1 / 28

JFlow : Practical Mostly-Static Information Flow Control

JFlow : Practical Mostly-Static Information Flow Control. Andrew C. Myers Presented by Shiyi Wei. JFlow. Java language certain features omitted + Information flow annotations decentralized label model. JFlow source. JFlow compiler. .java. Labeled types, classes, etc.

reece
Download Presentation

JFlow : Practical Mostly-Static Information Flow Control

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. JFlow: Practical Mostly-Static Information Flow Control Andrew C. Myers Presented by Shiyi Wei

  2. JFlow Java language certain features omitted + Information flow annotations decentralized label model JFlow source JFlow compiler .java Labeled types, classes, etc. Static checking of flow annotations Jflow.lang.Label Jflow.lang.Principal

  3. Overview • Motivation • Background • Decentralized label model • Language description • Extended language • Examples • Limitations • JFlow compiler • Static type and label checking

  4. Motivation • Privacy data protection • Statically check information flows within programs that might manipulate the data • Fine-grained tracking of security classes • Without the run-time overhead • Previous work • Not practical • Too limited/restrictive • JFlow: a usable programming model

  5. Motivation • Information leakage • Explicit flow • Implicit flow int secret; … int pub = secret; boolean secret; … int pub = 0; if(secret) pub = 1;

  6. Reference: http://courses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Decentralized-Information-Flow.pdf Background • Decentralized label model • Form • L = {o1: r1 , r2 ; o2: r2 , r3 } • Assignment x/L2 := v/L1 • Can be assigned iff • L2 is at least as restrictive as L1 • Joining of labels • Least upper bound • Declassification • Strict information flow control is too restrictive

  7. Background • Information leakage • Explicit flow • Implicit flow int secret; //secret: L1 … int pub = secret; //pub: L2 boolean secret; //secret: L1 … int pub = 0; //pub: L2 if(secret) pub = 1; //1: ? 7

  8. Language Description • Labeled types • Implicit flows • Run-time labels • Authority and declassification • Run-time principals • Classes • Methods

  9. Labeled Types • Labeled type • An ordinary Java type • A label • Written as: t{l} • Examples • int{p:} x; //principal p owns and p can read x • int{x} y; //y is as restricted as x is • intz; //the label is inferred automatically or by default • Type checking vs. label checking

  10. Implicit Flows • Implicit flows • Channels created by the control flow structure • Program-counter label (pc) • With every statement and expression • Information learned from the statement or expression evaluated int{public} x; //pc = {} boolean{secret} b; //pc = {} … intx= 0; //pc = {} if(b) { //pc = {} x = 1; //pc = {b} } The label of x({public}) is not at least as restrictive as the label of 1({secret})

  11. Run-time Labels • New primitive type: label • When the label cannot be determined statically • E.g. static float{*lb} compute(intx{*lb}, label lb) • *lb: the label contained in the variable lb • Variables of type label are final • switch label statement • The statement executed is the first whose associated label is at least as restrictive as the expression label

  12. Run-time Labels • switch label example • Transfer an integer from the x to the y label{L} lb; int{*lb} x; int{p:} y; switch label(x) { case (int{y} z) y = z; else throw new UnsafeTransfer(); }

  13. Authority and Declassification • Authority: • The capability to act for some principals • Controls the ability to declassify data • actsFor(p1, p2) S • Execute S if p1 can act for p2; otherwise skipped • declassify(e, L) • Relabel the result of e with the label L • Relax policies owned by principals in the authority

  14. Run-time Principals • New primitive type: principal • A policy may use final variable of type principal to name an owner or reader • “Run-time principals are needed in order to model systems that are heterogeneous with respect to the principals in the system, without resorting to declassification” class Account { final principal customer; String{customer:} name; float{customer:} balance; }

  15. Classes • Parameterized classes • Important for building reusable data structures • E.g. Java Vector class is parameterized on label L

  16. Classes • {secret} {public} => Vector[{secret}] ≤ Vector[{public}] ? • Covariant label • When the above relation is sound • No method argument or mutable instance variable may be labeled using the parameter • Class implicit label parameter: {this} • A covariant parameter

  17. Classes • authority clause • Name principals external to the program, or principal parameters • E.g. class passwordFileauthority(root) { … }

  18. Methods • JFlow method delaration • The return value, the arguments, and the exceptions may each be individually labeled • Arguments are always implicitly final

  19. Methods • JFlow method declaration • begin-label • Restriction on pc at the point of invocation of method • end-label • The final pc; information can be learned by observing whether the method terminates normally

  20. Methods • Examples static int{x;y}add(intx, inty) {return x + y; } booleancompare_str(String name, String pwd):{name; pwd} throws(NullPointerException) {… } booleanstore{L}(int{} x) throws(NotFound) {… }

  21. Methods • JFlow method declaration

  22. Example: passwordFile return label: {user; password} pc = {user; password; root} declassification: remove root

  23. Example: Protected Caller must have sufficient label to get the data

  24. Limitations • Threads • Single-threaded programs • Timing channels • Gain information by timing code with system clock • HashCode • JFlow class must implement its own hashCode • Finalizers • Run in a separate thread from the main program

  25. Limitations • Resource exhaustion • OutOfMemoryError • Wall-clock timing channels • Unchecked exceptions • Backward compatibility • Not backward compatible with Java

  26. Static Checking • Label-checking rules • Throwing and catching exceptions • Run-time label checking • Checking method calls

  27. Label-checking Rules A literal expression always terminates normally and that its value is labeled with the current pc An empty statement always terminates normally, with the same pc as at its start The value of a variable is labeled with both the label of the variable an the current pc Assignment to a variable X: path labels n: normal termination nv: normal value A: enviroment T: a type L: a label Two statements S1 and S2 performed in sequence

  28. Translation • Most annotations are erased • Type labels -> Java type • Class parameters • Built-in types are translated • label -> jflow.lang.Label • principal -> jflow.lang.Principal • Two constructs translate to intersting code • actsFor • switch label

More Related