Information Flow Control

📎 Simple imperative language

Information flow determines Information security.

(End-to-end) Confidentiality no leakage, no insecure information flow

Integrity data only changed when authorized

Until now we used different security mechanisms.

Problem of security mechanisms:

None offer full security or end-to-end security

each have their own weaknesses

Software is always viewed as black box.

Solution: language-based approach

(Ideally automatic) formal methods for proof of security.

Proofs based on code semantics - security type checking (statically and dynamically)

controlling information flow

not being too restrictive (declassifying when necessary)

Side channels

Mechanisms to get sensitive information through the observable behaviour of a computing system.

Explicit flow information leakage through direct assignment.

Implicit flow control structure of the program. (Using $H$ as a guard)

Termination channels termination / non-termination.

Timing channels execution time of program, cache access time, $\dots$

Probabilistic channels different stochastic properties, observing behaviour of execution scheduler

Power channels Power consumption by computer

Resource exhaustion c. exhaustion of a finite, shared resource: memory space, $\dots$

Confidentiality, Integrity

Informal definition of Non-Interference

Non interference = formal definition of confidentiality.

Program is secure if high inputs do not interfere with low inputs.

Computation $\text{C}$ , with semantics $\llbracket \mathrm{C} \rrbracket$ (maps the input to the output or does not terminate $\bot$ )

$\forall \text { mem, mem}':\\ \text{ mem }=_{L} \text { mem}^{\prime} \Rightarrow \llbracket C \rrbracket \text { mem } \approx_{L} \llbracket C \rrbracket \text { mem}^{\prime}$

where

$=_L$ means low memory equality

$\approx_L$ means low view indistinguishability by attacker

Confidentiality vs. Integrity are dual

Security Types, Security Lattice

Multiple security types: One for confidentiality, one for integrity

High confidentiality means low integrity - vice versa.

$\ell=L_{1} L_{2}$ confidentiality level $\cdot$ integrity level

Formal definition of non-interference

Program $\text{c}$ satisfies non-interference, if:

$\forall \mu , v, \mu', v':$

$\mu \sim_\ell v,$

$(\text{c}, \mu) \stackrel{*}{\rightarrow} \mu',$

$(\text{c}, v) \stackrel{*}{\rarr} v'$

$\Rarr u' \sim_{\ell} v'$

where $(\mu \sim_\ell v)$ means that $\mu$ and $v$ are equivalent at level $\ell$ or lower.

This definition is incomplete:

termination, timing-insensitive

does not work with multi-threading, non-determinism

Considering Termination

If they do terminate, then they must have the same lower part.

mem≈Lmem′iffmem=⊥=mem′∨(mem≠⊥≠mem′∧mem=Lmem′)\begin{array}{c}\mathrm{mem} \approx_{\mathrm{L}} \text {mem}'\textcolor{grey}{ \text{ iff}} \\\mathrm{mem}=\perp=\mathrm{mem}^{\prime} ~\vee \left(\mathrm{mem} \neq \perp \neq \mathrm{mem}^{\prime} \wedge \mathrm{mem}=_L\mathrm{mem}^{\prime}\right)\end{array}mem≈Lmem′iffmem=⊥=mem′∨(mem=⊥=mem′∧mem=Lmem′)

Security Type System

non-interference definition contains a universal quantification over all possible inputs → undecidable.

Static analysis

We type expressions and then enforce rules.

Good option but incomplete because of undecidability.

Insecure program might get accepted.

Description of used notation
We write the preconditions for above the line: $\frac{\textsf{precondition}}{\textsf{assignment}}$
$\ell=H \mid L$ (Security) Types
$L \sqsubseteq H$ Simple lattice (there could theoretically be more Types between $L$ and $H$ )
$\Gamma=x_{1}: \ell_{1},~ \ldots,~ x_{n}: \ell_{n}$ Function that assigns types to variables ("typing environment")
$p c:=\ell$ Program counter (as security type)
$\Gamma \vdash e$ Judgement: expression $e$ is well typed in $\Gamma$
$\Gamma, p c \vdash c$ Judgement: program $c$ is well typed in $\Gamma$ and $pc$
$\sqcup$ ("join") - like Max function for upper bounds

