Quantitative information-flow tracking for real systems

Autor: McCamant, Stephen
Jazyk: angličtina
Rok vydání: 2008
Předmět:
Druh dokumentu: Diplomová práce
Popis: Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2008.
This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections.
Includes bibliographical references (p. 99-105).
An information-flow security policy constrains a computer system's end-to-end use of information, even as it is transformed in computation. For instance, a policy would not just restrict what secret data could be revealed directly, but restrict any output that might allow inferences about the secret. Expressing such a policy quantitatively, in terms of a specific number of bits of information, is often an effective program independent way of distinguishing what scenarios should be allowed and disallowed. This thesis describes a family of new techniques for measuring how much information about a program's secret inputs is revealed by its public outputs on a particular execution, in order to check a quantitative policy on realistic systems. Our approach builds on dynamic tainting, tracking at runtime which bits might contain secret in formation, and also uses static control-flow regions to soundly account for implicit flows via branches and pointer operations. We introduce a new graph model that bounds information flow by the maximum flow between inputs and outputs in a flow network representation of an execution. The flow bounds obtained with maximum flow are much more precise than those based on tainting alone (which is equivalent to graph reachability). The bounds are a conservative estimate of channel capacity: the amount of information that could be transmitted by an adversary making an arbitrary choice of secret inputs. We describe an implementation named Flowcheck, built using the Valgrind framework for x86/Linux binaries, and use it to perform case studies on six real C, C++, and Objective C programs, three of which have more than 250,000 lines of code. We used the tool to check the confidentiality of a different kind of information appropriate to each program. Its results either verified that the information was appropriately kept secret on the examined executions, or revealed unacceptable leaks, in one case due to a previously unknown bug.
by Stephen Andrew McCamant.
Ph.D.
Databáze: Networked Digital Library of Theses & Dissertations