Skip to main content

Asymmetric Secure Multi-execution with Declassification

  • Conference paper
Principles of Security and Trust (POST 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9635))

Included in the following conference series:

  • 726 Accesses

Abstract

Secure multi-execution (SME) is a promising black-box technique for enforcing information flow properties. Unlike traditional static or dynamic language-based techniques, SME satisfies noninterference (soundness) by construction and is also precise. SME executes a given program twice. In one execution, called the high run, the program receives all inputs, but the program’s public outputs are suppressed. In the other execution, called the low run, the program receives only public inputs and declassified or, in some cases, default inputs as a replacement for the secret inputs, but its private outputs are suppressed. This approach works well in theory, but in practice the program might not be prepared to handle the declassified or default inputs as they may differ a lot from the regular secret inputs. As a consequence, the program may produce incorrect outputs or it may crash. To avoid this problem, existing work makes strong assumptions on the ability of the given program to robustly adapt to the declassified inputs, limiting the class of programs to which SME applies.

To lift this limitation, we present a modification of SME, called asymmetric SME or A-SME. A-SME gives up on the pretense that real programs are inherently robust to modified inputs. Instead, A-SME requires a variant of the original program that has been adapted (by the programmer or automatically) to react properly to declassified or default inputs. This variant, called the low slice, is used in A-SME as a replacement for the original program in the low run. The original program and its low slice must be related by a semantic correctness criteria, but beyond adhering to this criteria, A-SME offers complete flexibility in the construction of the low slice. A-SME is provably sound even when the low slice is incorrect and when the low slice is correct, A-SME is also precise. Finally, we show that if the program is policy compliant, then its low slice always exists, at least in theory. On the side, we also improve the state-of-the-art in declassification policies by supporting policies that offer controlled choices to untrustworthy programs.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Askarov, A., Hunt, S., Sabelfeld, A., Sands, D.: Termination-insensitive noninterference leaks more than just a bit. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 333–348. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  2. Askarov, A., Sabelfeld, A.: Gradual release: unifying declassification, encryption and key release policies. In: 2007 IEEE Symposium on Security and Privacy (S&P 2007), 20–23 May 2007, Oakland, pp. 207–221 (2007)

    Google Scholar 

  3. Askarov, A., Sabelfeld, A.: Localized delimited release: combining the what and where dimensions of information release. In: Proceedings of the 2007 Workshop on Programming Languages and Analysis for Security (PLAS 2007), pp. 53–60 (2007)

    Google Scholar 

  4. Austin, T.H., Flanagan, C.: Multiple facets for dynamic information flow. In: Proceedings of the 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 2012), pp. 165–178 (2012)

    Google Scholar 

  5. Austin, T.H., Yang, J., Flanagan, C., Solar-Lezama, A.: Faceted execution of policy-agnostic programs. In: Proceedings of the Eighth ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS 2013), pp. 15–26 (2013)

    Google Scholar 

  6. Bielova, N., Devriese, D., Massacci, F., Piessens, F.: Reactive non-interference for a browser model. In: 5th International Conference on Network and System Security (NSS 2011), pp. 97–104 (2011)

    Google Scholar 

  7. Broberg, N., Sands, D.: Paralocks: role-based information flow control and beyond. In: Proceedings of the 37th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 2010), pp. 431–444 (2010)

    Google Scholar 

  8. Capizzi, R., Longo, A., Venkatakrishnan, V.N., Sistla, A.P.: Preventing information leaks through shadow executions (ACSAC 2008). In: Proceedings of the 2008 Annual Computer Security Applications Conference, pp. 322–331 (2008)

    Google Scholar 

  9. Chong, S., Myers, A.C.: Security policies for downgrading. In: Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS 2004), pp. 198–209 (2004)

    Google Scholar 

  10. Chong, S., Myers, A.C.: Language-based information erasure. In: 18th IEEE Computer Security Foundations Workshop (CSFW-18 2005), pp. 241–254 (2005)

    Google Scholar 

  11. Chong, S., Myers, A.C.: End-to-end enforcement of erasure and declassification. In: Proceedings of the 21st IEEE Computer Security Foundations Symposium (CSF 2008), pp. 98–111 (2008)

    Google Scholar 

  12. Clarkson, M.R., Schneider, F.B.: Hyperproperties. In: Proceedings of the 21st IEEE Computer Security Foundations Symposium (CSF 2008), Pittsburgh, Pennsylvania, 23–25 June 2008, pp. 51–65 (2008)

