Security preserving program translations.
Supervisor(s): Pardo, Alberto
Abstract:
The analysis of information flow has become a popular technique for ensuring the confidentiality of data. In this context, confidentiality policies arise to guarantee that private data cannot be inferred by inspecting public data. Non-interference is an example of such a security policy: it is a semantic condition that ensures the absence of illicit information flow during program execution by requiring that two computations which differ only in their confidential inputs produce indistinguishable results. A remarkable feature of non-interference is that it can be enforced statically by defining an information flow type system: if a program type-checks in such a system, then it meets the security policy. In this thesis we focus on an important use of the non-interference property: its preservation through program translation. We are interested in analysing techniques that make possible the development of security-preserving program translations, that is, code conversions that produce non-interfering output programs from non-interfering input programs. This topic has significant practical relevance, as can be seen, for example, in the context of program compilation: if for certain applications it is essential that the source code meets the security property, it is even more important that the corresponding compiled, low-level code, which is the code that will actually be executed, is also secure. We pursue a formal methods approach to this topic, analysing type-based, security-preserving program translations in the context of dependently-typed programming. We use Agda, a functional language with dependent types, as the formalization language. In Agda we represent the (abstract syntax of the) object languages, their security type systems, and the translations between them.
The importance of using Agda lies in its powerful type system, which makes it possible to encode object invariants. In our case this is reflected in the ability to define the security type systems of the involved languages in terms of Agda’s inductive families, thus reducing the verification of security preservation by translation to type-checking. We analyse the formalization of two cases. First, we develop a compiler from a simple imperative language to a semi-structured machine code. For each language, we define a sound information flow type system and we prove that the compiler preserves non-interference. The type systems of both languages are flow-insensitive, in the sense that the security level of program variables is not allowed to change during program execution. Second, we formalize Hunt & Sands’ security-preserving translation, which transforms programs in a high-level language typable in a flow-sensitive type system into equivalent high-level programs typable in a flow-insensitive type system. Since the source language of the compiler coincides with the target language of Hunt & Sands’ translation, by composing the two components we obtain a security-preserving compiler for a language with a flow-sensitive type system.
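The abstract describes two ingredients that the thesis formalizes in Agda: non-interference as a semantic, two-run condition, and a flow-insensitive information flow type system that enforces it statically. The following is an added illustration, not code from the thesis and not written in Agda: it models a small WHILE-style imperative language (an assumption of this example), a two-point lattice LOW ⊑ HIGH, and Volpano/Smith-style typing rules in which an assignment x := e is permitted only when pc ⊔ level(e) ⊑ level(x), with pc raised inside branches and loops. A randomised two-run check then compares the LOW part of the final stores for pairs of initial stores that agree on LOW variables; it is testing, not the proof the type system provides, but it shows concretely what the type system rules out (the explicit leak l := h and the implicit leak through a branch on h). The sample programs and the variable environment are constructed for this example.

```python
import random
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union

LOW, HIGH = 0, 1  # two-point security lattice, LOW below HIGH (assumed)


def join(a: int, b: int) -> int:
    return max(a, b)


# --- abstract syntax of a small WHILE-style language (assumed for this example) ---
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Lit:
    value: int

@dataclass(frozen=True)
class BinOp:
    op: str            # one of "+", "-", "*", "<"
    left: "Expr"
    right: "Expr"

Expr = Union[Var, Lit, BinOp]

@dataclass(frozen=True)
class Skip:
    pass

@dataclass(frozen=True)
class Assign:
    var: str
    expr: Expr

@dataclass(frozen=True)
class Seq:
    first: "Cmd"
    second: "Cmd"

@dataclass(frozen=True)
class If:
    cond: Expr
    then: "Cmd"
    els: "Cmd"

@dataclass(frozen=True)
class While:
    cond: Expr
    body: "Cmd"

Cmd = Union[Skip, Assign, Seq, If, While]
Env = Dict[str, int]    # flow-insensitive: one fixed security level per variable
Store = Dict[str, int]


def level(e: Expr, env: Env) -> int:
    """Security level of an expression: the join of the levels of the variables it reads."""
    if isinstance(e, Lit):
        return LOW
    if isinstance(e, Var):
        return env[e.name]
    return join(level(e.left, env), level(e.right, env))


def typecheck(c: Cmd, env: Env, pc: int = LOW) -> bool:
    """Flow-insensitive rules: x := e needs pc ⊔ level(e) ⊑ env[x]; a branch or
    loop on e raises pc to pc ⊔ level(e), which blocks implicit flows."""
    if isinstance(c, Skip):
        return True
    if isinstance(c, Assign):
        return join(pc, level(c.expr, env)) <= env[c.var]
    if isinstance(c, Seq):
        return typecheck(c.first, env, pc) and typecheck(c.second, env, pc)
    if isinstance(c, (If, While)):
        pc2 = join(pc, level(c.cond, env))
        if isinstance(c, If):
            return typecheck(c.then, env, pc2) and typecheck(c.els, env, pc2)
        return typecheck(c.body, env, pc2)
    raise TypeError(f"unknown command {c!r}")


def eval_expr(e: Expr, s: Store) -> int:
    if isinstance(e, Lit):
        return e.value
    if isinstance(e, Var):
        return s[e.name]
    l, r = eval_expr(e.left, s), eval_expr(e.right, s)
    return {"+": l + r, "-": l - r, "*": l * r, "<": int(l < r)}[e.op]


def run(c: Cmd, s: Store, fuel: int = 1000) -> Optional[Store]:
    """Small interpreter with a step budget; None means the budget ran out, so the
    two-run check below is termination-insensitive (it only compares terminating runs)."""
    s, stack = dict(s), [c]
    while stack:
        if fuel == 0:
            return None
        fuel -= 1
        c = stack.pop()
        if isinstance(c, Assign):
            s[c.var] = eval_expr(c.expr, s)
        elif isinstance(c, Seq):
            stack.append(c.second)
            stack.append(c.first)
        elif isinstance(c, If):
            stack.append(c.then if eval_expr(c.cond, s) else c.els)
        elif isinstance(c, While) and eval_expr(c.cond, s):
            stack.append(c)          # re-test the guard after the body
            stack.append(c.body)
    return s


def low_view(s: Store, env: Env) -> Store:
    return {x: v for x, v in s.items() if env[x] == LOW}


def interference_witness(c: Cmd, env: Env, trials: int = 200,
                         seed: int = 0) -> Optional[Tuple[Store, Store]]:
    """Randomised non-interference test: search for two initial stores that agree on
    LOW variables but produce different LOW results. None = no witness found."""
    rng = random.Random(seed)
    for _ in range(trials):
        s1 = {x: rng.randint(-5, 5) for x in env}
        s2 = {x: (s1[x] if env[x] == LOW else rng.randint(-5, 5)) for x in env}
        r1, r2 = run(c, s1), run(c, s2)
        if r1 is not None and r2 is not None and low_view(r1, env) != low_view(r2, env):
            return s1, s2
    return None


# Constructed sample programs over one LOW variable l and one HIGH variable h.
ENV: Env = {"l": LOW, "h": HIGH}
SAFE = Seq(Assign("l", BinOp("+", Var("l"), Lit(1))),
           If(BinOp("<", Lit(0), Var("h")),
              Assign("h", BinOp("*", Var("h"), Lit(2))), Assign("h", Lit(0))))
EXPLICIT_LEAK = Assign("l", Var("h"))                     # l := h
IMPLICIT_LEAK = If(BinOp("<", Lit(0), Var("h")),          # if 0 < h then l := 1 else l := 0
                   Assign("l", Lit(1)), Assign("l", Lit(0)))
```

`typecheck(SAFE, ENV)` holds and the random search finds no witness for it, while both leaking programs are rejected by the type system and the search produces a pair of stores that exposes the leak. This is the flow-insensitive discipline the abstract refers to: a variable's level is fixed by `ENV` for the whole program, which is what makes the compiler's preservation proof a matter of type-checking.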
Year: 2018
Language: English
Institution: Universidad de la República
Repository: COLIBRI
URI: https://hdl.handle.net/20.500.12008/37362
Access: Open access
License: Creative Commons Attribution-NonCommercial-NoDerivatives (CC BY-NC-ND 4.0)