Flexible dynamic information flow control in Haskell

Stefan, Deian; Russo, Alejandro; Mitchell, John C.; Mazières, David

doi:10.1145/2034675.2034688

Cited by 117 publications

(195 citation statements)

References 35 publications

Supporting

Mentioning

177

Contrasting

Order By: Relevance

“…This result has been previously established for the sequential version of LIO [34]. As in [20,31,34], we prove this property by using the term erasure technique.…”

Section: Soundnesssupporting

confidence: 74%

“…To this end, we extend the notion of resumptions and modify the scheduler to handle thread local state and exceptions. Thread local state As described in [34], the LIO monad keeps track of a current label, L cur . This label is an upper bound on the labels of all data in lexical scope.…”

Section: Extending Resumptions With State and Exceptionsmentioning

confidence: 99%

“…In this section, we extend the previous formalization of LIO [34] to model the semantics of our concurrency library. We present the syntax extensions that we require to model the behavior of the Thread monad:…”

Section: Soundnessmentioning

confidence: 99%

“…We consider a global environment Σ which contains the current label of the computation (Σ.lbl), and also represents the resources shared among all threads, such as mutable references. We start from the one-step reduction relation 7 Σ, e −→ Σ , e , which has already been defined for LIO [34]. This relation represents a single evaluation step from e to e , with Σ as the initial environment and Σ as the final one.…”

Section: Soundnessmentioning

confidence: 99%

See 3 more Smart Citations

A Library for Removing Cache-Based Attacks in Concurrent Information Flow Systems

Buiras

Levy

Stefan

et al. 2014

Trustworthy Global Computing

Self Cite

View full text Add to dashboard Cite

Abstract. Information-flow control (IFC) is a security mechanism conceived to allow untrusted code to manipulate sensitive data without compromising confidentiality. Unfortunately, untrusted code might exploit some covert channels in order to reveal information. In this paper, we focus on the LIO concurrent IFC system. By leveraging the effects of hardware caches (e.g., the CPU cache), LIO is susceptible to attacks that leak information through the internal timing covert channel. We present a resumption-based approach to address such attacks. Resumptions provide fine-grained control over the interleaving of thread computations at the library level. Specifically, we remove cache-based attacks by enforcing that every thread yield after executing an "instruction," i.e., atomic action. Importantly, our library allows for porting the full LIO libraryour resumption approach handles local state and exceptions, both features present in LIO. To amend for performance degradations due to the library-level thread scheduling, we provides two novel primitives. First, we supply a primitive for securely executing pure code in parallel. Second, we provide developers a primitive for controlling the granularity of "instructions"; this allows developers to adjust the frequency of context switching to suit application demands.

show abstract

“…This result has been previously established for the sequential version of LIO [34]. As in [20,31,34], we prove this property by using the term erasure technique.…”

Section: Soundnesssupporting

confidence: 74%

Section: Extending Resumptions With State and Exceptionsmentioning

confidence: 99%

Section: Soundnessmentioning

confidence: 99%

Section: Soundnessmentioning

confidence: 99%

See 2 more Smart Citations

A Library for Removing Cache-Based Attacks in Concurrent Information Flow Systems

Buiras

Levy

Stefan

et al. 2014

Trustworthy Global Computing

Self Cite

View full text Add to dashboard Cite

show abstract

“…For example, a computation with no privileges might read sensitive data and leak information by, e.g., not terminating or affecting timing behavior. To address confinement in the presence of covert channels, we use the notion of clearance [5], previously introduced and formalized in [30,30,28] in the context of IFC.…”

Section: Confinement and Access Controlmentioning

confidence: 99%

Disjunction Category Labels

Stefan

Russo

Mazières

et al. 2012

Information Security Technology for Applications

Self Cite

View full text Add to dashboard Cite

Abstract. We present disjunction category (DC) labels, a new label format for enforcing information flow in the presence of mutually distrusting parties. DC labels can be ordered to form a lattice, based on propositional logic implication and conjunctive normal form. We introduce and prove soundness of decentralized privileges that are used in declassifying data, in addition to providing a notion of privilege-hierarchy. Our model is simpler than previous decentralized information flow control (DIFC) systems and does not rely on a centralized principal hierarchy. Additionally, DC labels can be used to enforce information flow both statically and dynamically. To demonstrate their use, we describe two Haskell implementations, a library used to perform dynamic label checks, compatible with existing DIFC systems, and a prototype library that enforces information flow statically, by leveraging the Haskell type checker.

show abstract

DMoiSDN: A defensive mechanism of object integrity for SDN

Alsalamh,

Al‐Mutairi,

Humayed

et al. 2023

Concurrency and Computation

View full text Add to dashboard Cite

SummarySoftware‐defined network (SDN) technology is widely used for computer networks, especially in enterprise data centers and virtualized networking. However, SDN networks encounter severe challenges to security. One such challenge comes from third‐party applications that contain malicious logic and security vulnerabilities, resulting in controller integrity attacks. In this paper, we propose a defensive mechanism of object integrity for SDN (DMoiSDN) to mitigate the issue known as Cross‐App Poisoning (CAP). Our results contribute to increasing the integrity level of the controller's resources by conducting a potential risk analysis, which showed a decrease of 57% in the risk factor for potential attacks. We further examined the results of comparing DMoiSDN's performance with related work that uses information flow control (IFC) policies. The best results among the three conducted scenarios were as follows: we found that decreased latency in our system ranged from 12% to 90%, with an average of 59%, when encountering an increase in requests. It ranged from 78% to 49%, with an average of 63%, when receiving a variable number of total permissions for each application. DMoiSDN is expected to show a perceptible but reasonable latency and, to some extent, be able to avoid a critical impact on performance.

show abstract

Flexible dynamic information flow control in Haskell

Cited by 117 publications

References 35 publications

A Library for Removing Cache-Based Attacks in Concurrent Information Flow Systems

A Library for Removing Cache-Based Attacks in Concurrent Information Flow Systems

Disjunction Category Labels

DMoiSDN: A defensive mechanism of object integrity for SDN

Contact Info

Product

Resources

About