Steve Zdancewic ESOP01 1

Secure Information Flow and CPS

Steve Zdancewic Joint work with Andrew Myers

Cornell University

Valuable Data On-line

• Internet and Connectivity
  – banks/brokerage firms
  – e-mail services
  – applets, plugins, etc.
  – …

• Creates problem of protection

Protect It!

• Confidentiality
  – Data doesn't escape
  – Does my accounting software transmit my private information?

• Integrity
  – Trustworthiness of data
  – Does my accounting software use “bad” information to compute taxes?

Information Flow

• Policies on information

• End-to-End
  – Once data is released to a program, must ensure that policy is obeyed.

• Need static analysis

Security-Typed Languages

• Statically enforce security policies in an extended type system
  – Smith & Volpano [SVI96, SV98, ...]
  – Heintze & Riecke [HR98, ABHR99]
  – Myers [ML97, My99, ...]
  – Sabelfeld & Sands [SS99, SS00]
  – Pottier & Conchon [PC00, ...]

Noninterference

"Low-security behavior of the program is not affected by any high-security data." Goguen & Meseguer 1982

[Figure: two runs of the same program. Inputs (H1, L1) produce outputs (H2, L2); inputs (H3, L1) produce outputs (H4, L2). The low output L2 is identical in both runs, so the low observer L learns nothing about the high input.]

Our Goal

• Study information flow in a rich language
  – Higher-order functions
  – State

• Noninterference proof

Continuation Passing Style

• Useful representation of low-level code
  – verify output of the compiler.

• Main complication: explicit control and interaction with effects

Outline

• Motivating Example
• Problem with Naïve CPS translation
• Ordered Linear Continuations
• Wrap up

Security Types

• A lattice L of labels
  – order: L ⊑ H
  – join: L ⊔ H = H

• Types have labels: intH or boolL

Example

                          // pc:L
if0 (x:intH){
  y := 1; // y:intH       // pc:H
} else {
  y := 2;                 // pc:H
}
                          // pc:L
z := 3; // z:intL

PC Label

• Side-effects are bounded by PC label.

  x : s ref      e : r      pc : p      (p ⊔ r) ⊑ s
  ---------------------------------------------------
                        x := e

What about functions?

• Effects inside a function must also be bounded by PC label.

  f : r      e :      pc : p      p ⊑ r
  ---------------------------------------
                   f(e)

Naive CPS

let k = λ(). z := 3; //z:intH                          // pc:H
if0 (x:intH){ y := 1; k(); } else { y := 2; k(); }     // pc:H

Linear Continuations

let k = λ(). z := 3; //z:intH
if0 (x:intH){ y := 1; k(); } else { y := 2; k(); }

k is used linearly!
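As an added example (not the slides' or the paper's own formal system), a small label-inference routine for the toy language above: it covers the pc-label rule for assignments on the direct-style program, and then the naive versus linear treatment of the continuation k. The tuple encoding of statements, the two-point lattice and the choice to infer labels rather than check declared ones are assumptions of the example.

```python
ORDER = {'L': 0, 'H': 1}                  # two-point lattice, L below H

def join(a, b):
    return a if ORDER[a] >= ORDER[b] else b

def count_calls(stmts, k):
    """Per-path number of calls to k; linear use means exactly {1}."""
    counts = {0}
    for s in stmts:
        if s[0] == 'call' and s[1] == k:
            counts = {c + 1 for c in counts}
        elif s[0] == 'if0':
            counts = {c + t for c in counts
                      for t in count_calls(s[2], k) | count_calls(s[3], k)}
    return counts

def infer(stmts, pc, env, conts, linear):
    """Infer each variable's label (env) as the join of all assigned labels
    and the pc. Naive CPS (linear=False) checks a continuation body under
    the pc of every call site, like any function. Linear CPS (linear=True)
    checks it once, at the pc where it was introduced: sound only because
    a linear continuation runs exactly once, after the branches rejoin."""
    for i, s in enumerate(stmts):
        if s[0] == 'assign':                  # ('assign', x, label of rhs)
            env[s[1]] = join(env.get(s[1], 'L'), join(pc, s[2]))
        elif s[0] == 'if0':                   # ('if0', guard label, then, else)
            inner = join(pc, s[1])            # pc is raised inside the branches
            infer(s[2], inner, env, conts, linear)
            infer(s[3], inner, env, conts, linear)
        elif s[0] == 'letk':                  # ('letk', k, body): k() runs body
            conts[s[1]] = s[2]
            if linear:
                if count_calls(stmts[i + 1:], s[1]) != {1}:
                    raise ValueError(f'{s[1]} is not used linearly')
                infer(s[2], pc, env, conts, linear)
        elif s[0] == 'call' and not linear:   # ('call', k)
            infer(conts[s[1]], pc, env, conts, linear)
    return env

# Constructed encodings of the two programs on the slides: 'H' is the label
# of the guard x, 'L' the label of the literal constants.
DIRECT = [('if0', 'H', [('assign', 'y', 'L')], [('assign', 'y', 'L')]),
          ('assign', 'z', 'L')]
CPS = [('letk', 'k', [('assign', 'z', 'L')]),
       ('if0', 'H', [('assign', 'y', 'L'), ('call', 'k')],
                    [('assign', 'y', 'L'), ('call', 'k')])]

def labels(prog, linear=False):
    return infer(prog, 'L', {}, {}, linear)   # start at pc:L, empty env
```

labels(DIRECT) gives y:H and z:L; labels(CPS) (naive) pushes z up to H because k runs under pc:H, while labels(CPS, linear=True) restores z:L, and a program that calls k on only one path is rejected as non-linear.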

Main Idea

• Use linear continuations to express the control-flow properties of the source language via types

• But...not quite enough

Order of Evaluation

• The order in which the continuations are invoked is also important!

• Can observe the order via side effects

• So...ordered linear continuations

What Are They?

• Linear continuations: First-class postdominators of control flow graph

• Ordered linear continuations: Encode the control stack

Target CPS Language

• Includes regular continuations and ordered linear continuations

• Careful manipulation of context:

| kn,…,k1 [pc] e

Ordered list encodes stack

Page 28: Steve Zdancewic ESOP011 Secure Information Flow and CPS Steve Zdancewic Joint work with Andrew Myers Cornell University

Steve Zdancewic ESOP01 28

Noninterference

If x:H | [L] e : intL and, for any v1, v2 : H,

  (M, e{v1/x}) →* (M1, n1)
  (M, e{v2/x}) →* (M2, n2)

then M1 and M2 are L-equivalent (they agree on all L-labelled locations) and n1 = n2.

Page 29: Steve Zdancewic ESOP011 Secure Information Flow and CPS Steve Zdancewic Joint work with Andrew Myers Cornell University

Steve Zdancewic ESOP01 29

Results

• Formalize ordered linear continuations in the type system

• Prove that the CPS language enjoys noninterference
  – Proof hinges on ordering property
  – First proof for such a rich language

• Expressive enough as a target


Other Connections

• Linearity of control also plays a role in security-typed versions of the π-calculus. [Honda et al.]

• Linear control is interesting in its own right