A Dependently Typed Library for Static Information-Flow Control in Idris

Gregersen, Simon Oddershede; Thomsen, Søren Eller; Askarov, Aslan

doi:10.1007/978-3-030-17138-4_3

Cited by 4 publications

(4 citation statements)

References 48 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is impractical for realistic settings where resources, such as the heap, can be shared. To address this issue, some recent information-flow systems [Gregersen et al 2019;Lourenço and Caires 2015;Murray et al 2016;Nanevski et al 2011;Zheng and Myers 2007] support value-dependent classification policies. These policies describe a relationship between two values, such that the value of one decides the classification-level of the other.…”

Section: Value-dependent Classification and Modularitymentioning

confidence: 99%

“…Such systems establish various notions of noninterference [Goguen and Meseguer 1982], conveying that observable aspects of the program's behavior is independent of its sensitive inputs. Information-flow control enforcement is often specified as a static type system (e.g., Abadi et al [1999]; Arden and Myers [2016]; Heintze and Riecke [1998]; Lourenço and Caires [2015]; Myers [1999]; Simonet [2003b]) or via an encoding into an existing type system (e.g., Algehed and Russo [2017]; Gregersen et al [2019]; Li and Zdancewic [2006]; Pottier and Simonet [2003]; Russo [2015]; Russo et al [2008]; Vassena et al [2018]). Modern programming languages have rich type systems featuring, e.g., higher types, reference types, and abstract types, which are all essential for modern software engineering practice and for implementing reusable software components.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Mechanized logical relations for termination-insensitive noninterference

Gregersen

Bay

Timany

et al. 2021

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

We present an expressive information-flow control type system with recursive types, existential types, label polymorphism, and impredicative type polymorphism for a higher-order programming language with higher-order state. We give a novel semantic model of this type system and show that well-typed programs satisfy termination-insensitive noninterference. Our semantic approach supports compositional integration of syntactically well-typed and syntactically ill-typed---but semantically sound---components, which we demonstrate through several interesting examples. We define our model using logical relations on top of the Iris program logic framework; to capture termination-insensitivity, we develop a novel language-agnostic theory of Modal Weakest Preconditions. We formalize all of our theory and examples in the Coq proof assistant.

show abstract

Section: Value-dependent Classification and Modularitymentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Mechanized logical relations for termination-insensitive noninterference

Gregersen

Bay

Timany

et al. 2021

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

show abstract

“…Rules S-AT and S-DELAY implement simple predictive mitigation of direct timing channels, i.e., channels represented directly in the control-flow of the program: S-AT reduces to the underlying command c, but ensures that the command terminates in exactly n steps, where n is the result of evaluating expression e, by delaying further commands until the command delay n has terminated. 9 The semantics of unscope is defined in the Appendix. 10 The complete definition of matching is found in the Appendix.…”

Section: B Semanticsmentioning

confidence: 99%

“…The use of existentially quantified labels is introduced by Tse and Zdancewic [36], and we follow the same typing discipline for such values. Dependent type systems for IFC has also been explored by Lourenço and Caires [16], Zhang et al [43] and Gregersen et al [9].…”

Section: Static Information Flow Controlmentioning

confidence: 99%

Static Enforcement of Security in Runtime Systems

Pedersen

Askarov

2019

2019 IEEE 32nd Computer Security Foundations Symposium (CSF)

Self Cite

View full text Add to dashboard Cite

Underneath every modern programming language is a runtime environment (RTE) that handles features such as automatic memory management and thread scheduling. In the information-flow control (IFC) literature, the RTE is often part of the trusted computing base (TCB), and there has been little focus on applying IFC to the implementation of the RTE itself. In this paper we address this problem by designing an IFC language, Zee, for implementing secure RTEs, thereby removing the RTE from the TCB. We implement Zee and design and implement secure versions of garbage collectors and thread schedulers using Zee. We also prove that a faithful calculus of Zee satisfies a strong variant of timing-sensitive noninterference.

show abstract

Compositional Non-Interference for Fine-Grained Concurrent Programs

Frumin¹,

Krebbers

Birkedal

2021

2021 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Recent secure cache designs aim to mitigate sidechannel attacks by randomizing the mapping from memory addresses to cache sets. As vendors investigate deployment of these caches, it is crucial to understand their actual security.In this paper, we consolidate existing randomization-based secure caches into a generic cache model. We then comprehensively analyze the security of existing designs, including CEASER-S and SCATTERCACHE, by mapping them to instances of this model. We tailor cache attacks for randomized caches using a novel PRIME+PRUNE+PROBE technique, and optimize it using burst accesses, bootstrapping, and multi-step profiling. PRIME+ PRUNE+PROBE constructs probabilistic but reliable eviction sets, enabling attacks previously assumed to be computationally infeasible. We also simulate an end-to-end attack, leaking secrets from a vulnerable AES implementation. Finally, a case study of CEASER-S reveals that cryptographic weaknesses in the randomization algorithm can lead to a complete security subversion.Our systematic analysis yields more realistic and comparable security levels for randomized caches. As we quantify how design parameters influence the security level, our work leads to important conclusions for future work on secure cache designs.

show abstract

A Dependently Typed Library for Static Information-Flow Control in Idris

Cited by 4 publications

References 48 publications

Mechanized logical relations for termination-insensitive noninterference

Mechanized logical relations for termination-insensitive noninterference

Static Enforcement of Security in Runtime Systems

Compositional Non-Interference for Fine-Grained Concurrent Programs

Contact Info

Product

Resources

About