Information Flow Policies Research Articles

Specifying and Verifying Information Flow Control in SELinux Configurations

Security Enhanced Linux (SELinux) is a security architecture for Linux implementing Mandatory Access Control. It has been used in numerous security-critical contexts ranging from servers to mobile devices. However, its application is challenging as SELinux security policies are difficult to write, understand, and maintain. Recently, the intermediate language CIL was introduced to foster the development of high-level policy languages and to write structured configurations. Despite CIL’s high level features, CIL configurations are hard to understand as different constructs interact in non-trivial ways. Moreover, there is no mechanism to ensure that a given configuration obeys desired information flow policies. To remedy this, we enrich CIL with a formal semantics, and we propose IFCIL, a backward compatible extension of CIL for specifying fine-grained information flow requirements. Using IFCIL, administrators can express confidentiality, integrity, and non-interference properties. We also provide a tool to statically verify these requirements and we experimentally assess it on ten real-world policies.

Adversities in Abstract Interpretation - Accommodating Robustness by Abstract Interpretation

Robustness is a key and desirable property of any classifying system, in particular, to avoid the ever-rising threat of adversarial attacks. Informally, a classification system is robust when the result is not affected by the perturbation of the input. This notion has been extensively studied, but little attention has been dedicated to how the perturbation affects the classification. The interference between perturbation and classification can manifest in many different ways, and its understanding is the main contribution of the present article. Starting from a rigorous definition of a standard notion of robustness, we build a formal method for accommodating the required degree of robustness—depending on the amount of error the analyst may accept on the classification result. Our idea is to precisely model this error as an abstraction . This leads us to define weakened forms of robustness also in the context of programming languages, particularly in language-based security, e.g., information-flow policies, and in program verification. The latter is possible by moving from a quantitative (standard) model of perturbation to a novel qualitative model, given by means of the notion of abstraction. As in language-based security, we show that it is possible to confine adversities, which means to characterize the degree of perturbation (and/or the degree of class generalization) for which the classifier may be deemed adequately robust. We conclude with an experimental evaluation of our ideas, showing how weakened forms of robustness apply to state-of-the-art image classifiers.

HyperATL*: A Logic for Hyperproperties in Multi-Agent Systems

Hyperproperties are system properties that relate multiple computation paths in a system and are commonly used to, e.g., define information-flow policies. In this paper, we study a novel class of hyperproperties that allow reasoning about strategic abilities in multi-agent systems. We introduce HyperATL*, an extension of computation tree logic with path variables and strategy quantifiers. Our logic supports quantification over paths in a system - as is possible in hyperlogics such as HyperCTL* - but resolves the paths based on the strategic choices of a coalition of agents. This allows us to capture many previously studied (strategic) security notions in a unifying hyperlogic. Moreover, we show that HyperATL* is particularly useful for specifying asynchronous hyperproperties, i.e., hyperproperties where the execution speed on the different computation paths depends on the choices of a scheduler. We show that finite-state model checking of HyperATL* is decidable and present a model checking algorithm based on alternating automata. We establish that our algorithm is asymptotically optimal by proving matching lower bounds. We have implemented a prototype model checker for a fragment of HyperATL* that can check various security properties in small finite-state systems.

Immutability and Encapsulation for Sound OO Information Flow Control

Security-critical software applications contain confidential information which has to be protected from leaking to unauthorized systems. With language-based techniques, the confidentiality of applications can be enforced. Such techniques are for example type systems that enforce an information flow policy through typing rules. The precision of such type systems, especially in object-oriented languages, is an area of active research: an appropriate system should not reject too many secure programs while soundly preserving noninterference. In this work, we introduce the language SIFO which supports information flow control for an object-oriented language with type modifiers. Type modifiers increase the precision of the type system by utilizing immutability and uniqueness properties of objects for the detection of information leaks. We present SIFO informally by using examples to demonstrate the applicability of the language, formalize the type system, prove noninterference, implement SIFO as a pluggable type system in the programming language L42, and evaluate it with a feasibility study and a benchmark.

