Abstract
Information-flow policies can express strong security requirements for programs run by distributed parties with different levels of trust. However, this security is hard to preserve as programs get compiled to distributed systems with (potentially) compromised machines. For instance, many programs involve computations too sensitive to be trusted to any of those machines. Also, many programs are not perfectly secure (non-interferent); as they selectively endorse and declassify information, their relative security becomes harder to preserve.
We develop a secure compiler for distributed information flows. To minimize trust assumptions, we rely on cryptographic protection, and we exploit hardware and software mechanisms available on modern architectures, such as secure boots, trusted platform modules, and remote attestation.
We present a security model for these mechanisms in an imperative language with dynamic code loading. We define program transformations to generate trusted virtual hosts and to run them on untrusted machines. We obtain confidentiality and integrity theorems under realistic assumptions, showing that the compiled distributed system is at least as secure as the source program.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Abadi, M., Wobber, T.: A logical account of NGSCB. In: de Frutos-Escrig, D., Núñez, M. (eds.) FORTE 2004. LNCS, vol. 3235, pp. 1–12. Springer, Heidelberg (2004)
AMD. AMD64 virtualization: Secure virtual machine architecture reference manual
Askarov, A., Myers, A.: A semantic framework for declassification and endorsement. Prog. Languages and Systems, 64–84 (2010)
Askarov, A., Sabelfeld, A.: Tight enforcement of information-release policies for dynamic languages. In: CSF (2009)
Balfe, S., Paterson, K.G.: e-EMV: Emulating EMV for internet payments using trusted computing technology. In: STC 2008, pp. 81–92 (2008)
Chong, S., Myers, A.C.: Decentralized robustness. In: 19th IEEE CSFW 2006, p. 12 (2006)
Chong, S., Liu, J., Myers, A.C., Qi, X., Vikram, K., Zheng, L., Zheng, X.: Secure web applications via automatic partitioning. In: CACM (2009)
Datta, A., Franklin, J., Garg, D., Kaynar, D.: A logic of secure systems and its application to trusted computing. In: S&P 2009, pp. 221–236 (2009)
Denning, D.E.: A lattice model of secure information flow. In: CACM (1976)
Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE TIT (1976)
Fournet, C., Rezk, T.: Cryptographically sound implementations for typed information-flow security. In: POPL 2008, pp. 323–335 (January 2008)
Fournet, C., Le Guernic, G., Rezk, T.: A security-preserving compiler for distributed programs: from information-flow policies to cryptographic mechanisms. In: CCS 2009, ACM, New York (2009)
Grawrock, D.: TCG Specification Architecture Overview, Rev. 1.4 (2007)
Gürgens, S., Rudolph, C., Scheuermann, D., Atts, M., Plaga, R.: Security evaluation of scenarios based on the TCGs TPM specification. In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 438–453. Springer, Heidelberg (2007)
Halderman, J., Schoen, S., Heninger, N., Clarkson, W., Paul, W., Calandrino, J., Feldman, A., Appelbaum, J., Felten, E.: Lest we remember: cold-boot attacks on encryption keys. In: CACM (2009)
Intel. Intel Trusted Execution Technology Software Development Guide (2009)
McCune, J., Parno, B., Perrig, A., Reiter, M., Isozaki, H.: Flicker: An execution infrastructure for TCB minimization. In: 3rd ACM SIGOPS/EuroSys, pp. 315–328. ACM, New York (2008)
McCune, J., Qu, N., Li, Y., Datta, A., Gligor, V., Perrig, A.: Efficient TCB Reduction and Attestation. CMU-CyLab-09-003 9 (2009)
Microsoft. Windows BitLocker drive encryption (2006)
Millen, J., Guttman, J., Ramsdell, J., Sheehy, J., Sniffen, B., Bedford, M.: Analysis of a measured launch. In: MITRE (2007)
Myers, A.C., Liskov, B.: Complete, safe information flow with decentralized labels. In: 19th IEEE Symposium on Research in Security and Privacy (RSP), Oakland, California (May 1998)
Myers, A.C., Liskov, B.: Protecting privacy using the decentralized label model. In: TOSEM (2000)
Myers, A.C., Zheng, L., Zdancewic, S., Chong, S., Nystrom, N.: Jif: Java information flow (2001)
Myers, A.C., Sabelfeld, A., Zdancewic, S.: Enforcing robust declassification and qualified robustness. JCS 14(2), 157–196 (2006)
Pottier, F., Simonet, V.: Information flow inference for ML. In: ACM TOPLAS (2003)
Sabelfeld, A., Myers, A.C.: Language-based information-flow security. In: IEEE J-SAC (2003)
Sabelfeld, A., Myers, A.C.: A model for delimited information release. Software Security-Theories and Systems, 174–191 (2004)
Trusted Computing Group. Client Specific TPM Interface Specification (TIS), Version 1.2 (2005)
Trusted Computing Group. TCG Software Stack (TSS 1.2). Trusted Computing Group (2006)
Zdancewic, S., Myers, A.C.: Robust declassification. In: CSFW 2001, pp. 15–23 (2001)
Zdancewic, S., Zheng, L., Nystrom, N., Myers, A.C.: Secure program partitioning. In: TOCS (2002)
Zheng, L., Chong, S., Myers, A.C., Zdancewic, S.: Using replication and partitioning to build secure distributed systems. In: 15th IEEE Symposium on Security and Privacy (2003)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Fournet, C., Planul, J. (2011). Compiling Information-Flow Security to Minimal Trusted Computing Bases. In: Barthe, G. (eds) Programming Languages and Systems. ESOP 2011. Lecture Notes in Computer Science, vol 6602. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19718-5_12
Download citation
DOI: https://doi.org/10.1007/978-3-642-19718-5_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-19717-8
Online ISBN: 978-3-642-19718-5
eBook Packages: Computer ScienceComputer Science (R0)