Compositional Verification and Refinement of Concurrent Value-Dependent Noninterference

Murray, Toby; Sison, Robert; Pierzchalski, Edward; Rizkallah, Christine

doi:10.1109/csf.2016.36

Cited by 45 publications

(84 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Greiner and Grahl [18] express indistinguishability by attacker for component-based systems via equivalence relations. Murray et al [37] define value-sensitive noninterference for compositional reasoning in concurrent programs. Value-sensitive noninterference emphasizes value-sensitive sources, as in the case of treating the security level of an input buffer or file depending on its runtime security label, enabling declassification policies to be value-dependent.…”

Section: Related Workmentioning

confidence: 99%

If This Then What?

Bastys

Balliu

Sabelfeld

2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

IoT apps empower users by connecting a variety of otherwise unconnected services. These apps (or applets) are triggered by external information sources to perform actions on external information sinks. We demonstrate that the popular IoT app platforms, including IFTTT (If This Then That), Zapier, and Microsoft Flow are susceptible to attacks by malicious applet makers, including stealthy privacy attacks to exfiltrate private photos, leak user location, and eavesdrop on user input to voice-controlled assistants. We study a dataset of 279,828 IFTTT applets from more than 400 services, classify the applets according to the sensitivity of their sources, and find that 30% of the applets may violate privacy. We propose two countermeasures for short-and longterm protection: access control and information flow control. For short-term protection, we suggest that access control classifies an applet as either exclusively private or exclusively public, thus breaking flows from private sources to sensitive sinks. For longterm protection, we develop a framework for information flow tracking in IoT apps. The framework models applet reactivity and timing behavior, while at the same time faithfully capturing the subtleties of attacker observations caused by applet output. We show how to implement the approach for an IFTTT-inspired setting leveraging state-of-the-art information flow tracking techniques for JavaScript based on the JSFlow tool and evaluate its effectiveness on a collection of applets. CCS CONCEPTS • Security and privacy → Web application security; Domainspecific security and privacy architectures;

show abstract

Section: Related Workmentioning

confidence: 99%

If This Then What?

Bastys

Balliu

Sabelfeld

2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…Li et al [20] use rely-guarantee style reasoning to reason about information flows in a message-passing distributed settings, where scheduler cannot be controlled. Murray et al [31] use mode-based reasoning in a flow-sensitive dependent type system to enforce timing-sensitive value-dependent non-interference for shared memory concurrent programs.…”

Section: Rely-guarantee Style Reasoning For Concurrent Information Flmentioning

confidence: 99%

Compositional Non-interference for Concurrent Programs via Separation and Framing

Karbyshev

Svendsen

Askarov

et al. 2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Reasoning about information flow in a concurrent setting is notoriously difficult due in part to timing channels that may leak sensitive information. In this paper, we present a compositional and flexible type-and-effect system that guarantees non-interference by disallowing potentially insecure races that can be exploited through internal timing attacks. In contrast to many previous approaches, which disallow all races on public variables, we use an explicit scheduler model to give a more permissive security definition and type system, which allows benign races on public variables. To achieve compositionality, we use the idea of resources from separation logic, both to locally specify and reason about whether accesses may be racy and to bound the security level of data that may be learned through scheduling.

show abstract

“…Dependent Labels and Information Flow Security Dependent types have been widely studied and have been applied to practical programming languages (e.g., [7,16,31,32,41,42]). New challenges emerge for information flow analysis, such as precise, sound handling of information channels arising from label changes.…”

Section: Related Workmentioning

confidence: 99%

“…Exploring dependent labels to their full extent exposes new challenges that we tackle in this work, such as implicit declassification. Murray et al [31] present a flow-sensitive dependent security type system for shared-memory programs. The type system enforces a stronger security property: timing-sensitive non-interference for concurrent programs.…”

Section: Related Workmentioning

confidence: 99%

Towards a Flow- and Path-Sensitive Information Flow Analysis

Zhang²

2017

2017 IEEE 30th Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

This paper investigates a flow-and path-sensitive static information flow analysis. Compared with security type systems with fixed labels, it has been shown that flow-sensitive type systems accept more secure programs. We show that an information flow analysis with fixed labels can be both flow-and path-sensitive. The novel analysis has two major components: 1) a general-purpose program transformation that removes false dataflow dependencies in a program that confuse a fixed-label type system, and 2) a fixed-label type system that allows security types to depend on path conditions. We formally prove that the proposed analysis enforces a rigorous security property: noninterference. Moreover, we show that the analysis is strictly more precise than a classic flow-sensitive type system, and it allows sound control of information flow in the presence of mutable variables without resorting to run-time mechanisms.

show abstract

Compositional Verification and Refinement of Concurrent Value-Dependent Noninterference

Cited by 45 publications

References 26 publications

If This Then What?

If This Then What?

Compositional Non-interference for Concurrent Programs via Separation and Framing

Towards a Flow- and Path-Sensitive Information Flow Analysis

Contact Info

Product

Resources

About