1 / 41

Information-Flow Security in Haskell

Information-Flow Security in Haskell. Alejandro Russo russo@chalmers.se. Advance Functional Programming Guest Lecture, February 1 6 th, 200 9. Introduction. Computer systems usually handles confidential information Credit card numbers, passwords, medical files, etc Mobile phones?

kalare
Download Presentation

Information-Flow Security in Haskell

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Information-Flow Security in Haskell Alejandro Russo russo@chalmers.se Advance Functional Programming Guest Lecture, February 16th, 2009

  2. Introduction • Computer systems usuallyhandlesconfidential information • Credit card numbers, passwords, medical files, etc • Mobile phones? • How can programs preserve confidentiality of data ? TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAA

  3. Linux Shadow Password HOWTO: Adding shadow support to a C program Adding shadow support to a program is actually fairly straightforward. The only problem is that the program must be run by root (or SUID root) in order for the the program to be able to access the /etc/shadow file. Linux Login Authentication • /etc/passwd • /etc/shadow bjorn:x:1003:100::/home/andrei:/bin/bash hana:x:500:100::/home/tsa: josef:x:1006:100::/home/john:/bin/bash bjorn:$1$0ID5oZxB$0tdKR1VQWWQlkJR1Uj7na0:13397:0:99999:7::: hana:$1$.28fO/M9$aaNMN4SWEKZiGPYoEq9996:13460:0:::::0 josef:$1$UP1uD.28$hi3vYEa20.zgWYNVN/Lq81:13539:0:99999:7::: TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAA

  4. Linux Login Authentication • Security problems? • Passwords can be stolen • It is only necessary to obtain root access • Trojan horses • Buffer overflow attacks • Etc... TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAA

  5. Linux Login Authentication • Linux provides an API to access /etc/shadow #ifdef HAS_SHADOW #include <shadow.h> #include <shadow/pwauth.h> #endif • /etc/shadow can be accessed not only by the API • Let assume the opposite TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAA

  6. More graphically access control is not enough! API Storage for passwords

  7. Demo

  8. Language-based Security • Analyzing the code of the whole system • Confidentiality, Integrity, etc. • Information-flow analysis: • How the information flow inside programs: is there a secret “going out” of the system?

  9. Information-Flow • Programs have secret and public inputs and outputs, respectively Non-interference

  10. Information-Flow • Programs have secret and public inputs and outputs, respectively Leak of Information!

  11. Information-Flow Security • Study for ~30 years • Active research field • Compilers • JIF (Java) 2001-2009 • Cornell University • FlowCaml (ML) 2002 • INRIA (not actively developed) • Impact on practice • Limited!

  12. Why Haskell? • Pure language • No side-effects • Side-effects reflected in types (IO, etc) • Strong type system • Cannot ”cheat”

  13. Examples f ::(Char {- secret -}, Int) -> (Char {- secret -}, Int) Secure f (c, i) = ( chr(ord c + i), i) Secure f (c, i) = (chr(ord c + 1),i+1) Insecure f (c, i) = (chr(ord c + i), chr c) Insecure f (c, i) | c > 65 = (c, 42) | otherwise = (c, i)

  14. Simple security API dataSecH a – abstract • Once inside the monad, you cannot go out!! instance Functor SecH instance Monad SecH f ::(SecH Char, Int) -> (SecH Char, Int) • Termination-insensitivesecurity • Termination-sensitive.. Agda?

  15. Revised examples f ::(SecH Char,Int)-> (SecH Char,Int) Secure f (c, i) = ( chr(ord c + i), i) Type checks! f (sc,i) = (do c <- sc return chr(ord c+i), i) Insecure f (c, i) = (chr(ord c + i), chr c) Doesn’ttype checks! f (sc, i) = (…, do c <- sc return (chr c) )

  16. Security guarantee Typechecks! Secure

  17. Security lattice dataSec s a -- abstract dataH = H -- abstract dataL = L -- public class Less sL sH where lesser :: sL -> sH -> () up :: Less sL sH => Sec sL a -> Sec sH a instance Less L H instance Less L L instance Less H H H Sec H a ~= SecH a Sec L a ~= a L

  18. Arquitecture unsafePerformIO, Exceptions, etc. ~400 LOC TrustedCode HaskellLibraries Code of the library SafeHaskellLibraries Secure Interface (SecLib.hs) Attacker/ UntrustedCode

  19. What about IO? • IO Features • References • Files • Stdin/Stdout • In this talk only files

  20. Secure side-effects • What about trying to do side-effects inside of the security monad? Insecure Secure SecH (IO a) We don’t know! • Another monad?

  21. Extended security API -Write to level s or higher -Produce a value at level s dataSecIO s a –- abstract value :: Sec s a -> SecIO s a dataFile s-- abstract readFileSecIO :: File s’ -> SecIO s (Sec s’String) writeFileSecIO :: File s -> String -> SecIO s () run :: SecIO s a -> IO (Sec s a) instance Functor SecIO instance Monad SecIO Side effects escape from SecIO!

