8/11/2006 PCC 2006 1
Toward MoreTyped Assembly Languages for
Confidentiality
Dachuan Yu
DoCoMo USA Labs
2
Information FlowGPS software on handset
Compute maps and directions and display on the device
Query for news and updates using the network
Location information
News & updates
• Question: is the location information kept private?• To prevent: flows from high data to low data
– High data: secret, confidential, sensitive– Low data: public, ok to disclose, insensitive
• Desired property: confidentiality– Attacker may observe low– Attacker may also observe timing– Attacker cannot learn high
?Maps & directions
Other query
3
Information Flow• Desirable for some applications
– Distributed by untrusted parties (e.g., downloaded apps)– Access both sensitive information and public channels– Flow of information must be restricted for confidentiality– Examples: GPS, personal accounting, billing, concierge,
document processor, task scheduler, ... (think: spyware)
• Must prevent many forms of bad flows– query=location+1; send(query);– if (location==USA) then query=1 else
query=0;– send(q1); if (location==USA) then Clong;
send(q2);– Many other implicit flows and covert channels
• Conventional security means are insufficient– Access control, firewalls, encryption, runtime checks, ...
• Language-based techniques are promising– E.g., security-type systems
4
Language-Based Information Flow• 10+ years, 100+ papers [Sabelfeld&Myers03Survey]
– High-level language features(procedures, functions, continuations, states, exceptions, objects, ...)
– Practical implementations(JFlow, Jif, ...)
– Concurrency and distribution(nondeterminism, threads, -calculus, program partitioning, ...)
– Security policies(lattice, declassification, admissibility, relative sec, quantitative sec...)
– Covert channels and abstract violation attacks(termination, timing, probabilistic, resource exhaustion, power, cache, ...)
• Little work at the level of assembly code– Core language features studied [Adriana et al 05-06] [Yu & Islam 05-06]
– Covert channels largely untouched– Difficult: lack of abstraction, extreme flexibility– Useful: higher assurance, source code may not be available
5
Today: Covert Channels on Timing
• Our previous work TALC
– Key features of RISC code– Type system compatible with TAL– Certifying compilation– Handles several implicit flows, but not covert channels on timing
• Extend TALC for external timing behaviors– Termination channels– Timing channels
• Extend TALC for internal timing behaviors(in concurrent settings)– Possibilistic channels– Probabilistic channels
6
Explicit and Implicit Flows• Main idea of source-level solutions
– Give security types to program constructs
• Explicit assignment– Example: query=location;– Annotate data with security types– Type mismatch not allowed
• Program structure– Example: if (location<>0) then query=1 else query=0;– Identify “sensitive regions” based on program structures– No change to public item in “sensitive regions”
• Memory aliasing• Code pointers• ...
… …
if f()
while
Conditional
While-loop
Indirect call
7
• Programs areless structured
if (location<>0)then query=1else query=0;
some more code;
• Registers reused atdifference security levels
• Assembly code is very flexible(hard to regulate: aliasing, code pointers, ...)
• Security types should come from compilation• Should not change the computation model
Difficulties for Assembly Code% rloc stores address of location% rqry stores address of query
lif: ld r, rloc(0); % read location
bnz r, lthen; % go to lthen if location0st rqry(0), 0; % the else: query=0jmp lmore
lthen: st rqry(0), 1; % the then:
query=1
jmp lmore
lmore: ... % some more code
Other difficulties:
8
% rloc stores address of location% rqry stores address of query
lif: ld r, rloc(0); % read location
bnz r, lthen; % go to lthen if location0st rqry(0), 0; % the else: query=0jmp lmore
lthen: st rqry(0), 1; % the then:
query=1
jmp lmore
lmore: ... % some more code
Recovering Missing Abstractions• Programs are
less structured
if (location<>0)then query=1else query=0;
some more code;
9
raise Hlmore % enter new context
lif: ld r, rloc(0); % read location
bnz r, lthen; % go to lthen if location0st rqry(0), 0; % the else: query=0lower lmore % exit context
lthen: st rqry(0), 1; % the then:
query=1
lower lmore % exit context
lmore: ... % some more code
Embed Structures in Annotations• Programs are
less structured
if (location<>0)then query=1else query=0;
some more code;
• Annotations are checked• Check upon raise:
(a) New level old level;(b) Current context will resume
• Check upon lower: valid exit point as specified in context
• Trick: to recover missing abstractions using annotations– Type system enforces structure and discipline– Verified program trivially erases to normal assembly code
< Hlmore >
< l >
< l >
[Yu&Islam06ESOP]
10
Termination Channels
• Nonterminating high loops– while (location<>0)
do skip;
• Nonterminating loops in high conditionals– if (location<>0)
then {while true do skip};
• Main idea of source-level solutions [Volpano&Smith97CSFW]
– Give minimum typings to potentially nonterminating constructs– while loops must have type low (i.e., only appear in low
regions)– Effectively, high regions always terminate– Similarly for abnormal termination (e.g., uncaught exceptions)
if
while
Conditional
While-loop
11
raise Hlmore % enter new context
lif: <4> ld r, rb(0); % read b
<3>bnz r, lthen; % go to lthen if b0<2>st rc(0), 0; % the else: c=0<1> lower lmore % exit context
lthen: <2>st rc(0), 1; % the then: c=1
<1> lower lmore % exit context
lmore: ... % some more code
Enforcing Termination
if (b<>0)then c=1else c=0;
