Recently, much progress has been made on achieving information-flow security via secure multi-execution. Secure multi-execution () is an elegant way to enforce security by executing a given program multiple times, once for each security level, while carefully dispatching inputs and ensuring that an execution at a given level is responsible for producing outputs for information sinks at that level. Secure multi-execution guarantees noninterference, in the sense of no dependencies from secret inputs to public outputs, and transparency, in the sense that if a program is secure then its secure multi-execution does not disable any of its original behavior.
This paper pushes the boundary of what can be achieved with secure multi-execution. First, we lift the assumption from the original secure multi-execution work on the totality of the input environment (that there is always assumed to be input) and on cooperative scheduling. Second, we generalize secure multi-execution to distinguish between security levels of presence and content of messages. Third, we introduce a declassification model for secure multi-execution that allows expressing what information can be released and where it can be released. Fourth, we establish a full transparency result showing how secure multi-execution can preserve the original order of messages in secure programs. We demonstrate that full transparency is a key enabler for discovering attacks with secure multi-execution.
J.Agat, Transforming out timing leaks, in: Proc. ACM Symp. on Principles of Programming Languages, 2000, pp. 40–53.
2.
A.Askarov and A.Sabelfeld, Gradual release: Unifying declassification, encryption and key release policies, in: Proc. IEEE Symp. on Security and Privacy, 2007, pp. 207–221.
3.
A.Askarov and A.Sabelfeld, Tight enforcement of information-release policies for dynamic languages, in: Proc. IEEE Computer Security Foundations Symposium, 2009.
4.
A.Askarov, D.Zhang and A.C.Myers, Predictive black-box mitigation of timing channels, in: CCS, 2010.
5.
T.H.Austin and C.Flanagan, Efficient purely-dynamic information flow analysis, in: Proc. ACM Workshop on Programming Languages and Analysis for Security (PLAS), 2009.
6.
T.H.Austin and C.Flanagan, Permissive dynamic information flow analysis, in: Proc. ACM Workshop on Programming Languages and Analysis for Security (PLAS), 2010.
7.
T.H.Austin and C.Flanagan, Multiple facets for dynamic information flow, in: Proc. ACM Symp. on Principles of Programming Languages, 2012, pp. 165–178.
8.
T.H.Austin, J.Yang, C.Flanagan and A.Solar-Lezama, Faceted execution of policy-agnostic programs, in: Proc. ACM Workshop on Programming Languages and Analysis for Security (PLAS), ACM, New York, NY, USA, 2013, pp. 15–26.
9.
A.Banerjee, D.Naumann and S.Rosenberg, Expressive declassification policies and modular static enforcement, in: Proc. IEEE Symp. on Security and Privacy, 2008.
10.
J.Barnes, High Integrity Software: The SPARK Approach to Safety and Security, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 2003.
11.
G.Barthe, J.M.Crespo, D.Devriese, F.Piessens and E.Rivas, Secure multi-execution through static program transformation, in: Formal Techniques for Distributed Systems (FMOODS/FORTE 2012), LNCS, Vol. 7273, 2012, pp. 186–202.
12.
N.Bielova, D.Devriese, F.Massacci and F.Piessens, Reactive non-interference for a browser model, in: Proc. 5th International Conference on Network and System Security (NSS), 2011.
13.
N.Bielova, D.Devriese, F.Massacci and F.Piessens, Reactive non-interference for the browser: Extended version, Technical Report CW602, CS Dept., K.U. Leuven, 2011.
14.
A.Bohannon and B.C.Pierce, Featherweight Firefox: Formalizing the core of a web browser, in: Proc. USENIX Conference on Web Application Development, 2010.
15.
A.Bohannon, B.C.Pierce, V.Sjöberg, S.Weirich and S.Zdancewic, Reactive noninterference, in: ACM Conference on Computer and Communications Security, 2009, pp. 79–90.
16.
R.Capizzi, A.Longo, V.N.Venkatakrishnan and A.Prasad Sistla, Preventing information leaks through shadow executions, in: Annual Computer Security Applications Conference (ACSAC), 2008, pp. 322–331.
17.
D.Clark and S.Hunt, Noninterference for deterministic interactive programs, in: Workshop on Formal Aspects in Security and Trust (FAST’08), 2008.
18.
W.De Groef, D.Devriese, N.Nikiforakis and F.Piessens, FlowFox: A web browser with flexible and precise information flow control, in: ACM Conference on Computer and Communications Security, 2012.
19.
D.E.Denning, A lattice model of secure information flow, Comm. of the ACM19(5) (1976), 236–243.
20.
D.Devriese and F.Piessens, Non-interference through secure multi-execution, in: Proc. IEEE Symp. on Security and Privacy, 2010.
21.
C.Dima, C.Enea and R.Gramatovici, Nondeterministic nointerference and deducible information flow, Technical Report 2006-01, LACL, University of Paris 12, 2006.
22.
J.A.Goguen and J.Meseguer, Security policies and security models, in: Proc. IEEE Symp. on Security and Privacy, 1982, pp. 11–20.
23.
D.Hedin and A.Sabelfeld, Information-flow security for a core of Javascript, in: Proc. IEEE Computer Security Foundations Symposium, 2012, pp. 3–18.
24.
M.Jaskelioff and A.Russo, Secure multi-execution in Haskell, in: Proc. Andrei Ershov International Conference on Perspectives of System Informatics, LNCS, Vol. 7162, Springer-Verlag, 2011, pp. 170–178.
25.
V.Kashyap, B.Wiedermann and B.Hardekopf, Timing- and termination-sensitive secure information flow: Exploring a new approach, in: Proc. IEEE Symp. on Security and Privacy, 2011.
