoph Sprenger and Sebastian Mödersheim. FMSEC Module 11, v.2 November 30, Department of Computer Science ETH Zurich

Secrecy in Multiagent Systems

Quantum threat...and quantum solutions

Lecture Notes 20: Zero-Knowledge Proofs

A Logic of Authentication

ASYMMETRIC ENCRYPTION

Cryptography: A Fairy Tale for Mathematicians and Starring Mathematicians!

Typed MSR: Syntax and Examples

CPSC 467: Cryptography and Computer Security

Notes for Lecture 17

CS 395T. Probabilistic Polynomial-Time Calculus

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Securing Interactive Systems

Cryptography 2017 Lecture 2

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Lecture 10: Zero-Knowledge Proofs

Lecture 1: Introduction to Public key cryptography

Control Flow Analysis of Security Protocols (I)

Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes

Encoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Computing on Encrypted Data

Lecture 28: Public-key Cryptography. Public-key Cryptography

Tutorial: Device-independent random number generation. Roger Colbeck University of York

1 Secure two-party computation

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

An Independence Relation for Sets of Secrets

Mandatory Access Control (MAC)

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

The Laws of Cryptography Zero-Knowledge Protocols

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Towards a Practical Secure Concurrent Language

Extracting a Secret Key from a Wireless Channel

Computers and Mathematics with Applications

Proof assistants as a tool for thought

Mobile Functions and Secure Information Flow

The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

Constructing Provably-Secure Identity-Based Signature Schemes

Lecture 5, CPA Secure Encryption from PRFs

CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

EDA045F: Program Analysis LECTURE 10: TYPES 1. Christoph Reichenbach

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols

Security Abstractions and Intruder Models

A Temporal Logic Approach to Information-flow Control

A Theory for Comparing the Expressive Power of Access Control Models

CPSC 467b: Cryptography and Computer Security

Challenges in Quantum Information Science. Umesh V. Vazirani U. C. Berkeley

Exam Security January 19, :30 11:30

CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 2

Public Key Cryptography

CPSC 467: Cryptography and Computer Security

Trace semantics: towards a unification of parallel paradigms Stephen Brookes. Department of Computer Science Carnegie Mellon University

Transcription:

A Cryptographic Decentralized Label Model Jeffrey A. Vaughan and Steve Zdancewic Department of Computer and Information Science University of Pennsylvania IEEE Security and Privacy May 22, 2007

Information flow protects secrets from disclosure. Legit Users with Secrets Info. Flow Program and Runtime Network Disk Attackers 1/21

Information flow protects secrets from disclosure. Legit Users with Secrets Info. Flow Jif Program and [Myers et. al.] Runtime Network Disk Attackers 1/21

Information flow protects secrets from disclosure. Legit Users with Secrets Jif Applications Info. Flow Jif Program and [Myers et. JPmail al.] Runtime Jif Servlet Framework Network Battleship Attackers Game Disk Distributed Poker 1/21

Information flow protects secrets from disclosure. Legit Users with Secrets Info. Flow System Jif Program and [Myers et. al.] Trusted runtimeruntime Programming Language Network Attackers "Closed world" Disk 1/21

Information flow protects secrets from disclosure. Decentralized Labels Legit Users High with Secrets Alice: no readers Alice: Bob reads Network Info. Flow Jif Program and [Myers et. al.] Runtime Low Disk Attackers 1/21

Information flow protects secrets from disclosure. Legit Users Annotated Memory with Secrets x low 3 y Info. Flow high 4 Jif Program and [Myers et. al.] Runtime Network Disk Attackers 1/21

Noninterference: high inputs don t affect low outputs Secret High Low Public [Denning & Denning CACM 77] [Pottier & Simonet TOPLAS 03] [Volpano, Smith, & Irvine JCS 96] [... ] 2/21

Noninterference: high inputs don t affect low outputs Secret High Low Public [Denning & Denning CACM 77] [Pottier & Simonet TOPLAS 03] [Volpano, Smith, & Irvine JCS 96] [... ] 2/21

