Sound and Precise Cross-Layer Data Flow Tracking

Abstract

We connect runtime monitors for data flow tracking at different abstraction layers (a browser, a mail client, an operating system) and prove the soundness of this generic model w.r.t. a formal notion of explicit information flow. This allows us to (1) increase the precision of the analysis by exploiting the high-level semantics of events at higher levels of abstraction and (2) provide system-wide guarantees at the same time. For instance, using our model, we can soundly reason about the flow of a picture from the network through a browser into a cache file or a window on the screen by combining analyses at multiple layers.

Appendices

Appendix

A Serialized Events

Let \(t^S(e):\mathcal {E}\rightarrow \mathbb {N}\) and \(t^E(e):\mathcal {E}\rightarrow \mathbb {N}\) be two functions that return, respectively, the time at which a certain event e starts and ends. In the context of multiple layers, we assume that for any event \(e_\dagger \in \mathcal {E}_\dagger \) it holds that \(e_\dagger \) terminates only after starting (\(t^S(e_\dagger )<t^E(e_\dagger )\)) and that for every event e observed, the single layer monitors report an event \(e^{S}\) at time \(t^S(e)\) to notify the beginning of e and an event \(e^{E}\) at time \(t^E(e)\) to notify its end. In concrete implementations it is usually possible to observe or approximate these two aspects of any event.

For \(\dagger \in \mathcal {L}\), let \({\mathcal {E}^{-}_{\dagger }}\subseteq \mathcal {E}_\dagger \times \{S,E\}\) be the set of such indexed events that denote when events in \(\mathcal {E}_\dagger \) start and end. Let \( ser :seq(\mathcal {E}_\dagger ) \rightarrow seq({\mathcal {E}^{-}_{\dagger }})\) the operator that converts a trace of events \(t_\dagger \in seq(\mathcal {E}_\dagger )\) into its indexed equivalent \(t^{-}_\dagger \in seq({\mathcal {E}^{-}_{\dagger }})\) by replacing every event \(e_\dagger \in t_\dagger \) with the sequence \(\langle e^S_\dagger , e^E_\dagger \rangle \).

Lemma 1

For each monitor \(\mathcal {R}_\dagger \) (\(\dagger \in \mathcal {L}\)), there always exists a monitor \(\mathcal {R}^{-}_\dagger :\varSigma _\dagger \times {\mathcal {E}^{-}_{\dagger }} \rightarrow \varSigma _\dagger \) such that \(\forall \sigma _\dagger \in \varSigma _\dagger , \forall t_\dagger \in seq(\mathcal {E}_\dagger ): \mathcal {R}_\dagger (\sigma ,t_\dagger )=\mathcal {R}^{-}_\dagger (\sigma , ser (t_\dagger ))\).

Proof

Given \(\mathcal {R}_\dagger \), the monitor \(\mathcal {R}^{-}_{\dagger }\), defined as \(\mathcal {R}^{-}_{\dagger }(\sigma ,(e_\dagger ,i))=\sigma \) if \(i=S\) and \(\mathcal {R}^{-}_{\dagger }(\sigma ,(e_\dagger ,i))=\mathcal {R}_\dagger (\sigma ,e_\dagger )\) if \(i=E\), respects the property. \(\quad \square \)

It is hence safe to assume, without loss of generality, that every monitor for a layer \(\dagger \) is defined over events in \({\mathcal {E}^{-}_{\dagger }}\). We denote such a monitor \(\mathcal {R}^{-}_{\dagger }\).

Definition 9

(Serializable Trace). A trace \(t=(t_A,t_B)\) is serializable if for every pair of events \(e_A\in t_A, e_B\in t_B\), \(t^S(e_A)\not =t^S(e_B)\) and \(t^E(e_A)\not =t^E(e_B)\).

Let \(\mathcal {E}_{A \otimes B}=\mathcal {E}_A\cup \mathcal {E}_B\) and \({\mathcal {E}^{-}_{{A \otimes B}}}=\mathcal {E}_{A \otimes B}\times \{S,E\}\). If a trace \(t=(t_A,t_B)\in seq(\mathcal {E}_A)\times seq(\mathcal {E}_B)\) is serializable, then it is possible to construct a trace \(t^{-} \in seq({\mathcal {E}^{-}_{{A \otimes B}}})\) that is equivalent to t, in the sense that it is possible to reconstruct each one given the other. \(t^{-}\) is given by the events in \( ser (t_A) \bowtie _t ser (t_B)\) sorted by timestamp. The monitor for the composed system \({\dot{\mathcal {R}}_{{A \otimes B}}}\) described in step 7 of this work assumes the trace of input events \(t=(t_A,t_B)\) to be serializable and provided as a sequence of events in \({\mathcal {E}^{-}_{{A \otimes B}}}\) (\({\dot{\mathcal {R}}_{{A \otimes B}}}:\varSigma _{{A \otimes B}}\times {\mathcal {E}^{-}_{{A \otimes B}}}\rightarrow \varSigma _{{A \otimes B}}\)).

Note that we can relax the assumption on the serializable traces because any trace of events \(t_{A \otimes B}=(t_A,t_B)\) in \({{A \otimes B}}\) can be seen as longest possible concatenation of subtraces \(t_i=(t_{iA},t_{iB})\), such that any event starting in \(t_i\) also terminates within \(t_i\) and viceversa and such that \((t_{1A}::t_{2A}::..::t_{nA})=t_A\) and \((t_{1B}::t_{2B}::..::t_{nB})=t_B\). Then, for each \(t_i\),

$$\begin{aligned} \mathcal {R}_{{A \otimes B}}(\sigma ,t_i)=\left\{ \begin{array}{ll} {\dot{\mathcal {R}}_{(}}\sigma ,t_i) &{} \text {if}\ t_i \ \text {is serializable}\\ {\hat{\mathcal {R}}_{(}}\sigma ,t_i) &{} \text {otherwise} \end{array} \right. \end{aligned}$$

\(\mathcal {R}_{{A \otimes B}}\) is a sound monitor that is no less precise than \({\hat{\mathcal {R}}_{(}}\sigma ,t)\) and does not require t to be serializable.