Presentation given at CSF 2014 on the paper "Stateful Declassification Policies for Event-Driven Programs". In essence we present declassification for Secure Multi Execution (SME).

1. Stateful Declassification Policies
for Event-Driven Programs
M. Vanhoef, W. De Groef, D. Devriese, F. Piessens, T. Rezk
CSF 2014

2. Observation
“The browser is the new OS”
2

3. But… browser security?
3
XSS

4. Firefox: no protection
4
Previous work(s) offer protection against this!

5. What are we protecting?
5
Event-driven (reactive) programs:
 All inputs to the program are events
 Output is produced using API calls

6. What are we protecting?
6
Event-driven (reactive) programs:
 All inputs to the program are events
 Output is produced using API calls
Public outputPrivate input

7. Currently: Noninterference
7
𝐼 ≈ 𝐿 𝐼′ → 𝑂 ≈ 𝐿 𝑂′
Equal after high
input removed
low output identical
 Security levels: H (private) and L (public)
 Enforce using Secure Multi Execution (SME)
 Secure
 Precise

8. Implemented in FlowFox
8
With proper policy, attack is blocked!
Keys pressed, but request blocked

9. The problem…
9
Noninterference is too strict!
Examples:
 Leak only occurrence of key presses?
 Leak specific shortcut keys only?
 Leak approximate location (mouse, GPS)?

10. Example: online slideshow
10
Uses arrow keys to navigate:
 We need declassification support!

11. Our Contributions
11
Declassification in untrusted programs
 Policy specification
 SME enforcement
 Implementation in FlowFox

12. Policy specification
 What does the policy define?
“The info leaked public observers”
 We consider two cases:
1. Leaking approximate information about one event
2. Leaking aggregate or statistical info over several events
12

13. Policy specification
 How to formally specify both cases?
 Using a functional, declarative program.
 On each input, define the (new) public info.
13
Leaking over one event Leaking over several events
(1) Event projection (2) Information release

14. 1. Event projection
14
 Leaks info about one event (stateless):
π ev n = Nothing | Project n′
 Nothing : Event not visible to low observers
 ev n′ : Low observers can depend on (ev n′)
Other events project to Nothing

15. 1. Event projection
15
 Leaks info about one event (stateless):
π ev n = Nothing | Project n′
 Generalizes security labels:
Low event: 𝜋 𝑒𝑣 𝑛 = Project 𝑛
High event: 𝜋 𝑒𝑣 𝑛 = Nothing
 And separation of content and presence:
Only presence: 𝜋 𝑒𝑣 𝑛 = Project 0

16. 1. Event projection
16
 Leaks info about one event (stateless):
π ev n = Nothing | Project n′
 Must be idempotent to guarantee precision:
𝜋(𝜋 𝑒𝑣 𝑛 ) = 𝜋(𝑒𝑣 𝑛)
In line with the idea of removing sensitive info!

17. 2. Information release
17
 Leaks info about multiple events (stateful):
𝑟 𝑠, 𝑒𝑣 𝑛 = 𝑠′
, Unchanged | Release 𝑛′
 𝑠, 𝑠′: old and new state
 Release 𝑛′: low observers can depend on 𝑛′
 Unchanged: no new info released

18. 2. Information release
18
 Leaks info about multiple events (stateful):
𝑟 𝑠, 𝑒𝑣 𝑛 = 𝑠′
, Unchanged | Release 𝑛′
 Can specify type and initial value of the state:
State :: Bool = False
 Released value is put on a release channel
 Enforcement mechanism can obtain latest released value

19. 2. Info release: example
19
 Leak if shotcut key was used at least once
 State :: Bool = False
 Release function 𝑟:

20. Updated noninterference
20
 Noninterference (old):
𝐼 ≈ 𝐿 𝐼′ → 𝑂 ≈ 𝐿 𝑂′
 𝒟∗
𝐼 = all info low observers can depend
on according to policy 𝒟
 Noninterference with declassification:
𝒟∗
𝐼 = 𝒟∗
𝐼′
→ 𝑂 ≈ 𝐿 𝑂′
Equal according to policy 𝒟 Low outputs identical

21. Our Contributions
21
Declassification in untrusted programs
 Policy specification
 SME enforcement
 Implementation in FlowFox

22. Secure Multi Execution (SME)
Runs a copy for each security level:
Low
HighHigh
Low
Program (H)
Program (L)
22

23. SME Example: high input
Low run
KeyPress ‘e’
High run
23

24. SME Example: high input
Low run
KeyPress ‘e’
High run
24

25. SME Example: high input
Low run
KeyPress ‘e’
High run
25

26. SME Example: low input
Low run
High run
MouseClick 10
26

27. SME Example: low input
Low run
High run
MouseClick 10
27

28. SME Example: low input
Low run
High run
MouseClick 10
28

29. SME Example: low input
Low run
High run
MouseClick 10
29

30. SME Example: low input
Low run
High run
MouseClick 10
30

31. Declassification in SME?
31
Projections generalize security labellings!
Low
HighHigh
Low
Program (H)
Program (L)

32. Declassification in SME?
32
Low
High
Input
Program (H)
𝜋
Program (L)
Projections generalize security labellings!

33. Declassification in SME?
33
Information release?
Low
High
Input
Program (H)
𝜋
Program (L)

34. Declassification in SME?
34
Information release?
Low
High
Input
Program (H)
𝜋
Program (L)
SME state

35. Declassification in SME?
35
Information release?
Low
High
Input
Program (H)
𝜋
?
Program (L)
SME state

36. Access to release channel
36
 Using annotations
 Important remarks:
 Annotations are seen as untrusted, security does not
depend on them (hence attacker cannot abuse them).
 Only used to assure precision!
 Idea: browser vendor sets default policies,
motivating programmers to use annotates.

37. Declassification in SME
37
Properties:
 Security: OK!
 Precision for projections: OK!
 Full precision more tedious:
 Program must run under expected policy
 All leaks should happen through annotations
 Projections are powerful!

38. Our Contributions
38
Declassification in untrusted programs
 Policy specification
 SME enforcement
 Implementation in FlowFox

39. Revealing Occurrence
39
 Keylogger in chrome (no protection):

40. Revealing Occurrence
40
 Keylogger in FlowFox (policy):

41. Revealing Occurrence
41
 Keylogger in FlowFox (attack blocked):

42. Leak approximate info
42
 Imagine mouse tracking software:

43. Leak approximate info
43
 Imagine mouse tracking software:

44. Leak approximate info
44
 Mouse tracking under FlowFox (policy):

45. Leak approximate info
45
 Mouse tracking under FlowFox (high output):

46. Leak approximate info
46
 Mouse tracking under FlowFox (low output):

47. Questions?