[Colloq] Talk - Willard Thor Rafnsson - End-to-End Information-Flow Security for Interactive Systems - Monday, September 22nd, 9:45am, 166 WVH

Biron, Jessica j.biron at neu.edu
Thu Sep 18 15:10:52 EDT 2014


Speaker: Willard Thor Rafnsson 

Title: End-to-End Information-Flow Security for Interactive Systems

Monday, September 22nd
9:45am - 10:45am
166 WVH

Abstract: 

We provide means to achieve end-to-end information-flow security in 
interactive systems. The elusiveness of this problem stems from the 
fact that interaction patterns, primitives, synchronous communication 
and nondeterminism combine in ways where seemingly innocuous systems 
compromise security in unexpected ways under interaction.
 
We study what it means for systems to preserve confidentiality in a 
nondeterministic interactive setting. We focus on two properties:
progress-sensitive noninterference (PSNI), requiring that observable 
behavior is invariant to confidential input, and progress-insensitive 
noninterference (PINI), permitting confidential input to impede the 
ability of a system to make progress on its observable output. The 
latter is a popular target of information-flow security enforcement 
mechanisms, e.g. JSFlow, Jif, and sequential LIO. To identify the 
essence of interactive systems security, we explore classes of attacks 
in this setting, and find previous work ignores e.g. attacks powered 
by varied input presence -- a high-bandwidth channel in our setting.

To address this, we devise a new, preservation-based, formalization of 
noninterference, which guarantees secure systems interact securely.
Our formalization is thereby compositional; we prove this for a core 
of combinators, and derive a rich language of security-preserving 
combinators from it. While both PSNI and PINI are preserved under 
arbitrary wirings, PINI relies fundamentally on the lack of scheduling 
fairness to guarantee security of interactions. This makes PINI unfit 
for autonomous interactive systems security.
 
To facilitate building secure systems in parts, we advance secure 
multi-execution (SME): a combinator which repairs insecurities. SME 
thus makes any interactive system, secure or not, readily pluggable 
into a secure composed system. We prove soundness for all fair 
schedulers, and redesign SME to enforce PSNI, obtaining a more 
semantics-preserving combinator. We give a language-independent model 
for information release in SME. For scenarios where semantics must be 
preserved, we present type-based enforcements of PSNI and PINI.




More information about the Colloq mailing list