Security Type Checking for MILS-AADL Specifications · Security Type Checking for MILS-AADL...

Security Type Checking forMILS-AADL Specifications

Kevin van der Pol, Thomas Noll

MILS Workshop Amsterdam – January 20, 2015

Kevin van der Pol, Thomas Noll | MILS Workshop Amsterdam – January 20, 2015 0/25

Security Type Checking for MILS-AADL Specifications

trusted untrusted

cryptocontroller

(confidential) (public)

I Cryptographic controller [Rus92]I Placed between trusted system and untrusted networkI Declassifies confidential informationI Goal: verify its security

Motivation

trusted untrusted

cryptocontroller

I Cryptographic controller [Rus92]

I Placed between trusted system and untrusted networkI Declassifies confidential informationI Goal: verify its security

Motivation

trusted untrusted

cryptocontroller

I Cryptographic controller [Rus92]I Placed between trusted system and untrusted network

I Declassifies confidential informationI Goal: verify its security

Motivation

trusted untrusted

cryptocontroller

I Cryptographic controller [Rus92]I Placed between trusted system and untrusted networkI Declassifies confidential information

I Goal: verify its security

Motivation

trusted untrusted

cryptocontroller

I Cryptographic controller [Rus92]I Placed between trusted system and untrusted networkI Declassifies confidential informationI Goal: verify its security

Motivation

1 MILS-AADL specifications

2 Non-interference

3 Type checking

4 Conclusion

Table of Contents

2 Non-interference

3 Type checking

4 Conclusion

MILS-AADL specifications

Table of Contents

crypto controller

Crypto controller

crypto controller

split merge

bypass

crypto

Crypto controller

crypto controller

split merge

bypass

crypto

Crypto controller

crypto controller

split merge

bypass

crypto

Crypto controller

system cryptocontroller(

Syntax

inframe: in (int L, int H) (0,0)outframe: out (int L, enc int H L) (0, encrypt(0, k0))

Syntax

inframe: in (int L, int H) (0,0)outframe: out (int L, enc int H L) (0, encrypt(0, k0))system split(. . . )system bypass(. . . )system merge(. . . )system crypto(

inpayload: in int H 0outpayload: out enc int H L encrypt(0, k0)k: key L k0

Syntax

)connection (split.payload, crypto.inpayload)

connection (crypto.outpayload, merge.payload)

inpayload: in int H 0outpayload: out enc int H L encrypt(0, k0)k: key L k0

Syntax

)connection (split.payload, crypto.inpayload)

connection (crypto.outpayload, merge.payload)

inpayload: in int H 0outpayload: out enc int H L encrypt(0, k0)k: key L k0m: initial mode Lm-[then outpayload:=encrypt(inpayload,k)]->m

Syntax

Case Grammar

Level σ ::= H | LBasic type t ::= int | bool | enc τSecurity type τ ::= t σ | key σ

Expression e ::= n | x | e⊕ eSystem S ::= system s(S∗ P ∗ C∗ V ∗ M∗ T ∗)Port P ::= p : (in | out)(event σ | data τ e)Connection C ::= ([s.]p, [s.]p)Variable V ::= x : τ eMode M ::= m : [initial] mode σTransition T ::= m -[ [p] [when e] [then x := e] ]->m′

Syntax

Case Grammar

System S ::= system s(S∗ P ∗ C∗ V ∗ M∗ T ∗)Port P ::= p : (in | out)(event σ | data τ e)Connection C ::= ([s.]p, [s.]p)Variable V ::= x : τ eMode M ::= m : [initial] mode σTransition T ::= m -[ [p] [when e] [then x := e] ]->m′

Syntax

Case Grammar

Port P ::= p : (in | out)(event σ | data τ e)Connection C ::= ([s.]p, [s.]p)Variable V ::= x : τ eMode M ::= m : [initial] mode σTransition T ::= m -[ [p] [when e] [then x := e] ]->m′

Syntax

Case Grammar

Connection C ::= ([s.]p, [s.]p)Variable V ::= x : τ eMode M ::= m : [initial] mode σTransition T ::= m -[ [p] [when e] [then x := e] ]->m′

