Secure Information Flow and CPS

Steve Zdancewic
Joint work with Andrew Myers
Cornell University
Steve Zdancewic ESOP01
1
Valuable Data On-line
• Internet and Connectivity
– banks/brokerage firms
– e-mail services
– applets, plugins, etc.
–…
• Creates problem of protection
Protect It!
• Confidentiality
– Data doesn't escape
– Does my accounting software
transmit my private information?
• Integrity
– Trustworthiness of data
– Does my accounting software use
“bad” information to compute taxes?
Information Flow
• Policies on information
• End-to-End
– Once data is released to a program,
must ensure that policy is obeyed.
• Need static analysis
Security-Typed Languages
• Statically enforce security policies
in an extended type system
– Smith & Volpano [SVI96, SV98,...]
– Heintze & Riecke [HR98, ABHR99]
– Myers [ML97,My99,...]
– Sabelfeld & Sands [SS99, SS00]
– Pottier & Conchon [PC00,...]
Noninterference
"Low-security behavior of the
program is not affected by any
high-security data."
Goguen & Meseguer 1982

[Diagram: runs that share a low input (L1, or L2) but differ in their high input (H1 vs H3, H2 vs H4) produce the same low-observable result.]
Our Goal
• Study information flow in rich
language
– Higher-order functions
– State
• Noninterference proof
Continuation Passing Style
• Useful representation of low-level
code – verify output of the
compiler.
• Main complication: explicit control
and interaction with effects
Outline
• Motivating Example
• Problem with Naïve CPS translation
• Ordered Linear Continuations
• Wrap up
Security Types
• A lattice L of labels
  – order ⊑:  L ⊑ H
  – join ⊔:   L ⊔ H = H
• Types have labels: intH or boolL
Example

pc:L
if0 (x:intH){
  pc:H
  y := 1;     // y:intH
} else {
  pc:H
  y := 2;
}
pc:L
z := 3;       // z:intL
PC Label
• Side-effects are bounded by PC
label.
  x:ts ref     pc:p     e:tr     (p ⊔ r) ⊑ s
  ------------------------------------------
                   x := e
What about functions?
• Effects inside a function must also
be bounded by PC label.
  f:t →r s     e:t     pc:p     p ⊑ r
  -----------------------------------
                f(e)

  (r, the label on the arrow, bounds the PC inside the body of f)
Naive CPS

pc:H
let k = λ(). z := 3;   //z:intH
if0 (x:intH){
  pc:H
  y := 1;
  k();
} else {
  y := 2;
  k();
}

k is an ordinary function called from pc:H, so the function rule forces its body to be checked at pc:H and z must be intH, even though z := 3 runs on every path.
Linear Continuations

let k = λ(). z := 3;   //z:intH
if0 (x:intH){
  y := 1;
  k();
} else {
  y := 2;
  k();
}

k is used linearly!
Main Idea
• Use linear continuations to express
the control-flow properties of the
source language via types
• But...not quite enough
Order of Evaluation
• Order the continuations are
invoked is also important!
• Can observe the order via side
effects
• So...ordered linear continuations
What Are They?
• Linear continuations:
First-class postdominators of
control flow graph
• Ordered linear continuations:
Encode the control stack
Target CPS Language
• Includes regular continuations and
ordered linear continuations
• Careful manipulation of context:
    Γ | kn, …, k1 [pc] ⊢ e
  Ordered list encodes stack
Noninterference
If
  x:tH | [L] ⊢ e : intL
  ∀ v1, v2 : tH
  (M, e{v1/x}) →* (M1, n1)
  (M, e{v2/x}) →* (M2, n2)
Then M1 ≈L M2 (the memories agree on L locations) and n1 = n2
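The following is an added example, not code from the paper or these slides. It is a small Python checker for a toy CPS language that covers the slides' "PC Label" and "What about functions?" rules (assignment requires (p ⊔ r) ⊑ s; calling an ordinary continuation requires pc ⊑ its bound), the "Naive CPS" problem, and the ordered-linear alternative (a linear continuation must be the innermost pending one when invoked, must be invoked on every path, and needs no pc constraint). A tiny interpreter then tests the noninterference statement above on two choices of the secret. The syntax, the `LetK`/`LetLin`/`Goto`/`LGoto` constructors, the policy `LABELS`, the sample programs and the treatment of ordinary continuations (their bodies are checked with an empty linear stack and `goto` is only allowed once the stack is empty) are my simplifications, not the paper's calculus.

```python
from dataclasses import dataclass
L, H = "L", "H"                                  # two-point lattice, L ⊑ H
def leq(a, b):  return a == L or b == H          # ⊑
def join(a, b): return H if H in (a, b) else L   # ⊔

# Toy CPS syntax (constructed for this example, not the paper's calculus); an expression is
# a string: a variable name, or an integer literal (label L).
@dataclass
class Assign: x: str; e: str; next: object              # x := e; next
@dataclass
class If0:    x: str; then: object; else_: object       # if0 x { then } else { else_ }
@dataclass
class LetK:   k: str; pc: str; body: object; rest: object   # ordinary continuation k = λ[pc](). body
@dataclass
class LetLin: k: str; pc: str; body: object; rest: object   # linear continuation   k = λ[pc](). body
@dataclass
class Goto:   k: str                                    # tail-call an ordinary continuation
@dataclass
class LGoto:  k: str                                    # consume a linear continuation
@dataclass
class Halt:   pass

class Rejected(Exception): pass

def check(cmd, labels, pc=L, kenv=None, stack=()):
    """Check cmd at program-counter label pc.  labels: variable -> label; kenv: ordinary
    continuation -> pc bound; stack: linear continuations in scope, innermost last."""
    kenv = kenv or {}
    if isinstance(cmd, Assign):                          # slide rule: (p ⊔ r) ⊑ s
        s, r = labels[cmd.x], labels.get(cmd.e, L)
        if not leq(join(pc, r), s):
            raise Rejected(f"{cmd.x} := {cmd.e} at pc {pc} writes {join(pc, r)} data into {s}")
        check(cmd.next, labels, pc, kenv, stack)
    elif isinstance(cmd, If0):                           # both branches run at pc ⊔ label(x)
        for branch in (cmd.then, cmd.else_):
            check(branch, labels, join(pc, labels[cmd.x]), kenv, stack)
    elif isinstance(cmd, LetK):                          # body checked at its bound, no linear scope (simplification)
        check(cmd.body, labels, cmd.pc, kenv, ())
        check(cmd.rest, labels, pc, {**kenv, cmd.k: cmd.pc}, stack)
    elif isinstance(cmd, LetLin):                        # the join point is reached at pc, so pc ⊑ pc_k
        if not leq(pc, cmd.pc):
            raise Rejected(f"letlin {cmd.k} at pc {pc} cannot run its body at {cmd.pc}")
        check(cmd.body, labels, cmd.pc, kenv, stack)           # body runs after k is consumed: outer stack
        check(cmd.rest, labels, pc, kenv, stack + (cmd.k,))    # rest must consume k before any outer one
    elif isinstance(cmd, Goto):                          # naive rule (the function rule): pc ⊑ bound
        if not leq(pc, kenv[cmd.k]):
            raise Rejected(f"goto {cmd.k} at pc {pc} exceeds its bound {kenv[cmd.k]}")
        if stack:
            raise Rejected(f"goto {cmd.k} abandons linear continuations {list(stack)}")
    elif isinstance(cmd, LGoto):                         # ordered linear rule: only the innermost pending k;
        if not stack or stack[-1] != cmd.k:              # no pc ⊑ pc_k check, since k runs exactly once on every path
            raise Rejected(f"lgoto {cmd.k} out of order; pending stack is {list(stack)}")
    elif isinstance(cmd, Halt) and stack:
        raise Rejected(f"halt leaves linear continuations {list(stack)} un-invoked")

def run(cmd, mem):
    """Execute cmd on memory mem (variable -> int) and return the final memory."""
    kenv = {}
    while not isinstance(cmd, Halt):
        if isinstance(cmd, Assign):
            mem[cmd.x] = mem[cmd.e] if cmd.e in mem else int(cmd.e); cmd = cmd.next
        elif isinstance(cmd, If0):
            cmd = cmd.then if mem[cmd.x] == 0 else cmd.else_
        elif isinstance(cmd, (LetK, LetLin)):
            kenv[cmd.k] = cmd.body; cmd = cmd.rest
        else:                                            # Goto / LGoto
            cmd = kenv[cmd.k]
    return mem

def noninterferes(cmd, labels, low_mem, high_inputs):
    """Empirical form of the slides' theorem: fix the low input, vary the high one, compare L vars."""
    mems = [run(cmd, {**low_mem, **hv}) for hv in high_inputs]
    return all(mems[0][v] == m[v] for m in mems[1:] for v in labels if labels[v] == L)

LABELS = {"x": H, "y": H, "z": L, "a": L, "b": L}         # constructed policy
LOW_MEM = {"z": 0, "a": 0, "b": 0}                          # constructed public input
HIGH_INPUTS = [{"x": 0, "y": 0}, {"x": 1, "y": 0}]          # two choices of the secret x

def slide_program(linear, bound=L):
    """let k = λ[bound](). z := 3 in if0 x { y := 1; k() } else { y := 2; k() }"""
    Let, Call = (LetLin, LGoto) if linear else (LetK, Goto)
    return Let("k", bound, Assign("z", "3", Halt()),
               If0("x", Assign("y", "1", Call("k")), Assign("y", "2", Call("k"))))

def skipped_continuation():
    """letlin k1 = [L]. a := 1; halt in letlin k2 = [L]. b := 1; lgoto k1 in
    if0 x { lgoto k1 } else { lgoto k2 }  -- the then-branch skips k2, so b reveals x"""
    return LetLin("k1", L, Assign("a", "1", Halt()),
           LetLin("k2", L, Assign("b", "1", LGoto("k1")),
                  If0("x", LGoto("k1"), LGoto("k2"))))

def verdict(cmd):
    try: check(cmd, LABELS); return "accepted"
    except Rejected as why: return f"rejected: {why}"

if __name__ == "__main__":
    for name, p in [("naive k", slide_program(False)), ("linear k", slide_program(True)),
                    ("k2 skipped", skipped_continuation())]:
        print(name, "->", verdict(p), "| noninterferes:", noninterferes(p, LABELS, LOW_MEM, HIGH_INPUTS))
```

Running it shows the three situations from the slides: the naive translation of the example is rejected whether k's bound is L (the goto from pc:H violates pc ⊑ bound) or H (z := 3 in a pc:H body can no longer target z:intL), even though the interpreter confirms it does not actually leak, which is the usual conservatism of a type system; the linear version is accepted and the two runs agree on z. The `skipped_continuation` program is the reason ordering and linearity matter: the then-branch jumps straight to the outer k1 and never consumes k2, so the public variable b ends up 0 or 1 depending on the secret x. The checker rejects it because k1 is not the innermost pending continuation, and `noninterferes` reports the leak.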
Results
• Formalize ordered linear
continuations in the type system
• Prove that the CPS language
enjoys noninterference
– Proof hinges on ordering property
– First proof for such a rich language
• Expressive enough as a target
Other Connections
• Linearity of control also plays a
role in security-typed versions of the
π-calculus [Honda et al.]
• Linear control is interesting in its
own right