A permission-carrying security policy and static enforcement for information flows in Android programs

To detect information leaks in Android programs, existing taint analysis approaches usually specify and enforce (statically or dynamically) the two-level information flow policy, represented by a lattice ({⊤,⊥},⊑) with ⊥⊑⊤. However, this policy leaves permissions (an access control mechanism built in the Android system) out of consideration, causing a too coarse-grained analysis result in some scenarios. In fact, the existing information flow controls should integrate permissions to develop a more refined flow policy. Following this intuition, in this paper, we propose a permission-carrying secure information flow policy and accomplish a static enforcement mechanism for this policy. We first devise a small language to capture typical features of Android programs. On this base, we define the permission-carrying security policy using a subset lattice of permissions, and offer a group of rules to certify the security of information flows. Secondly, we implement a static enforcement mechanism for this policy, which allows us to detect potential insecure information flows by analysing programs in component-level. To illustrate the usefulness of this policy, we further examine two typical security threats, confused deputy and collusive data leaks, as the running cases to show how to detect security attacks in our theoretical framework. The final experiment shows that our approach is effective and scalable for real-world apps. Compare with several leading tools, our approach is applicable to checking both intra-app and inter-app vulnerabilities, and achieves a more precise detection result due to the superiority of our fine-grained security policy.

Early SoCs Information Flow Policies Validation using SystemC-based Virtual Prototypes at the ESL

Virtual Prototypes (VPs) at the Electronic System Level (ESL) are being increasingly adopted by the semiconductor industry and play an important role in modernizing the System-on-Chips (SoCs) design flow to raise design productivity and reduce time-to-market constraints. Due to their early availability and significantly faster simulation speed in comparison to Register Transfer Level (RTL) designs, VPs are used as reference models for lower levels of abstraction. Leveraging VPs and extending their use-cases for early security validation are shown as a promising direction. As the cost of fixing any security flaws increases with the stage of development, VP-based security validation can significantly avoid costly iterations. In this paper, we present a novel VP-based dynamic information flow analysis approach at the ESL, consisting of three main phases which are run-time behavior extraction (in terms of transactions), transactions transformation, and security validation. The proposed approach empowers designers to validate the information flow policies of a given VP-based SoC against the most occurring security threat models which are information leakage (confidentiality) and unauthorized access to data in a memory (integrity). Experimental results including an extensive set of standard benchmarks and two real-world VP-based SoCs demonstrate the scalability and applicability of the proposed approach.

Detecting violations of access control and information flow policies in data flow diagrams

The security of software-intensive systems is frequently attacked. High fines or loss in reputation are potential consequences of not maintaining confidentiality, which is an important security objective. Detecting confidentiality issues in early software designs enables cost-efficient fixes. A Data Flow Diagram (DFD) is a modeling notation, which focuses on essential, functional aspects of such early software designs. Existing confidentiality analyses on DFDs support either information flow control or access control, which are the most common confidentiality mechanisms. Combining both mechanisms can be beneficial but existing DFD analyses do not support this. This lack of expressiveness requires designers to switch modeling languages to consider both mechanisms, which can lead to inconsistencies. In this article, we present an extended DFD syntax that supports modeling both, information flow and access control, in the same language. This improves expressiveness compared to related work and avoids inconsistencies. We define the semantics of extended DFDs by clauses in first-order logic. A logic program made of these clauses enables the automated detection of confidentiality violations by querying it. We evaluate the expressiveness of the syntax in a case study. We attempt to model nine information flow cases and six access control cases. We successfully modeled fourteen out of these fifteen cases, which indicates good expressiveness. We evaluate the reusability of models when switching confidentiality mechanisms by comparing the cases that share the same system design, which are three pairs of cases. We successfully show improved reusability compared to the state of the art. We evaluated the accuracy of confidentiality analyses by executing them for the fourteen cases that we could model. We experienced good accuracy.

Model-based configuration of access protection units for multicore processors in embedded systems

Multiprocessor system-on-chip platforms are becoming increasingly common in embedded systems. To facilitate a logical isolation of physically connected on-chip components, internal communication links of such platforms are often equipped with dedicated access protection units. When performed manually, the configuration of these units is both time-consuming and error-prone. Therefore, we present a model-based design methodology that allows designers to describe envisaged communication link transactions as well as the desired information flow policy in a platform-independent manner. After automatically verifying the consistency between specified transactions and the declared policy, the proposed toolchain delegates model instances to an extensible generation framework. This framework translates the envisaged transactions into configuration code for access protection units of particular platforms. We give a formal description of both the model and the verification procedure, describe the platform-specific generation framework, and evaluate the approach by applying it to an example scenario from the field of autonomous driving.