Syntax

Case Grammar

Variable V ::= x : τ eMode M ::= m : [initial] mode σTransition T ::= m -[ [p] [when e] [then x := e] ]->m′

Syntax

Case Grammar

Mode M ::= m : [initial] mode σTransition T ::= m -[ [p] [when e] [then x := e] ]->m′

Syntax

Case Grammar

Transition T ::= m -[ [p] [when e] [then x := e] ]->m′

Syntax

Case Grammar

Syntax

2 Non-interference

3 Type checking

4 Conclusion

Non-interference

Table of Contents

I Lattice of confidentiality levels

I This presentation: high and low (H v L)I Non-interference: low outputs not affected by high inputs

I When varying secret variables and ports, reachable values of publicvariables and ports are indistinguishable

Non-interference

I Lattice of confidentiality levelsI This presentation: high and low (H v L)

I Non-interference: low outputs not affected by high inputs

Non-interference

I Lattice of confidentiality levelsI This presentation: high and low (H v L)I Non-interference: low outputs not affected by high inputs

Non-interference

lowI When varying secret variables and ports, reachable values of public

variables and ports are indistinguishable

Non-interference

I Explicit data flow

I physical connection from high to low portsI low := high

I Implicit data flow

I data leak through control flowI if high then low := 1 else low := 2 endif

Non-interference

Unwanted data flows

I Explicit data flowI physical connection from high to low ports

I low := highI Implicit data flow

Non-interference

Unwanted data flows

I Explicit data flowI physical connection from high to low portsI low := high

Non-interference

Unwanted data flows

Non-interference

Unwanted data flows

I Implicit data flowI data leak through control flow

I if high then low := 1 else low := 2 endif

Non-interference

Unwanted data flows

I Implicit data flowI data leak through control flowI if high then low := 1 else low := 2 endif

Non-interference

Unwanted data flows

I Abstract encryption function

I Encryption breaks traditional non-interference

I Public ciphertexts do depend on confidential contents!

I Encryption non-deterministically calculates a ciphertext from a setI Look at sets of possibilitiesI Naive approach: all ciphertexts are indistinguishableI Cannot distinguish calculating new ciphertext or re-using same one

I low1 := encrypt(v,k); low2 := low1

Non-interference

Possibilistic non-interference

I Abstract encryption functionI Encryption breaks traditional non-interference

Non-interference

I Encryption non-deterministically calculates a ciphertext from a set

I Look at sets of possibilitiesI Naive approach: all ciphertexts are indistinguishableI Cannot distinguish calculating new ciphertext or re-using same one

Non-interference

I Encryption non-deterministically calculates a ciphertext from a setI Look at sets of possibilities

I Naive approach: all ciphertexts are indistinguishableI Cannot distinguish calculating new ciphertext or re-using same one

Non-interference

I Encryption non-deterministically calculates a ciphertext from a setI Look at sets of possibilitiesI Naive approach: all ciphertexts are indistinguishable

I Cannot distinguish calculating new ciphertext or re-using same one

Non-interference

I Indistinguishability equivalence .= on ciphertexts [AHS08]

I safe usageI prevent implicit flow

I Realistic for common encryption classes (IND-CPA, INT-PTXT) [Lau08]I Possibilistic non-interference

Non-interference

I safe usage

I prevent implicit flow

Non-interference

I Realistic for common encryption classes (IND-CPA, INT-PTXT) [Lau08]

I Possibilistic non-interference

Non-interference

si si soso

oddeven

si si soso

oddeven

si si soso

oddeven

Non-interference

Non-interference non-compositionality

oddsiso

si si soso

oddeven

si si soso

oddeven

si si soso

oddeven

si si soso

oddeven

Non-interference

oddsiso

si si soso

oddeven

si si soso

oddeven

si si soso

oddeven

si si soso

oddeven

oddsiso

si si soso

oddeven

si si soso

oddeven

si si soso

oddeven

si si soso

oddeven

Non-interference

oddsiso

si si soso

oddeven

si si soso

oddeven

si si soso

oddeven

si si soso

oddeven

oddsiso

si si soso

oddeven

si si soso

oddeven

si si soso

oddeven

si si soso

oddeven

Non-interference

non-determinism

e. . .

