Eliminating covert flows with minimum typings

Volpano, Dennis; Smith, Geoffrey

doi:10.1109/csfw.1997.596807

Cited by 98 publications

(96 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…We conjecture that our results also hold for terminationsensitive noninterference [51], [42], where the termination behavior should not depend on secret data. The termination behavior is hard to control dynamically-no matter if the mechanism is flow-sensitive or insensitive-and so it is not surprising that a purely dynamic mechanism would have to be extremely conservative.…”

Section: Discussionmentioning

confidence: 79%

Dynamic vs. Static Flow-Sensitive Security Analysis

Russo

Sabelfeld

2010

2010 23rd IEEE Computer Security Foundations Symposium

154

216

View full text Add to dashboard Cite

Abstract-This paper seeks to answer fundamental questions about trade-offs between static and dynamic security analysis. It has been previously shown that flow-sensitive static information-flow analysis is a natural generalization of flowinsensitive static analysis, which allows accepting more secure programs. It has been also shown that sound purely dynamic information-flow enforcement is more permissive than static analysis in the flow-insensitive case. We argue that the step from flow-insensitive to flow-sensitive is fundamentally limited for purely dynamic information-flow controls. We prove impossibility of a sound purely dynamic information-flow monitor that accepts programs certified by a classical flow-sensitive static analysis. A side implication is impossibility of permissive dynamic instrumented security semantics for information flow, which guides us to uncover an unsound semantics from the literature. We present a general framework for hybrid mechanisms that is parameterized in the static part and in the reaction method of the enforcement (stop, suppress, or rewrite) and give security guarantees with respect to terminationinsensitive noninterference for a simple language with output.

show abstract

Section: Discussionmentioning

confidence: 79%

Dynamic vs. Static Flow-Sensitive Security Analysis

Russo

Sabelfeld

2010

2010 23rd IEEE Computer Security Foundations Symposium

154

216

View full text Add to dashboard Cite

show abstract

“…Programs that are well-typed under these type systems satisfy certain security properties. Type systems for enforcing noninterference of programs have been proposed by Volpano and Smith in [16], and subsequently they have been extended to detect also covert timing channels in [17]. The main drawback of this approach is its imprecision, since many secure programs are not typable and so are rejected.…”

Section: Related Workmentioning

confidence: 99%

Ensuring Secure Non-interference of Programs by Game Semantics

Dimovski

2014

Security and Trust Management

View full text Add to dashboard Cite

Abstract. Non-interference is a security property which states that improper information leakages due to direct and indirect flows have not occurred through executing programs. In this paper we investigate a game semantics based formulation of non-interference that allows to perform a security analysis of closed and open procedural programs. We show that such formulation is amenable to automated verification techniques. The practicality of this method is illustrated by several examples, which also emphasize its advantage compared to known operational methods for reasoning about open programs.

show abstract

“…One approach is to use a typing discipline to ensure that all control flow paths have the same number of instructions, by ensuring that conditionals have equal sized branches, and prohibiting the use of secret information in loop guards, i.e., all loop guards are constant or only depend on public, nonsecret values [47,48,51]. If the type system rejects a program because it has "uneven" branches, the program can still be transformed, for example by adding suitable "padding" instructions along shorter branches [2,9,10,28], by using "conditional execution" implemented via bit-masking and ternary choice [39] or by using if-conversion [15].…”

Section: Related Workmentioning

confidence: 99%

On Subnormal Floating Point and Abnormal Timing

Andrysco

Kohlbrenner

Mowery

et al. 2015

2015 IEEE Symposium on Security and Privacy

118

119

View full text Add to dashboard Cite

Abstract-We identify a timing channel in the floating point instructions of modern x86 processors: the running time of floating point addition and multiplication instructions can vary by two orders of magnitude depending on their operands. We develop a benchmark measuring the timing variability of floating point operations and report on its results. We use floating point data timing variability to demonstrate practical attacks on the security of the Firefox browser (versions 23 through 27) and the Fuzz differentially private database. Finally, we initiate the study of mitigations to floating point data timing channels with libfixedtimefixedpoint, a new fixed-point, constant-time math library.Modern floating point standards and implementations are sophisticated, complex, and subtle, a fact that has not been sufficiently recognized by the security community. More work is needed to assess the implications of the use of floating point instructions in security-relevant software.

show abstract

Eliminating covert flows with minimum typings

Cited by 98 publications

References 6 publications

Dynamic vs. Static Flow-Sensitive Security Analysis

Dynamic vs. Static Flow-Sensitive Security Analysis

Ensuring Secure Non-interference of Programs by Game Semantics

On Subnormal Floating Point and Abnormal Timing

Contact Info

Product

Resources

About