Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
JFlow: Practical Mostly-Static Information Flow Control
Andrew C. Myers
Presented by Shiyi Wei

JFlow

JFlow = Java language (certain features omitted) + information flow annotations (decentralized label model)
JFlow source (.java) -> JFlow compiler -> static checking of flow annotations
Run-time support: jflow.lang.Label, jflow.lang.Principal
Labeled types, classes, etc.

Overview

Motivation
Background: decentralized label model
Language description: extended language, examples, limitations
JFlow compiler: static type and label checking

Motivation

Privacy: data protection
Statically check information flows within programs that might manipulate the data
• Fine-grained tracking of security classes
• Without the run-time overhead
Previous work: not practical, too limited/restrictive
JFlow: a usable programming model

Motivation

Information leakage
• Explicit flow:
    int secret;
    …
    int pub = secret;
• Implicit flow:
    boolean secret;
    …
    int pub = 0;
    if (secret) pub = 1;

Background

Decentralized label model
• Form: L = {o1: r1, r2; o2: r2, r3}  (each owner oi lists the readers ri it permits)
• Assignment x/L2 := v/L1 is allowed iff L2 is at least as restrictive as L1
• Joining of labels: least upper bound
• Declassification: strict information flow control is too restrictive
Reference: http://courses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Decentralized-Information-Flow.pdf

Background

Information leakage
• Explicit flow:
    int secret;           // secret: L1
    …
    int pub = secret;     // pub: L2
• Implicit flow:
    boolean secret;       // secret: L1
    …
    int pub = 0;          // pub: L2
    if (secret) pub = 1;  // 1: ?

Language Description

Labeled types
Implicit flows
Run-time labels
Authority and declassification
Run-time principals
Classes
Methods

Labeled Types

Labeled type = an ordinary Java type + a label, written t{l}
Examples:
• int{p:} x;   // principal p owns x and p can read it
• int{x} y;    // y is as restricted as x is
• int z;       // the label is inferred automatically or given by default
Type checking vs. label checking

Implicit Flows

Implicit flows: channels created by the control flow structure
Program-counter label (pc): attached to every statement and expression; it is the information learned from the fact that the statement or expression is evaluated

int{public} x;      // pc = {}
boolean{secret} b;  // pc = {}
…
x = 0;              // pc = {}
if (b) {            // pc = {}
    x = 1;          // pc = {b}
}

Rejected: the label of x ({public}) is not at least as restrictive as the label of the literal 1 evaluated under this pc ({secret})

Run-time Labels

New primitive type: label, for when the label cannot be determined statically
E.g. static float{*lb} compute(int x{*lb}, label lb)
• *lb: the label contained in the variable lb
• Variables of type label are final
switch label statement: the statement executed is the first whose associated label is at least as restrictive as the label of the expression

Run-time Labels

switch label example: transfer an integer from x to y

label{L} lb;
int{*lb} x;
int{p:} y;
switch label(x) {
    case (int{y} z) y = z;
    else throw new UnsafeTransfer();
}

Authority and Declassification

Authority: the capability to act for some principals; it controls the ability to declassify data
actsFor(p1, p2) S: execute S if p1 can act for p2; otherwise S is skipped
declassify(e, L): relabel the result of e with the label L; may only relax policies owned by principals in the current authority
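The following is an added example, written for this page and not JFlow's own implementation: a small Python model of the decentralized label model from the Background slide, the assignment check x/L2 := v/L1, the pc-based implicit-flow check from the Implicit Flows slide, run-time switch label dispatch, and the authority-restricted declassify(e, L). It assumes a label is a mapping from an owner principal to the set of readers that owner permits, omits the acts-for hierarchy (every principal acts only for itself), and the principals alice and bob, the function names, and the rule L_e <= L join L_A for declassification are the example's own constructions.

```python
# Added example, written for this page (not JFlow's own implementation): a
# model of the decentralized label model and of the checks JFlow performs on
# assignments, implicit flows, run-time labels and declassification.
# Assumptions: a label is a dict mapping an owner principal to the frozenset of
# principals it allows to read; the acts-for hierarchy is omitted, so every
# principal acts only for itself; principals "alice" and "bob" are made up.

def label(**policies):
    """label(alice={"bob"}) models {alice: bob}; label() is the public label {}."""
    return {owner: frozenset(readers) for owner, readers in policies.items()}

def flows_to(l1, l2):
    """L1 <= L2 (L2 is at least as restrictive as L1): every owner in L1 also
    appears in L2, and L2 grants that owner's data no reader L1 did not."""
    return all(owner in l2 and l2[owner] <= readers for owner, readers in l1.items())

def join(l1, l2):
    """Least upper bound: union of the owners, intersection of the reader sets
    for owners that appear in both labels."""
    out = dict(l1)
    for owner, readers in l2.items():
        out[owner] = out[owner] & readers if owner in out else readers
    return out

def assign_ok(var_label, value_label, pc):
    """x/L2 := v/L1 under program counter pc is allowed iff (L1 join pc) <= L2.
    The join with pc catches implicit flows: inside `if (b)` the pc carries
    b's label, so even the literal 1 is as restricted as b."""
    return flows_to(join(value_label, pc), var_label)

def switch_label(actual_label, cases):
    """Run-time dispatch of `switch label (x)`: return the name of the first
    case whose label is at least as restrictive as the value's actual label,
    or None for the `else` branch."""
    for name, case_label in cases:
        if flows_to(actual_label, case_label):
            return name
    return None

def declassify_ok(expr_label, new_label, authority):
    """declassify(e, L) run with `authority` may relax only policies owned by
    principals in the authority. Modelled as L_e <= L join L_A, where L_A has
    each authority principal as an owner with no readers, so those owners'
    policies impose no constraint and every other owner's policy must flow."""
    l_a = {p: frozenset() for p in authority}
    return flows_to(expr_label, join(new_label, l_a))

def slide_examples():
    """Replays the flows from the Motivation, Implicit Flows, Run-time Labels
    and Authority slides; each entry is the checker's verdict."""
    public = label()               # {}
    secret = label(alice=set())    # {alice: }  alice owns it, nobody else reads
    return {
        # int pub = secret;          explicit flow
        "explicit": assign_ok(public, secret, pc=public),
        # if (secret) pub = 1;       literal 1 evaluated under pc = {alice: }
        "implicit": assign_ok(public, public, pc=secret),
        # int{alice:} copy = secret; same label
        "same_label": assign_ok(secret, secret, pc=public),
        # switch label (x) { case (int{} z) ... case (int{alice:} z) ... }
        "switch": switch_label(secret, [("public_case", public), ("alice_case", secret)]),
        # alice's own code may declassify her data to public ...
        "declassify_own": declassify_ok(secret, public, authority={"alice"}),
        # ... but code acting only for bob may not
        "declassify_other": declassify_ok(secret, public, authority={"bob"}),
    }

if __name__ == "__main__":
    for name, verdict in slide_examples().items():
        print(f"{name}: {verdict}")
```

Running the script rejects the explicit and implicit flows from the Motivation slides, accepts the same-label copy, dispatches the run-time switch to the alice case, and allows the declassification only when the running code holds alice's authority.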

Run-time Principals

New primitive type: principal
A policy may use a final variable of type principal to name an owner or reader
• “Run-time principals are needed in order to model systems that are heterogeneous with respect to the principals in the system, without resorting to declassification”

class Account {
    final principal customer;
    String{customer:} name;
    float{customer:} balance;
}

Classes

Parameterized classes: important for building reusable data structures
E.g. the Java Vector class is parameterized on label L

Classes

Covariant label parameter: given the ordering between {secret} and {public}, does Vector[{secret}] ≤ Vector[{public}] follow?
When is that relation sound? Only if no method argument or mutable instance variable is labeled using the parameter
Class implicit label parameter: {this}
• A covariant parameter

Classes

authority clause: names principals external to the program, or principal parameters
E.g. class passwordFile authority(root) { … }

Methods

JFlow method declaration: the return value, the arguments, and the exceptions may each be individually labeled
Arguments are always implicitly final

Methods

JFlow method declaration
• begin-label: restriction on the pc at the point of invocation of the method
• end-label: the final pc; information can be learned by observing whether the method terminates normally

Methods

Examples:

static int{x;y} add(int x, int y) { return x + y; }

boolean compare_str(String name, String pwd):{name; pwd} throws(NullPointerException) { … }

boolean store{L}(int{} x) throws(NotFound) { … }
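An added example, written for this page and not JFlow's own checker, of how the begin-label, argument labels, return label and end-label of the three signatures above constrain a call site. Parameters declared without a label (int x) take the label of the actual argument, and a return or end label written as {x; y} is the join of those parameters' labels. It assumes labels are owner-to-readers mappings with no acts-for hierarchy, that a value's label includes the pc under which it was computed, and that the class label parameter L of store is instantiated with a concrete label; the principals alice and bob and the Method/check_call names are the example's own.

```python
# Added example, written for this page (not JFlow's own checker): a model of
# the method-call checks sketched on the Methods slides. A signature carries a
# begin-label (bound on the caller's pc), one label per argument, a return
# label and an end-label. A parameter declared without a label (int x) takes
# the label of the actual argument, and a return label or end-label written
# as {x; y} is the join of those parameters' labels, as in
#     static int{x;y} add(int x, int y)
# Assumptions: labels are owner -> frozenset(readers) dicts with no acts-for
# hierarchy; a value's label includes the pc under which it was computed, so
# the result label also absorbs the pc after the call; principals are made up.

def label(**policies):
    return {owner: frozenset(readers) for owner, readers in policies.items()}

def flows_to(l1, l2):
    """L1 <= L2: L2 keeps every owner of L1 and grants no extra readers."""
    return all(owner in l2 and l2[owner] <= readers for owner, readers in l1.items())

def join(*labels):
    """Least upper bound of any number of labels (join() is the public label)."""
    out = {}
    for lab in labels:
        for owner, readers in lab.items():
            out[owner] = out[owner] & readers if owner in out else readers
    return out

class Method:
    def __init__(self, name, params, returns, begin=None, end=()):
        self.name = name
        self.params = params    # list of (parameter name, declared label or None)
        self.returns = returns  # parameter names and/or labels to join
        self.begin = begin      # label bounding the caller's pc, or None
        self.end = end          # parameter names and/or labels to join

class CallError(Exception):
    pass

def resolve(parts, bound):
    """Turn a {x; y}-style label into a concrete label given the bound params."""
    return join(*(bound[p] if isinstance(p, str) else p for p in parts))

def check_call(method, arg_labels, pc):
    """Check a call under program counter `pc`; return (result label, pc after)."""
    if method.begin is not None and not flows_to(pc, method.begin):
        raise CallError(f"{method.name}: pc {pc} does not flow to begin-label {method.begin}")
    if len(arg_labels) != len(method.params):
        raise CallError(f"{method.name}: expected {len(method.params)} arguments")
    bound = {}
    for (name, declared), actual in zip(method.params, arg_labels):
        actual = join(actual, pc)           # the argument value carries the pc
        if declared is None:
            bound[name] = actual            # implicit label parameter
        elif flows_to(actual, declared):
            bound[name] = declared
        else:
            raise CallError(f"{method.name}: argument {name} labeled {actual} does not flow to {declared}")
    # end-label: observing normal termination reveals this much
    pc_after = join(pc, resolve(method.end, bound))
    return join(resolve(method.returns, bound), pc_after), pc_after

def examples():
    public, alice, bob = label(), label(alice=set()), label(bob=set())
    # static int{x;y} add(int x, int y)
    add = Method("add", [("x", None), ("y", None)], returns=["x", "y"])
    # boolean compare_str(String name, String pwd):{name; pwd}
    compare_str = Method("compare_str", [("name", None), ("pwd", None)],
                         returns=["name", "pwd"], end=["name", "pwd"])
    # boolean store{L}(int{} x), instantiated with L = {alice: }
    store = Method("store", [("x", public)], returns=[], begin=alice)
    out = {"add": check_call(add, [alice, bob], pc=public),
           "compare_str": check_call(compare_str, [alice, bob], pc=public),
           "store_public_arg": check_call(store, [public], pc=public)}
    for key, args, pc in (("store_secret_arg", [alice], public),  # int{} x cannot take alice's data
                          ("store_high_pc", [public], bob)):      # pc {bob: } exceeds begin-label {alice: }
        try:
            check_call(store, args, pc)
            out[key] = "accepted"
        except CallError:
            out[key] = "rejected"
    return out

if __name__ == "__main__":
    for key, value in examples().items():
        print(f"{key}: {value}")
```

The add call yields a result labeled with both alice's and bob's policies and leaves the pc unchanged; compare_str raises the pc after the call to {name; pwd} because its end-label says normal termination depends on both arguments; store accepts a public argument under a public pc but rejects alice's data (the parameter is labeled {}) and rejects a call whose pc does not flow to its begin-label.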

Methods

JFlow method declaration

Example: passwordFile

pc = {user; password; root}
return label: {user; password}
declassification: remove root

Example: Protected

The caller must have a sufficient label to get the data

Limitations

Threads: single-threaded programs only
Timing channels: gain information by timing code with the system clock
hashCode: a JFlow class must implement its own hashCode
Finalizers: run in a separate thread from the main program

Limitations

Resource exhaustion: OutOfMemoryError
Wall-clock timing channels
Unchecked exceptions
Backward compatibility: not backward compatible with Java

Static Checking

Label-checking rules
Throwing and catching exceptions
Run-time label checking
Checking method calls

Label-checking Rules

Notation: X: path labels; n: normal termination; nv: normal value; A: environment; T: a type; L: a label
• A literal expression always terminates normally, and its value is labeled with the current pc
• An empty statement always terminates normally, with the same pc as at its start
• The value of a variable is labeled with both the label of the variable and the current pc
• Assignment to a variable
• Two statements S1 and S2 performed in sequence

Translation

Most annotations are erased: type labels -> Java type; class parameters
Built-in types are translated: label -> jflow.lang.Label; principal -> jflow.lang.Principal
Two constructs translate to interesting code: actsFor, switch label