• Give high regions descreasing counters– An upper bound of execution steps before exiting a region
12
raise Hlmore % enter new context
lwhile: <>ld r, rb(0); % read b
<>bnz r, ldone; % go to ldone if b0<>st rc(0), 1; % the do: c<>jmp lwhile % loop
ldone: <1> lower lmore % exit context
lmore: ... % some more code
Enforcing Termination
while (b==0)do c=1;
• Give high regions descreasing counters– An upper bound of execution steps before exiting a region– Or in case of potential nontermination (e.g., loops)
13
Enforcing Termination• Give high regions descreasing counters
– An upper bound of execution steps before exiting a region– Or in case of potential nontermination (e.g., loops)
• The type system– Extends “regions” of TALC with counters (timing annotations)
– Checks that counters are decreasing– In high regions, checks that branches have finite counters
• Certifying compilation– Sufficient for the source-level solution [Volpano&Smith97CSFW]
– Loop: always compiled conservatively with – Conditional: finite timing iff both branches yield finite timing
14
Timing Channels
• Extend the machine model with– Execution time: t– Output actions: output(n)– Sequence of observable events: s::=(t | n)*
– P * P’ producing s
• Unbalanced high conditionals– if (location<>0)
then {time consuming operation}else skip;
output(n);
• Idea of solution– To make previous timing annotations more “accurate”– Effectively, branches in high regions have same execution time– In addition, to disallow low output actions in high regions
tlong ntskip n
15
raise Hlmore % enter new context
lif: ld r, rb(0); % read b
bnz r, lthen; % go to lthen if b0<tst tlower> st rc(0), 0; % the else: c=0<tlower> lower lmore % exit context
lthen: <tst tlower> st rc(0), 1; % the then: c=1
<tlower> lower lmore % exit context
lmore: ... % some more
code
Enforcing Timing
if (b<>0)then c=1else c=0;
• In high regions, branches must have matching timing– The observable execution time before exiting a region– Assumption: primitive operations execute in constant time
16
Enforcing Timing
• In high regions, branches must have matching timing– The observable execution time before exiting a region– Assumption: primitive operations execute in constant time
• The type system– Extends “regions” of TALC with “exact” counters (execution time)
– Checks that counters match instructions– In high regions, checks that branches have matching timings– Disallows low output actions in high regions
17
Certifying Compilation• Agat’s source-level type system [Agat00POPL]
– For a high conditional, two branches shall have the same “externally observable behavior”
– Example: if (h<>0) then (l=1) else (l=1);– Based on undecidable -bisimulation
• “Padding transformation” for practical use of the system– Example: if (h<>0) then (h’=1) else skip;
if (h<>0) then (h’=1) else (skipAsn h’ 1);– Does not accept low updates in high regions
• Our timing-based system– Accepts transformed programs– Can be extended following -bisimulation
18
Multi-Threading• From external timing to internal timing
– Threads interaction as a channel of information flow
Initially: t=0;
Thread 0: if h then t=1 else t=2;
Thread 1: while t<>1 do skip;l = false;t=2;
Thread 2: while t<>2 do skip;l = true;t=1;
19
Possibilistic Channels
• Observable program behaviors– Set of possible execution results
• Main idea of source-level solutions [Smith&Volpano98POPL]
– Loops must have low guards– Loops cannot occur in high branches– Essentially, loops must have type low– The same as for closing termination channels!
• Adaptation at the assembly level– Use the same technique of “counter in high regions”– Type checking carried out in thread-modular way
20
More Multi-Threading
• From possible output to probable output– Probability distribution of possible execution results
Thread 0: if h then Clong else skip;l = true;
Thread 1: if h then skip else Clong;l = false;
• Under most schedulers, it is likely that l==h– Potential context switches in branches
21
Closing Probabilistic Channels• Balance potential context switches in branches
– Advance “time” by 1 at a potential context switch– Use same analysis for closing timing channels
raise Hlmore % enter new context
lif: ld r, rb(0); % read b
bnz r, lthen; % go to lthen if b0<2> st rc(0), 0; % the else: c=0<1> lower lmore % exit context
lthen: <2> st rc(0), 1; % the then: c=1
<1> lower lmore % exit context
lmore: ... % some more code
if (b<>0)then c=1else c=0;
22
Certifying Compilation
• Source-level type system (1) [Sabelfeld&Sands00CSFW]
– Related to Agat’s transformation for closing timing channels– Use “padding” to equalize “internal timing” of branches
– Example: if (h<>0) then {(h’=1); (h’=2)};
if (h<>0) then {(h’=1); (h’=2)} else {skip; skip};
– Same number of atomic commands in branches
• Source-level type system (2) [Volpano&Smith98CSFW]
– To protect high branches so that they execute atomically
• Our timing-based system– Supports programs from both systems– Must take care when implementing atomic commands, etc
23
Future Work
• Termination channels– Terminating loops– Well-founded recursion
• Timing channels -bisimulation (e.g., if (h<>0) then (l=1) else (l=1);)
• Possibilistic and probabilistic channels– Thread synchronization (e.g., semaphore [Sabelfeld01PSI])
• Others– Advanced policies– Practical issues
24
Conclusion
• Information-flow security– Desirable for many applications– Language-based techniques are promising
• Existing work– Much on high-level languages– Little on assembly code
• This work: covert channels in assembly code– Inspired by work for high-level languages– Annotations for termination/timing of branches– Termination, timing, possibilistic, probabilistic
http://www.docomolabs-usa.com/