Information Flow Security

Access Control vs. Information Flow Security

"A practical system needs both access and flow control to satisfy all security requirements."
-- D. Denning, 1976
Access Control concerns how information is accessed.
Information Flow Security concerns how information is propagated.

Information Flow

If the information in variable x is transferred to variable y, then there is information flow x->y.

Information Flow Security

Connects information flow to security
Classifies program variables into different security levels
(Assign each variable a security level; compare this to user privilege management in Linux, with the root user versus ordinary users.)
Specifies permissible flows between these levels, i.e., information flow policy
(Then set an information flow policy; for example, in Linux the root user can do anything, while an ordinary user cannot access files and directories that belong exclusively to root.)

Confidentiality and Integrity

Confidentiality (in the context of information flow security) focuses on preventing an attacker from obtaining secret information, i.e., protecting critical data from being read by the attacker.
Integrity (in the context of information flow security) focuses on preventing an attacker from executing high-privilege commands through means such as privilege escalation or SQL injection, i.e., protecting critical data from being written by the attacker.
More on Integrity - a Broad Definition (outside the context of information flow security, integrity has further meanings):
To ensure the correctness, completeness, and consistency of data.
Correctness
E.g., for information flow integrity, the (trusted) critical data should not be corrupted by untrusted data
Completeness
E.g., a database system should store all data completely
Consistency
E.g., a file transfer system should ensure that the file contents

Explicit Flows and Covert Channels

Explicit Flow

Covert Channels

Leak under implicit flow
This kind of information flow is called implicit flow, which may arise when the control flow is affected by secret information.
Any differences in side effects under secret control encode information about the control, which may be publicly observable and leak secret information.
More Leak Examples
Mechanisms for signalling information through a computing system are known as channels.
(A channel transmits information.)
Channels that exploit a mechanism whose primary purpose is not information transfer are called covert channels.
(A channel whose original purpose is not to transmit information, yet which transmits it anyway, is what we call a covert channel.)
Covert Channels Examples
More:
By observing power consumption, network traffic characteristics, cache hit rates, or server response-time characteristics, one can in some way obtain some degree of secret information.
Side Channel: "AF is short of fresh water"
In the film Midway there is a dialogue to roughly this effect:
"You don't know where the banquet will be held, but you can see that a hotel has been booked and the drinks are being shipped to one place..."

Taint Analysis

Definition

The origins of tainted data are called sources. In practice, tainted data usually come from the return values of some methods (regarded as sources).
Taint analysis tracks how tainted data flow through the program and observes if they can flow to locations of interest (called sinks). In practice, sinks are usually some sensitive methods.

Taint & Pointer Analysis, Together

"Can tainted data flow to a sink?", rephrased, is really "Which tainted data can a pointer (at a sink) point to?"

Treats tainted data as (artificial) objects
Treats sources as allocation sites (of tainted data)
Leverages pointer analysis to propagate tainted data

Inputs & Outputs

Inputs
Sources: a set of source methods (the calls to these methods return tainted data)
Sinks: a set of sink methods (that tainted data flow to these methods violates security policies)
Outputs
TaintFlows: a set of pairs of tainted data and sink methods
E.g., $(t_i, m) \in \mathit{TaintFlows}$ denotes that the tainted data from call site $i$ (which calls a source method) may flow to sink method $m$
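Taint analysis as pointer analysis, as an added example (not the lecture's or Tai-e's code): a flow-insensitive, intraprocedural points-to analysis over a tiny three-address IR in which every source call site i allocates an artificial taint object t_i, and TaintFlows is read off the points-to sets of sink arguments. The IR, the method names getPassword and log, and the source call at line 3 of the lecture program are assumptions.

```python
# Tiny three-address IR (constructed for this example). Statement forms:
#   ("new", x, i)  x = new T() at site i      ("assign", y, x)  y = x
#   ("store", x, f, y)  x.f = y                ("load", y, x, f)  y = x.f
#   ("call", r, m, args, i)  r = m(args) at call site i; r may be None
SOURCES = {"getPassword"}   # assumed source method: its return value is tainted
SINKS = {"log"}             # assumed sink method: a tainted argument violates the policy

def _add(target, items):    # union items into target; True if the set grew
    n = len(target)
    target.update(items)
    return len(target) != n

def analyze(stmts, sources=SOURCES, sinks=SINKS):
    """Return (pt, flows): points-to sets and TaintFlows = {(i, m)}."""
    pt, fpt = {}, {}        # var -> objects, (object, field) -> objects
    var = lambda v: pt.setdefault(v, set())
    fld = lambda o, f: fpt.setdefault((o, f), set())
    changed = True
    while changed:          # naive fixpoint; flow-insensitive, intraprocedural
        changed = False
        for st in stmts:
            if st[0] == "new":          # o_i in pt(x)
                changed |= _add(var(st[1]), {("o", st[2])})
            elif st[0] == "assign":     # pt(x) is a subset of pt(y)
                changed |= _add(var(st[1]), var(st[2]))
            elif st[0] == "store":      # pt(y) is a subset of pt(o.f), o in pt(x)
                for o in list(var(st[1])):
                    changed |= _add(fld(o, st[2]), var(st[3]))
            elif st[0] == "load":       # pt(o.f) is a subset of pt(y), o in pt(x)
                for o in list(var(st[2])):
                    changed |= _add(var(st[1]), fld(o, st[3]))
            elif st[0] == "call" and st[1] is not None and st[2] in sources:
                changed |= _add(var(st[1]), {("t", st[4])})  # source site i allocates t_i
    flows = set()           # every taint object reaching a sink argument is a flow
    for st in stmts:
        if st[0] == "call" and st[2] in sinks:
            for a in st[3]:
                flows |= {(o[1], st[2]) for o in var(a) if o[0] == "t"}
    return pt, flows

# The lecture's program, using its line numbers as sites; the getPassword()
# call at line 3 is reconstructed because that line is missing from the page.
PROGRAM = [
    ("new", "x", 2), ("call", "pw", "getPassword", [], 3),
    ("assign", "y", "x"), ("store", "x", "f", "pw"),
    ("load", "s", "y", "f"), ("call", None, "log", ["s"], 7),
]

def taint_flows(program=PROGRAM):
    return analyze(program)[1]      # {(3, "log")}: pw's taint reaches log via x.f / y.f
```

The store through x and the load through its alias y are resolved by the points-to sets alone, which is why no separate taint-propagation machinery is needed once taint is modelled as an object.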

Rules

Rules for Propagation
New Rules for Call

Example

    class A {
        String f;
    }

    public class Main {
        public static void main(String[] args) {
            A x = new A();
            String pw = getPassword(); // source call; this line is missing from the page and is reconstructed here
            A y = x;                   // y is an alias of x
            x.f = pw;                  // the secret is stored into the shared object through x
            String s = y.f;            // and read back through y, so s carries the secret
            log(s);                    // sink: will this log write something astonishing?
        }

        // source method: its header is missing from the page; the name is assumed
        static String getPassword() {
            return new String();
        }

        // sink method
        static void log(String s) {
            System.out.println(s);
        }
    }

Key Points

1. Concept of information flow security
2. Confidentiality & integrity
3. Explicit flows & covert channels
4. Use taint analysis to detect unwanted information flow