
Declarative DIFC

Declarative DIFC. David Costanzo, Yale University, October 5, 2012. Slides covering the IFC problem (system data split into high and low, with an observer who sees only low data; noninterference means that the values of high data have no effect on what the observer sees) and the new results.



Presentation Transcript


  1. Declarative DIFC David Costanzo, Yale University October 5, 2012

  2. The IFC Problem [Figure: system data split into high and low; an observer sees only the low part] Noninterference – values of high data have no effect on what the observer sees

  3. Our New Results
  • Solve the IFC problem for a low-level, C-like language with pointer manipulation
    • The system must be applicable to CertiKOS code
  • Build a program logic for statically guaranteeing that noninterference holds on the code
  • Allow for high-level, declarative declassification policies
    • These specify certain circumstances under which a piece of high-security data can be viewed as low
  • Key Idea: Semantic Labels

  4. Simple Imperative Language
  C = x := E | x := [E] | [E1] := E2 | output E | skip | C1; C2 | if B then C1 else C2 | while B do C
  E = 0 | 1 | -1 | … | x | y | z | … | E1 + E2 | E1 - E2 | …
  B = true | false | E1 = E2 | B1 ∧ B2 | B1 ∨ B2 | …

  5. Output Dependency Does the output of the program depend on the value of x?

  6. Output Dependency Does the output of the program depend on the value of x? Trivially dependent: output x

  7. Output Dependency Does the output of the program depend on the value of x? Trivially independent: output 0

  8. Output Dependency Does the output of the program depend on the value of x? Transitive dependence: y := x; output y

  9. Output Dependency Does the output of the program depend on the value of x? Implicit dependence: if (x % 2 == 0) then y := 0 else y := 1; output y

  10. Noninterference
  Label l = Lo | Hi
  Store s = var → val × lbl
  Heap h = addr → val × lbl
  State σ = store × heap
  Noninterference of a program C: Suppose executing C on state σ1 results in output o. Then, if we change the value of any Hi variable or heap cell to obtain a new state σ2, executing C on σ2 will produce the same output o.
  Assumption: these executions of C are safe – this will be guaranteed by our logic

  11. Termination Sensitivity Suppose executing C on state σ1 results in output o. Then, if we change the value of any Hi variable or heap cell to obtain a new state σ2, executing C on σ2 will produce the same output o. Most IFC systems guarantee termination-insensitive noninterference, which assumes that the executions terminate. But OS code is often required to be nonterminating!
  if (x % 2 == 0) then (while (true) do skip) else skip; output 0

  12. Proving Noninterference σ1 ≈ σ2 means that every variable or heap cell which is Lo in both states has the same value in both states [Figure: two executions from σ1 and σ2]

  13. Proving Noninterference
  • Security-aware, intermediate operational semantics
  • High machine:
    • Executes when inside an if statement or while loop that branched on a Hi variable
    • Cannot output
    • Any locations written to are tainted with a Hi label
  • Low machine:
    • Takes a single step to simulate the entirety of a high-machine execution, thus skipping over the if statement or while loop
  if (x % 2 == 0) then y := 0 else y := 1; output y

  14. Proving Noninterference Security-aware, intermediate operational semantics Key Observation/Novelty: If σ1 ≈ σ2, then the two executions of a noninterfering program C on those states will operate in lock-step in the low machine [Figure: two executions shown as matching sequences of low-machine (L) steps]

  15. A Conundrum
  [1] := 0; y := 1; if (x % 2 == 0) then y := 2 else skip; [y] := 1; z := [1]; output z
  State trace (value, label) with x even:
    x:      (100, H), (100, H), (100, H)
    y:      (1, L),   (2, H),   (1, L)
    cell 1: (0, L),   (0, L),   (0, L)
    cell 2: (-, -),   (-, -),   (1, H)
    Output 0

  16. A Conundrum
  [1] := 0; y := 1; if (x % 2 == 0) then y := 2 else skip; [y] := 1; z := [1]; output z
  State trace (value, label) with x odd:
    x:      (101, H), (100, H), (101, H)
    y:      (1, L),   (1, L),   (1, L)
    cell 1: (1, L),   (0, L),   (0, L)
    cell 2: (-, -),   (-, -),   (-, -)
    Output 1

  17. A Conundrum
  [1] := 0; y := 1; if (x % 2 == 0) then y := 2 else skip; [y] := 1; z := [1]; output z
  Solution
  • Make store variables label-immutable during updates
  • The labels of variables must be predetermined
  • Whenever a variable is written to, a check must be performed
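The conundrum program of slides 15-17, encoded directly as an added example (not code from the slides): a labelled store and heap, the high-machine rule that writes under a Hi branch are tainted Hi, and the two write disciplines. With mutable labels the two initial states, which differ only in the Hi variable x, produce different outputs; with predetermined (label-immutable) variables the write y := 2 under the Hi branch fails the check. The `L`/`H` encoding and the helper names are assumptions of this example.

```python
# Added example: the slide-15/16 program run with labelled data.
# Labels are "L" (Lo) or "H" (Hi); pc is the label of the enclosing branch.

class LabelCheckFailed(Exception):
    """Raised when a write would change a predetermined label (slide 17)."""

def join(a, b):
    return "H" if "H" in (a, b) else "L"

def low_equivalent(s1, s2):
    """sigma1 ~ sigma2 (slide 12): every location Lo in both states agrees."""
    return all(s1[k][0] == s2[k][0]
               for k in s1.keys() & s2.keys()
               if s1[k][1] == "L" and s2[k][1] == "L")

def run(x_val, immutable_labels):
    """Execute the program with x = (x_val, H); return the list of outputs."""
    store = {"x": (x_val, "H")}
    heap = {}

    def write_var(name, val, pc):
        # constants carry label L, so the written label is join(pc, L) = pc
        lbl = join(pc, "L")
        old = store.get(name)
        if immutable_labels and old is not None and old[1] != lbl:
            raise LabelCheckFailed(f"{name} is {old[1]}, write would make it {lbl}")
        store[name] = (val, lbl)

    heap[1] = (0, "L")                 # [1] := 0
    write_var("y", 1, "L")             # y := 1
    xv, xl = store["x"]                # if (x % 2 == 0) then y := 2 else skip
    if xv % 2 == 0:
        write_var("y", 2, xl)          # high machine: pc = label of x = H
    yv, yl = store["y"]                # [y] := 1 -- the cell takes y's label
    heap[yv] = (1, yl)
    zv, zl = heap[1]                   # z := [1]
    store["z"] = (zv, zl)
    if zl == "H":                      # output z: the high machine cannot output
        raise LabelCheckFailed("output of Hi data")
    return [zv]
```

`run(100, False)` returns `[0]` and `run(101, False)` returns `[1]` although the two initial stores are low-equivalent, which is the violation; `run(100, True)` raises at the write to y.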

  18. Declassification Instead of labels, data will now have policies attached. Policy d = state → lbl How to define noninterference? Suppose executing C on state σ1 results in output o. Then, if we change the value of any Hi variable or heap cell to obtain a new state σ2, executing C on σ2 will produce the same output o.

  19. Declassification Semantic Labels Given a configuration, a piece of data is semantically low if there is some future (or past) configuration in which the data’s policy evaluates to Lo. [Figure: an execution whose configurations evaluate the policy to … Hi, Lo, Hi, Hi] Policy is semantically low in every configuration of this execution

  20. Declassification Semantic Labels Given a configuration, a piece of data is semantically high if there is no future (or past) configuration in which the data’s policy evaluates to Lo. [Figure: an execution whose configurations evaluate the policy to … Hi, Hi forever … Hi, Hi, Hi] Policy is semantically high in every configuration of this execution

  21. Noninterference + Declassification Suppose executing C on state σ1 results in output o. Then, if we change the value of any semantically high variable or heap cell to obtain a new state σ2, executing C on σ2 will produce the same output o.
  • Some subtleties:
    • If the value of a piece of semantically high data is changed, then the semantic label of any data in the entire program state could change!
    • Observable equivalence definition is tricky.
    • Expression/boolean expression label could be different in the two executions!
    • The logic is extended to guarantee that this situation does not occur.
    • Semantic labels (and hence observable equivalence) are purely logical notions since they are undecidable to compute.
    • A user cannot designate data as being semantically high in the way that he can designate data as being Hi in the system without declassification

  22. An Example • Alice and Bob wish to pick a meeting time without revealing their entire calendars

  23. An Example OK to declassify a time slot if it's 'Free', and the corresponding time slot in Bob's calendar is also 'Free'
  Calendars:
    Time   Alice's   Bob's
    1:00   Free      Event
    2:00   Event     Free
    3:00   Free      Free
    4:00   Event     Event
    5:00   Event     Free

  24. An Example
  i := 0; while (i < n) do x := [a + i]; y := [b + i]; if (x == 0 ∧ y == 0) then (output i) else skip; i := i + 1
  Doesn’t quite work, since x and y must have predetermined policies.

  25. An Example
  i := 0; while (i < n) do F(i); i := i + 1
  F(i): x := [a + i]; y := [b + i]; if (x == 0 ∧ y == 0) then (output i) else skip
  This works because x and y are fresh variables with each function call.
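The calendar program of slides 23-25 with a state-dependent policy instead of fixed labels, as an added example (not code from the slides). The policy for a slot maps the current state to Lo exactly when that slot is Free in both calendars (the declassification condition of slide 23), so the branch condition in F(i) is Lo whenever `output i` executes. The second function probes the slide-21 subtlety: changing one Hi-policy cell can shift the policy of the same slot to Lo, so those flips are reported separately from the ones that leave all labels unchanged. Free = 0 follows the test `x == 0 ∧ y == 0` on the slides; the calendar encoding, label names and helper names are assumptions of this example.

```python
# Added example: slide-25 meeting-time search under a declarative policy.
FREE, EVENT = 0, 1

def policy(state, i):
    """Policy d = state -> lbl for slot i of either calendar:
    Lo when the slot is Free in both calendars, Hi otherwise (slide 23)."""
    return "L" if state["a"][i] == FREE and state["b"][i] == FREE else "H"

def meeting_times(alice, bob):
    """Slide-25 loop: F(i) reads fresh x, y and outputs i only under a Lo branch."""
    state = {"a": list(alice), "b": list(bob)}
    out = []
    for i in range(len(alice)):
        x, y = state["a"][i], state["b"][i]      # x := [a + i]; y := [b + i]
        cond_label = policy(state, i)            # label of (x == 0 ∧ y == 0)
        if x == FREE and y == FREE:
            assert cond_label == "L"             # policy declassified this slot
            out.append(i)                        # output i
        # else: high machine, no output
    return out

def labels(alice, bob):
    state = {"a": alice, "b": bob}
    return [policy(state, i) for i in range(len(alice))]

def flip_high_cells(alice, bob):
    """Change one Hi-policy cell at a time (Free <-> Event).
    Returns (stable, shifting): flips that leave every slot's label unchanged
    (and are checked to leave the output unchanged), and flips that change
    some slot's label, the slide-21 subtlety."""
    base_out, base_lbl = meeting_times(alice, bob), labels(alice, bob)
    stable, shifting = [], []
    for owner in ("a", "b"):
        for i, lbl in enumerate(base_lbl):
            if lbl != "H":
                continue
            cal = {"a": list(alice), "b": list(bob)}
            cal[owner][i] = EVENT - cal[owner][i]
            if labels(cal["a"], cal["b"]) == base_lbl:
                assert meeting_times(cal["a"], cal["b"]) == base_out
                stable.append((owner, i))
            else:
                shifting.append((owner, i))
    return stable, shifting

# Constructed input: the slide-23 calendars, slots 1:00 .. 5:00 as indices 0 .. 4
ALICE = [FREE, EVENT, FREE, EVENT, EVENT]
BOB = [EVENT, FREE, FREE, EVENT, FREE]
```

On the slide-23 calendars only 3:00 (index 2) is output; the shifting flips are exactly the cells whose partner slot is Free.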

  26. Current Progress
  • Many working versions of the system:
    • Weak-update store, no heap, with/without declassification
    • Strong-update store, no heap, with/without declassification
    • Weak-update store, strong-update heap, deterministic/nondeterministic memory allocation, with/without declassification
  • Goals for the near future:
    • Add in function calls
    • Completely work out formal proofs using the logic
    • Try to formalize an example from the RESIN system, as it is very easy to formulate their declassifier functions in terms of our policies
