8/11/2006 PCC 2006 1

Toward MoreTyped Assembly Languages for

Confidentiality

Dachuan Yu

DoCoMo USA Labs

2

Information FlowGPS software on handset

Compute maps and directions and display on the device

Query for news and updates using the network

Location information

News & updates

• Question: is the location information kept private?• To prevent: flows from high data to low data

– High data: secret, confidential, sensitive– Low data: public, ok to disclose, insensitive

• Desired property: confidentiality– Attacker may observe low– Attacker may also observe timing– Attacker cannot learn high

?Maps & directions

Other query

3

Information Flow• Desirable for some applications

– Distributed by untrusted parties (e.g., downloaded apps)– Access both sensitive information and public channels– Flow of information must be restricted for confidentiality– Examples: GPS, personal accounting, billing, concierge,

document processor, task scheduler, ... (think: spyware)

• Must prevent many forms of bad flows– query=location+1; send(query);– if (location==USA) then query=1 else

query=0;– send(q1); if (location==USA) then Clong;

send(q2);– Many other implicit flows and covert channels

• Conventional security means are insufficient– Access control, firewalls, encryption, runtime checks, ...

• Language-based techniques are promising– E.g., security-type systems

4

Language-Based Information Flow• 10+ years, 100+ papers [Sabelfeld&Myers03Survey]

– High-level language features(procedures, functions, continuations, states, exceptions, objects, ...)

– Practical implementations(JFlow, Jif, ...)

– Concurrency and distribution(nondeterminism, threads, -calculus, program partitioning, ...)

– Security policies(lattice, declassification, admissibility, relative sec, quantitative sec...)

– Covert channels and abstract violation attacks(termination, timing, probabilistic, resource exhaustion, power, cache, ...)

• Little work at the level of assembly code– Core language features studied [Adriana et al 05-06] [Yu & Islam 05-06]

– Covert channels largely untouched– Difficult: lack of abstraction, extreme flexibility– Useful: higher assurance, source code may not be available

5

Today: Covert Channels on Timing

• Our previous work TALC

– Key features of RISC code– Type system compatible with TAL– Certifying compilation– Handles several implicit flows, but not covert channels on timing

• Extend TALC for external timing behaviors– Termination channels– Timing channels

• Extend TALC for internal timing behaviors(in concurrent settings)– Possibilistic channels– Probabilistic channels

6

Explicit and Implicit Flows• Main idea of source-level solutions

– Give security types to program constructs

• Explicit assignment– Example: query=location;– Annotate data with security types– Type mismatch not allowed

• Program structure– Example: if (location<>0) then query=1 else query=0;– Identify “sensitive regions” based on program structures– No change to public item in “sensitive regions”

• Memory aliasing• Code pointers• ...

… …

if f()

while

Conditional

While-loop

Indirect call

7

• Programs areless structured

if (location<>0)then query=1else query=0;

some more code;

• Registers reused atdifference security levels

• Assembly code is very flexible(hard to regulate: aliasing, code pointers, ...)

• Security types should come from compilation• Should not change the computation model

Difficulties for Assembly Code% rloc stores address of location% rqry stores address of query

lif: ld r, rloc(0); % read location

bnz r, lthen; % go to lthen if location0st rqry(0), 0; % the else: query=0jmp lmore

lthen: st rqry(0), 1; % the then:

query=1

jmp lmore

lmore: ... % some more code

Other difficulties:

8

% rloc stores address of location% rqry stores address of query

lif: ld r, rloc(0); % read location

bnz r, lthen; % go to lthen if location0st rqry(0), 0; % the else: query=0jmp lmore

lthen: st rqry(0), 1; % the then:

query=1

jmp lmore

lmore: ... % some more code

Recovering Missing Abstractions• Programs are

less structured

if (location<>0)then query=1else query=0;

some more code;

9

raise Hlmore % enter new context

lif: ld r, rloc(0); % read location

bnz r, lthen; % go to lthen if location0st rqry(0), 0; % the else: query=0lower lmore % exit context

lthen: st rqry(0), 1; % the then:

query=1

lower lmore % exit context

lmore: ... % some more code

Embed Structures in Annotations• Programs are

less structured

if (location<>0)then query=1else query=0;

some more code;

• Annotations are checked• Check upon raise:

(a) New level old level;(b) Current context will resume

• Check upon lower: valid exit point as specified in context

• Trick: to recover missing abstractions using annotations– Type system enforces structure and discipline– Verified program trivially erases to normal assembly code

< Hlmore >

< l >

< l >

[Yu&Islam06ESOP]

10

Termination Channels

• Nonterminating high loops– while (location<>0)

do skip;

• Nonterminating loops in high conditionals– if (location<>0)

then {while true do skip};

• Main idea of source-level solutions [Volpano&Smith97CSFW]

– Give minimum typings to potentially nonterminating constructs– while loops must have type low (i.e., only appear in low

regions)– Effectively, high regions always terminate– Similarly for abnormal termination (e.g., uncaught exceptions)

if

while

Conditional

While-loop

11

raise Hlmore % enter new context

lif: <4> ld r, rb(0); % read b

<3>bnz r, lthen; % go to lthen if b0<2>st rc(0), 0; % the else: c=0<1> lower lmore % exit context

lthen: <2>st rc(0), 1; % the then: c=1

<1> lower lmore % exit context

lmore: ... % some more code

Enforcing Termination

if (b<>0)then c=1else c=0;