Proof-Carrying Hardware-Based Information Flow Tracking in Analog/Mixed-Signal Designs

Information flow tracking (IFT) is a widely used methodology for ensuring data confidentiality and/or integrity in electronic systems and many such methods have been developed at various software or hardware description levels. Among them, Proof-Carrying Hardware Intellectual Property (PCHIP) introduced an IFT methodology for digital hardware designs described in hardware description languages (HDLs). However, it is not only the digital domain that suffers from the risk of inadvertent information leakage. Indeed, analog signals originating from sources of sensitive information such as biometric sensors, as well as analog circuit outputs could also carry confidential information. Moreover, analog circuits are equally susceptible as their digital counterparts to malicious modifications, known as hardware Trojans, which could introduce covert channels for leaking such confidential information. Furthermore, in analog/mixed-signal circuits, such information leakage channels may cross the analog/digital or digital/analog interface, making their detection even harder and, thereby, intensifying this security concern. As a solution, we introduce a PCHIP-based methodology which enables systematic formal evaluation of information flow policies in analog/mixed-signal designs. This solution can reason on analog designs described at the transistor-level or at the block-level, where an abstract model of the analog circuit is considered. Additionally, it can handle analog circuit models developed in Verilog-A or Verilog-AMS, thereby enabling the use of circuit models developed in these HDLs for IFT purposes. By integrating IFT across the digital and analog domains, the proposed solution is able to detect sensitive data leakage from the digital domain to the analog domain and vice-versa, without requiring any modification of the current analog/mixed-signal circuit design flow.

MLSNet: A Policy Complying Multilevel Security Framework for Software Defined Networking

Ensuring that information flowing through a network is secure from manipulation and eavesdropping by unauthorized parties is an important task for network administrators. Many cyber attacks rely on a lack of network-level information flow controls to successfully compromise a victim network. Once an adversary exploits an initial entry point, they can eavesdrop and move laterally within the network (e.g., scan and penetrate internal nodes) to further their malicious goals. In this article, we propose a novel multilevel security (MLS) framework to enforce a secure inter-node information flow policy within the network and therein vastly reduce the attack surface available to an adversary who has penetrated it. In contrast to prior work on multilevel security in computer networks which relied on enforcing the policy at network endpoints, we leverage the centralization of software-defined networks (SDNs) by moving the task to the controller and providing this service transparently to all network nodes. Our framework, MLSNet , formalizes the generation of a policy compliant network configuration (i.e., set of flow rules on the SDN switches) as network optimization problems, with the objectives of (1) maximizing the number of flows satisfying all security constraints and (2) minimizing the security cost of routing any remaining flows to guarantee availability. We demonstrate that MLSNet can securely and efficiently route flows that satisfy the security constraints and route the remaining flows with a minimal security cost (e.g., route >85% of flows, where the heuristic achieves 89% and 87% of the optimal solutions for the optimization problems).

Synthesis from hyperproperties

We study the reactive synthesis problem for hyperproperties given as formulas of the temporal logic HyperLTL. Hyperproperties generalize trace properties, i.e., sets of traces, to sets of sets of traces. Typical examples are information-flow policies like noninterference, which stipulate that no sensitive data must leak into the public domain. Such properties cannot be expressed in standard linear or branching-time temporal logics like LTL, CTL, or hbox {CTL}^*. Furthermore, HyperLTL subsumes many classical extensions of the LTL realizability problem, including realizability under incomplete information, distributed synthesis, and fault-tolerant synthesis. We show that, while the synthesis problem is undecidable for full HyperLTL, it remains decidable for the exists ^*, exists ^*forall ^1, and the {{ linear }};forall ^* fragments. Beyond these fragments, the synthesis problem immediately becomes undecidable. For universal HyperLTL, we present a semi-decision procedure that constructs implementations and counterexamples up to a given bound. We report encouraging experimental results obtained with a prototype implementation on example specifications with hyperproperties like symmetric responses, secrecy, and information flow.

Tool Support for Confidentiality-by-Construction

In many software applications, it is necessary to preserve confidentiality of information. Therefore, security mechanisms are needed to enforce that secret information does not leak to unauthorized users. However, most language-based techniques that enable information flow control work post-hoc, deciding whether a specific program violates a confidentiality policy. In contrast, we proposed in previous work a refinement-based approach to derive programs that preserve confidentiality-by-construction. This approach follows the principles of Dijkstra's correctness-by-construction. In this extended abstract, we present the implementation and tool support of that refinement-based approach allowing to specify the information flow policies first and to create programs in a simple while language which comply to these policies by construction. In particular, we present the idea of confidentiality-by-construction using an example and discuss the IDE C-CorC supporting this development approach.