Non-interference

Restrictions

non-determinism branching on secrets

e. . .

Non-interference

Restrictions

secret-Zeno

e. . .

Non-interference

Restrictions

secret-Zeno

e. . .

public output from

secret region

Non-interference

Restrictions

2 Non-interference

3 Type checking

4 Conclusion

Type checking

Table of Contents

I T : local variables and data ports→ declared type

I Modes and event ports get a confidentiality levelI Type rules in context of TI Goal: type each subsystem, connection and transition

Theorem

If the system is typable, it is non-interfering

Type checking

I T : local variables and data ports→ declared typeI Modes and event ports get a confidentiality level

I Type rules in context of TI Goal: type each subsystem, connection and transition

Theorem

Type checking

I T : local variables and data ports→ declared typeI Modes and event ports get a confidentiality levelI Type rules in context of T

I Goal: type each subsystem, connection and transition

Theorem

Type checking

I T : local variables and data ports→ declared typeI Modes and event ports get a confidentiality levelI Type rules in context of TI Goal: type each subsystem, connection and transition

Theorem

Type checking

Theorem

Type checking

Theorem

Type checking

Case Type rule

Basic types T ` n : int L T ` b : bool L

Variable T (x) = τ

T ` x : τ

OperatorT ` e1 : t1 σ1 T ` e2 : t2 σ2 ⊕ : t1 × t2 → t

T ` e1 ⊕ e2 : t (σ1 t σ2)

EncryptionT ` e1 : τ T ` e2 : key L

T ` encrypt(e1, e2) : enc τ L

DecryptionT ` e1 : enc τ σ T ` e2 : key H

T ` decrypt(e1, e2) : τσ

Type checking

Types of expressions

system crypto(

inpayload: int H 0outpayload: out enc int H L encrypt(0, k0)k: key L k0m: initial mode Lm-[then outpayload:=encrypt(inpayload,k)]->m

I Type of encrypt(inpayload,k)?

T (inpayload) = int H

T ` inpayload : int H

T (k) = key L

T ` k : key L

T ` encrypt(inpayload,k) : enc int H L

Type checking

Types of expressions

I If τe <: τx, assignment x:=e is validI Traditional type safetyI Confidentiality restriction

Case Subtype rule

Basic types σ v σ′int σ <: int σ′

σ v σ′bool σ <: bool σ′

key σ <: key σ

Encryption τ <: τ ′ σ v σ′enc τ σ <: enc τ ′ σ′

Type checking

Subtyping

Case Subtype rule

key σ <: key σ

Type checking

Subtyping

Case Subtype rule

key σ <: key σ

Type checking

Subtyping

system crypto(

I Is outpayload:=encrypt(inpayload,k) valid?

(let τ abbreviate enc int H L)

T (outpayload) = τ

T ` outpayload : τ

(Before)T ` encrypt(inpayload,k) : τ τ <: τ

T ` outpayload:=encrypt(inpayload,k) : τ

Type checking

Subtyping

system crypto(

I Is outpayload:=encrypt(inpayload,k) valid?(let τ abbreviate enc int H L)

T (outpayload) = τ

T ` outpayload : τ

Type checking

Subtyping

system crypto(

I Is outpayload:=encrypt(inpayload,k) valid?(let τ abbreviate enc int H L)

T (outpayload) = τ

T ` outpayload : τ

Type checking

Subtyping

Case Type rule

Transition

T ` p : τpT ` g : τg τx <: τe lvl(τx) v σT ` x : τx lvl(m) v lvl(τp) σ v lvl(τp)T ` e : τe lvl(m) v lvl(τx) σ v lvl(τg)

T ` m -[ p when g then x := e ]->m′ : σ

I Effect is well typedI No public outputs from secret region (mode)I Guard or event high→ transition highI No public outputs from secret region (transition)