• Give high regions descreasing counters– An upper bound of execution steps before exiting a region

12

raise Hlmore % enter new context

lwhile: <>ld r, rb(0); % read b

<>bnz r, ldone; % go to ldone if b0<>st rc(0), 1; % the do: c<>jmp lwhile % loop

ldone: <1> lower lmore % exit context

lmore: ... % some more code

Enforcing Termination

while (b==0)do c=1;

• Give high regions descreasing counters– An upper bound of execution steps before exiting a region– Or in case of potential nontermination (e.g., loops)

13

Enforcing Termination• Give high regions descreasing counters

– An upper bound of execution steps before exiting a region– Or in case of potential nontermination (e.g., loops)

• The type system– Extends “regions” of TALC with counters (timing annotations)

– Checks that counters are decreasing– In high regions, checks that branches have finite counters

• Certifying compilation– Sufficient for the source-level solution [Volpano&Smith97CSFW]

– Loop: always compiled conservatively with – Conditional: finite timing iff both branches yield finite timing

14

Timing Channels

• Extend the machine model with– Execution time: t– Output actions: output(n)– Sequence of observable events: s::=(t | n)*

– P * P’ producing s

• Unbalanced high conditionals– if (location<>0)

then {time consuming operation}else skip;

output(n);

• Idea of solution– To make previous timing annotations more “accurate”– Effectively, branches in high regions have same execution time– In addition, to disallow low output actions in high regions

tlong ntskip n

15

raise Hlmore % enter new context

lif: ld r, rb(0); % read b

bnz r, lthen; % go to lthen if b0<tst tlower> st rc(0), 0; % the else: c=0<tlower> lower lmore % exit context

lthen: <tst tlower> st rc(0), 1; % the then: c=1

<tlower> lower lmore % exit context

lmore: ... % some more

code

Enforcing Timing

if (b<>0)then c=1else c=0;

• In high regions, branches must have matching timing– The observable execution time before exiting a region– Assumption: primitive operations execute in constant time

16

Enforcing Timing

• In high regions, branches must have matching timing– The observable execution time before exiting a region– Assumption: primitive operations execute in constant time

• The type system– Extends “regions” of TALC with “exact” counters (execution time)

– Checks that counters match instructions– In high regions, checks that branches have matching timings– Disallows low output actions in high regions

17

Certifying Compilation• Agat’s source-level type system [Agat00POPL]

– For a high conditional, two branches shall have the same “externally observable behavior”

– Example: if (h<>0) then (l=1) else (l=1);– Based on undecidable -bisimulation

• “Padding transformation” for practical use of the system– Example: if (h<>0) then (h’=1) else skip;

if (h<>0) then (h’=1) else (skipAsn h’ 1);– Does not accept low updates in high regions

• Our timing-based system– Accepts transformed programs– Can be extended following -bisimulation

18

Multi-Threading• From external timing to internal timing

– Threads interaction as a channel of information flow

Initially: t=0;

Thread 0: if h then t=1 else t=2;

Thread 1: while t<>1 do skip;l = false;t=2;

Thread 2: while t<>2 do skip;l = true;t=1;

19

Possibilistic Channels

• Observable program behaviors– Set of possible execution results

• Main idea of source-level solutions [Smith&Volpano98POPL]

– Loops must have low guards– Loops cannot occur in high branches– Essentially, loops must have type low– The same as for closing termination channels!

• Adaptation at the assembly level– Use the same technique of “counter in high regions”– Type checking carried out in thread-modular way

20

More Multi-Threading

• From possible output to probable output– Probability distribution of possible execution results

Thread 0: if h then Clong else skip;l = true;

Thread 1: if h then skip else Clong;l = false;

• Under most schedulers, it is likely that l==h– Potential context switches in branches

21

Closing Probabilistic Channels• Balance potential context switches in branches

– Advance “time” by 1 at a potential context switch– Use same analysis for closing timing channels

raise Hlmore % enter new context

lif: ld r, rb(0); % read b

bnz r, lthen; % go to lthen if b0<2> st rc(0), 0; % the else: c=0<1> lower lmore % exit context

lthen: <2> st rc(0), 1; % the then: c=1

<1> lower lmore % exit context

lmore: ... % some more code

if (b<>0)then c=1else c=0;

22

Certifying Compilation

• Source-level type system (1) [Sabelfeld&Sands00CSFW]

– Related to Agat’s transformation for closing timing channels– Use “padding” to equalize “internal timing” of branches

– Example: if (h<>0) then {(h’=1); (h’=2)};

if (h<>0) then {(h’=1); (h’=2)} else {skip; skip};

– Same number of atomic commands in branches

• Source-level type system (2) [Volpano&Smith98CSFW]

– To protect high branches so that they execute atomically

• Our timing-based system– Supports programs from both systems– Must take care when implementing atomic commands, etc

23

Future Work

• Termination channels– Terminating loops– Well-founded recursion

• Timing channels -bisimulation (e.g., if (h<>0) then (l=1) else (l=1);)

• Possibilistic and probabilistic channels– Thread synchronization (e.g., semaphore [Sabelfeld01PSI])

• Others– Advanced policies– Practical issues

24

Conclusion

• Information-flow security– Desirable for many applications– Language-based techniques are promising

• Existing work– Much on high-level languages– Little on assembly code

• This work: covert channels in assembly code– Inspired by work for high-level languages– Annotations for termination/timing of branches– Termination, timing, possibilistic, probabilistic

http://www.docomolabs-usa.com/