    Google Scholar 

  13. Devriese, D., Piessens, F.: Noninterference through secure multi-execution. In: 31st IEEE Symposium on Security and Privacy (S&P 2010), pp. 109–124 (2010)

    Google Scholar 

  14. Kashyap, V., Wiedermann, B., Hardekopf, B.: Timing- and termination-sensitive secure information flow: exploring a new approach. In: 32nd IEEE Symposium on Security and Privacy (S&P 2011), 22–25 May 2011, Berkeley, pp. 413–428 (2011)

    Google Scholar 

  15. Khatiwala, T., Swaminathan, R., Venkatakrishnan, V.N.: Data sandboxing: a technique for enforcing confidentiality policies. In: 22nd Annual Computer Security Applications Conference (ACSAC 2006), pp. 223–234 (2006)

    Google Scholar 

  16. Li, P., Zdancewic, S.: Downgrading policies and relaxed noninterference. In: Proceedings of the 32nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POpPL 2005), pp. 158–170 (2005)

    Google Scholar 

  17. Magazinius, J., Askarov, A., Sabelfeld, A.: Decentralized delimited release. In: Yang, H. (ed.) APLAS 2011. LNCS, vol. 7078, pp. 220–237. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  18. Moore, S., Askarov, A., Chong, S.: Precise enforcement of progress-sensitive security. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS), pp. 881–893 (2012)

    Google Scholar 

  19. Ngo, M., Massacci, F., Milushev, D., Piessens, F.: Runtime enforcement of security policies on black box reactive programs. In: Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POpPL 2015), pp. 43–54 (2015)

    Google Scholar 

  20. Rafnsson, W., Hedin, D., Sabelfeld, A.: Securing interactive programs. In: 25th IEEE Computer Security Foundations Symposium (CSF 2012), pp. 293–307 (2012)

    Google Scholar 

  21. Rafnsson, W., Sabelfeld, A.: Secure multi-execution: fine-grained, declassification-aware, and transparent. In: 2013 IEEE 26th Computer Security Foundations Symposium, pp. 33–48 (2013)

    Google Scholar 

  22. Rafnsson, W., Sabelfeld, A.: Secure multi-execution: fine-grained, declassification-aware, and transparent. J. Comput. Secur. (2015). to appear

    Google Scholar 

  23. Sabelfeld, A., Myers, A.C.: A model for delimited information release. In: Futatsugi, K., Mizoguchi, F., Yonezaki, N. (eds.) ISSS 2003. LNCS, vol. 3233, pp. 174–191. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  24. Sabelfeld, A., Sands, D.: Dimensions and principles of declassification. In: 18th IEEE Computer Security Foundations Workshop (CSFW-18 2005), pp. 255–269 (2005)

    Google Scholar 

  25. Swamy, N., Hicks, M.: Verified enforcement of stateful information release policies. In: Proceedings of the 2008 Workshop on Programming Languages and Analysis for Security (PLAS 2008), pp. 21–32 (2008)

    Google Scholar 

  26. Vanhoef, M., Groef, W.D., Devriese, D., Piessens, F., Rezk, T.: Stateful declassification policies for event-driven programs. In: IEEE 27th Computer Security Foundations Symposium (CSF 2014), pp. 293–307 (2014)

    Google Scholar 

  27. Yang, J., Yessenov, K., Solar-Lezama, A.: A language for automatically enforcing privacy policies. In: Proceedings of the 39th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POpPL 2012), pp. 85–96 (2012)

    Google Scholar 

  28. Zanarini, D., Jaskelioff, M., Russo, A.: Precise enforcement of confidentiality for reactive systems. In: 2013 IEEE 26th Computer Security Foundations Symposium, pp. 18–32 (2013)

    Google Scholar 

Download references

Acknowledgments

This work was partially supported by the DFG grant “Information Flow Control for Browser Clients” under the priority program “Reliably Secure Software Systems” (RS\(^3\)).

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Deepak Garg .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Boloşteanu, I., Garg, D. (2016). Asymmetric Secure Multi-execution with Declassification. In: Piessens, F., Viganò, L. (eds) Principles of Security and Trust. POST 2016. Lecture Notes in Computer Science(), vol 9635. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49635-0_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-662-49635-0_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-49634-3

  • Online ISBN: 978-3-662-49635-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics