Stateful Declassification Policies for Event-Driven Programs
Transcript of Stateful Declassification Policies for Event-Driven Programs
M. Vanhoef, W. De Groef, D. Devriese, F. Piessens, T. Rezk
CSF 2014
Observation
“The browser is the new OS”
But… browser security?
XSS
Firefox: no protection
Previous work offers protection against this!
What are we protecting?
Event-driven (reactive) programs:
All inputs to the program are events
Output is produced using API calls
Private input, public output
Currently: Noninterference
$I \approx_L I' \Rightarrow O \approx_L O'$
$I \approx_L I'$: inputs equal after high input is removed
$O \approx_L O'$: low outputs identical
Security levels: H (private) and L (public)
Enforce using Secure Multi-Execution (SME):
Secure
Precise
Implemented in FlowFox
With proper policy, attack is blocked!
Keys pressed, but request blocked
The problem…
Noninterference is too strict!
Examples:
Leak only occurrence of key presses?
Leak specific shortcut keys only?
Leak approximate location (mouse, GPS)?
Example: online slideshow
Uses arrow keys to navigate
We need declassification support!
Our Contributions
Declassification in untrusted programs
Policy specification
SME enforcement
Implementation in FlowFox
Policy specification
What does the policy define?
“The info leaked to public observers”
We consider two cases:
1. Leaking approximate information about one event
2. Leaking aggregate or statistical info over several events
Policy specification
How to formally specify both cases?
Using a functional, declarative program.
On each input, define the (new) public info.
Leaking over one event: (1) Event projection
Leaking over several events: (2) Information release
1. Event projection
Leaks info about one event (stateless):
π ev n = Nothing | Project n′
Nothing: event not visible to low observers
Project n′: low observers can depend on (ev n′)
Other events project to Nothing
Generalizes security labels:
Low event: π ev n = Project n
High event: π ev n = Nothing
And separation of content and presence:
Only presence: π ev n = Project 0
Must be idempotent to guarantee precision:
π (π ev n) = π (ev n), reading Project n′ as the event ev n′
In line with the idea of removing sensitive info!
2. Information release
Leaks info about multiple events (stateful):
r s (ev n) = (s′, Unchanged | Release n′)
s, s′: old and new state
Release n′: low observers can depend on n′
Unchanged: no new info released
Can specify type and initial value of the state:
State :: Bool = False
Released value is put on a release channel
Enforcement mechanism can obtain latest released value
2. Info release: example
Leak if a shortcut key was used at least once
State :: Bool = False
Release function r:
Updated noninterference
Noninterference (old):
$I \approx_L I' \Rightarrow O \approx_L O'$
$\mathcal{D}^*(I)$ = all info low observers can depend on according to policy $\mathcal{D}$
Noninterference with declassification:
$\mathcal{D}^*(I) = \mathcal{D}^*(I') \Rightarrow O \approx_L O'$
$\mathcal{D}^*(I) = \mathcal{D}^*(I')$: inputs equal according to policy $\mathcal{D}$
$O \approx_L O'$: low outputs identical
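The two policy functions for the slideshow example, and the view D*(I) they induce on an input trace, as an added worked example in JavaScript (this is not code from the paper or from FlowFox). It assumes an encoding of browser events as objects { ev, n }, the four arrow keys as the keys the slideshow navigates on, and Escape and F5 as the shortcut keys for the "used at least once" release policy; all of these are assumptions of the example, not of the paper.

```javascript
// Added example (not the paper's or FlowFox's code): the two kinds of
// declassification policy from the slides, written as pure functions.
// Assumed event encoding: { ev: 'KeyPress', n: 'ArrowRight' }.

const Nothing = { tag: 'Nothing' };
const Project = (n) => ({ tag: 'Project', n });
const Unchanged = { tag: 'Unchanged' };
const Release = (n) => ({ tag: 'Release', n });

const ARROW_KEYS = new Set(['ArrowLeft', 'ArrowRight', 'ArrowUp', 'ArrowDown']);
const SHORTCUT_KEYS = new Set(['Escape', 'F5']); // assumed shortcut keys

// 1. Event projection (stateless). Arrow keys are projected with their value
// (the slideshow navigates on them), mouse clicks are treated as low events and
// projected unchanged, every other event (typed text) projects to Nothing.
function project(event) {
  if (event.ev === 'KeyPress' && ARROW_KEYS.has(event.n)) return Project(event.n);
  if (event.ev === 'MouseClick') return Project(event.n);
  return Nothing;
}

// Idempotence check pi(pi(ev n)) = pi(ev n), reading Project n' as the event ev n'.
function isIdempotent(event) {
  const once = project(event);
  if (once.tag === 'Nothing') return true;
  const twice = project({ ev: event.ev, n: once.n });
  return twice.tag === 'Project' && twice.n === once.n;
}

// 2. Information release (stateful), State :: Bool = False.
// Releases `true` the first time a shortcut key is pressed, then stays Unchanged:
// low observers learn that a shortcut was used at least once, never which or how often.
const initialState = false;
function release(state, event) {
  if (!state && event.ev === 'KeyPress' && SHORTCUT_KEYS.has(event.n)) {
    return [true, Release(true)];
  }
  return [state, Unchanged];
}

// D*(I): everything a low observer may depend on for input trace I under the
// policy (project, release): projected events and released values, in order.
function dStar(trace) {
  let state = initialState;
  const view = [];
  for (const event of trace) {
    const p = project(event);
    if (p.tag === 'Project') view.push(`${event.ev}:${JSON.stringify(p.n)}`);
    const [next, r] = release(state, event);
    state = next;
    if (r.tag === 'Release') view.push(`release:${JSON.stringify(r.n)}`);
  }
  return view;
}

// Noninterference with declassification compares inputs by D*(I) = D*(I').
function policyEquivalent(traceA, traceB) {
  return JSON.stringify(dStar(traceA)) === JSON.stringify(dStar(traceB));
}

// Constructed sample traces: different typed text and different shortcut usage
// after the first one, but identical arrow keys and "shortcut used at least once".
const traceA = [
  { ev: 'KeyPress', n: 'p' }, { ev: 'KeyPress', n: 'ArrowRight' },
  { ev: 'KeyPress', n: 'Escape' }, { ev: 'KeyPress', n: 'Escape' },
];
const traceB = [
  { ev: 'KeyPress', n: 'q' }, { ev: 'KeyPress', n: 'ArrowRight' },
  { ev: 'KeyPress', n: 'F5' }, { ev: 'KeyPress', n: 'x' },
];
```

Both constructed traces have the same view, ['KeyPress:"ArrowRight"', 'release:true'], so policyEquivalent(traceA, traceB) holds and any low output that differs between them is a leak the policy does not allow; a trace with the same arrow key but no shortcut press has a different view and may legitimately produce different low output. Note that dStar records a released value only when the release function says Release, so the second Escape in traceA and the typed letters never enter the view.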
Our Contributions
Declassification in untrusted programs
Policy specification
SME enforcement
Implementation in FlowFox
Secure Multi-Execution (SME)
Runs a copy for each security level:
Program (H): receives both low and high inputs, only its high outputs are kept
Program (L): receives only low inputs, produces the low outputs
SME example: high input
KeyPress ‘e’ is a high input: it is delivered to the high run only, the low run never sees it
SME example: low input
MouseClick 10 is a low input: it is delivered to both the low run and the high run
Declassification in SME?
Projections generalize security labellings!
The input is delivered unchanged to Program (H); Program (L) receives π(input) instead of only the low-labelled events
Information release?
The release function is evaluated by the enforcement mechanism (SME state), not by the untrusted program
Open question: how does Program (L) get access to the release channel?
Using annotations
Important remarks:
Annotations are treated as untrusted; security does not depend on them (hence an attacker cannot abuse them).
They are only used to ensure precision!
Idea: browser vendor sets default policies, motivating programmers to use annotations.
Declassification in SME
Properties:
Security: OK!
Precision for projections: OK!
Full precision is harder to obtain:
The program must run under the expected policy
All leaks must happen through annotations
Projections are powerful!
Our Contributions
Declassification in untrusted programs
Policy specification
SME enforcement
Implementation in FlowFox
Revealing occurrence
Keylogger in Chrome (no protection):
Keylogger in FlowFox (policy):
Keylogger in FlowFox (attack blocked):
Leak approximate info
Imagine mouse tracking software:
Mouse tracking under FlowFox (policy):
Mouse tracking under FlowFox (high output):
Mouse tracking under FlowFox (low output):
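How SME enforces such a policy on an untrusted event handler, as an added example in JavaScript that is not code from the paper or from FlowFox. It models the mouse-tracking demo above and the enforcement mechanism from the SME slides: a constructed tracker script reports exact cursor coordinates and its own click counter to a tracking URL, and is run once without protection and once under a two-copy SME with a projection that coarsens coordinates to a 100 pixel grid and a release function that publishes the click count on every third click. The event encoding, the tracker URL, the grid size, the `send`/`display`/`released` API and the choice to update the release channel before delivering each event are all assumptions of the example.

```javascript
// Added example (not the paper's or FlowFox's code): secure multi-execution with
// declassification, applied to a constructed mouse-tracking script.
// Assumed API: api.send(url) is a low (network) output, api.display(text) is a
// high (screen) output, api.released() is the annotation giving the program
// access to the latest value on the release channel.

const Nothing = { tag: 'Nothing' };
const Project = (n) => ({ tag: 'Project', n });
const Unchanged = { tag: 'Unchanged' };
const Release = (n) => ({ tag: 'Release', n });

const GRID = 100; // assumed grid size for the approximate location
const TRACKER = 'https://tracker.example/log'; // assumed tracker URL

// Policy: approximate cursor position per event (projection), click count only
// as an aggregate released on every third click (stateful release).
const mousePolicy = {
  initialState: 0, // State :: Int = 0, number of clicks so far
  project(event) {
    if (event.ev === 'MouseMove') {
      const x = Math.floor(event.n.x / GRID) * GRID;
      const y = Math.floor(event.n.y / GRID) * GRID;
      return Project({ x, y });
    }
    return Nothing; // clicks and everything else are invisible to the low run
  },
  release(state, event) {
    if (event.ev !== 'MouseClick') return [state, Unchanged];
    const count = state + 1;
    return count % 3 === 0 ? [count, Release(count)] : [count, Unchanged];
  },
};

// The untrusted program, as a factory so that each SME copy gets its own state.
function makeTracker() {
  let clicks = 0;
  return function onEvent(event, api) {
    if (event.ev === 'MouseClick') {
      clicks += 1;
      api.display('clicks so far: ' + clicks);
    }
    if (event.ev === 'MouseMove') {
      let url = `${TRACKER}?x=${event.n.x}&y=${event.n.y}&clicks=${clicks}`;
      const r = api.released(); // annotation: read the release channel
      if (r !== undefined) url += '&released=' + r;
      api.send(url);
    }
  };
}

// No protection: a single copy, every API call is executed.
function runDirect(makeProgram, trace) {
  const sent = [], shown = [];
  const program = makeProgram();
  const api = { send: (u) => sent.push(u), display: (t) => shown.push(t), released: () => undefined };
  for (const event of trace) program(event, api);
  return { sent, shown };
}

// SME with declassification: the high copy sees the real event and keeps only
// its high outputs; the low copy sees pi(event), or nothing, and keeps only its
// low outputs. The release channel is driven by the policy, never by the
// program, so the annotation cannot widen the leak.
function runSME(makeProgram, policy, trace) {
  const lowOut = [], highOut = [];
  const high = makeProgram(), low = makeProgram();
  let state = policy.initialState;
  let released; // latest value on the release channel
  const api = (level, out) => ({
    send: (url) => { if (level === 'L') out.push(url); },
    display: (text) => { if (level === 'H') out.push(text); },
    released: () => released,
  });
  for (const event of trace) {
    const [next, r] = policy.release(state, event); // assumed: channel updated first
    state = next;
    if (r.tag === 'Release') released = r.n;
    high(event, api('H', highOut));
    const p = policy.project(event);
    if (p.tag === 'Project') low({ ev: event.ev, n: p.n }, api('L', lowOut));
  }
  return { lowOut, highOut };
}

// Constructed trace: a move, three clicks, another move.
const sampleTrace = [
  { ev: 'MouseMove', n: { x: 137, y: 842 } },
  { ev: 'MouseClick', n: 1 }, { ev: 'MouseClick', n: 1 }, { ev: 'MouseClick', n: 1 },
  { ev: 'MouseMove', n: { x: 152, y: 861 } },
];
```

Without protection the two requests carry the exact coordinates and the program's own click counter (x=137 and clicks=3 on the second request). Under SME the only requests that leave the browser come from the low copy, which saw grid-aligned coordinates and no click events at all, so its counter stays at 0; the click count reaches the network only as the value the policy placed on the release channel. Deleting the api.released() call from the tracker changes nothing about security, only about what the low copy can still compute, which is the precision argument from the annotation slides.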
Questions?