Some programs need to violate noninterference. Secret High Declassify Low Public Satisfies (decentralized) robust declassification instead of noninterference [Myers & Chong CSFW 06]. 3/21

Encryption can restore noninterference. Secret High Encrypt GenKey Low Public [Chothia, Duggan, & Vitek CSFW 02] [Sumii & Pierce POPL 04] [Laud & Vene ACSAC 05] [Askarov, Hedin, & Sabelfeld ISAS 06] 4/21

Our idea: make the cryptography transparent. Secret High Pack Low Public 5/21

Our idea: make the cryptography transparent. Secret High Encrypt Error Runtime Low Public 5/21

Our solution: label directed implicit packing. The Cryptographic Decentralized Label Model unifies a high-level, information-flow language, declarative labels that describe security policies, and cryptographic packages that implement policies. Key notation data + policies package v + l v l 6/21

SImp language can pack and unpack labeled data. Definition (SImp Syntax) types τ ::= int... pkg values v ::= 0 1... v l package expressions e ::=... pack e at l package intro unpack e as τ{l} package elim Packages may be constructed and analyzed according to l. 7/21

SImp can implement a simple messaging system. Example text: string{high} out: pkg{low} dest: string{low} in: pkg{low} text := readline() match (pack text at {high}) with ok(p) => out := p; send(out) error => skip. in := receive() match (unpack in as text{high}) ok(t) => text := t; printline(text) error => skip 8/21

Pack succeeds iff runtime has sufficient authority. The SImp runtime contains a memory, M, and an authority, p. Evaluation Model precondition runtime state from to Definition (Pack Evaulation) p writes l p; M pack v at l ok( v l ) E-PACK-OK (p writes l) p; M pack v at l error E-PACK-FAIL Without enough keys, it is infeasible for the runtime to perform these operations. 9/21

Unpacking also performs dynamic checks. Definition Fragment (Unpack Evaluation) p reads l l 0 l v 0 : τ p; M unpack v 0 l0 as τ{l} ok(v 0 ) Checks ensure cryptographic feasibility information flow type safety (values have correct shapes) 10/21

Unpacking also performs dynamic checks. Definition Fragment (Unpack Evaluation) p reads l l 0 l v 0 : τ p; M unpack v 0 l0 as τ{l} ok(v 0 ) Checks ensure cryptographic feasibility information flow type safety (values have correct shapes) 10/21

Unpacking also performs dynamic checks. Definition Fragment (Unpack Evaluation) p reads l l 0 l v 0 : τ p; M unpack v 0 l0 as τ{l} ok(v 0 ) Checks ensure cryptographic feasibility information flow type safety (values have correct shapes) 10/21

Unpacking also performs dynamic checks. Definition Fragment (Unpack Evaluation) p reads l l 0 l v 0 : τ p; M unpack v 0 l0 as τ{l} ok(v 0 ) Checks ensure cryptographic feasibility information flow type safety (values have correct shapes) 10/21

Unpacking also performs dynamic checks. Definition Fragment (Unpack Evaluation) p reads l l 0 l v 0 : τ p; M unpack v 0 l0 as τ{l} ok(v 0 ) Checks ensure cryptographic feasibility information flow type safety (values have correct shapes) 10/21

Is failure to pack a covert channel? Example h: bool{high}, l: bool{low}, v: pkg{?} if h then v := pack 0 at low else v := pack 0 at high. match (unpack v as bool{low}) with ok(_) => l := true error => l := false 11/21

Is failure to pack a covert channel? Example h: bool{high}, l: bool{low}, v: pkg{?} } if h then Rule: High guard requires variables v := pack 0 at low assigned in branches are high. else v := pack 0 at high. match (unpack v as bool{low}) with ok(_) => l := true error => l := false Constraints: v is high 11/21

Is failure to pack a covert channel? Example h: bool{high}, l: bool{low}, v: pkg{?} if h then v := pack 0 at low else v := pack 0 at high Rule: Unpack does not declassify secret data.. match (unpack v as bool{low}) with ok(_) => l := true error => l := false Constraints: v is high; v is low 11/21

