ACM Workshop on Programming Languages and Analysis for Security: Latest Articles
A domain-specific programming language for secure multiparty computation
Pub Date : 2007-06-14 DOI: 10.1145/1255329.1255333
Janus Dam Nielsen, M. I. Schwartzbach
We present a domain-specific programming language for Secure Multiparty Computation (SMC). Information is a resource of vital importance and considerable economic value to individuals, public administration, and private companies. This means that the confidentiality of information is crucial, but at the same time significant value can often be obtained by combining confidential information from various sources. This fundamental conflict between the benefits of confidentiality and the benefits of information sharing may be overcome using the cryptographic method of SMC where computations are performed on secret values and results are only revealed according to specific protocols. We identify the key linguistic concepts of SMC and bridge the gap between high-level security requirements and low-level cryptographic operations constituting an SMC platform, thus improving the efficiency and security of SMC application development. The language is implemented in a prototype compiler that generates Java code exploiting a distributed cryptographic runtime.
Citations: 61
Fast probabilistic simulation, nontermination, and secure information flow
Pub Date : 2007-06-14 DOI: 10.1145/1255329.1255341
Geoffrey Smith, Rafael Alpízar
In secure information flow analysis, the classic Denning restrictions allow a program's termination to be affected by the values of its H variables, resulting in potential information leaks. In an effort to quantify such leaks, in this work we study a simple imperative language with random assignments. We consider a "stripping" operation on programs and establish a fundamental relationship between the behavior of a well-typed program and of its stripped version; to prove this relationship, we introduce a new notion of fast probabilistic simulation on Markov chains. As an application, we prove that, under the Denning restrictions, well-typed probabilistic programs are guaranteed to satisfy an approximate probabilistic noninterference property, provided that their probability of nontermination is small.
Citations: 5
Cautious virus detection in the extreme
Pub Date : 2007-06-14 DOI: 10.1145/1255329.1255338
J. Case, Samuel E. Moelius
It is well known that there exist viruses whose set of infected programs is undecidable. If a virus detector is to err on the side of caution with respect to such a virus, then it must label some perfectly innocent programs as being infected by the virus. Can there exist a virus whose set of infected programs is so unwieldy that any cautious virus detector must label all but finitely many programs as being infected by the virus, even when infinitely many programs are not infected by the virus? Although such viruses can exist, strong theoretical evidence is presented that such a virus is unlikely to be encountered in the real world. Several of our proofs employ infinitary self-reference arguments.
Citations: 5
Jifclipse: development tools for security-typed languages
Pub Date : 2007-06-14 DOI: 10.1145/1255329.1255331
Boniface Hicks, Dave King, P. McDaniel
Security-typed languages such as Jif require the programmer to label variables with information flow security policies as part of application development. The compiler then flags errors wherever information leaks may occur. Resolving these information leaks is a critical task in security-typed language application development. Unfortunately, because information flows can be quite subtle, simple error messages tend to be insufficient for finding and resolving the source of information leaks; more sophisticated development tools are needed for this task. To this end we provide a set of principles to guide the development of such tools. Furthermore, we implement a subset of these principles in an integrated development environment (IDE) for Jif, called Jifclipse, which is built on the Eclipse extensible development platform. Our plug-in provides a Jif programmer with additional tools to view hidden information generated by a Jif compilation, to suggest fixes for errors, and to get more specific information behind an error message. Better development tools are essential for making security-typed application development practical; Jifclipse is a first step in this process.
Citations: 14
Large-scale analysis of format string vulnerabilities in Debian Linux
Pub Date : 2007-06-14 DOI: 10.1145/1255329.1255344
K. Chen, D. Wagner
Format-string bugs are a relatively common security vulnerability, and can lead to arbitrary code execution. In collaboration with others, we designed and implemented a system to eliminate format string vulnerabilities from an entire Linux distribution, using type-qualifier inference, a static analysis technique that can find taint violations. We successfully analyze 66% of C/C++ source packages in the Debian 3.1 Linux distribution. Our system finds 1,533 format string taint warnings. We estimate that 85% of these are true positives, i.e., real bugs; ignoring duplicates from libraries, about 75% are real bugs. We suggest that the technology exists to render format string vulnerabilities extinct in the near future.