Type checking

Type of transitions

Case Type rule

Transition

Type checking

Type of transitions

Case Type rule

Transition

I Effect is well typed

I No public outputs from secret region (mode)I Guard or event high→ transition highI No public outputs from secret region (transition)

Type checking

Type of transitions

Case Type rule

Transition

I Effect is well typedI No public outputs from secret region (mode)

I Guard or event high→ transition highI No public outputs from secret region (transition)

Type checking

Type of transitions

Case Type rule

Transition

I Effect is well typedI No public outputs from secret region (mode)I Guard or event high→ transition high

I No public outputs from secret region (transition)

Type checking

Type of transitions

Case Type rule

Transition

Type checking

Type of transitions

system crypto(

I Is the transition well typed?

I Effect is well typed: XI No public outputs from secret region (mode): XI Guard or event high→ transition high: XI No public outputs from secret region (transition): X

I All subsystems and connections trivially well typedI crypto system is non-interfering

Type checking

Example

system crypto(

I Is the transition well typed?I Effect is well typed: X

I No public outputs from secret region (mode): XI Guard or event high→ transition high: XI No public outputs from secret region (transition): X

Type checking

Example

system crypto(

I Is the transition well typed?I Effect is well typed: XI No public outputs from secret region (mode): X

I Guard or event high→ transition high: XI No public outputs from secret region (transition): X

Type checking

Example

system crypto(

I Is the transition well typed?I Effect is well typed: XI No public outputs from secret region (mode): XI Guard or event high→ transition high: X

I No public outputs from secret region (transition): X

Type checking

Example

system crypto(

I Is the transition well typed?I Effect is well typed: XI No public outputs from secret region (mode): XI Guard or event high→ transition high: XI No public outputs from secret region (transition): X

Type checking

Example

system crypto(

I All subsystems and connections trivially well typed

I crypto system is non-interfering

Type checking

Example

system crypto(

Type checking

Example

2 Non-interference

3 Type checking

4 Conclusion

Conclusion

Table of Contents

I AADL variant with cryptographic primitives

I Automatic verification for possibilistic non-interferenceI Future work: soundness proof, implementation, type inference

Conclusion

I AADL variant with cryptographic primitivesI Automatic verification for possibilistic non-interference

I Future work: soundness proof, implementation, type inference

Conclusion

I AADL variant with cryptographic primitivesI Automatic verification for possibilistic non-interferenceI Future work: soundness proof, implementation, type inference

Conclusion

Aslan Askarov, Daniel Hedin, and Andrei Sabelfeld,Cryptographically-masked flows, Theor. Comput. Sci. 402 (2008),no. 2-3, 82–101.

Peeter Laud, On the computational soundness of cryptographicallymasked flows, Proceedings of the 35th ACM SIGPLAN-SIGACTSymposium on Principles of Programming Languages, POPL 2008,San Francisco, California, USA, January 7-12, 2008, 2008,pp. 337–348.

John Rushby, Noninterference, transitivity, and channel-controlsecurity policies, Tech. Report SRI-CSL-92-2, Computer ScienceLaboratory, SRI International, Menlo Park, CA, December 1992.

Bibliography

Security Type Checking for MILS-AADL Specifications · Security Type Checking for MILS-AADL...

Documents

Contract-Based Verification of MILS-AADL Models

m~ssiah - AADL

LondonP ilharnl - AADL

Cleveland Octet - AADL

Volunteer Handbook - AADL

m~ssiQh - AADL

Lynn Harrell - AADL

Song Recital - AADL

Pianist - AADL

Aulos Ensemble - AADL

LAURA - AADL

ADVERTIHIW KATES. - AADL

FlexPak Product Matrix - Avery Dennison...48 ga. metallized PET/Adh/1.5 Mil LLDPE film Total Construction Caliper 2.60 mils 2.60 mils 2.60 mils 2.60 mils 2.00 mils Printability / Ink

rgus eyes - AADL

Berlin Ballet - AADL

Efoe - AADL

Oakland Ballet - AADL

Till - AADL

Isaac Stern - AADL

Chanticleer - AADL