Information Flow Control

10 Dec 2013

Kurt Stenzel, Kuzman Katkalov

Overview

1. Motivation
2. Multi-level Security
3. Noninterference
4. Language-based IFC with type systems
5. Language-based IFC with PDGs
6. Application to mobile Apps
7. IFlow: Model-driven Development of Systems with Secure Information Flow

Information Flow Control

2

Mobile Devices

- GPS
- attitude and acceleration sensor
- compass
- address book
- contacts
- calendar
- passwords
- credit card
- online banking

Privacy in the Mobile Age

- June 2010: "iPad app transmits login data in the clear"
- Aug. 2010: "Leaky Apps"
- Oct. 2010: "TaintDroid detects sneaky Android Apps"
- Nov. 2010: "More Security Flaws in Banking Apps"
- Dec. 2010: "Your Apps are Watching You"

Privacy in the Mobile Age

- Feb. 2011: "Snooping Apps"
- Apr. 2011: "iPhone Stored Location in Test Even if Disabled"
- May 2011: "Personal Firewall for Android"
- Aug. 2011: "Accelerometer used to log smartphone keystrokes"

Privacy today

- Feb. 2012: "Path uploads your entire iPhone address book to its servers"
- June 2012: "Researchers devise hack that sneaks Android malware into Google market"
- June 2012: "LinkedIn iOS app gathers and transmits user calendar data"
- October 2012: "PlaceRaider: Virtual Theft in Physical Spaces with Smartphones"
- December 2012: "Zitmo Botnet Steals $47 Million"

Your apps are watching you - Pandora

Pandora: personalized online radio for music streaming. (Figure: the application reads personal information from the device and sends this information to third parties.)

S. Thurm and Y. Kane. Your apps are watching you. Wall Street Journal, http://online.wsj.com, 2010.

A Typical Android App

Permissions it needs:
- take pictures and videos
- coarse (network-based) location
- fine (GPS) location
- full Internet access
- read phone state and identity
- control flashlight
- view network state
- prevent tablet from sleeping / prevent phone from sleeping
- disable or modify status bar
- modify/delete USB storage contents / modify/delete SD card contents

What it does: Flashlight XL Deluxe Bright Edition™

Facebook (2011)

Dec. 2011: Facebook glitch gave access to other users' private pictures

Privacy in the Mobile Age

Today's reality: everybody stores personal and confidential data on
- personal computers
- mobile phones
- servers (in the cloud)
- web applications (social networks)

Also today's reality: this information is leaked to villains and misused for
- advertising
- espionage

Current threats:
- apps for mobile phones
- Facebook apps

What went wrong?

Why Information Flow Control?

Problem: applications accidentally or intentionally allow the publication of sensitive data.

Introducing security policies for information flow control:
- enforce that confidential data is not published (confidentiality)
- enforce that data is changed by trusted entities only (integrity)

Protection for
- the developer against introducing information leaks
- the user against using malicious software

Information Flow Control

Information flow in apps, services, ...

Control is necessary for
- private data (e.g. CreditCardNumber or PIN 1234)
- derived information (e.g. rebmuNdraCtiderC or 2345)

(Figure: a phone app annotated with [credit card number] and [search query].)

Overview: 2. Multi-level Security

Bell-LaPadula

- developed in 1973 for multi-user computers
- formalizes the US DoD multilevel security policy
- information (object) is classified (security domain)
- subjects are assigned a clearance level (security domain)

Levels, from highest to lowest: Top Secret, Secret, Confidential, Unclassified

Properties:
- no read-up: a subject may not read objects classified above its clearance
- no write-down: a subject may not write objects classified below its clearance

Problem: too restricted for "normal" applications

Overview: 3. Noninterference

Noninterference

(Figure: a System box with High Input and High Output on one side and Low Input and Low Output on the other; High Actions and Low Actions are the two kinds of events acting on the system.)

- information/actions have security domains (e.g. High, Low)
- an IF policy can be expressed by interference or noninterference relations between domains (e.g. Low may interfere with High, but High may not interfere with Low)
- security domains form a lattice
- a system is secure if it satisfies the IF policy

Noninterference definition

Define noninterference with a "purge" function that deletes from a trace every action whose domain may not interfere with the observer's domain; the system is noninterferent if the observer's output is the same for the original and for the purged trace.

Intuitively: a low observer cannot know whether high actions have happened or not, i.e. she cannot distinguish the two traces.
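The purge-based definition above, worked out on a toy system as an added example (this is not code from the deck): one Low action (tick) and one High action (set_secret), the policy "Low may interfere with High, High may not interfere with Low" encoded as an interference relation, and a bounded enumeration that compares the Low observer's output on every short trace with the output on the purged trace. The action names, the transition function and the two output functions are constructed for the example; leaky_view deliberately breaks the property, safe_view satisfies it.

```python
"""Goguen-Meseguer noninterference checked by enumerating short traces (added example)."""
from itertools import product

HIGH, LOW = "High", "Low"

# Interference relation of the policy: Low may interfere with High, High may not
# interfere with Low; every domain interferes with itself.
INTERFERES = {(LOW, LOW), (HIGH, HIGH), (LOW, HIGH)}

# Constructed toy system: action names and their domains.
DOMAIN = {"tick": LOW, "set_secret": HIGH}
ACTIONS = tuple(DOMAIN)
INIT = {"ticks": 0, "secret": 0}

def step(state, action):
    """Deterministic transition function of the toy system."""
    s = dict(state)
    if action == "set_secret":
        s["secret"] = 1
    elif action == "tick":
        s["ticks"] += 1
    return s

def run(trace):
    s = INIT
    for a in trace:
        s = step(s, a)
    return s

def purge(trace, observer):
    """Drop every action whose domain may not interfere with the observer's domain."""
    return tuple(a for a in trace if (DOMAIN[a], observer) in INTERFERES)

def leaky_view(state, observer):
    """Low output that (accidentally) includes the secret bit: violates the policy."""
    return state["ticks"] + state["secret"] if observer == LOW else dict(state)

def safe_view(state, observer):
    """Low output that depends on Low actions only."""
    return state["ticks"] if observer == LOW else dict(state)

def find_violation(view, observer=LOW, max_len=4):
    """First trace (shortest first) on which the observer's output differs from the
    output on its purged trace, or None if none exists up to max_len. This is a
    bounded check over traces, not a proof for all traces."""
    for n in range(max_len + 1):
        for trace in product(ACTIONS, repeat=n):
            if view(run(trace), observer) != view(run(purge(trace, observer)), observer):
                return trace
    return None

if __name__ == "__main__":
    print("leaky system, first violating trace:", find_violation(leaky_view))
    print("safe system, first violating trace:", find_violation(safe_view))
```

The enumeration is the trace-level definition applied literally; it can only refute noninterference for traces up to the chosen length. Proving it for all traces is what the unwinding theorems on the next slide are for: they reduce the trace property to conditions on single actions and states.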


Noninterference proofs

- many noninterference models exist, e.g. Goguen/Meseguer, Rushby, Sutherland, McCullough, McLean, Mantel, van der Meyden, ...
- for confidentiality & integrity
- transitive & intransitive noninterference
- compositional verification with "unwinding" theorems:
  - conditions that have to hold for all states, actions and domains
  - proofs consider single actions, not traces

Declassification

- Problem: sometimes confidential information should be released anyway (in a controlled manner)
- declassification, intransitive noninterference
- only after review / confirmation / filtering / encryption ...

(Figure: a downgrading channel across the levels Top Secret, Secret, Confidential, Unclassified.)

Overview: 4. Language-based IFC with type systems

Information flow in programs

Does this also work for programs? Yes:
- define security domains for variables/fields
- Noninterference: the values of low variables do not depend on (the values of) high variables.

Examples (high has domain High, low has domain Low):

    low = high + 3;        // explicit flow from high to low: insecure
    high = low;            // flow from low to high: secure

    low = high;
    low = 0;               // low is overwritten: its final value does not depend on high

    if (high == 0)
        low = 0;
    else
        low = 1;           // implicit flow: low reveals whether high == 0

    low = x;
    x = high;              // secure: x receives high data only after low has been assigned

    x1 = high;
    x2 = x1;
    low = x2;              // insecure: high reaches low via x1 and x2

Volpano-Smith

Idea:
- variables have security domains
- extend security domains to expressions and statements
- define an information flow type check

If the program IF type checks, then the values of low variables do not depend on high values.

IF type checking rules

- Expression e1 + e2: dom(e1) ≤ dom(e1 + e2) and dom(e2) ≤ dom(e1 + e2)
- Assignment x := e: dom(e) ≤ dom(x) and dom(x := e) ≤ dom(x)
- Sequential s1; s2: dom(s1; s2) ≤ dom(s1) and dom(s1; s2) ≤ dom(s2)
- If (e) s1 else s2: dom(e) ≤ dom(s1) and dom(e) ≤ dom(s2) and dom(if (e) s1 else s2) ≤ dom(e)
- while, ...: analogous to if

Here the domain of a statement is a lower bound on the domains of the variables it assigns; the rule for if therefore requires that the guard's domain dom(e) does not exceed the domain of anything written inside either branch, which is what rules out implicit flows.

Properties of the type check

- The IF type check is correct (sound): if the program IF type checks, then the values of low variables do not depend on high values.
- The IF type check is not complete: there are programs without illegal information flow that do not type check.
- IF types can be derived by type inference or by explicit annotation by the programmer.
- Type inference/checking can become undecidable.

Jif (Java + information flow)

- security-typed extension of Java based on the Decentralized Label Model
- IF type check (static via the Jif compiler & dynamic via the Jif runtime)
- supports confidentiality, integrity and declassification
- security types: labels composed of principals

    int {Owner->Alice} high = 1;
    int {Owner->Alice,Bob} low = 2;

    high = low;    // allowed: {Owner->Alice,Bob} flows to the more restrictive {Owner->Alice}
    low = high;    // rejected: Bob would become a reader of Alice-only data

[Myers et al., Cornell University]

Anatomy of a label {Owner->Alice,Bob; Owner<-Alice}:
- Owner: the class holding the authority of Owner is able to declassify this data
- Alice,Bob: reader principals defining the confidentiality of this data; information is only allowed to flow to more restrictively labeled program statements/variables (e.g. {Owner->Alice})
- Owner<-Alice: the corresponding integrity policy (Owner trusts data written by Alice)
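The label ordering behind the high = low / low = high example, as an added example that is not Jif's implementation: a small model of DLM confidentiality labels with the may-flow relation ("flows only to more restrictively labeled" variables), the join that gives an expression's label, and an authority-checked declassify. Integrity policies such as Owner<-Alice are left out; the principal names Owner, Alice, Bob, User, PCreditCardCenter and receiver are taken from the deck, and release_ccd is a hypothetical mirror of the two declassification steps in the releaseCCD method on the following slide.

```python
"""Decentralized Label Model (DLM) confidentiality labels, as used by Jif (added example).
A label is a dict owner -> set of readers: {"Owner": {"Alice", "Bob"}} stands for the Jif
label {Owner->Alice,Bob}. Integrity policies ({o<-w}) are not modelled here."""

def readers(label, owner):
    """Effective reader set of `owner`'s policy in `label`; an owner always reads its own data."""
    return set(label[owner]) | {owner}

def may_flow(src, dst):
    """src ⊑ dst (dst is at least as restrictive): every owner of src also owns a policy in
    dst, and that policy admits no reader that src's policy excludes."""
    return all(o in dst and readers(dst, o) <= readers(src, o) for o in src)

def join(a, b):
    """Least upper bound: union of owners; for an owner present in both, only the readers
    both allow. This is the label of an expression such as e1 + e2."""
    out = {}
    for o in set(a) | set(b):
        out[o] = readers(a, o) & readers(b, o) if o in a and o in b else set((a if o in a else b)[o])
        out[o].discard(o)
    return out

def declassify(label, owner, new_readers, authority):
    """Relax `owner`'s policy to `new_readers`. Only code running with the authority of
    `owner` may do so (Jif's `where authority(...)` / `caller(...)` clauses)."""
    if owner not in authority:
        raise PermissionError(f"declassification needs the authority of {owner}")
    out = {o: set(r) for o, r in label.items()}
    out[owner] = set(new_readers)
    return out

# The two labels from the deck's example.
HIGH = {"Owner": {"Alice"}}            # int {Owner->Alice} high
LOW = {"Owner": {"Alice", "Bob"}}      # int {Owner->Alice,Bob} low

# Confidentiality part of the credit-card label {User->;PCreditCardCenter->} (integrity omitted).
CCD = {"User": set(), "PCreditCardCenter": set()}

def release_ccd(authority, receiver="receiver"):
    """Hypothetical mirror of releaseCCD: both owners' policies are relaxed to the receiver,
    which needs the authority of PCreditCardCenter and of the calling User."""
    step = declassify(CCD, "PCreditCardCenter", {receiver}, authority)
    return declassify(step, "User", {receiver}, authority)

if __name__ == "__main__":
    print("high = low allowed:", may_flow(LOW, HIGH))   # True
    print("low = high allowed:", may_flow(HIGH, LOW))   # False
    print("released label:", release_ccd({"User", "PCreditCardCenter"}))
```

may_flow is the compile-time check; declassify is the only way to move against it, and the authority check is what turns "who may declassify" into an enforceable constraint rather than a convention.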

Jif code (release of credit card details)

    public CreditCardData{User->receiver;PCreditCardCenter->receiver;User<-}
        releaseCCD{User->;User<-}(principal{User->;User<-} receiver)
        where authority(PCreditCardCenter), caller(User)
    {
        // ask the user (through the UI) whether the details may be released to receiver
        boolean confirmed = ui == null ? false : ui.confirmDeclassification(ccd, receiver);

        // declassify confirmation for receiver
        boolean confirmed_decl = declassify(confirmed,
            {confirmed} to {User->receiver;User<-});

        CreditCardData ccd_decl = null;

        // in order to declassify for receiver,
        // the condition must be readable for receiver
        if (confirmed_decl)
            ccd_decl = declassify(ccd,
                {User->;PCreditCardCenter->;User<-} to
                {User->receiver;PCreditCardCenter->receiver;User<-});

        return ccd_decl;
    }

Overview: 5. Language-based IFC with PDGs

PDGs

- PDG = Program Dependence Graph = Control Dependence Graph (CDG) + Data Dependence Graph (DDG)
- CDG: an edge from X to Y means that it depends on X whether Y is executed or not
- DDG: an edge from X to Y means that Y reads a variable that is assigned in X

IFC with PDGs

- There exists an information flow from X (source) to Y (sink) iff there exists a path from X to Y in the PDG.
- For variables h, l: mark all nodes where h is read as sources, and all nodes where l is assigned as sinks.
- With methods: extension to the System Dependence Graph (SDG).

(Figure: PDG of an example program with nodes marked high and low.)

Joana

- developed in Karlsruhe (KIT, Snelting et al.)
- static IFC for Java byte code based on PDGs & SDGs
- improvements with path conditions etc.
- nodes marked as sources/sinks with security levels from a user-defined lattice
- automatic security level inference for non-marked nodes
- support for confidentiality & declassification
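Both language-based analyses side by side on one toy while-language, as an added example that is neither the deck's nor Jif's or Joana's code: a Volpano-Smith type check following the rules of the type-system section (assignment, sequence, if and while, with a pc domain for implicit flows) and a PDG built from control and data dependences with source/sink reachability as described above for Joana. ENV (the assumed variable domains), the tuple encoding of statements and the two extra programs (x = high; x = 0; low = x and the while loop) are assumptions of the example; the other programs are the ones from the "Information flow in programs" slide.

```python
"""Toy while-language IFC: Volpano-Smith type check beside PDG reachability (added example)."""
L, H, RANK = "L", "H", {"L": 0, "H": 1}           # two-point lattice, L below H

def join(*doms):
    return max(doms, key=RANK.get, default=L)

# Statements: ("assign", x, reads) | ("if", reads, then_block, else_block) | ("while", reads, body)
# `reads` is the set of variables an expression mentions; dom(e1 + e2) is the join of the
# operand domains, so that set is all either analysis needs.
def dom_expr(reads, env):
    return join(*(env[v] for v in reads))

def typechecks(block, env, pc=L):
    """Volpano-Smith: x := e is allowed iff dom(e) ⊔ pc ≤ dom(x), pc being the join of the
    enclosing guards (that is what rejects implicit flows through if/while)."""
    for stmt in block:
        if stmt[0] == "assign":
            if RANK[join(dom_expr(stmt[2], env), pc)] > RANK[env[stmt[1]]]:
                return False
        else:                                    # if/while: the guard raises pc for the bodies
            guard = join(pc, dom_expr(stmt[1], env))
            if not all(typechecks(b, env, guard) for b in stmt[2:]):
                return False
    return True

def build_nodes(block, pdg):
    """Pre-pass: one PDG node per assignment or if/while predicate; nested blocks as id lists."""
    nodes, edges, ids = pdg[0], pdg[1], []
    for stmt in block:
        n, pred = len(nodes), stmt[0] != "assign"
        nodes.append({"target": None if pred else stmt[1], "reads": set(stmt[1] if pred else stmt[2]),
                      "loop": stmt[0] == "while", "blocks": []})
        edges[n] = set()
        if pred:                                 # children are numbered after their predicate
            nodes[n]["blocks"] = [build_nodes(b, pdg) for b in stmt[2:]]
        ids.append(n)
    return ids

def merge(*defs):
    """Union of reaching-definition maps, used where control-flow paths meet."""
    return {v: set().union(*(d.get(v, ()) for d in defs)) for v in set().union(*defs)}

def add_deps(pdg, ids, defs, ctrl):
    """Flow-sensitive pass: `defs` maps a variable to the nodes that may have defined it. Adds
    DDG edges d -> n (n reads a variable defined at d) and CDG edges ctrl -> n (the enclosing
    predicate decides whether n runs). Returns the definitions reaching the end of `ids`."""
    nodes, edges = pdg
    defs = dict(defs)
    def link_reads(n):
        for v in nodes[n]["reads"]:
            for d in defs.get(v, ()):
                edges[d].add(n)
    for n in ids:
        node = nodes[n]
        if ctrl is not None:
            edges[ctrl].add(n)
        link_reads(n)
        if node["target"] is not None:
            defs[node["target"]] = {n}           # an assignment kills earlier definitions
        elif node["loop"]:
            while True:                          # iterate: body definitions flow around the loop
                merged = merge(defs, add_deps(pdg, node["blocks"][0], defs, n))
                if merged == defs:
                    break
                defs = merged
                link_reads(n)                    # the guard re-reads the body's definitions
        else:
            defs = merge(*(add_deps(pdg, b, defs, n) for b in node["blocks"]))
    return defs

def pdg_leaks(block, high, low):
    """Joana-style check: is a node assigning `low` reachable from a node reading `high`?"""
    nodes, edges = [], {}
    add_deps((nodes, edges), build_nodes(block, (nodes, edges)), {}, None)
    sinks = {n for n, nd in enumerate(nodes) if nd["target"] == low}
    seen, todo = set(), [n for n, nd in enumerate(nodes) if high in nd["reads"]]
    while todo:                                  # reachability from the sources
        n = todo.pop()
        if n not in seen:
            seen.add(n)
            todo.extend(edges[n])
    return bool(seen & sinks)

ENV = {"high": H, "low": L, "x": L, "x1": H, "x2": H}   # assumed domains of the variables

def asg(x, *reads):
    return ("assign", x, set(reads))

PROGRAMS = {                                     # the deck's slide examples plus two extra ones
    "low = high + 3": [asg("low", "high")],
    "high = low": [asg("high", "low")],
    "low = high; low = 0": [asg("low", "high"), asg("low")],
    "if (high == 0) low = 0 else low = 1": [("if", {"high"}, [asg("low")], [asg("low")])],
    "low = x; x = high": [asg("low", "x"), asg("x", "high")],
    "x1 = high; x2 = x1; low = x2": [asg("x1", "high"), asg("x2", "x1"), asg("low", "x2")],
    "x = high; x = 0; low = x": [asg("x", "high"), asg("x"), asg("low", "x")],
    "while (high > 0) high = high - 1; low = 1": [("while", {"high"}, [asg("high", "high")]), asg("low")],
}

def analyse(name):
    """Return (type check passes?, PDG finds a high -> low flow?) for one of the programs above."""
    return typechecks(PROGRAMS[name], ENV), pdg_leaks(PROGRAMS[name], "high", "low")
```

Running analyse over PROGRAMS shows the difference the comparison slide is about: the type check rejects low = x; x = high and x = high; x = 0; low = x although neither leaks (the incompleteness noted in the type-system section), while the flow-sensitive PDG accepts both because the definition of x that reaches the sink never carries high data. Both reject the implicit flow through if, since the predicate node reading high has control edges to both assignments of low. Both accept the while program: as written here, neither analysis treats the number of iterations, which depends on high, as a channel, so they are termination-insensitive.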

Comparison

Jif:
- complex, unusable for beginners
- security level inference is lacking (Travel Planner: over 100 annotations needed)
- offers additional functionality: ownership (a constraint on the who-dimension of declassification), dynamic type checking & data integrity

Joana:
- annotation of sink/source nodes only (Travel Planner: same annotations as in the abstract model)
- analysis of Java (bytecode)
- in active development
- in some cases too precise

Overview: 6. Application to mobile Apps

Example: Travel Planner App

- Credit card details (What) are sent only after confirmation (When) and only to the airline/hotel (Who).
- Private calendar entries (What) are not visible to the Travel Planner App (Who).

Travel planner app on the mobile:
- developed by a travel agency
- access to offers via the agency
- booking directly with the airline/hotel
- the agency gets a commission
- integration of the calendar and credit card apps on the mobile

(Figure: numbered message flow, steps 1 to 5, between the apps, the agency and the airline/hotel; Calendar App: Add appointment.)

Travel Planner App

IF properties for the travel planner

- Noninterference: "The travel agency never learns my credit card details."
- where: "Only the CreditCardCenter may release credit card details."
- when: "Credit card details are transmitted only after I have confirmed the booking."
- what: "The travel agency only learns that I booked a journey (and that my credit card details are valid)."

Overview: 7. IFlow: Model-driven Development of Systems with Secure Information Flow

    public OK bookFlightOffer(BookFlightOffer inmsg) {
        int id = inmsg.id;
        CreditCardData ccd_decl = inmsg.ccd;    // credit card data as received in the (already declassified) message
        Manual.processBooking(id, ccd_decl);    // processing is implemented in the Manual class
        return new OK();
    }

The IFlow Approach

(Figure: the UML model is transformed into a formal model; code generation produces a Code Skeleton (Java), which becomes Java Code by implementation and Android Code by adding a wrapper.)