Lecture 011

Trace property:

A liveness property requires P \to \langle\alpha\rangle Q, which needs a proof of termination (and termination is not decidable in general).

Information Flow Policies

Information flow policies cannot be determined by analyzing a program's trace.

Reading from a high-security variable and writing the value to a low-security variable is a violation of our information flow policy.

Suppose x is high security while y and z are low security. Consider the two programs:

def first() {
  x := 1;
  y := x + 5;
  z := y - 1;
}

def second() {
  x := 1;
  y := 6;
  z := 5;
}

Both programs have exactly the same trace, but the first one violates the policy (the value of the high variable x flows into the low variable y) while no information flows at all in the second. This shows that information flow cannot be determined from the trace.

Tracking Security Levels

\Sigma: a map from variables to security levels. \Sigma(x) \sqsubseteq l means that variable x is at most at security level l.

We write \sqsubseteq for the partial order on security levels, \sqcup for the join (least upper bound) of two levels, and \bot for the lowest level. These satisfy the following rules:

\begin{align*} \bot \sqcup \ell = \ell \sqcup \bot = \ell \\ \bot \sqsubseteq \ell \\ \ell_1 \sqsubseteq \ell_1 \sqcup \ell_2 \\ \ell_2 \sqsubseteq \ell_1 \sqcup \ell_2 \\ \ell_1 \sqsubseteq \ell \land \ell_2 \sqsubseteq \ell \implies \ell_1 \sqcup \ell_2 \sqsubseteq \ell \end{align*}

We can use these rules for taint analysis. If a tainted value reaches a low-security variable, it is a violation (checked either statically or dynamically, with taint bits attached to memory locations). But taint analysis cannot discover all information flows.

Branching: we attach a ghost variable pc that tracks the security level of the program counter, i.e. the level of the information that decides which branch is taken. The level of pc only ever goes up inside a conditional (and falls back to the outer level once we leave the branch).

\begin{align*}
&\frac{\Sigma(x) = l}{\Sigma \models x : l} \text{ var } F\\
&\frac{}{\Sigma \models c : \bot} \text{ const } F\\
&\frac{\Sigma \models e_1 : l_1 \quad \Sigma \models e_2 : l_2}{\Sigma \models e_1 + e_2 : l_1 \sqcup l_2} + F\\
&\frac{\Sigma \models e : l \quad l' = \Sigma(pc) \sqcup l \quad l' \sqsubseteq \Sigma(x)}{\Sigma \models x := e \ \text{ secure }} := F\\
&\frac{\Sigma \models \alpha \text{ secure } \quad \Sigma \models \beta \text{ secure }}{\Sigma \models \alpha; \beta \text{ secure }} ; F\\
&\frac{\Sigma \models P : l \quad l' = \Sigma(pc) \sqcup l \quad \Sigma' = \Sigma[pc \mapsto l'] \quad \Sigma' \models \alpha \text{ secure } \quad \Sigma' \models \beta \text{ secure }}{\Sigma \models \text{ if } P \text{ then } \alpha \text{ else } \beta \text{ secure }} \text{ if } F\\
&\frac{}{\Sigma \models \text{ test } P \text{ secure }} \text{ test } F\\
&\frac{\Sigma \models P : l \quad l' = \Sigma(pc) \sqcup l \quad \Sigma' = \Sigma[pc \mapsto l'] \quad \Sigma' \models \alpha \text{ secure }}{\Sigma \models \text{ while } P \text{ do } \alpha \text{ secure }} \text{ while } F\\
&\frac{\Sigma \models e_1 : l_1 \quad \Sigma \models e_2 : l_2}{\Sigma \models e_1 \leq e_2 : l_1 \sqcup l_2} \leq F\\
&\frac{}{\Sigma \models \top : \bot} \top F\\
&\frac{\Sigma \models P : l_1 \quad \Sigma \models Q : l_2}{\Sigma \models P \land Q : l_1 \sqcup l_2} \land F
\end{align*}

Expression Read Level:

(\Sigma \models e : l) \implies (\forall x \in \text{ use } e)(\Sigma(x) \sqsubseteq l)

Formula Read Level:

(\Sigma \models P : l) \implies (\forall x \in \text{ use } P)(\Sigma(x) \sqsubseteq l)

Confinement:

(\Sigma \models \alpha \text{ secure }) \implies (\forall x \in \text{ maydef } \alpha)(\Sigma(pc) \sqsubseteq \Sigma(x))

We define \text{maydef}(\alpha) as the set of variables that a program may assign a value to, i.e. all the left-hand sides of assignments in \alpha. This can include more variables than the set \text{def}(\alpha), which includes only those variables that \alpha must write to.

We define \text{use}(e) as the set of variables that an expression e may read from. For example, \text{use}(x + y) would be \{x, y\}.
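As an added worked example (not part of the lecture notes), here is a small Python checker that implements the typing rules above over an AST of the while-language, together with use, maydef and the read-level and confinement properties, and runs it on the two programs from the start of the lecture plus an implicit flow through a branch on the high variable. The concrete lattice (levels as frozensets of principals, join is union, bottom is the empty set), the tuple encoding of the AST, and treating subtraction like the +F rule are assumptions of the example.

```python
# Added example (not part of the lecture notes): a security type checker
# for the lecture's while-language that implements the Sigma |= ... rules,
# plus use(e), maydef(alpha) and the read-level / confinement properties.

# A security level is modelled as a frozenset of "principals" (an assumption
# made for this example): bottom is the empty set, join is union and the
# order is subset, which satisfies the lattice rules listed in the notes.
LOW = frozenset()          # bottom
HIGH = frozenset({"H"})

def join(l1, l2):
    return l1 | l2

def leq(l1, l2):
    return l1 <= l2

# AST encoding, constructed for this example:
#   expressions: ("var", name) | ("const", n) | ("bin", op, e1, e2)
#   formulas:    ("top",) | ("<=", e1, e2) | ("and", P, Q)
#   programs:    ("assign", x, e) | ("seq", a, b) | ("if", P, a, b)
#                | ("while", P, a) | ("test", P)

def level_expr(sigma, e):
    """Expression read level: rules var F, const F, +F ('-' treated like '+')."""
    if e[0] == "var":
        return sigma[e[1]]
    if e[0] == "const":
        return LOW
    return join(level_expr(sigma, e[2]), level_expr(sigma, e[3]))

def level_formula(sigma, p):
    """Formula read level: rules top F, <=F, and F."""
    if p[0] == "top":
        return LOW
    if p[0] == "<=":
        return join(level_expr(sigma, p[1]), level_expr(sigma, p[2]))
    return join(level_formula(sigma, p[1]), level_formula(sigma, p[2]))

def secure(sigma, prog, pc=LOW):
    """Sigma |= prog secure; Sigma(pc) is passed explicitly as `pc`."""
    tag = prog[0]
    if tag == "assign":
        # := F: pc joined with the rhs level must flow to the target variable
        return leq(join(pc, level_expr(sigma, prog[2])), sigma[prog[1]])
    if tag == "seq":
        return secure(sigma, prog[1], pc) and secure(sigma, prog[2], pc)
    if tag == "if":
        pc2 = join(pc, level_formula(sigma, prog[1]))  # pc only goes up inside
        return secure(sigma, prog[2], pc2) and secure(sigma, prog[3], pc2)
    if tag == "while":
        return secure(sigma, prog[2], join(pc, level_formula(sigma, prog[1])))
    return True  # test F

def use(t):
    """Variables an expression or formula may read."""
    if t[0] == "var":
        return {t[1]}
    if t[0] in ("const", "top"):
        return set()
    return use(t[-2]) | use(t[-1])

def maydef(prog):
    """All left-hand sides of assignments in prog."""
    tag = prog[0]
    if tag == "assign":
        return {prog[1]}
    if tag == "seq":
        return maydef(prog[1]) | maydef(prog[2])
    if tag == "if":
        return maydef(prog[2]) | maydef(prog[3])
    if tag == "while":
        return maydef(prog[2])
    return set()

def read_level_holds(sigma, e):
    """Expression read level property: every variable read flows to the level."""
    return all(leq(sigma[x], level_expr(sigma, e)) for x in use(e))

def confinement_holds(sigma, prog, pc=LOW):
    """Confinement: a secure program writes only variables at or above pc."""
    return (not secure(sigma, prog, pc)) or all(leq(pc, sigma[x]) for x in maydef(prog))

# The lecture's two programs: x is high, y and z are low.
SIGMA = {"x": HIGH, "y": LOW, "z": LOW}
FIRST = ("seq", ("assign", "x", ("const", 1)),
         ("seq", ("assign", "y", ("bin", "+", ("var", "x"), ("const", 5))),
                 ("assign", "z", ("bin", "-", ("var", "y"), ("const", 1)))))
SECOND = ("seq", ("assign", "x", ("const", 1)),
          ("seq", ("assign", "y", ("const", 6)), ("assign", "z", ("const", 5))))
# Implicit flow through a branch on x: no high value is copied, yet y depends on x.
IMPLICIT = ("if", ("<=", ("var", "x"), ("const", 0)),
            ("assign", "y", ("const", 0)), ("assign", "y", ("const", 1)))

if __name__ == "__main__":
    for name, prog in [("first", FIRST), ("second", SECOND), ("implicit", IMPLICIT)]:
        print(name, "secure" if secure(SIGMA, prog) else "INSECURE", sorted(maydef(prog)))
```

Running the checker rejects the first program at y := x + 5 (its read level is high, which does not flow to the low variable y), accepts the second, and also rejects the implicit flow, which a data-only taint analysis would miss because no tainted value is ever copied: the rejection comes purely from pc being raised to high inside the branch.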
