A type system for data-flow integrity on Windows Vista

Published: 28 February 2009

Abstract

The Windows Vista operating system implements an interesting model of multi-level integrity. We observe that in this model, trusted code must participate in any information-flow attack. Thus, it is possible to eliminate such attacks by statically restricting trusted code. We formalize this model by designing a type system that can efficiently enforce data-flow integrity on Windows Vista. Typechecking guarantees that objects whose contents are statically trusted never contain untrusted values, regardless of what untrusted code runs in the environment. Some of Windows Vista's runtime access checks are necessary for soundness; others are redundant and can be optimized away.


Cited By

  • (2013) Enforcing system-wide control flow integrity for exploit detection and diagnosis. Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, pages 311-322. DOI: 10.1145/2484313.2484352. Online publication date: 8 May 2013.
  • (2010) Curry-style explicit substitutions for the linear and affine lambda calculus. Proceedings of the 5th International Conference on Automated Reasoning, pages 1-14. DOI: 10.1007/978-3-642-14203-1_1. Online publication date: 16 July 2010.


Published In

ACM SIGPLAN Notices, Volume 43, Issue 12
December 2008
37 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/1513443

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. data-flow integrity
  2. dynamic access control
  3. explicit substitution
  4. hybrid type system

Qualifiers

  • Research-article
