ABSTRACT
We present a new technique for determining how much information about a program's secret inputs is revealed by its public outputs. In contrast to previous techniques based on reachability from secret inputs (tainting), it achieves a more precise quantitative result by computing a maximum flow of information between the inputs and outputs. The technique uses static control-flow regions to soundly account for implicit flows via branches and pointer operations, but operates dynamically by observing one or more program executions and giving numeric flow bounds specific to them (e.g., "17 bits"). The maximum flow in a network also gives a minimum cut (a set of edges that separate the secret input from the output), which can be used to efficiently check that the same policy is satisfied on future executions. We performed case studies on 5 real C, C++, and Objective C programs, 3 of which had more than 250K lines of code. The tool checked multiple security policies, including one that was violated by a previously unknown bug.
- R. Ahlswede, N. Cai, S.-Y. R. Li, and R. W. Yeung. Network information flow. IEEE Transactions on Information Theory, 46(4):1204--1216, 2000.]] Google ScholarDigital Library
- A. Askarov and A. Sabelfeld. Security-typed languages for implementation of cryptographic protocols: A case study. In Proceedings of the 10th European Symposium On Research In Computer Security (LNCS 3679), pages 197--221, Milan, Italy, September 12-14, 2005.]] Google ScholarDigital Library
- G. D. Battista and R. Tamassia. Incremental planarity testing. In 30th Annual Symposium on Foundations of Computer Science, pages 436--441, Research Triangle Park, NC, USA, October 30-November 1, 1989.]] Google ScholarDigital Library
- M. D. Bond and K. S. McKinley. Probabilistic calling context. In Object-Oriented Programming Systems, Languages, and Applications (OOPSLA 2007), pages 97--112, Montreal, Canada, October 23--25, 2007.]] Google ScholarDigital Library
- M. Budiu, M. Sakr, K. Walker, and S. C. Goldstein. BitValue inference: Detecting and exploiting narrow bitwidth computations. In European Conference on Parallel Processing, pages 969--979, Munich, Germany, August 29-September 1, 2000.]] Google ScholarDigital Library
- D. Chandra and M. Franz. Fine-grained information flow analysis and enforcement in a Java virtual machine. In 23rd Annual Computer Security Applications Conference, pages 463--475, Miami Beach, FL, USA, December 10-14, 2007.]]Google ScholarCross Ref
- J.-D. Choi, M. Burke, and P. Carini. Efficient flow-sensitive interprocedural computation of pointer-induced aliases and side effects. In Proceedings of the Twentieth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 232--245, Charleston, SC, January 1993.]] Google ScholarDigital Library
- J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum. Understanding data lifetime via whole system simulation. In 13th USENIX Security Symposium, pages 321--336, San Diego, CA, USA, August 11-13, 2004.]] Google ScholarDigital Library
- D. Clark, S. Hunt, and P. Malacaria. Quantified interference for a while language. In Proceedings of the 2nd Workshop on Quantitative Aspects of Programming Languages (ENTCS 112), pages 149--159, Barcelona, Spain, March 27-28, 2004.]]Google Scholar
- J. Clause, W. Li, and A. Orso. Dytan: A generic dynamic taint analysis framework. In ISSTA 2007, Proceedings of the 2007 International Symposium on Software Testing and Analysis, pages 196--206, London, UK, July 10-12, 2007.]] Google ScholarDigital Library
- T. H. Cormen, C. E. Leiserson, and R. L. Rivest. Introduction to Algorithms. MIT Electrical Engineering and Computer Science Series. MIT Press and McGraw-Hill, Cambridge, Massachusetts and New York, New York, 1990.]] Google ScholarDigital Library
- T.M. Cover and J. A. Thomas. Elements of Information Theory. John Wiley, 1991.]] Google ScholarDigital Library
