A derivation framework for dependent security label inference

Authors:
Peixuan Li

Pennsylvania State University, USA

Pennsylvania State University, USA
View Profile

,
Danfeng Zhang

Pennsylvania State University, USA

Pennsylvania State University, USA
View Profile

Proceedings of the ACM on Programming Languages Volume 2 Issue OOPSLAArticle No.: 115pp 1–26https://doi.org/10.1145/3276485

Published:24 October 2018Publication History

Related Artifact: Replication Package: A Derivation Framework for Dependent Security Label Inference September 2018 software https://doi.org/10.1145/3276916

Proceedings of the ACM on Programming Languages

Abstract

Dependent security labels (security labels that depend on program states) in various forms have been introduced to express rich information flow policies. They are shown to be essential in the verification of real-world software and hardware systems such as conference management systems, Android Apps, a MIPS processor and a TrustZone-like architecture. However, most work assumes that all (complex) labels are provided manually, which can both be error-prone and time-consuming.

In this paper, we tackle the problem of automatic label inference for static information flow analyses with dependent security labels. In particular, we propose the first general framework to facilitate the design and validation (in terms of soundness and/or completeness) of inference algorithms. The framework models label inference as constraint solving and offers guidelines for sound and/or complete constraint solving. Under the framework, we propose novel constraint solving algorithms that are both sound and complete. Evaluation result on sets of constraints generated from secure and insecure variants of a MIPS processor suggests that the novel algorithms improve the performance of an existing algorithm by orders of magnitude and offers better scalability.

References

Alexander Aiken. 1999. Introduction to set constraint-based program analysis. Science of Computer Programming 35, 2-3 (1999), 79–111. Google ScholarDigital Library
Alexander Aiken, Edward L Wimmers, and TK Lakshman. 1994. Soft typing with conditional types. In Proceedings of the 21st ACM SIGPLAN-SIGACT symposium on Principles of programming languages. ACM, 163–173. Google ScholarDigital Library
Owen Arden, Michael D. George, Jed Liu, K. Vikram, Aslan Askarov, and Andrew C. Myers. 2012. Sharing Mobile Code Securely With Information Flow Control. In Proc. IEEE Symp. on Security and Privacy (S&P). 191–205. Google ScholarDigital Library
Lennart Augustsson. 1998. Cayenne—a language with dependent types. In Proc. 3 rd ACM SIGPLAN Int’l Conf. on Functional Programming (ICFP). 239–250. Google ScholarDigital Library
D Elliott Bell and Leonard J LaPadula. 1973. Secure Computer Systems: mathematical foundations and model. Technical Report M74-244. MITRE Corp., Bedford, MA.Google Scholar
Hongxu Chen, Alwen Tiu, Zhiwu Xu, and Yang Liu. 2018. A permission-dependent type system for secure information flow analysis. In 2018 IEEE 31st Computer Security Foundations Symposium (CSF). IEEE, 218–232.Google ScholarCross Ref
Juan Chen, Ravi Chugh, and Nikhil Swamy. 2010. Type-preserving Compilation of End-to-end Verification of Security Enforcement. In Proc. ACM SIGPLAN Conf. on Programming Language Design and Implementation (PLDI). 412–423. Google ScholarDigital Library
Jeremy Condit, Matthew Harren, Zachary Anderson, David Gay, and George C. Necula. 2007. Dependent types for low-level programming. In Proc. European Symposium on Programming (ESOP). 520–535. Google ScholarDigital Library
Jeffrey S Fenton. 1974. Memoryless subsystems. Comput. J. 17, 2 (1974), 143–147.Google ScholarCross Ref
Andrew Ferraiuolo, Rui Xu, Danfeng Zhang, Andrew C. Myers, and G. Edward Suh. 2017. Verification of a Practical Hardware Security Architecture Through Static Information Flow Analysis. In Proc. Int’l Conf. on Architectural Support for Programming Languages and Operating Systems (ASPLOS). 555–568. Google ScholarDigital Library
Joseph A. Goguen and Jose Meseguer. 1982. Security Policies and Security Models. In Proc. IEEE Symp. on Security and Privacy (S&P). 11–20.Google Scholar
Robert Grabowski and Lennart Beringer. 2009. Noninterference with Dynamic Security Domains and Policies. In Advances in Computer Science – ASIAN 2009. Information Security and Privacy. 54–68. LNCS 5913. Google ScholarDigital Library
Sebastian Hunt and David Sands. 2006. On Flow-sensitive Security Types. In Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’06). ACM, New York, NY, USA, 79–90. Google ScholarDigital Library
Limin Jia, Jeffrey A. Vaughan, Karl Mazurak, Jianzhou Zhao, Luke Zarko, Joseph Schorr, and Steve Zdancewic. 2008. AURA: A Programming Language for Authorization and Audit. In Proc. 13 th ACM SIGPLAN Int’l Conf. on Functional Programming (ICFP). 27–38. Google ScholarDigital Library
Gurvan Le Guernic and Thomas Jensen. 2005. Monitoring Information Flow. In Workshop on Foundations of Computer Security - FCS’05. 19–30.Google Scholar
Peixuan Li and Danfeng Zhang. 2017. Towards a Flow- and Path-Sensitive Information Flow Analysis. In Proceedings of the 30th IEEE Computer Security Foundations Symposium (CSF). 53–67.Google ScholarCross Ref
Jed Liu, Michael D. George, K. Vikram, Xin Qi, Lucas Waye, and Andrew C. Myers. 2009. Fabric: A Platform For Secure Distributed Computation and Storage. In Symp. on Operating Systems Principles (SOSP). 321–334. Google ScholarDigital Library
Luísa Lourenço and Luís Caires. 2015. Dependent Information Flow Types. In Proceedings of the 42Nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. 317–328. Google ScholarDigital Library
Per Martin-Löf. 1982. Constructive mathematics and computer programming. Studies in Logic and the Foundations of Mathematics 104 (1982), 153–175.Google ScholarCross Ref
Leonardo De Moura and Nikolaj Bjørner. 2008. Z3: An efficient SMT solver. In Proc. Conf. on Tools and Algorithms for the Construction and Analysis of Systems (TACAS). Google ScholarDigital Library
Toby Murray, Robert Sison, Edward Pierzchalski, and Christine Rizkallah. 2016. Compositional verification and refinement of concurrent value-dependent noninterference. In Computer Security Foundations Symposium (CSF), 2016 IEEE 29th. IEEE, 417–431.Google ScholarCross Ref
Andrew C. Myers. 1999. JFlow: Practical Mostly-Static Information Flow Control. In Proc. 26 th ACM Symposium on Principles of Programming Languages (POPL). 228–241. http://www.cs.cornell.edu/andru/papers/popl99/popl99.pdf Google ScholarDigital Library
Andrew C. Myers, G. Edward Suh, Danfeng Zhang, Yao Wang, , Andrew Ferraiuolo, Rui Xu, and Ian Thompson. 2015. SecVerilog 1.0: Verilog + Information Flow. (2015). Software release, http://www.cs.cornell.edu/projects/secverilog .Google Scholar
Andrew C. Myers, Lantian Zheng, Steve Zdancewic, Stephen Chong, and Nathaniel Nystrom. 2006. Jif 3.0: Java Information Flow. (July 2006). Software release, http://www.cs.cornell.edu/jif .Google Scholar
Nadia Polikarpova, Jean Yang, Shachar Itzhaky, Travis Hance, and Armando Solar-Lezama. 2018. Enforcing Information Flow Policies with Type-Targeted Program Synthesis. arXiv preprint arXiv:1607.03445v2 (2018).Google Scholar
François Pottier and Vincent Simonet. 2002. Information flow inference for ML. In Proc. 29 th ACM Symposium on Principles of Programming Languages (POPL). 319–330. Google ScholarDigital Library
Jakob Rehof et al. 1999. Tractable constraints in finite semilattices. Science of Computer Programming 35, 2-3 (1999), 191–221. Google ScholarDigital Library
Patrick M. Rondon, Ming Kawaguci, and Ranjit Jhala. 2008. Liquid Types. In Proc. ACM SIGPLAN Conf. on Programming Language Design and Implementation (PLDI). 159–169. Google ScholarDigital Library
Andrei Sabelfeld and Alejandro Russo. 2010. From dynamic to static and back: Riding the roller coaster of information-flow control research. Perspectives of Systems Informatics (2010), 352–365. Google ScholarDigital Library
Paritosh Shroff, Scott Smith, and Mark Thober. 2007. Dynamic dependency monitoring to secure information flow. In Computer Security Foundations Symposium, 2007. CSF’07. 20th IEEE. IEEE, 203–217. Google ScholarDigital Library
Vincent Simonet. 2003. The Flow Caml System: documentation and user’s manual. Technical Report 0282. Institut National de Recherche en Informatique et en Automatique (INRIA).Google Scholar
Nikhil Swamy, Juan Chen, Cédric Fournet, Pierre-Yves Strub, Karthikeyan Bhargavan, and Jean Yang. 2011. Secure Distributed Programming with Value-dependent Types. In Proc. 16 th ACM SIGPLAN Int’l Conf. on Functional Programming (ICFP). 266–278. Google ScholarDigital Library
Nikhil Swamy, Brian J. Corcoran, and Michael Hicks. 2008. Fable: A Language for Enforcing User-defined Security Policies. In Proc. IEEE Symp. on Security and Privacy (S&P). 369–383. Google ScholarDigital Library
Stephen Tse and Steve Zdancewic. 2007. Run-Time Principals in Information-Flow Type Systems. ACM Trans. on Programming Languages and Systems 30, 1 (2007), 6. Google ScholarDigital Library
Jeffrey A Vaughan and Stephen Chong. 2011. Inference of expressive declassification policies. In Security and Privacy (SP), 2011 IEEE Symposium on. IEEE, 180–195. Google ScholarDigital Library
Niki Vazou, Eric L Seidel, Ranjit Jhala, Dimitrios Vytiniotis, and Simon Peyton-Jones. 2014. Refinement types for Haskell. In ACM SIGPLAN Notices, Vol. 49. ACM, 269–282. Google ScholarDigital Library
Dennis Volpano, Geoffrey Smith, and Cynthia Irvine. 1996. A Sound Type System for Secure Flow Analysis. Journal of Computer Security 4, 3 (1996), 167–187. Google ScholarDigital Library
Hongwei Xi. 2000. Imperative programming with dependent types. In Proc. IEEE Symposium on Logic in Computer Science. 375–387. Google ScholarDigital Library
Hongwei Xi and Frank Pfenning. 1999. Dependent Types in Practical Programming. In Proc. ACM Symp. on Principles of Programming Languages (POPL). 214–227. Google ScholarDigital Library
Danfeng Zhang and Andrew C. Myers. 2014. Toward General Diagnosis of Static Errors. In Proc. 14 th ACM Symposium on Principles of Programming Languages (POPL). 569–581. http://www.cs.cornell.edu/andru/papers/diagnostic Google ScholarDigital Library
Danfeng Zhang, Yao Wang, G. Edward Suh, and Andrew C. Myers. 2015. A Hardware Design Language for Timing-Sensitive Information-Flow Security. In Proc. 20 th Int’l Conf. on Architectural Support for Programming Languages and Operating Systems (ASPLOS). 503–516. Google ScholarDigital Library
Lantian Zheng and Andrew C. Myers. 2007. Dynamic Security Labels and Static Information Flow Control. Intl’ J. of Information Security 6, 2–3 (March 2007). Google ScholarDigital Library

Index Terms

A derivation framework for dependent security label inference
1. Security and privacy
  1. Systems security
    1. Information flow control
2. Software and its engineering
  1. Software notations and tools
    1. General programming languages
      1. Language features
        Constraints
      2. Language types
        Constraint and logic languages
  2. Software organization and properties
    1. Software functional properties
      1. Formal methods
        Automated static analysis

Recommendations

Transductive Multilabel Learning via Label Set Propagation

The problem of multilabel classification has attracted great interest in the last decade, where each instance can be assigned with a set of multiple class labels simultaneously. It has a wide variety of real-world applications, e.g., automatic image ...
Read More
Learning Label-Specific Features and Class-Dependent Labels for Multi-Label Classification

Binary Relevance is a well-known framework for multi-label classification, which considers each class label as a binary classification problem. Many existing multi-label algorithms are constructed within this framework, and utilize identical data ...
Read More
Semi-supervised multi-label classification using incomplete label information
Highlights
- An inductive semi-supervised method called Smile is proposed for multi-label classification using incomplete label information.
Abstract
Classifying multi-label instances using incompletely labeled instances is one of the fundamental tasks in multi-label learning. Most existing methods regard this task as supervised weak-label learning problem and assume sufficient ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in

Proceedings of the ACM on Programming Languages Volume 2, Issue OOPSLA
November 2018
1656 pages
EISSN:2475-1421
DOI:10.1145/3288538
Issue’s Table of Contents

Copyright © 2018 Owner/Author
This work is licensed under a Creative Commons Attribution-NoDerivs International 4.0 License.
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 24 October 2018
Published in pacmpl Volume 2, Issue OOPSLA

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Badges
Author Tags
Dependent Types
Information Flow Analysis
Security Label Inference
Qualifiers
- research-article
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 3
  Total Citations
  View Citations
- 405
  Total Downloads
- Downloads (Last 12 months)45
- Downloads (Last 6 weeks)6
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

A derivation framework for dependent security label inference

Proceedings of the ACM on Programming Languages

Abstract

References

Cited By

Index Terms

Recommendations

Transductive Multilabel Learning via Label Set Propagation

Learning Label-Specific Features and Class-Dependent Labels for Multi-Label Classification

Semi-supervised multi-label classification using incomplete label information