Citations: 46
Localized delimited release: combining the what and where dimensions of information release
Pub Date : 2007-06-14 DOI: 10.1145/1255329.1255339
Aslan Askarov, A. Sabelfeld
Information release (or declassification) policies are the key challenge for language-based information security. Although much progress has been made, different approaches to information release tend to address different aspects of information release. In a recent classification, these aspects are referred to as what, who, where, and when dimensions of declassification. In order to avoid information laundering, it is important to combine defense along the different dimensions. As a step in this direction, this paper presents a combination of what and where information release policies. Moreover, we show that a minor modification of a security type system from the literature (which was designed for treating the what dimension) in fact enforces the combination of what and where policies.
Citations: 58
Improving usability of information flow security in Java
Pub Date : 2007-06-14 DOI: 10.1145/1255329.1255332
Scott F. Smith, M. Thober
This paper focuses on improving the usability of information flow type systems. We present a static information flow type inference system for Middleweight Java (MJ) which automatically infers information flow labels, thus avoiding the need for a multitude of program annotations. Additionally, policies need only be specified on IO channels, the critical flow boundary. Our type system includes a high degree of parametric polymorphism, necessary to allow classes to be used in multiple security contexts, and to properly distinguish the security policies of different IO channels. We prove a noninterference property for programs that interactively input and output data. We then describe a mechanism that allows users to define top-level policies, which automatically inserts the security policies at the proper points in the program. This provides the further benefit that whoever is defining the policy does not necessarily need intimate knowledge of the program source.
Citations: 28
A simulation-based proof technique for dynamic information flow
Pub Date : 2007-06-14 DOI: 10.1145/1255329.1255336
Stephen McCamant, Michael D. Ernst
Information-flow analysis can prevent programs from improperly revealing secret information, and a dynamic approach can make such analysis more practical, but there has been relatively little work verifying that such analyses are sound (account for all flows in a given execution). We describe a new technique for proving the soundness of dynamic information-flow analyses for policies such as end-to-end confidentiality. The proof technique simulates the behavior of the analyzed program with a pair of copies of the program: one has access to the secret information, and the other is responsible for output. The two copies are connected by a limited-bandwidth communication channel, and the amount of information passed on the channel bounds the amount of information disclosed, allowing it to be quantified. We illustrate the technique by application to a model of a practical checking tool based on binary instrumentation, which had not previously been shown to be sound.
Citations: 38
Guarded models for intrusion detection
Pub Date : 2007-06-14 DOI: 10.1145/1255329.1255345
Hassen Saïdi
Host-based intrusion detection systems that monitor an application execution and report any deviation from its statically built model have seen tremendous progress in recent years. However, the weakness of these systems is that they often rely on overly abstracted models that reflect only the control flow structure of programs, and therefore are subject to so-called "mimicry attacks". Authors of these models have argued that capturing more of the data flow characteristics of a program is necessary to prevent a large class of attacks, in particular, non-control-data attacks. In this paper, we present the guarded model, a novel model that addresses the various deficiencies of the state-of-the-art intrusion detection systems. Our model is a generalization of previous models that offers no false alarms, a very low monitoring overhead, and is automatically generated. Our model detects mimicry attacks by combining control flow and data flow analysis, but can also tackle the ever increasingly threatening non-control-data flow attacks. Our model is the first model built automatically by combining control flow and data flow analysis using state-of-the-art tools for automatic generation and propagation of invariants. Our model not only prevents intrusions, but allows in some cases the detection of application logic bugs. Such bugs are beyond the reach of current intrusion detection systems.
Citations: 12
Quantitative analysis of leakage for multi-threaded programs
Pub Date : 2007-06-14 DOI: 10.1145/1255329.1255335
Han Chen, P. Malacaria
We present a quantitative analysis of information flow for a multi-threaded language based on a probabilistic scheduler. The analysis consists of two steps. First, multi-threaded programs are translated into single-thread looping programs with a probabilistic operator. Then an information theoretical semantics of loops with probabilistic operators is used to derive the leakage. Using this analysis, classical examples of multi-threaded programs are revisited: it is shown how the analysis is able to deal with, among others, probabilistic leakage, internally observable timing leakage and leakage originated by observing intermediate states of computation.
Citations: 44