Secure multi-execution through static program transformation: extended version

نویسندگان

  • Gilles Barthe
  • Juan Manuel Crespo
  • Dominique Devriese
  • Frank Piessens
  • Exequiel Rivas
چکیده

Secure multi-execution (SME) is a dynamic technique to ensure secure information ow. In a nutshell, SME enforces security by running one execution of the program per security level, and by reinterpreting input/output operations w.r.t. their associated security level. SME is sound, in the sense that the execution of a program under SME is non-interfering, and precise, in the sense that for programs that are non-interfering in the usual sense, the semantics of a program under SME coincides with its standard semantics. A further virtue of SME is that its core idea is languageindependent; it can be applied to a broad range of languages. A downside of SME is the fact that existing implementation techniques require modi cations to the runtime environment, e.g. the browser for Web applications. In this article, we develop an alternative approach where the e ect of SME is achieved through program transformation, without modi cations to the runtime, thus supporting server-side deployment on the web. We show on an exemplary language with input/output and dynamic code evaluation (modeled after JavaScript's eval) that our transformation is sound and precise. The crux of the proof is a simulation between the execution of the transformed program and the SME execution of the original program. This proof has been machine-checked using the Agda proof assistant. We also report on prototype implementations for a small fragment of Python and a substantial subset of JavaScript. This report is an extended version of a paper published at FMOODS/FORTE 2012. It extends the conference version with technical details about the formalization and the proofs. Secure multi-execution through static program transformation: extended version Gilles Barthe, Juan Manuel Crespo, Dominique Devriese, Frank Piessens, and Exequiel Rivas 1 IMDEA Software Institute, Madrid, Spain 2 IBBT-DistriNet Research Group, KU Leuven, Belgium Abstract. Secure multi-execution (SME) is a dynamic technique to ensure secure information flow. In a nutshell, SME enforces security by running one execution of the program per security level, and by reinterpreting input/output operations w.r.t. their associated security level. SME is sound, in the sense that the execution of a program under SME is non-interfering, and precise, in the sense that for programs that are non-interfering in the usual sense, the semantics of a program under SME coincides with its standard semantics. A further virtue of SME is that its core idea is language-independent; it can be applied to a broad range of languages. A downside of SME is the fact that existing implementation techniques require modifications to the runtime environment, e.g. the browser for Web applications. In this article, we develop an alternative approach where the effect of SME is achieved through program transformation, without modifications to the runtime, thus supporting server-side deployment on the web. We show on an exemplary language with input/output and dynamic code evaluation (modeled after JavaScript’s eval) that our transformation is sound and precise. The crux of the proof is a simulation between the execution of the transformed program and the SME execution of the original program. This proof has been machine-checked using the Agda proof assistant. We also report on prototype implementations for a small fragment of Python and a substantial subset of JavaScript.This report is an extended version of a paper published at FMOODS/FORTE 2012. It extends the conference version with technical details about the formalization and the proofs. Secure multi-execution (SME) is a dynamic technique to ensure secure information flow. In a nutshell, SME enforces security by running one execution of the program per security level, and by reinterpreting input/output operations w.r.t. their associated security level. SME is sound, in the sense that the execution of a program under SME is non-interfering, and precise, in the sense that for programs that are non-interfering in the usual sense, the semantics of a program under SME coincides with its standard semantics. A further virtue of SME is that its core idea is language-independent; it can be applied to a broad range of languages. A downside of SME is the fact that existing implementation techniques require modifications to the runtime environment, e.g. the browser for Web applications. In this article, we develop an alternative approach where the effect of SME is achieved through program transformation, without modifications to the runtime, thus supporting server-side deployment on the web. We show on an exemplary language with input/output and dynamic code evaluation (modeled after JavaScript’s eval) that our transformation is sound and precise. The crux of the proof is a simulation between the execution of the transformed program and the SME execution of the original program. This proof has been machine-checked using the Agda proof assistant. We also report on prototype implementations for a small fragment of Python and a substantial subset of JavaScript.This report is an extended version of a paper published at FMOODS/FORTE 2012. It extends the conference version with technical details about the formalization and the proofs.

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

Secure Multi-Execution through Static Program Transformation

Secure multi-execution (SME) is a dynamic technique to ensure secure information flow. In a nutshell, SME enforces security by running one execution of the program per security level, and by reinterpreting input/output operations w.r.t. their associated security level. SME is sound, in the sense that the execution of a program under SME is non-interfering, and precise, in the sense that for pro...

متن کامل

Metagene: a C++ meta-program generation tool

The C++ language offers a two layer evaluation model. Thus, it is possible to evaluate a program in two steps: the so-called static and dynamic evaluations. Static evaluation is used for reducing the amount of work done at execution-time. Programs executed statically (called metaprograms) are written in C++ through an intensive use of template classes. Due to the complexity of these structures,...

متن کامل

Enforcing secure information flow in client-side Web applications. (Vers l'établissement du flux d'information sûr dans les applications Web côté client)

During the last decade, Web applications have evolved from static pages presented by Web servers which centralised all computations to multi-tier applications in which computations are shared between the client and the server. In addition to this, current client-side Web applications often combine code dynamically loaded from different origins to create new functionalities. As it happens, this ...

متن کامل

Bus-Aware Multicore WCET Analysis through TDMA Offset Bounds (Extended Version)

In the domain of real-time systems, the analysis of the timing behavior of programs is crucial for guaranteeing the schedulability and thus the safeness of a system. Static analyses of the WCET (Worst-Case Execution Time) have proven to be a key element for timing analysis, as they provide safe upper bounds on a program’s execution time. For single-core systems, industrial-strength WCET analyze...

متن کامل

Language-based Security: Access Control and Static Analysis

We study security of mobile code at a linguistic level. In particular, we tackle the problem of designing expressive and efficient models for access control, as well as improving the performance of existing mechanisms. Static analysis is the main technical tool we use in order to enforce and optimise the security of programs. We begin our study with stack inspection, the access control model ad...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:

دوره   شماره 

صفحات  -

تاریخ انتشار 2012