Security validation of VP-based SoCs using dynamic information flow tracking

Abstract Modern System-on-Chips (SoCs) are notoriously insecure. Hence, the fundamental security feature of IP isolation is heavily used, e. g., secured Memory Mapped IOs (MMIOs), or secured address ranges in case of memories, are marked as non-accessible. One way to provide strong assurance of security is to define isolation as information flow policy in hardware using the notion of non-interference. Since, an insecure hardware opens up the door for attacks across the entire system stack (from software down to hardware), the security validation process should start as early as possible in the SoC design cycle, i. e. at Electronic System Level (ESL). Hence, in this paper we propose the first dynamic information flow analysis at ESL. Our approach allows to validate the run-time behavior of a given SoC implemented using Virtual Prototypes (VPs) against security threat models, such as information leakage (confidentiality) and unauthorized access to data in a memory (integrity). Experiments show the applicability and efficacy of the proposed method on various VPs including a real-world system.

LWeb: information flow security for multi-tier web applications

This paper presents LWeb, a framework for enforcing label-based, information flow policies in database-using web applications. In a nutshell, LWeb marries the LIO Haskell IFC enforcement library with the Yesod web programming framework. The implementation has two parts. First, we extract the core of LIO into a monad transformer (LMonad) and then apply it to Yesod’s core monad. Second, we extend Yesod’s table definition DSL and query functionality to permit defining and enforcing label-based policies on tables and enforcing them during query processing. LWeb’s policy language is expressive, permitting dynamic per-table and per-row policies. We formalize the essence of LWeb in the λ LWeb calculus and mechanize the proof of noninterference in Liquid Haskell. This mechanization constitutes the first metatheoretic proof carried out in Liquid Haskell. We also used LWeb to build a substantial web site hosting the Build it, Break it, Fix it security-oriented programming contest. The site involves 40 data tables and sophisticated policies. Compared to manually checking security policies, LWeb imposes a modest runtime overhead of between 2% to 21%. It reduces the trusted code base from the whole application to just 1% of the application code, and 21% of the code overall (when counting LWeb too).

A derivation framework for dependent security label inference

Dependent security labels (security labels that depend on program states) in various forms have been introduced to express rich information flow policies. They are shown to be essential in the verification of real-world software and hardware systems such as conference management systems, Android Apps, a MIPS processor and a TrustZone-like architecture. However, most work assumes that all (complex) labels are provided manually, which can both be error-prone and time-consuming. In this paper, we tackle the problem of automatic label inference for static information flow analyses with dependent security labels. In particular, we propose the first general framework to facilitate the design and validation (in terms of soundness and/or completeness) of inference algorithms. The framework models label inference as constraint solving and offers guidelines for sound and/or complete constraint solving. Under the framework, we propose novel constraint solving algorithms that are both sound and complete. Evaluation result on sets of constraints generated from secure and insecure variants of a MIPS processor suggests that the novel algorithms improve the performance of an existing algorithm by orders of magnitude and offers better scalability.

Many-to-many information flow policies

Information flow techniques typically classify information according to suitable security levels and enforce policies that are based on binary relations between individual levels, e.g., stating that information is allowed to flow from one level to another. We argue that some information flow properties of interest naturally require coordination patterns that involve sets of security levels rather than individual levels: some secret information could be safely disclosed to a set of confidential channels of incomparable security levels, with individual leaks considered instead illegal; a group of competing agencies might agree to disclose their secrets, with individual disclosures being undesired, etc. Motivated by this, we study a semantic foundation for such properties based on causal models of computation. We propose a simple language for expressing information flow policies where the usual admitted flow relation between individual security levels is replaced by a relation between sets of security levels, thus allowing to capture coordinated flows of information. The flow of information is expressed in terms of causal dependencies and the satisfaction of a policy is defined with respect to an event structure that is assumed to capture the causal structure of system computations. We also preliminarily explore possibilities for practical applicability of our approach by focusing on systems specified as safe Petri nets, a formalism with a well-established causal semantics. We show how unfolding-based verification techniques for Petri nets can be adopted for solving the problem of checking policy satisfaction. • A policy language for controlling flows of information in concurrent systems. • Regulation of flows among sets of security levels instead of just individual levels. • A causality-based semantics, defined on event structures. • Expressivity and decidability properties of the semantics. • A verification technique for safe Petri nets, based on finite net unfoldings.