Is failure to pack a covert channel? Example h: bool{high}, l: bool{low}, v: pkg{?} if h then v := pack 0 at low else v := pack 0 at high. match (unpack v as bool{low}) with ok(_) => l := true error => l := false Constraints: v is high; v is low; high = low 11/21

Is failure to pack a covert channel? Example h: bool{high}, l: bool{low}, v: pkg{?} if h then v := pack 0 at low else v := pack 0 at high. match (unpack v as bool{low}) with ok(_) => l := true error => l := false reject statically 11/21

Pack provides a limited declassify, unpack an endorse. Definition Fragment (Pack Security Typing, 1 st attempt) If e has label l e then pack e at l e has label l. Definition Fragment (Unpack Security Typing, 1 st attempt) If e has label l e, and labels l and l e are equal, then unpack e as τ{l} has label l. 12/21

Pack provides a limited declassify, unpack an endorse. Definition Fragment (Pack Security Typing) If e has label l e, and labels l and l e have equal integrity components, then pack e at l e has label l. Definition Fragment (Unpack Security Typing) If e has label l e, and labels l and l e have equal confidentiality components, then unpack e as τ{l} has label l. 12/21

Can we cast away security labels? Example h: bool{high}, l: bool{low}, v: pkg{low} v := pack h at {high}. match (unpack v as bool{low}) with ok(true) => l := true ok(false) => l := false error => skip 13/21

Can we cast away security labels? Example h: bool{high}, l: bool{low}, v: pkg{low} v := pack h at {high}. match (unpack v as bool{low}) with ok(true) => l := true ok(false) => l := false error => skip State: h = true 13/21

Can we cast away security labels? Example h: bool{high}, l: bool{low}, v: pkg{low} v := pack h at {high}. match (unpack v as bool{low}) with ok(true) => l := true ok(false) => l := false error => skip State: h = true; v = true high 13/21

Can we cast away security labels? Example h: bool{high}, l: bool{low}, v: pkg{low} v := pack h at {high}. match (unpack v as bool{low}) with ok(true) => l := true ok(false) => l := false error => skip Check: high low 13/21

Can we cast away security labels? Example h: bool{high}, l: bool{low}, v: pkg{low} v := pack h at {high}. match (unpack v as bool{low}) with ok(true) => l := true ok(false) => l := false error => skip unpacking fails 13/21

Can we cast away security labels? Example h: bool{high}, l: bool{low}, v: pkg{low} v := pack h at {high}. match (unpack v as bool{low}) with ok(true) => l := true ok(false) => l := false error => skip State: h = true; v = true high 13/21

Can we cast away security labels? Example h: bool{high}, l: bool{low}, v: pkg{low} v := pack h at {high}. match (unpack v as bool{low}) with ok(true) => l := true ok(false) => l := false error => skip Conclusion: not a leak 13/21

Evaluation respects noninterference. Property (M 1 =l M 2 ) Example Memories M 1 and M 2 are equivalent to an observer with power l, if the observer cannot distinguish the memories. M 1 M 2 x low 2 x low 2 y low 3 high y low 4 high z high 3 z high 4 M 1 =low M 2 M 1 =high M 2 Property (Noninterference) evaluation M 1 =l M 2 M 2 = l M 1 evaluation 14/21

SImp is parameterized by a security lattice. Definition Fragment (Security lattice) A lattice whose elements are composed of orthogonal confidentiality and integrity components is a security lattice. Example high = {private!tainted} {private!trusted} {public!tainted} low = {public!trusted} 15/21

Decentralized labels specify security policies. l = {Alice: Bob! Charlie; Bob: Alice! Charlie, Dave} A label is a list of policies. A policy consists of an owner (who may distrust other owners), a reader set, and a writer set. Property (p reads l) Principal set p reads l when each owner in l permits some member of p to read. Example reads writes Alice x Dave x x {Alice, Dave} x Labeling is a variant of Myers and Liskov s DLM [TOSEM 00]. 16/21

