
Language-based Security: Information Flow Control

18739A: Foundations of Security and Privacy. Language-based Security: Information Flow Control. Anupam Datta Fall 2009. Lecture Outline. Information Flow Control (IFC) Security definition Non-interference [Goguen-Meseguer82] Language-based enforcement





Presentation Transcript


  1. 18739A: Foundations of Security and Privacy Language-based Security: Information Flow Control Anupam Datta Fall 2009

  2. Lecture Outline Information Flow Control (IFC) • Security definition • Non-interference [Goguen-Meseguer82] • Language-based enforcement • Type system [Volpano-Smith-Irvine96] based on prior work [Denning-Denning77]

  3. IFC in Tax Preparation Software

  4. Definition of Security • Security levels: H: Classified, L: Unclassified • Non-interference (idea) [figure: a Program box with high inputs HI, HI′ and low input LI, producing high outputs HO, HO′ and low output LO] • No information flows from high inputs to low outputs

  5. Example: if x = 1 then y:=1 else y:=0
     x   y   NI
     H   H   Yes
     L   L   Yes
     H   L   No
     L   H   Yes

  6. Specification and Enforcement • Approach • Use a typed programming language • Types represent security levels • H, L, … • Sub-typing captures the partial order among security levels • L ≤ H • The type system captures the allowed information flows • Soundness theorem • Well-typed programs satisfy non-interference

  7. Language Definition • Syntax • Type System • Operational Semantics • Soundness Theorem • Well typed programs satisfy non-interference

  8. Syntax (I)

  9. Syntax (II) • We will focus on the special case where a type is either H or L, with L ≤ H

  10. Type System (I) • Typing judgment

  11. Type system (II)

  12. Type System (III)

  13. Example: if x = 1 then y:=1 else y:=0
     x   y   NI
     H   H   Yes
     L   L   Yes
     H   L   No
     L   H   Yes
     Will justify rows 1 & 2

  14. Example with types Key rules used are (ASSIGN) and (IF)

  15. Type System (IV)

  16. Example: if x = 1 then y:=1 else y:=0
     x   y   NI
     H   H   Yes
     L   L   Yes
     H   L   No
     L   H   Yes
     Will justify rows 3 & 4

  17. Example with types, L ≤ H • Suppose x: L var and y: H var • Use (ASSIGN), (CMD⁻), (SUBTYPE) to infer (y:=1): L cmd and (y:=0): L cmd • Now use the (IF) rule • x: H var and y: L var is not well-typed, as expected
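The rules the slides name ((ASSIGN), (IF), (CMD⁻), (SUBTYPE)) are enough to build a small checker for the two-level fragment. The code below is an added example written for this page, not the lecture's or the Volpano-Smith-Irvine paper's code; it assumes a tuple-based AST for the slides' while-language and the two-point lattice L ≤ H, computes the greatest τ with c : τ cmd (so (CMD⁻) then gives every lower level), and reproduces the Yes/Yes/No/Yes table for the running example.

```python
# Added example (not from the lecture slides): a checker for the two-level
# fragment of the Volpano-Smith-Irvine type system over a tiny while-language.
# Programs are plain tuples (an assumed AST encoding, not the slides' notation).
from typing import Dict, Tuple

Level = str                        # "L" (unclassified) or "H" (classified)
RANK = {"L": 0, "H": 1}            # the two-point lattice with L ≤ H


def leq(a: Level, b: Level) -> bool:
    return RANK[a] <= RANK[b]


def join(a: Level, b: Level) -> Level:   # least upper bound
    return a if leq(b, a) else b


def meet(a: Level, b: Level) -> Level:   # greatest lower bound
    return a if leq(a, b) else b


class IFCTypeError(Exception):
    """Raised when no typing derivation exists, i.e. the program contains an illegal flow."""


def expr_level(e: Tuple, env: Dict[str, Level]) -> Level:
    """Least τ with e : τ.  Literals are L; (SUBTYPE) lets any expression be read at a higher level."""
    tag = e[0]
    if tag == "int":
        return "L"
    if tag == "var":
        return env[e[1]]                               # (VAR): x : τ var  ⇒  x : τ
    if tag == "op":                                    # (ARITH): both operands raised to a common level
        return join(expr_level(e[2], env), expr_level(e[3], env))
    raise ValueError(f"unknown expression {e!r}")


def cmd_level(c: Tuple, env: Dict[str, Level]) -> Level:
    """Greatest τ with c : τ cmd.  (CMD⁻) then also gives c : τ' cmd for every τ' ≤ τ."""
    tag = c[0]
    if tag == "skip":
        return "H"
    if tag == "assign":                                # (ASSIGN): x : τ var, e : τ  ⇒  x := e : τ cmd
        _, x, e = c
        src, dst = expr_level(e, env), env[x]
        if not leq(src, dst):                          # explicit flow from a higher to a lower variable
            raise IFCTypeError(f"explicit flow: {x} is {dst} but the assigned expression is {src}")
        return dst
    if tag == "seq":                                   # (COMPOSE): both parts typed at one common level
        return meet(cmd_level(c[1], env), cmd_level(c[2], env))
    if tag == "if":                                    # (IF): e : τ, c1 : τ cmd, c2 : τ cmd  ⇒  τ cmd
        guard = expr_level(c[1], env)
        body = meet(cmd_level(c[2], env), cmd_level(c[3], env))
    elif tag == "while":                               # (WHILE): same shape as (IF)
        guard = expr_level(c[1], env)
        body = cmd_level(c[2], env)
    else:
        raise ValueError(f"unknown command {c!r}")
    # The guard may be raised to τ (SUBTYPE) and the branches lowered to τ (CMD⁻);
    # such a τ exists exactly when guard ≤ body.
    if not leq(guard, body):
        raise IFCTypeError(f"implicit flow: a {guard} guard controls a {body} command")
    return body


def well_typed(c: Tuple, env: Dict[str, Level]) -> bool:
    try:
        cmd_level(c, env)
        return True
    except IFCTypeError:
        return False


# The slides' running example: if x = 1 then y := 1 else y := 0
SLIDE_PROGRAM = ("if", ("op", "=", ("var", "x"), ("int", 1)),
                 ("assign", "y", ("int", 1)),
                 ("assign", "y", ("int", 0)))


def slide_table() -> Dict[Tuple[Level, Level], bool]:
    """Reproduce the (x, y, well-typed?) table from the slides."""
    return {(x, y): well_typed(SLIDE_PROGRAM, {"x": x, "y": y})
            for x, y in [("H", "H"), ("L", "L"), ("H", "L"), ("L", "H")]}


if __name__ == "__main__":
    for (x, y), ok in slide_table().items():
        print(f"x: {x} var, y: {y} var -> {'well-typed' if ok else 'rejected'}")
```

With x: L var and y: H var the checker returns H for the whole conditional; the slides' derivation instead coerces both branches down to L cmd with (CMD⁻) before applying (IF), which is the same derivability fact viewed from the other end of the lattice. With x: H var and y: L var the guard is H while the branches can only be typed as L cmd, so no τ satisfies (IF) and the implicit flow is rejected.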

  18. Operational Semantics (I) • A program executes by evaluating expressions and commands • Memory: a function from locations to values; (l) is the contents of location l • Judgments: evaluating expression e in a memory yields a value n; evaluating command c in a memory yields a new memory

  19. Operational Semantics (II)

  20. Operational Semantics (III)

  21. Soundness Theorem

  22. Recall Non-interference • Security levels: H: Classified, L: Unclassified [figure: a Program box with high inputs HI, HI′ and low input LI, producing high outputs HO, HO′ and low output LO] • No information flows from high inputs to low outputs
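The operational semantics (slides 18-20) and the non-interference property (slide 22) can be checked against each other directly: run the program from pairs of memories that agree on the L variables and compare the L variables afterwards. The code below is an added example for this page, not the lecture's code; it assumes the same tuple-based AST as the type checker above and models a memory as a dict from variable names to integers. The search is exhaustive over a tiny value domain and termination-insensitive (diverging runs are skipped), which matches the soundness theorem's notion of non-interference for this language. It also illustrates that soundness is one-directional: `if x = 1 then y:=1 else y:=1` is non-interferent, yet the type system rejects it for x: H var, y: L var because the (IF) rule looks only at levels, not values.

```python
# Added example (not from the lecture slides): execute the while-language and
# test non-interference on small memories.  The AST is the assumed tuple
# encoding used above; memories are dicts from variable names to integers.
import itertools
from typing import Dict, Optional, Tuple

Memory = Dict[str, int]
Level = str


class Diverges(Exception):
    """The command did not terminate within the step budget."""


def eval_expr(e: Tuple, mem: Memory) -> int:
    """Expression judgment: evaluating e in memory mem yields a value."""
    tag = e[0]
    if tag == "int":
        return e[1]
    if tag == "var":
        return mem[e[1]]
    if tag == "op":
        a, b = eval_expr(e[2], mem), eval_expr(e[3], mem)
        if e[1] == "=":
            return int(a == b)
        if e[1] == "+":
            return a + b
        if e[1] == "-":
            return a - b
    raise ValueError(f"unknown expression {e!r}")


def run(c: Tuple, mem: Memory, fuel: int = 10_000) -> Memory:
    """Command judgment: evaluating c in memory mem yields a new memory (raises Diverges if it loops)."""
    mem = dict(mem)                      # the input memory is never mutated

    def go(cmd: Tuple) -> None:
        nonlocal fuel
        fuel -= 1
        if fuel < 0:
            raise Diverges
        tag = cmd[0]
        if tag == "skip":
            return
        if tag == "assign":
            mem[cmd[1]] = eval_expr(cmd[2], mem)
        elif tag == "seq":
            go(cmd[1])
            go(cmd[2])
        elif tag == "if":
            go(cmd[2] if eval_expr(cmd[1], mem) != 0 else cmd[3])
        elif tag == "while":
            while eval_expr(cmd[1], mem) != 0:
                go(cmd[2])               # every iteration consumes fuel, so an infinite loop raises Diverges
        else:
            raise ValueError(f"unknown command {cmd!r}")

    go(c)
    return mem


def diverges(c: Tuple, mem: Memory, fuel: int = 10_000) -> bool:
    try:
        run(c, mem, fuel)
        return False
    except Diverges:
        return True


def low_equal(m1: Memory, m2: Memory, env: Dict[str, Level]) -> bool:
    """Two memories are low-equivalent when they agree on every L variable."""
    return all(m1[v] == m2[v] for v, lvl in env.items() if lvl == "L")


def find_ni_violation(c: Tuple, env: Dict[str, Level],
                      domain=(0, 1)) -> Optional[Tuple[Memory, Memory, Memory, Memory]]:
    """Search for low-equivalent inputs whose terminating runs end in memories that differ on L variables."""
    names = sorted(env)
    mems = [dict(zip(names, vals)) for vals in itertools.product(domain, repeat=len(names))]
    for m1, m2 in itertools.combinations(mems, 2):
        if not low_equal(m1, m2, env):
            continue
        try:
            r1, r2 = run(c, m1), run(c, m2)
        except Diverges:
            continue                     # termination-insensitive: only terminating runs are compared
        if not low_equal(r1, r2, env):
            return m1, m2, r1, r2
    return None


# Constructed test programs, all over variables x and y.
SLIDE_PROGRAM = ("if", ("op", "=", ("var", "x"), ("int", 1)),
                 ("assign", "y", ("int", 1)), ("assign", "y", ("int", 0)))
CONSTANT_BRANCHES = ("if", ("op", "=", ("var", "x"), ("int", 1)),
                     ("assign", "y", ("int", 1)), ("assign", "y", ("int", 1)))
LOOP_ON_X = ("while", ("op", "=", ("var", "x"), ("int", 1)), ("skip",))

if __name__ == "__main__":
    print(find_ni_violation(SLIDE_PROGRAM, {"x": "H", "y": "L"}))   # a witness pair
    print(find_ni_violation(CONSTANT_BRANCHES, {"x": "H", "y": "L"}))  # None: non-interferent
```

For the slides' program with x: H var and y: L var the search returns the memories x=0 and x=1 (both with y=0) whose runs end with y=0 and y=1, exactly the row the type system rejects; for x: L var and y: H var no witness exists. `LOOP_ON_X` with x: H var diverges on the secret value 1, which this check ignores; a timing- or termination-sensitive definition would treat that as a channel.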

  23. Practical Languages for IFC • Jif [Liskov-Myers et al.] • Java + information flow • http://www.cs.cornell.edu/jif/ • Flow Caml [Pottier-Simonet] • Extends OCaml language with type system for tracing information flow • http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.11.2104

  24. Web Security: A Domain for IFC Brendan Eich, Chief Technology Officer, Mozilla Corp. Improving JavaScript's Default Security Model with Information Flow, CSF 2009 Invited talk

  25. Thanks Questions?

  26. Formal definition • The system is a deterministic finite state machine: it takes an input and transitions to the next state, producing an output • A trace tr is a sequence of inputs and outputs (high and low) • OutputL(S,tr,c): the low output of system S when input c is applied to the state reached after trace tr • purgeHI(tr): the trace tr with all high inputs removed
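The state-machine formulation on this slide can be executed as a bounded check: for every trace tr up to a given length and every low input c, OutputL(S, tr, c) must equal OutputL(S, purgeHI(tr), c). The code below is an added example for this page, not from the slides or from Goguen and Meseguer; the Machine type, the two counter systems and the input alphabet are constructed for the illustration, and the trace is simplified to record inputs only, since the outputs of a deterministic machine are determined by its inputs.

```python
# Added example (not from the lecture slides): the trace-based definition of
# non-interference for a deterministic state machine, with purgeHI.  The
# Machine class, the input alphabet and both counter systems are constructed here.
import itertools
from dataclasses import dataclass
from typing import Callable, Hashable, Optional, Sequence, Tuple

Input = Tuple[str, str]          # (security level "H" or "L", action name)
Trace = Tuple[Input, ...]


@dataclass(frozen=True)
class Machine:
    init: Hashable
    inputs: Sequence[Input]
    step: Callable[[Hashable, Input], Hashable]       # state x input -> next state
    output: Callable[[Hashable, Input], Hashable]     # state x input -> output observed for that input


def state_after(m: Machine, tr: Trace) -> Hashable:
    """The state corresponding to trace tr, starting from the initial state."""
    s = m.init
    for inp in tr:
        s = m.step(s, inp)
    return s


def output_low(m: Machine, tr: Trace, c: Input) -> Hashable:
    """OutputL(S, tr, c): what the low input c observes in the state reached after tr."""
    assert c[0] == "L", "OutputL is defined for low inputs only"
    return m.output(state_after(m, tr), c)


def purge_high_inputs(tr: Trace) -> Trace:
    """purgeHI(tr): the same trace with every high input removed."""
    return tuple(inp for inp in tr if inp[0] == "L")


def find_violation(m: Machine, depth: int = 3) -> Optional[Tuple[Trace, Input]]:
    """Bounded non-interference check: returns the first (tr, c) with
    OutputL(S, tr, c) != OutputL(S, purgeHI(tr), c), or None if none exists up to `depth`."""
    for n in range(depth + 1):
        for tr in itertools.product(m.inputs, repeat=n):
            for c in m.inputs:
                if c[0] == "L" and output_low(m, tr, c) != output_low(m, purge_high_inputs(tr), c):
                    return tr, c
    return None


# Constructed systems: the state is a pair (high_count, low_count).
INPUTS = [("H", "inc"), ("L", "inc"), ("L", "read")]


def _step(s, inp):
    h, l = s
    if inp == ("H", "inc"):
        return (h + 1, l)
    if inp == ("L", "inc"):
        return (h, l + 1)
    return s                                             # "read" leaves the state unchanged


def _secure_output(s, inp):
    return s[1] if inp == ("L", "read") else None        # a low reader sees only the low counter


def _leaky_output(s, inp):
    return s[0] + s[1] if inp == ("L", "read") else None  # the total count reveals the high counter


SECURE = Machine((0, 0), INPUTS, _step, _secure_output)
LEAKY = Machine((0, 0), INPUTS, _step, _leaky_output)

if __name__ == "__main__":
    print("secure:", find_violation(SECURE))   # None
    print("leaky: ", find_violation(LEAKY))    # the shortest trace that separates the two runs
```

For the leaky machine the check stops at the one-step trace consisting of a single high increment followed by a low read: the unpurged run observes 1 while the purged run observes 0, so a low user learns whether a high input occurred. The bound on trace length makes this a test rather than a proof; the definition itself quantifies over all traces.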

  27. Programming Language Definition • Syntax and Static Semantics (or “well-formed programs”) • Syntax of types and terms • Type system • Semantics (or “meaning of programs”) • Operational or dynamic semantics (Defines how programs execute) • Type Safety • Well-typed programs do not get stuck, i.e., they either terminate or keep reducing following the operational semantics

  28. Language Definition Examples • Syntax, Semantics (Static, Dynamic) • ML: • R. Milner, M. Tofte, R. Harper, and D. MacQueen, The Definition of Standard ML (Revised). MIT Press, 1997 • Java: • J. Alves-Foss (Ed.), Formal Syntax and Semantics of Java. LNCS 1523, 1999