Assigned type

Type $\ell$ of $x$ as assigned by $\Gamma$

Γ(x)=ℓΓ⊢x:ℓ\frac{\Gamma(x)=\ell}{\Gamma \vdash x: \ell}Γ⊢x:ℓΓ(x)=ℓ

program counter $pc$

always has the higher type: $\ell \sqcup p c = \max(\ell, p c )$

Γ⊢e:ℓΓ,ℓ⊔pc⊢c1Γ,ℓ⊔pc⊢c2Γ,pc⊢ifethenc1elsec2\frac{\Gamma \vdash e: \ell \quad \Gamma, \ell \sqcup p c \vdash c_{1} \quad \Gamma, \ell \sqcup p c \vdash c_{2}}{\Gamma, p c \vdash \text { if } e \text { then } c_{1} \text { else } c_{2}}Γ,pc⊢ifethenc1elsec2Γ⊢e:ℓΓ,ℓ⊔pc⊢c1Γ,ℓ⊔pc⊢c2

Γ⊢e:ℓΓ,ℓ⊔pc⊢cΓ,pc⊢whileedoc\frac{\Gamma \vdash e: \ell \quad \Gamma, \ell \sqcup p c \vdash c}{\Gamma, p c \vdash \text { while } e \text { do } c}Γ,pc⊢whileedocΓ⊢e:ℓΓ,ℓ⊔pc⊢c

Explicit flow, impicit flow

If expression $e$ has type $\ell$ then:

$\ell \sqcup p c$ must be lower than the type of $x$ . (implicit flow through $pc$ and explicit flow through $\Gamma(x)$ )

Γ⊢e:ℓℓ⊔pc⊑Γ(x)Γ,pc⊢x:=e\frac{\Gamma \vdash e: \ell \quad \ell \sqcup p c \sqsubseteq \Gamma(x)}{\Gamma, p c \vdash x:=e}Γ,pc⊢x:=eΓ⊢e:ℓℓ⊔pc⊑Γ(x)

Number $n$ — skip instruction — sequencing instructions

Γ⊢n:L\Gamma \vdash n: LΓ⊢n:L

Γ,pc⊢skip\Gamma, p c \vdash \text {skip }Γ,pc⊢skip

Γ,pc⊢c1Γ,pc⊢c2Γ,pc⊢c1;c2\frac{\Gamma, p c \vdash c_{1} \quad \Gamma, p c \vdash c_{2}}{\Gamma, p c \vdash c_{1} ; c_{2}}Γ,pc⊢c1;c2Γ,pc⊢c1Γ,pc⊢c2

Declassification

Sometimes necessary to allow explicit flow ie. for checking passwords. We do not check $\ell \sqcup p c \sqsubseteq \Gamma(x)$ anymore.

pc⊑Γ(x)Γ,pc⊢x:=declassify⁡(e)\frac{p c \sqsubseteq \Gamma(x)}{\Gamma, p c \vdash x:=\operatorname{declassify}(e)}Γ,pc⊢x:=declassify(e)pc⊑Γ(x)

Considering Timing: hiding timing leaks

Cross-copy low slices = dummy instructions (like skip sequences) in each branch that so that both take an equal amount of time - means number of instructions per branch must be equal.

Γ⊢e:ℓΓ,ℓ⊔pc⊢c1Γ,ℓ⊔pc⊢c2c1∼c2Γ,pc⊢ifethenc1elsec2\frac{\Gamma \vdash e: \ell \quad \Gamma, \ell \sqcup p c \vdash c_{1} \quad \Gamma, \ell \sqcup p c \vdash c_{2} \quad \textcolor{pink}{c_1 \sim c_2}}{\Gamma, p c \vdash \text { if } e \text { then } c_{1} \text {else } c_{2}}Γ,pc⊢ifethenc1elsec2Γ⊢e:ℓΓ,ℓ⊔pc⊢c1Γ,ℓ⊔pc⊢c2c1∼c2

The guard must be low and the entire instruction must be checked under a low $pc$ . We don't want different looping times based on the guard.

Γ⊢e:LΓ,ℓ⊔pc⊢cΓ,L⊢whileedoc\frac{\Gamma \vdash e: \textcolor{pink}L \quad \Gamma, \ell \sqcup p c \vdash c}{\Gamma, \textcolor{pink}L \vdash \text { while } e \text { do } c}Γ,L⊢whileedocΓ⊢e:LΓ,ℓ⊔pc⊢c