Decentralized labels specify security policies. l = {Alice: Bob! Charlie; Bob: Alice! Charlie, Dave} A label is a list of policies. A policy consists of an owner (who may distrust other owners), a reader set, and a writer set. Property (p reads l) Principal set p reads l when each owner in l permits some member of p to read. Example reads writes Alice x Dave x x {Alice, Dave} x Labeling is a variant of Myers and Liskov s DLM [TOSEM 00]. 16/21

Decentralized labels specify security policies. l = {Alice: Bob! Charlie; Bob: Alice! Charlie, Dave} A label is a list of policies. A policy consists of an owner (who may distrust other owners), a reader set, and a writer set. Property (p reads l) Principal set p reads l when each owner in l permits some member of p to read. Example reads writes Alice x Dave x x {Alice, Dave} x Labeling is a variant of Myers and Liskov s DLM [TOSEM 00]. 16/21

Decentralized labels specify security policies. l = {Alice: Bob! Charlie; Bob: Alice! Charlie, Dave} A label is a list of policies. A policy consists of an owner (who may distrust other owners), a reader set, and a writer set. Property (p reads l) Principal set p reads l when each owner in l permits some member of p to read. Example reads writes Alice x Dave x x {Alice, Dave} x Labeling is a variant of Myers and Liskov s DLM [TOSEM 00]. 16/21

Decentralized labels specify security policies. l = {Alice: Bob! Charlie; Bob: Alice! Charlie, Dave} A label is a list of policies. A policy consists of an owner (who may distrust other owners), a reader set, and a writer set. Property (p reads l) Principal set p reads l when each owner in l permits some member of p to read. Example reads writes Alice x Dave x x {Alice, Dave} x Labeling is a variant of Myers and Liskov s DLM [TOSEM 00]. 16/21

Decentralized labels specify security policies. l = {Alice: Bob! Charlie; Bob: Alice! Charlie, Dave} A label is a list of policies. A policy consists of an owner (who may distrust other owners), a reader set, and a writer set. Property (p reads l) Principal set p reads l when each owner in l permits some member of p to read. Example reads writes Alice x Dave x x {Alice, Dave} x Labeling is a variant of Myers and Liskov s DLM [TOSEM 00]. 16/21

Decentralized labels specify security policies. l = {Alice: Bob! Charlie; Bob: Alice! Charlie, Dave} A label is a list of policies. A policy consists of an owner (who may distrust other owners), a reader set, and a writer set. Property (p reads l) Principal set p reads l when each owner in l permits some member of p to read. Example reads writes Alice x Dave x x {Alice, Dave} x Labeling is a variant of Myers and Liskov s DLM [TOSEM 00]. 16/21

Labels and packages need meaning outside of SImp. Cryptographic assumptions Each principal is mapped to a well-known public key. Cryptographic functions follow the Dolev-Yao model. Goals of interpretation Package confidentiality protects data from eavesdroppers. Package integrity protects the program from data. Packages can created and consumed offline. 17/21

Packages compile to cryptographic messages. Example (Compile 42 {Alice: Bob! } ) 1. Generate fresh key pairs (R +, R ) and (W +, W ). 2. Let payload = sign(w, { 42 } R +) 3. Let seal = sign(alice, ["{Alice: Bob!}", R +, W +, { R } K +, { R } Alice K +, { W } Bob K + ]) Alice 4. Return package = (seal, payload) R is a read capability. W is a write capability. 18/21

Package compilation is adequate. Property (m 1 =l m 2 ) Say m 1 =l m 2 when messages m 1 and m 2 reveal only equivalent information to Dolev-Yao observers weaker than l. Corollary Lemma (Adequacy for Values) If v 1 =l v 2 then compile(v 1 ) = l compile(v 2 ). M 1 =l M 2 compile compile σ 1 =l σ 2 19/21

Read the paper for more results. Today we discussed noninterference and adequacy. In the paper we consider feasibility. evaluation M 1 =l M 2 M 2 = l M 1 evaluation compile compile σ 1 =l σ 2 20/21

Read the paper for more results. Today we discussed noninterference and adequacy. In the paper we consider feasibility. evaluation M 1 =l M 2 M 2 = l M 1 evaluation compile compile σ 1 =l σ 2 20/21