- D. E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236--243, May 1976.]] Google ScholarDigital Library
- D. E. R. Denning. Secure Information Flow in Computer Systems. PhD thesis, Purdue University, May 1975.]] Google ScholarDigital Library
- Department of Defense Computer Security Center. Trusted Computer System Evaluation Criteria, August 1983. CSC-STD-001-83.]]Google Scholar
- A. Di Pierro, C. Hankin, and H. Wiklicky. Approximate noninterference. In 15th IEEE Computer Security Foundations Workshop, pages 3--17, Cape Breton, Nova Scotia, Canada, June 24-26, 2002.]] Google ScholarDigital Library
- W. Drewry and T. Ormandy. Flayer: Exposing application internals. In First USENIX Workshop on Offensive Technologies, Boston, MA, USA, August 6, 2007.]] Google ScholarDigital Library
- P. Efstathopoulos, M. Krohn, S. VanDeBogart, C. Frey, D. Ziegler, E. Kohler, D. Mazieres, F. Kaashoek, and R. Morris. Labels and event processes in the Asbestos operating system. In Proceedings of the 20th ACM Symposium on Operating Systems Principles, pages 17--30, Brighton, UK, October 32-26, 2005.]] Google ScholarDigital Library
- J. S. Fenton. Memoryless subsytems. The Computer Journal, 17(2):143--147, May 1974.]]Google ScholarCross Ref
- E. Ferrari, P. Samarati, E. Bertino, and S. Jajodia. Providing flexibility in information flow control for object-oriented systems. In 1997 IEEE Symposium on Security and Privacy, pages 130--140, Oakland, CA, USA, May 4-7, 1997.]] Google ScholarDigital Library
- I. Gat and H. J. Saal. Memoryless execution: A programmer's viewpoint. Software: Practice and Experience, 6(4):463--471, 1976.]]Google ScholarCross Ref
- J. A. Goguen and J. Meseguer. Security policies and security models. In 1982 IEEE Symposium on Security and Privacy, pages 11--20, Oakland, CA, USA, April 26-28, 1982.]]Google ScholarCross Ref
- J. W. Gray III. Toward a mathematical foundation for information flow security. In 1991 IEEE Symposium on Research in Security and Privacy, pages 21--34, Oakland, CA, USA, May 20-22, 1991.]]Google Scholar
- M. Herrb. X.org security advisory: multiple integer overflows in DBE and Render extensions, January 2007. http://lists.freedesktop.org/archives/xorg-announce/2007-January/000235.html.]]Google Scholar
- B. Hicks, K. Ahmadizadeh, and P. McDaniel. From languages to systems: Understanding practical application development in security-typed languages. In Proceedings of the 2006 Annual Computer Security Applications Conference, pages 153--164, Miami Beach, FL, USA, December 11-15, 2006.]] Google ScholarDigital Library
- V. Kiriansky, D. Bruening, and S. Amarasinghe. Secure execution via program shepherding. In 11th USENIX Security Symposium, pages 191--206, San Francisco, CA, USA, August 7-9, 2002.]] Google ScholarDigital Library
- P. Li and S. Zdancewic. Encoding information flow in Haskell. In 19th IEEE Computer Security Foundations Workshop, pages 16--27, Venice, Italy, July 5-6, 2006.]] Google ScholarDigital Library
- G. Lowe. Quantifiying information flow. In 15th IEEE Computer Security Foundations Workshop, pages 18--31, Cape Breton, Nova Scotia, Canada, June 24-26, 2002.]] Google ScholarDigital Library
- P. Malacaria. Assessing security threats of looping constructs. In Proceedings of the 34rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 225--235, Nice, France, January 17-19, 2007.]] Google ScholarDigital Library
- W. Masri, A. Podgurski, and D. Leon. Detecting and debugging insecure information flows. In Fifteenth International Symposium on Software Reliability Engineering, pages 198--209, Saint-Malo, France, November 3-5, 2004.]] Google ScholarDigital Library
- S. McCamant. Quantitative Information-Flow Tracking for Real Systems. PhD thesis, MIT Department of Electrical Engineering and Computer Science, Cambridge, MA, June 2008.]] Google ScholarDigital Library
