Mar 31, 2015
Page 1: Security of Multithreaded Programs by Compilation Tamara Rezk INDES Project, INRIA Sophia Antipolis Mediterranee Joint work with Gilles Barthe, Alejandro.

Security of Multithreaded Programs by Compilation

Tamara Rezk, INDES Project, INRIA Sophia Antipolis Mediterranee

Joint work with Gilles Barthe, Alejandro Russo, Andrei Sabelfeld

Torino, April 21st

Matyss COLOR Project

Pages 2-3: In this talk:

• Security of mobile code (proof carrying code)

• Verification of confidentiality in low level languages

• Connection between different type systems

• A modular approach to verification of multithreaded code and its connection to low level multithreaded code

Page 4:

Proof Carrying Code scenarios

PRODUCER SIDE CONSUMER SIDE

Pages 5-6: Mobile Code example: Java applets

(figure: a program on the PRODUCER SIDE is compiled by the compiler and sent over the NETWORK to the program on the CONSUMER SIDE; caption: security guarantees?)

Pages 7-9: Proof Carrying Code

(figure: on the PRODUCER SIDE the program goes through the compiler and iflow type inference, which is difficult; the compiled program crosses the NETWORK; on the CONSUMER SIDE iflow type checking, which is easy, either accepts or rejects it, and only the checker is in the TCB)

Page 10: Motivation of this work

• Insecure flows in mobile code can be prevented by program analysis, but

• Information flow for multithreaded low-level code has not been addressed so far

Page 11: Contribution of this work

We propose a framework to enforce security for multithreaded low-level programs and extend it to security-type preserving compilation

Page 12:

In this talk:

• Security of mobile code (proof carrying code)

• Verification of confidentiality in low level languages

• Connection between different type systems for iflow

• A modular approach to verification of multithreaded code and its connection to low level multithreaded code

Pages 13-17: Verification of iflow for low level code

High-level code

• Typing rules are syntax directed

• Memory model includes a store

• Typability: given by the typing rule of sequential composition

Low-level code

• Code is unstructured. Typing rules are not based on the structure of the syntax

• Memory model includes a store and an operand stack

• Typability: composition is given by the successor relation between program points

Page 18: Verification of iflow for low level code

• Tracking information flow via control flow in high-level languages is syntax-directed: control dependence regions are given by the control structure.

if (y==0) then x:=3; else x:=1;

The control dependence region includes the program points x:=3 and x:=1 (both depend on the expression y==0).

Pages 19-22:

High-level typing rule for the conditional:

    e : k    c : k1    c' : k2    k ≤ k1    k ≤ k2
    ----------------------------------------------
           |- if e then c else c' : k

if (y==0) then x:=3; else x:=1;

Compiled low-level code:

1 load y
2 ifeq 6
3 push 3
4 store x
5 goto 8
6 push 1
7 store x
8 ...

region(2): the program points of both branches of the ifeq at 2, i.e. points 3 to 7

Low-level typing rule for the branch:

    Instr[pc] = ifeq j    for all i in region(pc): k ≤ se(i)
    --------------------------------------------------------
                     se |- k :: st => st

(figure: the security environment se annotated beside the region, in instruction order k1, k1, k, k2, k2, i.e. se(3) = se(4) = k1, se(5) = k, se(6) = se(7) = k2)
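As an added example (not code from the slides or from the authors' framework), the following Python checker computes region(pc) for the listing above from the successor relation, via postdominators, and then applies simplified versions of the rules just shown: push yields se(pc), load x yields level(x) ⊔ se(pc), store x needs top ⊔ se(pc) ≤ level(x), and ifeq with top k needs k ≤ se(i) for every i in region(pc). The two-level lattice L < H, the listing dictionary, the treatment of point 8 as a return, and the inference of se from the regions (in the PCC setting the producer would ship se with the code) are all assumptions of this example.

```python
from collections import deque

# Two security levels, L (public) < H (secret); join is the least upper bound.
def leq(a, b):
    return a == "L" or b == "H"

def join(a, b):
    return "H" if "H" in (a, b) else "L"

# Constructed listing: the slide's compilation of `if (y==0) then x:=3 else x:=1`.
# Program points are 1-based as on the slide; point 8 (the "..." on the slide) is
# modelled as a return, i.e. the junction point where both branches meet.
LISTING = {
    1: ("load", "y"), 2: ("ifeq", 6), 3: ("push", 3), 4: ("store", "x"),
    5: ("goto", 8), 6: ("push", 1), 7: ("store", "x"), 8: ("return",),
}

def successors(listing):
    """Successor relation between program points (the low-level notion of composition)."""
    succ = {}
    for pc, ins in listing.items():
        op = ins[0]
        if op == "goto":
            succ[pc] = [ins[1]]
        elif op == "ifeq":
            succ[pc] = [pc + 1, ins[1]]
        elif op == "return":
            succ[pc] = []
        else:
            succ[pc] = [pc + 1]
    return succ

def postdominators(listing, succ):
    """pdom[pc] = the points that every path from pc to the exit must pass through."""
    pcs = set(listing)
    pdom = {pc: ({pc} if not succ[pc] else set(pcs)) for pc in pcs}
    changed = True
    while changed:
        changed = False
        for pc in pcs:
            if not succ[pc]:
                continue
            new = {pc} | set.intersection(*(pdom[s] for s in succ[pc]))
            if new != pdom[pc]:
                pdom[pc], changed = new, True
    return pdom

def regions(listing, succ):
    """region(pc) for each branch: the points control-dependent on it, i.e. everything
    reachable from the branch before its junction point (immediate postdominator)."""
    pdom = postdominators(listing, succ)
    reg = {}
    for pc, ins in listing.items():
        if ins[0] != "ifeq":
            continue
        strict = pdom[pc] - {pc}
        junction = next(d for d in strict if pdom[d] == strict)
        seen, work = set(), list(succ[pc])
        while work:
            j = work.pop()
            if j != junction and j not in seen:
                seen.add(j)
                work.extend(succ[j])
        reg[pc] = seen
    return reg

def typecheck(listing, var_levels):
    """Returns (True, se) if the listing is typable, else (False, reason).
    se is inferred here: se(i) must be at least the level of every branch whose
    region contains i, which is exactly the side condition of the ifeq rule."""
    succ = successors(listing)
    reg = regions(listing, succ)
    entry = min(listing)
    se = {pc: "L" for pc in listing}
    while True:
        st, cond, work = {entry: []}, {}, deque([entry])
        while work:                      # propagate stack types along the successor relation
            pc = work.popleft()
            op, *args = listing[pc]
            s = list(st[pc])
            if op == "load":
                s.append(join(var_levels[args[0]], se[pc]))
            elif op == "push":
                s.append(se[pc])
            elif op == "store":
                top = s.pop()
                if not leq(join(top, se[pc]), var_levels[args[0]]):
                    return False, f"store {args[0]} at {pc}: {join(top, se[pc])} flows to {var_levels[args[0]]}"
            elif op == "ifeq":
                cond[pc] = s.pop()       # level k of the tested value
            for nxt in succ[pc]:
                merged = s if nxt not in st else [join(a, b) for a, b in zip(st[nxt], s)]
                if nxt not in st or merged != st[nxt]:
                    st[nxt] = merged
                    work.append(nxt)
        new_se = {pc: "L" for pc in listing}
        for b, k in cond.items():
            for i in reg[b]:
                new_se[i] = join(new_se[i], k)
        if new_se == se:                 # fixpoint reached: all constraints hold
            return True, se
        se = new_se
```

With y secret and x public the checker rejects the listing at point 4: the `push 3` inside region(2) gets stack type H because se(4) is raised to the level of y, so the store into the public x is an implicit flow. With both variables secret, or both public, it is accepted.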

Page 23: Observation: low level verification is more general...

(the High-level code / Low-level code comparison from Pages 13-17 is repeated on this slide)

Page 24:

In this talk:

• Security of mobile code (proof carrying code)

• Verification of confidentiality in low level languages

• Connection between different type systems for iflow

• A modular approach to verification of multithreaded code and its connection to low level multithreaded code

Pages 25-26: How to connect two different type systems

(the High-level code / Low-level code comparison from Pages 13-17 is repeated on these slides)

Page 27: How to connect two different type systems

• We annotate high level code with labels and keep these labels for compilation.

• The compiler generates low level control dependence regions for high-level control dependence regions.

• We compile types of expressions in high level typing derivation trees into stack types.

• Typability does not require further work.
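Added example for the four steps above (this is not the paper's compiler): a toy compiler in Python that carries the high-level typing context through compilation and emits, beside the code, the control dependence region of every branch and the stack type before every instruction, so the consumer only has to check this certificate instead of recomputing regions from the control-flow graph. The AST shape, the convention that ifeq jumps to the second branch when the tested value is zero (the slide's listing elides the `==0` computation, so the test expression here is just the loaded variable), and the lattice L < H are assumptions of this example.

```python
# Levels L < H; join is the least upper bound.
def leq(a, b):
    return a == "L" or b == "H"

def join(a, b):
    return "H" if "H" in (a, b) else "L"

# Constructed high-level AST:
#   ("assign", x, e)            x := e
#   ("if", e, c_nonzero, c_zero) compiled to ifeq, which jumps to c_zero when e is 0
#   ("seq", c1, c2)
# expressions: ("var", name) | ("const", n)

class Compiler:
    def __init__(self, var_levels):
        self.levels = var_levels
        self.code = {}         # pc -> instruction
        self.se = {}           # pc -> context level, read off the high-level typing derivation
        self.stack_types = {}  # pc -> stack type before pc, compiled from expression types
        self.regions = {}      # branch pc -> control dependence region, from the syntax

    def emit(self, ins, ctx, stack):
        pc = len(self.code) + 1
        self.code[pc] = ins
        self.se[pc] = ctx
        self.stack_types[pc] = list(stack)
        return pc

    def expr(self, e, ctx, stack):
        """Compile an expression and push its type (its level joined with the context)."""
        if e[0] == "var":
            k = join(self.levels[e[1]], ctx)
            self.emit(("load", e[1]), ctx, stack)
        else:
            k = ctx
            self.emit(("push", e[1]), ctx, stack)
        stack.append(k)
        return k

    def cmd(self, c, ctx, stack):
        if c[0] == "seq":
            self.cmd(c[1], ctx, stack)
            self.cmd(c[2], ctx, stack)
        elif c[0] == "assign":
            k = self.expr(c[2], ctx, stack)
            if not leq(k, self.levels[c[1]]):      # high-level assignment rule: e:k, k <= level(x)
                raise TypeError(f"{k} value assigned to {c[1]} : {self.levels[c[1]]}")
            self.emit(("store", c[1]), ctx, stack)
            stack.pop()
        elif c[0] == "if":
            k = self.expr(c[1], ctx, stack)          # e : k
            branch = self.emit(("ifeq", None), ctx, stack)
            stack.pop()
            self.cmd(c[2], k, stack)                 # branches typed at level k (k <= k1, k <= k2)
            jump = self.emit(("goto", None), k, stack)
            self.code[branch] = ("ifeq", len(self.code) + 1)
            self.cmd(c[3], k, stack)
            end = len(self.code) + 1                 # junction point after the conditional
            self.code[jump] = ("goto", end)
            self.regions[branch] = set(range(branch + 1, end))

def compile_program(c, var_levels):
    """Compile c; returns the Compiler holding code, se, stack types and regions."""
    cp = Compiler(var_levels)
    cp.cmd(c, "L", [])
    cp.emit(("return",), "L", [])
    return cp

def is_typable(c, var_levels):
    try:
        compile_program(c, var_levels)
        return True
    except TypeError:
        return False

# The slide's example: if (y==0) then x:=3 else x:=1 (test expression reduced to y, see above)
SLIDE_PROGRAM = ("if", ("var", "y"),
                 ("assign", "x", ("const", 3)),
                 ("assign", "x", ("const", 1)))
```

Compiling `SLIDE_PROGRAM` with y and x both secret reproduces the eight-instruction listing of the slide, with region(2) = {3, 4, 5, 6, 7} and se raised to H exactly on those points; the compiler rejects the program when x is public, which is the same verdict the low-level checker would reach on the compiled code, but obtained from the high-level derivation.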

Page 28:

In this talk:

• Security of mobile code (proof carrying code)

• Verification of confidentiality in low level languages

• Connection between different type systems for iflow

• A modular approach to verification of multithreaded code and its connection to low level multithreaded code

Page 29: A modular approach: from sequential to multithreaded code verification...

• Barthe, Naumann, and Rezk (S&P 06) noticed that the low-level type system generalized high-level type systems, and that the two could be connected by specific compilers for information flow

• Russo and Sabelfeld (CSF 06) observed that verification of multithreaded code for a while language with a "fork" feature for thread creation could be done by a non-interference property not based on bisimulations

Pages 30-31: Feature of our framework / Approach of multithreaded verification

The security guarantee is not more restrictive than the one for sequential programs.

Example of an internal timing leak:

if hi {sleep(100)}; lo:=1 || sleep(50); lo:=0

The scheduler treats the first thread as "hidden" from the second thread!!
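Added example, not from the paper: a Python simulation of the internal timing leak above under two schedulers. The two threads are the ones from the slide, with hide/unhide bracketing the branch on the secret. Under plain round-robin scheduling the final value of the public variable lo equals hi, because the 100-step sleep decides which thread assigns last. Under a hidden-thread scheduler, modelled here as a simplification of the paper's scheduler interface by giving a hidden thread priority until it leaves its high context, the second thread cannot observe how long the branch took and lo no longer depends on hi. The instruction encoding and the one-instruction-per-turn round robin are constructed for this example.

```python
from collections import deque

def make_program(hi_branch_sleep=100, other_sleep=50):
    """Constructed threads from the slide.
    Thread A:  if hi {sleep(100)}; lo := 1   (hide/unhide bracket the high context)
    Thread B:  sleep(50); lo := 0"""
    thread_a = [("hide",), ("sleep_if_hi", hi_branch_sleep), ("unhide",), ("set_lo", 1)]
    thread_b = [("tick",)] * other_sleep + [("set_lo", 0)]
    return [thread_a, thread_b]

def step(state, instr, hi):
    """Execute one instruction; returns instructions to run next in the same thread."""
    kind = instr[0]
    if kind == "set_lo":
        state["lo"] = instr[1]
    elif kind == "sleep_if_hi" and hi:
        return [("tick",)] * instr[1]      # the secret decides how long the branch takes
    return []

def run(threads, hi, hide_aware):
    """Round-robin, one instruction per turn. With hide_aware, a thread that executes
    hide keeps the processor until its matching unhide, so the time it spends in the
    high context is invisible to the other threads' interleaving."""
    state = {"lo": None}
    queue = deque(deque(t) for t in threads)
    while queue:
        t = queue.popleft()
        instr = t.popleft()
        t.extendleft(reversed(step(state, instr, hi)))
        if hide_aware and instr[0] == "hide":
            while t[0][0] != "unhide":
                t.extendleft(reversed(step(state, t.popleft(), hi)))
            t.popleft()                    # consume the unhide
        if t:
            queue.append(t)
    return state["lo"]

def final_lo(hi, hide_aware):
    return run(make_program(), hi, hide_aware)

def leaks(hide_aware):
    """True if the public variable's final value depends on the secret."""
    return final_lo(False, hide_aware) != final_lo(True, hide_aware)
```

Note what the hidden-thread scheduler buys: the first thread is still typable by the sequential rules (nothing in the high branch assigns to lo), so the sequential guarantee carries over unchanged; the scheduler, not a more restrictive type system, closes the timing channel.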

Page 32:

Modularity is the consequence of the approach

• The framework modularly extends sequential semantics (language independence from the sequential part)

• Modular extension of sequential type systems

• Security type preserving compilation is also a modular extension of the sequential counterpart

Page 33: A program consists of:

• A set of program points (including entry, exit)

• An instruction map from program points to Ins, where Ins = SeqIns ∪ {start pc}

Page 34: Concurrent Semantics

• A state s consists of a mapping from threads to local states, plus a global state

• A configuration includes an execution history h

Page 35: Hypothesis on the scheduler

Pages 36-37: Extended concurrent type system

Page 38: In the paper:

• We prove soundness by assuming soundness of the sequential type system

• We show how this result directly extends to type-preserving compilation schemes

• We instantiate the framework on a case study: a JAVA-like language compiled to a multithreaded JVM

Pages 39-41: Type-preserving compilation

Page 42:

Conclusion

• We have proposed a framework for controlling information flow in multithreaded code

• Thanks to modularity and language-independence, results for sequential languages can be reused.