On transparent value-sensitive run-time monitoring for information flow policies

Run-time monitoring proves to be a successful mechanism for enforcing information flow policies. The main challenge, however, is to achieve transparency which generally demands that monitors should make as minimal changes to program executions as possible. We investigate the level of transparency a monitor can attain when it uses static and dynamic information about possible values of program variables. To study such value-sensitive monitors, we consider two paradigms of corrective enforcement that indeed formulate the ultimate transparency. Then, we propose a number of purely dynamic and hybrid value-sensitive monitors for some known noninterference policies. Although value sensitivity leads to more transparent monitors, it can hardly provide the ultimate transparency. This motivates us to give partial orders reflecting the level of transparency a monitor may achieve and to locate monitors on the proposed partial orders. It is shown that hybrid value-sensitive monitors can correctively enforce so-called termination-insensitive noninterference only if they can compute the set of possible values of certain variables. We also prove that such an ideal monitor is the only hybrid monitor, in the large class of monitors identified in this paper, that can be more transparent than purely dynamic monitors.

A secrecy-preserving language for distributed and object-oriented systems

In modern systems it is often necessary to distinguish between confidential (low-level) and non-confidential (high-level) information. Confidential information should be protected and not communicated or shared with low-level users. The non-interference policy is an information flow policy stipulating that low-level viewers should not be able to observe a difference between any two executions with the same low-level inputs. Only high-level viewers may observe confidential output. This is a non-trivial challenge when considering modern distributed systems involving concurrency and communication.The present paper addresses this challenge, by choosing language mechanisms that are both useful for programming of distributed systems and allow modular system analysis. We consider a general concurrency model for distributed systems, based on concurrent objects communicating by asynchronous methods. This model is suitable for modeling of modern service-oriented systems, and gives rise to efficient interaction avoiding active waiting and low-level synchronization primitives such as explicit signaling and lock operations. This concurrency model has a simple semantics and allows us to focus on information flow at a high level of abstraction, and allows realistic analysis by avoiding unnecessary restrictions on information flow between confidential and non-confidential data.Due to the non-deterministic nature of concurrent and distributed systems, we define a notion of interaction non-interference policy tailored to this setting. We provide two kinds of static analysis: a secrecy-type system and a trace analysis system, to capture inter-object and network level communication, respectively. We prove that interaction non-interference is satisfied by the combination of these analysis techniques. Thus any deviation from the policy caused by implicit information leakage visible through observation of network communication patterns, can be detected. The contribution of the paper lies in the definition of the notion of interaction non-interference, and in the formalization of a secrecy type system and a static trace analysis that together ensure interaction non-interference. We also provide several versions of a main example (a news subscription service) to demonstrate network leakage.

Thinging Machine Applied to Information Leakage

This paper introduces a case study that involves data leakage in a bank applying the so-called Thinging Machine (TM) model. The aim is twofold: (1) Presenting a systematic conceptual framework for the leakage problem that provides a foundation for the description and design of a data leakage system. (2) The aim in (1) is developed in the context of experimentation with the TM as a new methodology in modeling. The TM model is based on slicing the domain of interest (a part of the world) to reveal data leakage. The bank case study concentrates on leakage during internal operations of the bank. The leakage spots are exposed through surveying data territory throughout the bank. All streams of information flow are identified, thus points of possible leakage can be traced with appropriate evidence. The modeling of flow may uncover possible hidden points of leakage and provide a base for a comprehensive information flow policy. We conclude that a TM based on the Heideggerian notion of thinging can serve as a foundation for early stages of software development and as an alternative approach to the dominant object-orientation paradigm.

A Verified Capability-Based Model for Information Flow Security With Dynamic Policies

Formal verification of information flow security with dynamic policies of security-critical systems is a grand challenge. This paper presents the first effort to formally specify and verify a capability-based system model with dynamic information flow policies. We build a generic security model with dynamic security policies. In the security model, we define a set of information flow security properties and provide an inference framework for them. Based on the security model, we propose a system model for capability-based secure systems. The system model specifies critical events including system initialization, inter-domain communication, and capability management. We prove information flow security of the capability-based model by an unwinding theorem. Formal specification and security proof are carried out in the Isabelle/HOL theorem prover and could be applied to formally develop and verify the security of capability-based secure systems, such as separation kernels and secure hypervisors. To our knowledge, this is the first machine-checked proof of capability-based information security with dynamic policies.