- S. McCamant and M. D. Ernst. Quantitative information-flow tracking for C and related languages. Technical Report MIT-CSAILTR- 2006-076, MIT Computer Science and Artificial Intelligence Laboratory, Cambridge, MA, November 17, 2006.]]Google Scholar
- S. McCamant and M. D. Ernst. Quantitative information flow as network flow capacity. Technical Report MIT-CSAIL-TR-2007-057, MIT Computer Science and Artificial Intelligence Laboratory, Cambridge, MA, December 10, 2007.]]Google Scholar
- S. McCamant and M. D. Ernst. A simulation-based proof technique for dynamic information flow. In PLAS 2007: ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pages 41--46, San Diego, California, USA, June 14, 2007.]] Google ScholarDigital Library
- A. C. Myers. JFlow: Practical mostly-static information flow control. In Proceedings of the 26th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 228--241, San Antonio, TX, January 20-22, 1999.]] Google ScholarDigital Library
- A. C. Myers and B. Liskov. A decentralized model for information flow control. In Proceedings of the 16th ACM Symposium on Operating Systems Principles, pages 129--142, St. Malo, France, October 5-8, 1997.]] Google ScholarDigital Library
- S. K. Nair, P. N. Simpson, B. Crispo, and A. S. Tannenbaum. A virtual machine based information flow control system for policy enforcement. In The First International Workshop on Run Time Enforcement for Mobile and Distributed Systems, pages 3--16, Dresden, Germany, September 27, 2007.]]Google Scholar
- G. C. Necula, S. McPeak, S. Rahul, and W. Weimer. CIL: Intermediate language and tools for analysis and transformation of C programs. In Compiler Construction: 11th International Conference, CC 2002, pages 213--228, Grenoble, France, April 8-12, 2002.]] Google ScholarDigital Library
- N. Nethercote and A. Mycroft. Redux: A dynamic dataflow tracer. In Proceedings of the Third Workshop on Runtime Verification, Boulder, CO, USA, July 13, 2003.]]Google Scholar
- N. Nethercote and J. Seward. Valgrind: A framework for heavyweight dynamic binary insrumentation. In Proceedings of the ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation, pages 89--100, San Diego, CA, USA, June 11-13, 2007.]] Google ScholarDigital Library
- J. Newsome and D. Song. Dynamic taint analysis: Automatic detection, analysis, and signature generation of exploit attacks on commodity software. In Annual Symposium on Network and Distributed System Security, San Diego, CA, USA, February 3-4, 2005.]]Google Scholar
- J. Newsome and D. Song. Influence: A quantitative approach for data integrity. Technical Report CMU-CyLab-08-005, Carnegie Mellon University CyLab, February 2008.]]Google Scholar
- A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening web applications using precise tainting. In 20th IFIP International Information Security Conference, pages 295--307, Chiba, Japan, May 30-June 1, 2005.]]Google ScholarCross Ref
- J. Qian, B. Xu, and H. Min. Interstatement must aliases for data dependence analysis of heap locations. In ACM SIGPLAN/SIGSOFT Workshop on Program Analysis for Software Tools and Engineering (PASTE 2007), pages 17--23, San Diego, CA, USA, June 13-14, 2007.]] Google ScholarDigital Library
- F. Qin, C. Wang, Z. Li, H.-S. Kim, Y. Zhou, and Y. Wu. LIFT: A low-overhead practical information flow tracking system for detecting general security attacks. In Proceedings of the 39th Annual IEEE/ACM International Symposium on Microarchitecture, pages 135--148, Orlando, FL, USA, December 9-13, 2006.]] Google ScholarDigital Library
- A. Salcianu and M. C. Rinard. Purity and side-effect analysis for Java programs. In VMCAI'05, Sixth International Conference on Verification, Model Checking and Abstract Interpretation, pages 199--215, Paris, France, January 17-19, 2005.]] Google ScholarDigital Library
