Stateful Declassification Policies

for Event-Driven Programs

M. Vanhoef, W. De Groef, D. Devriese, F. Piessens, T. Rezk

CSF 2014

Observation

“The browser is the new OS”

2

But… browser security?

3

XSS

Firefox: no protection

4

Previous work(s) offer protection against this!

What are we protecting?

5

Event-driven (reactive) programs:

All inputs to the program are events

Output is produced using API calls

What are we protecting?

6

Event-driven (reactive) programs:

All inputs to the program are events

Output is produced using API calls

Public output Private input

Currently: Noninterference

7

𝐼 ≈𝐿 𝐼′ → 𝑂 ≈𝐿 𝑂′

Equal after high

input removed low output identical

Security levels: H (private) and L (public)

Enforce using Secure Multi Execution (SME)

Secure

Precise

Implemented in FlowFox

8

With proper policy, attack is blocked!

Keys pressed, but request blocked

The problem…

9

Noninterference is too strict!

Examples:

Leak only occurrence of key presses?

Leak specific shortcut keys only?

Leak approximate location (mouse, GPS)?

Example: online slideshow

10

Uses arrow keys to navigate:

We need declassification support!

Our Contributions

11

Declassification in untrusted programs

Policy specification

SME enforcement

Implementation in FlowFox

Policy specification

What does the policy define?

“The info leaked public observers”

We consider two cases:

1. Leaking approximate information about one event

2. Leaking aggregate or statistical info over several events

12

Policy specification

How to formally specify both cases?

Using a functional, declarative program.

On each input, define the (new) public info.

13

Leaking over one event Leaking over several events

(1) Event projection (2) Information release

1. Event projection

14

Leaks info about one event (stateless):

π ev n = Nothing | Project n′

Nothing : Event not visible to low observers

ev n′ : Low observers can depend on (ev n′)

Other events project to Nothing

1. Event projection

15

Leaks info about one event (stateless):

π ev n = Nothing | Project n′

Generalizes security labels:

Low event: 𝜋 𝑒𝑣 𝑛 = Project 𝑛

High event: 𝜋 𝑒𝑣 𝑛 = Nothing

And separation of content and presence:

Only presence: 𝜋 𝑒𝑣 𝑛 = Project 0

1. Event projection

16

Leaks info about one event (stateless):

π ev n = Nothing | Project n′

Must be idempotent to guarantee precision:

𝜋(𝜋 𝑒𝑣 𝑛 ) = 𝜋(𝑒𝑣 𝑛)

In line with the idea of removing sensitive info!

2. Information release

17

Leaks info about multiple events (stateful):

𝑟 𝑠, 𝑒𝑣 𝑛 = 𝑠′, Unchanged | Release 𝑛′

𝑠, 𝑠′: old and new state

Release 𝑛′: low observers can depend on 𝑛′

Unchanged: no new info released

2. Information release

18

Leaks info about multiple events (stateful):

𝑟 𝑠, 𝑒𝑣 𝑛 = 𝑠′, Unchanged | Release 𝑛′

Can specify type and initial value of the state:

State :: Bool = False

Released value is put on a release channel

Enforcement mechanism can obtain latest released value

2. Info release: example

19

Leak if shotcut key was used at least once

State :: Bool = False

Release function 𝑟:

Updated noninterference

20

Noninterference (old):

𝐼 ≈𝐿 𝐼′ → 𝑂 ≈𝐿 𝑂′

𝒟∗ 𝐼 = all info low observers can depend

on according to policy 𝒟

Noninterference with declassification:

𝒟∗ 𝐼 = 𝒟∗ 𝐼′ → 𝑂 ≈𝐿 𝑂′

Equal according to policy 𝒟 Low outputs identical

Our Contributions

21

Declassification in untrusted programs

Policy specification

SME enforcement

Implementation in FlowFox

Secure Multi Execution (SME)

Runs a copy for each security level:

Low

High High

Low

Program (H)

Program (L)

22

SME Example: high input

Low run

KeyPress ‘e’

High run

23

SME Example: high input

Low run

KeyPress ‘e’

High run

24

SME Example: high input

Low run

KeyPress ‘e’

High run

25

SME Example: low input

Low run

High run

MouseClick 10

26

SME Example: low input

Low run

High run

MouseClick 10

27

SME Example: low input

Low run

High run

MouseClick 10

28

SME Example: low input

Low run

High run

MouseClick 10

29

SME Example: low input

Low run

High run

MouseClick 10

30

Declassification in SME?

31

Projections generalize security labellings!

Low

High High

Low

Program (H)

Program (L)

Declassification in SME?

32

Low

High

Input Program (H)

𝜋 Program (L)

Projections generalize security labellings!

Declassification in SME?

33

Information release?

Low

High

Input Program (H)

𝜋 Program (L)

Declassification in SME?

34

Information release?

Low

High

Input Program (H)

𝜋 Program (L)

SME state

Declassification in SME?

35

Information release?

Low

High

Input Program (H)

𝜋

?

Program (L)

SME state

Access to release channel

36

Using annotations

Important remarks:

Annotations are seen as untrusted, security does not depend on them (hence attacker cannot abuse them).

Only used to assure precision!

Idea: browser vendor sets default policies, motivating programmers to use annotates.

Declassification in SME

37

Properties:

Security: OK!

Precision for projections: OK!

Full precision more tedious:

Program must run under expected policy

All leaks should happen through annotations

Projections are powerful!

Our Contributions

38

Declassification in untrusted programs

Policy specification

SME enforcement

Implementation in FlowFox

Revealing Occurrence

39

Keylogger in chrome (no protection):

Revealing Occurrence

40

Keylogger in FlowFox (policy):

Revealing Occurrence

41

Keylogger in FlowFox (attack blocked):

Leak approximate info

42

Imagine mouse tracking software:

Leak approximate info

43

Imagine mouse tracking software:

Leak approximate info

44

Mouse tracking under FlowFox (policy):

Leak approximate info

45

Mouse tracking under FlowFox (high output):

Leak approximate info

46

Mouse tracking under FlowFox (low output):

Questions?