Towards a Type System for Security APIs
Security API analysis typically only considers a subset of an API’s functions, with results bounded by the number of function calls. Furthermore, attacks involving partial leakage of sensitive information are usually not covered.
Type-based static analysis has the potential to alleviate these shortcomings. To that end, we present a type system for secure information flow based upon the one of Volpano, Smith and Irvine , extended with types for cryptographic keys and ciphertext similar to those in Sumii and Pierce . In contrast to some other type systems, the encryption and decryption of keys does not require special treatment.
We show that a well-typed sequence of commands is non-interferent, based upon a definition of indistinguishability where, in certain circumstances, the adversary can distinguish between ciphertexts that correspond to encrypted public data.
- 3.IBM 4758 PCI Cryptographic Coprocessor, http://www-03.ibm.com/security/cryptocards/pcicc/overview.shtml
- 4.nCipher nShield Hardware Security Module, http://www.ncipher.com/en/Products/Hardware%20Security%20Modules/nShield.aspx
- 6.Courant, J., Monin, J.F.: Defending the Bank with a Proof Assistant. In: Proceedings of the 6th International Workshop on Issues in the Theory of Security (WITS 2006), pp. 87–98 (2006)Google Scholar
- 7.Delaune, S., Kremer, S., Steel, G.: Formal Analysis of PKCS #11. In: , pp. 331–344Google Scholar
- 8.Youn, P.: The Analysis of Cryptographic APIs using the Theorem Prover Otter. Master’s thesis, Massachusetts Institute of Technology (May 2004)Google Scholar
- 9.Youn, P., Adida, B., Bond, M.K., Clulow, J., Herzog, J., Lin, A., Rivest, R.L., Anderson, R.J.: Robbing the Bank with a Theorem Prover. Technical Report 644, University of Cambridge Computer Laboratory (August 2005)Google Scholar
- 15.Bengtson, J., Bhargavan, K., Fournet, C., Gordon, A.D., Maffeis, S.: Refinement Types for Secure Implementations. In: , pp. 17–32Google Scholar
- 19.Proceedings of the 21st IEEE Computer Security Foundations Symposium (CSF 2008). IEEE Computer Society Press, Los Alamitos (June 2008)Google Scholar
- 20.PKCS #11: Cryptographic Token Interface Standard, http://www.rsa.com/rsalabs/node.asp?id=2133