- J. Seward and N. Nethercote. Using Valgrind to detect undefined value errors with bit-precision. In Proceedings of the 2005 USENIX Annual Technical Conference, pages 17--30, Anaheim, CA, USA, April 10-15, 2005.]] Google ScholarDigital Library
- V. Simonet. Flow Caml in a nutshell. In First Applied Semantics II (APPSEM-II) Workshop, pages 152--165, Nottingham, UK, May 26-28, 2003.]]Google Scholar
- S. Smith and M. Thober. Refactoring programs to secure information flows. In PLAS 2006: ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pages 75--84, Ottawa, Canada, June 10, 2006.]] Google ScholarDigital Library
- G. E. Suh, J. W. Lee, D. Zhang, and S. Devadas. Secure program execution via dynamic information flow tracking. In Proceedings of the 11th International Conference on Architectural Support for Programming Languages and Operating Systems, pages 85--96, Boston, Massachusetts, USA, October 7-13, 2004.]] Google ScholarDigital Library
- G. T. Sullivan, D. L. Bruening, I. Baron, T. Garnett, and S. Amarasinghe. Dynamic native optimization of interpreters. In ACM SIGPLAN 2003 Workshop on Interpreters, Virtual Machines and Emulators, pages 50--57, San Diego, California, USA, June 12, 2003.]] Google ScholarDigital Library
- N. Vachharajani, M. J. Bridges, J. Chang, R. Rangan, G. Ottoni, J. A. Blome, G. A. Reis, M. Vachharajani, and D. I. August. RIFLE: An architectural framework for user-centric information-flow security. In Proceedings of the 37th Annual IEEE/ACM International Symposium on Microarchitecture, pages 243--254, Portland, OR, USA, December 4-8, 2004.]] Google ScholarDigital Library
- D. Volpano, G. Smith, and C. Irvine. A sound type system for secure flow analysis. Journal of Computer Security, 4(3):167--187, December 1996.]] Google ScholarDigital Library
- L. Wall and R. L. Schwartz. Programming Perl. O'Reilly & Associates, 1991.]] Google ScholarDigital Library
- D. P. Wiggins. Security Extension Specification. X Consortium, Inc., November 1996.]]Google Scholar
- W. Xu, S. Bhatkar, and R. Sekar. Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks. In 15th USENIX Security Symposium, pages 121--136, Vancouver, BC, Canada, August 2-4, 2006.]] Google ScholarDigital Library
- A. R. Yumerfendi, B. Mickle, and L. P. Cox. TightLip: Keeping applications from spilling the beans. In 4th USENIX Symposium on Networked Systems Design and Implementation, pages 159--172, Cambridge, MA, USA, April 11-13, 2007.]] Google ScholarDigital Library
- N. Zeldovich, S. Boyd-Wickizer, E. Kohler, and D. Mazieres. Making information flow explicit in HiStar. In USENIX 7th Symposium on OS Design and Implementation, pages 263--278, Seattle, WA, USA, November 6-8, 2006.]] Google ScholarDigital Library
Index Terms
- Quantitative information flow as network flow capacity
Recommendations
Symbolic quantitative information flow
Quantitative Information Flow (QIF) is a powerful approach to quantify leaks of confidential information in a software system. Here we present a novel method that precisely quanties information leaks. In order to mitigate the state-space explosion ...
Quantitative information flow as network flow capacity
PLDI '08We present a new technique for determining how much information about a program's secret inputs is revealed by its public outputs. In contrast to previous techniques based on reachability from secret inputs (tainting), it achieves a more precise ...
A simulation-based proof technique for dynamic information flow
PLAS '07: Proceedings of the 2007 workshop on Programming languages and analysis for securityInformation-flow analysis can prevent programs from improperly revealing secret information, and a dynamic approach can make such analysis more practical, but there has been relatively little work verifying that such analyses are sound (account for all ...
Comments