26.
G.Le Guernic, Confidentiality enforcement using dynamic information flow analyses, PhD thesis, Kansas State University, 2007.
27.
G.Le Guernic, Automaton-based confidentiality monitoring of concurrent programs, in: Proc. IEEE Computer Security Foundations Symposium, 2007, pp. 218–232.
28.
G.Le Guernic, A.Banerjee, T.Jensen and D.Schmidt, Automata-based confidentiality monitoring, in: Proc. Asian Computing Science Conference (ASIAN’06), LNCS, Vol. 4435, Springer-Verlag, 2006.
29.
P.Li and S.Zdancewic, Downgrading policies and relaxed noninterference, in: Proc. ACM Symp. on Principles of Programming Languages, 2005, pp. 158–170.
30.
H.Mantel, Information flow control and applications – Bridging a gap, in: Proc. Formal Methods Europe, LNCS, Vol. 2021, Springer-Verlag, 2001, pp. 153–172.
31.
H.Mantel and D.Sands, Controlled downgrading based on intransitive (non)interference, in: Proc. Asian Symp. on Programming Languages and Systems, LNCS, Vol. 3302, Springer-Verlag, 2004, pp. 129–145.
32.
A.C.Myers, A.Sabelfeld and S.Zdancewic, Enforcing robust declassification, in: Proc. IEEE Computer Security Foundations Workshop, 2004, pp. 172–186.
33.
A.C.Myers, A.Sabelfeld and S.Zdancewic, Enforcing robust declassification and qualified robustness, J. Computer Security14(2) (2006), 157–196.
34.
A.C.Myers, L.Zheng, S.Zdancewic, S.Chong and N.Nystrom, Jif: Java information flow. Software release, 2001, available at: http://www.cs.cornell.edu/jif.
35.
N.Nikiforakis, L.Invernizzi, A.Kapravelos, S.Van Acker, W.Joosen, C.Kruegel, F.Piessens and G.Vigna, You are what you include: Large-scale evaluation of remote Javascript inclusions, in: ACM Conference on Computer and Communications Security, 2012, pp. 736–747.
36.
K.O’Neill, M.Clarkson and S.Chong, Information-flow security for interactive programs, in: Proc. IEEE Computer Security Foundations Workshop, 2006, pp. 190–201.
37.
W.Rafnsson, D.Hedin and A.Sabelfeld, Securing interactive programs, in: Proc. IEEE Computer Security Foundations Symposium, 2012.
38.
W.Rafnsson and A.Sabelfeld, Limiting information leakage in event-based communication, in: Proc. ACM Workshop on Programming Languages and Analysis for Security (PLAS), 2011.
39.
W.Rafnsson and A.Sabelfeld, Secure multi-execution: Fine-grained, declassification-aware, and transparent, in: Proc. IEEE Computer Security Foundations Symposium, 2013, pp. 3–18.
40.
A.Russo, J.Hughes, D.Naumann and A.Sabelfeld, Closing internal timing channels by transformation, in: Proc. Asian Computing Science Conference (ASIAN’06), LNCS, Vol. 4435, Springer-Verlag, 2007.
41.
A.Russo and A.Sabelfeld, Securing timeout instructions in web applications, in: Proc. IEEE Computer Security Foundations Symposium, 2009.
42.
A.Russo and A.Sabelfeld, Dynamic vs. static flow-sensitive security analysis, in: Proc. IEEE Computer Security Foundations Symposium, 2010.
43.
A.Sabelfeld and A.C.Myers, Language-based information-flow security, IEEE J. Selected Areas in Communications21(1) (2003), 5–19.
44.
A.Sabelfeld and A.C.Myers, A model for delimited information release, in: Proc. International Symp. on Software Security (ISSS’03), LNCS, Vol. 3233, Springer-Verlag, 2004, pp. 174–191.
45.
A.Sabelfeld and A.Russo, From dynamic to static and back: Riding the roller coaster of information-flow control research, in: Proc. Andrei Ershov International Conference on Perspectives of System Informatics, LNCS, Vol. 5947, Springer-Verlag, 2009.
46.
A.Sabelfeld and D.Sands, Declassification: Dimensions and principles, J. Computer Security17(5) (2009), 517–548.
47.
P.Shroff, S.Smith and M.Thober, Dynamic dependency monitoring to secure information flow, in: Proc. IEEE Computer Security Foundations Symposium, 2007, pp. 203–217.
48.
V.Simonet, The Flow Caml system. Software release, 2003, available at: http://cristal.inria.fr/~simonet/soft/flowcaml.
H.Unno, N.Kobayashi and A.Yonezawa, Combining type-based analysis and model checking for finding counterexamples against non-interference, in: Proc. ACM Workshop on Programming Languages and Analysis for Security (PLAS), 2006, pp. 17–26.
52.
M.Vanhoef, W.De Groef, D.Devriese, F.Piessens and T.Rezk, Stateful declassification policies for event-driven programs, in: CSF, 2014.
53.
D.Volpano, G.Smith and C.Irvine, A sound type system for secure flow analysis, J. Computer Security4(3) (1996), 167–187.
54.
J.Yang, K.Yessenov and A.Solar-Lezama, A language for automatically enforcing privacy policies, in: POPL, 2012, pp. 85–96.
55.
D.Zanarini, M.Jaskelioff and A.Russo, Precise enforcement of confidentiality for reactive system, in: Proc. IEEE Computer Security Foundations Symposium, 2013.
56.
S.Zdancewic and A.C.Myers, Robust declassification, in: Proc. IEEE Computer Security Foundations Workshop, 2001, pp. 15–23.