  22. Little quiz for trusted code’s programmers Secure IO (Sec H a) Insecure Sec H ( IO (Sec L a) ) TrustedCode Secure SecIO L Int Insecure Attacker/ UntrustedCode SecIO L (IO () )

  23. Login Authentication • We have the following API to the shadow file data Spwd = Spwd { uid :: UID, cypher :: Cypher } getSpwdName :: Name -> IO (Maybe Spwd) putSpwd :: Spwd -> IO ( ) • Can we rewrite it ? • To avoid passwords being stolen TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAA

  24. Secure API? • Can we implement an API that preserves the confidentiality of passwords? • Let’s use our Sec, SecIO, etc. • Let’s see the types again. data Spwd = Spwd { uid :: UID, cypher :: Cypher } getSpwdName :: Name -> IO putSpwd :: (Maybe (Sec H Spwd) ) (Maybe Spwd) Sec H Spwd -> IO (Sec H ( ) ) Spwd -> IO ( )

  25. Auxiliaries functions • do s <- readFile path_Shadow • (s == s) `seq` return (read s :: [(UID, Cypher)]) path_Shadow :: File H path_Shadow = highF -- Like /etc/shadow.. (access only by API) path_Passwd :: FilePath path_Passwd = “/etc/passwd“ parseSpwd :: IO parseSpwd = parsePwd :: IO ([(Name, UID)]) parsePwd = do s <- readFile path_Passwd (s == s) `seq` return (read s :: [(Name, UID)]) ( Sec H [(UID, Cypher)] ) run ( do sec <- readFile path_Shadow -- sec :: Sec H String s <- value sec -- s :: String (s == s) `seq` return (read s :: [(UID, Cypher)]))

  26. ( \ps -> `fmap` sec_pwds API: Getting a password getSpwdName user = do sec_pwds<- parseSpwd -- sec_pwds :: Sec H [(UID, Cypher)] users<- parsePwd -- users :: ([(Name, UID)] case lookup user users of Nothing -> return Nothing Just uid’ -> return $ Just $ case lookup uid’ps of Nothing -> error “not possible” Just c -> Spwd { uid = uid’ , cypher = c}) getSpwdName :: Name -> IO (Maybe (Sec H Spwd) )

  27. API: Setting a password putSpwd :: putSpwd pwd = do sec_pwds <- parseSpwd -- sec_pwds :: Sec H [(UID, Cypher)] Sec H Spwd -> IO (Sec H ( ) ) let secio = do pwds <- value sec_pwds -- pwds :: [(UID, Cypher)] let (id, c) = (uid pwd, cypher pwd) (ts,ds) = span (\(u,_) -> u /= id ) pwds updated = if null ds then ts++[(id,c)] else ts++[(id,c)]++(tail ds) writeFileSecIO path_Shadow (show updated) run secio

  28. More graphically API Storage for passwords

  29. Secure API • Security problems of our secure API? • Passwords can be stolen? • No! • Trojans? Buffer overflows? • No need to be root to use the API • No need to perform SIUD to use the API • Can we implement a login program? TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAA

  30. Declassification

  31. Declassification • Login program: it is necessary to leak information that depends on secrets • pwd == input • Dimensions and principles of declassificaiton [Sabelfeld and Sands, 06] • What information can be leak? • When can information be leaked? • Where in the program is safe to leak information? • Who can leak information? • How to be certain that our programs leak what they are supposed to leak?

  32. Declassification in the Library • Our library should be able to handle different kind of declassificaiton policies • Policies are programs! • Trusted users of the library implement them • Controlled at run-time • A module defines combinators for different declassification policies (what, when, who) • In the talk: what TrustedCode

  33. Escape hatches • Declassification is performed by functions • Terminology: escape hatches [Sabelfeld and Myers, 2004] • In our library: • Example: checking password • type Hatch sH sL a b = Sec sH a -> Sec sL b • hatch :: (a -> b) -> Hatch sH sL a b –- hidden • check :: Hatch H L (String,Passwd) Bool • check = hatch (\(input,pwd) -> pwd == input) monomorphic

  34. Escape hatches • We want to restrict capabilities of escape hatches type Hatch sH sL a b = Sec sH a -> IO (Maybe (Sec sL b)) mayfail internalstate

  35. Declassification combinators -- Restricting ”what” (how often) nTimes :: Int -> Hatch sH sL a b -> IO (Hatch sH sL a b) -- Example match = nTimes 3 (hatch (\(secret,pwd) -> secret == pwd)) • Other combinators in the library... • who, when • Possible to combine them and create ”complex” policies for declassification!

  36. (Maybe (Sec H Spwd) ) (Sec H Spwd) Login Program (Code) login 0 _ = return () login n u = do putStr "Password:" pwd <- getLine src <- getSpwdName u case src of Nothing -> putStrLn "Invalid user!" Just p -> check p pwd n u check p pwd n u = import IO import SpwdData import Spwd loginMain = do welcome u <- username login 3 u welcome = putStrLn "This is ged node. Welcome!" username = do putStr "ged login: " getLine do Just acc <- match ((\s -> (s, pwd)) `fmap` p) if acc then putStrLn "Launching shell..." else do putStrLn "Invalid login!" login (n-1) u TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAA

  37. Further details • Login program using the secure API + declassification • Paper about the library • Authors: Russo, Claessen, Hughes • Haskell Symposium ’08 • Google: Alejandro Russo http://www.cs.chalmers.se/~russo/

  38. Conclusions about the library • Light-weight (~400 LOC) • Polymorphic secure code for free! • Practical • Simple (Monads) • Features: files, references, stdio/stdout, and more • Declassification • Limitations • Timing leaks • Static security lattice

  39. Future directions • Networking • Cryptography (declassification) • The flexibility of Haskell together with providing information-flow as a library allows to include features with little effort! • Others?

  40. Some ideas (for master thesis?) • Integrity policies in the code • Discretionary policies • How untrusted code can use resources? • Data invariants (indexes of arrays always fit into their boundaries) • Non-interference integrity policies • Untrusted data cannot affect trusted data • Endorcement • Can integrity policies be included in the library in a modular manner? • Topic worth to explore!!!

  41. End

More Related