Read the paper for more results. Today we discussed noninterference and adequacy. In the paper we consider feasibility. evaluation M 1 =l M 2 M 2 = l M 1 evaluation compile compile σ 1 =l σ 2 20/21

Read the paper for more results. Today we discussed noninterference and adequacy. In the paper we consider feasibility. compile compile evaluation M 1 =l M 2 evaluation M 2 = l M 1 compile crypto. ops σ 1 =l σ 2 σ 2 = l σ 1 compile crypto. ops 20/21

Read the paper for more results. Today we discussed noninterference and adequacy. In the paper we consider feasibility. compile compile evaluation M 1 =l M 2 evaluation M 2 = l M 1 compile crypto. ops σ 1 =l σ 2 σ 2 = l σ 1 compile crypto. ops 20/21

Take home messages SImp explores a new space in information flow languages with declarative policies implemented by a cryptographic mechanism, a strong noninterference property, and a rich, structural label language. 21/21

Appendix Typing Rules Future Work Package Uniqueness DLM Comparison Expression Noninterference Statement Command Noninterference Statement Adequacy Statements Feasibility Statement Cryptographic Operations

Pack provides a limited declassify, unpack an endorse. Definition Fragment Θ; Γ e : τ{l e } I(l e ) = I(l) Θ; Γ pack e at l e : (pkg + error){l} Θ; Γ e : pkg{l e } C(l e ) = C(l) Θ; Γ unpack e as τ{l} : (τ + error){l} These rules are safe because of the dynamic checks. toc A

This is just the beginning. Further research questions: Can homomorphic encryption be used for computation within packages? How can we compile alternative label models? share semantics uniqueness labels How does package upgrading and downgrading interact with cryptography? toc B

A explicit non-goal: package uniqueness. Replay attacks (vs. legitimate uses of persistence) are best detected at higher levels of abstraction. Uniqueness checks appear to require interactive protocols. Resolving these challenges would be interesting future work. toc C

Our DLM is a variant of Myers and Liskov s original. Example Here: l = {Alice: Charlie! ; Bob: Dave! } {Charlie, Dave} reads l Myers and Liskov: {Dave, Charlie} reads l toc We don t consider an explicit acts-for-hierarchy. It should work technically but is orthogonal. Intuitively, principal sets act for component principals. Key difference: Myers and Liskov: Calculate readers, then close under acts-for. Here: Close under acts-for, then calculate readers. D

Formal statement of expression noninterference. Theorem (Expression noninterference) If Θ M 1 OK, Θ M 2 OK and Θ M 1 =l M 2 Θ; e 1 : τ{l e } and e 1 =l e 2 where l e l p; M 1 e 1 v 1 and p; M 2 e 2 v 2 then v 1 =l v 2. toc E

Command evaluation respects noninterference. Theorem (Command Noninterference) If Θ M 1 OK, Θ M 2 OK and Θ M 1 =l M 2 pc; Θ; c 1 and c 1 =l c 2 p M 1, c 1 M 1, skip and p M 2, c 2 M 2, skip then Θ M 1 = l M 2. toc F

Adequacy theorems: compilation is secret preserving. Lemma (Adequacy of Value Translation) If v 1 =l v 2 and κ is fresh then V[[v 1 ]] κ =l V[[v 2 ]] κ. Corollary (Adequacy of Memory Translation) If Θ M 1 =l M 2 and κ is fresh then M[[M 1 ]] κ Θ = l M[[M 2 ]] Θ κ. toc G

Realizable operations simulate SImp evaluation. Theorem (Feasibility) If Θ M OK pc; Θ; Γ c p reads pc and p writes pc, p M, c M, c then κ 3, κ 4. M[[M]] Θ κ 1 state(κ 2, p, c) M[[M ]] Θ κ 3 state(κ 4, p, c). toc H

Only some operations are cryptographically realizable. Definition σ σ, knows (K + κ, K κ ) CS-FRESH κ fresh CS-DERIVE σ d m σ σ, knows m CS-FORGET σ σ σ σ CS-COMPUTE σ d "i 1 " σ d "i 2 " σ σ, "i 3 " where i 3 = i 1 + i 2 toc I

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback