Flexible Manipulation of Labeled Values for Information-Flow Control Libraries

  • Marco Vassena
  • Pablo Buiras
  • Lucas Waye
  • Alejandro Russo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9878)

Abstract

The programming language Haskell plays a unique, privileged role in Information-Flow Control (IFC) research: it is able to enforce information security via libraries. Many state-of-the-art libraries (e.g., LIO, HLIO, and MAC) allow computations to manipulate data with different security labels by introducing the notion of labeled values, which protect values with explicit labels by means of an abstract data type. While computations have an underlying algebraic structure in such libraries (i.e. monads), there is no research on structures for labeled values and their impact on the programming model. In this paper, we add the functor structure to labeled values, which allows programmers to conveniently and securely perform computations without side-effects on such values, and an applicative operator, which extends this feature to work on multiple labeled values combined by a multi-parameter function. This functionality simplifies code, as it does not force programmers to spawn threads to manipulate sensitive data with side-effect free operations. Additionally, we present a relabel primitive which securely modifies the label of labeled values. This operation also helps to simplify code when aggregating data with heterogeneous labels, as it does not require spawning threads to do so. We provide mechanized proofs of the soundness of our contributions for the security library MAC, although we remark that our ideas apply to LIO and HLIO as well.
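The following toy Haskell model illustrates the abstract's three ingredients (a Functor instance on labeled values, an applicative-style combinator, and a relabel primitive whose flow constraint is checked by the type checker); it is an added sketch, not code from the paper or from the MAC library, and every name in it (Label, CanFlowTo, Labeled, relabel, the sample counters) is an assumption of this sketch, while the real MAC API differs (its label and unlabel run inside the MAC monad).

```haskell
{-# LANGUAGE DataKinds, KindSignatures, MultiParamTypeClasses, FlexibleInstances #-}
module LabeledDemo (Labeled, (<.>), relabel, publicHits, secretHits, total) where

-- Two-point security lattice used as type-level labels (constructed for this sketch).
data Label = L | H

-- Flows-to relation as a type class: a missing instance is a compile-time error.
class CanFlowTo (l :: Label) (l' :: Label)
instance CanFlowTo 'L 'L
instance CanFlowTo 'L 'H
instance CanFlowTo 'H 'H
-- No instance CanFlowTo 'H 'L: secret data may never flow to public.

-- Labeled value. The constructor is not exported, so outside this module the
-- payload can only be touched through the operations below.
newtype Labeled (l :: Label) a = MkLabeled a

-- Functor: apply a pure function under the label. No side effects can occur
-- and the label is preserved, so no new information flow is created.
instance Functor (Labeled l) where
  fmap f (MkLabeled a) = MkLabeled (f a)

-- Applicative-style combination of two values at the same label, so a
-- multi-parameter function can consume several labeled values without
-- spawning a thread.
(<.>) :: Labeled l (a -> b) -> Labeled l a -> Labeled l b
MkLabeled f <.> MkLabeled a = MkLabeled (f a)
infixl 4 <.>

-- relabel: move a value to a more restrictive label. The CanFlowTo constraint
-- is the whole security check; downgrades do not type-check.
relabel :: CanFlowTo l l' => Labeled l a -> Labeled l' a
relabel (MkLabeled a) = MkLabeled a

-- Sample data (constructed): a public counter and a secret counter.
publicHits :: Labeled 'L Int
publicHits = MkLabeled 40

secretHits :: Labeled 'H Int
secretHits = MkLabeled 2

-- Aggregating heterogeneous labels: upgrade the public value to H, then combine.
total :: Labeled 'H Int
total = fmap (+) (relabel publicHits) <.> secretHits

-- Rejected by GHC, since there is no CanFlowTo 'H 'L instance:
-- leak :: Labeled 'L Int
-- leak = relabel secretHits
```

Uncommenting the last two lines is the check worth running: the module must fail to compile, which is the property the paper's mechanized proofs establish for the real library.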

Keywords

Sensitive Data, Sequential Calculus, Public Computation, Covert Channel, Abstract Data Type

Acknowledgement

This work was supported in part by the Swedish research agencies VR and STINT, The Sloan Foundation, and by NSF grant 1421770.

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Marco Vassena (1)
  • Pablo Buiras (1)
  • Lucas Waye (2)
  • Alejandro Russo (1)
  1. Chalmers University of Technology, Gothenburg, Sweden
  2. Harvard University, Cambridge, USA