Section: New Results


Participants : Ilaria Castellani, Zhengqin Luo, Tamara Rezk [correspondant] , José Santos, Manuel Serrano.

Secure session calculi

We have pursued our work on controlling information flow in session calculi, started in previous years in collaboration with colleagues from the university of Torino. We also started investigating a notion of (objective) reputation for principals participating in sessions. The reputation of a principal is based on her previous behaviour as a user of a service. A principal's reputation can be checked both by the service itself, before admitting again the principal as a user, or by other principals to evaluate the reputation of the current users before they join a service (we consider multi-user services). We plan to apply this idea to refine our previous work on information flow control in multiparty sessions, by considering reputations built on the “security behaviour” of principals.

In the work “Information flow safety in multiparty sessions” [11] , we consider a calculus for multiparty sessions enriched with security levels for messages. We propose a monitored semantics for this calculus, which blocks the execution of processes as soon as they attempt to leak information. We illustrate the use of our monitored semantics with various examples, and show that the induced safety property implies the security property studied previously for the same calculus. This work was presented at the 18th International Workshop on Expressiveness in Concurrency (EXPRESS'11).

In the work “A Reputation System for Multirole Sessions” [10] , we extend role-based multiparty sessions with reputations and policies associated with principals. The reputation associated with a principal in a service is built by collecting her relevant behaviour as a participant in sessions of the service. The service checks the reputation of principals before allowing them to take part in a session, and decides whether to accept them or not depending on their reputation and on the role they want to play. Furthermore, principals can declare policies that must be fulfilled by the other participants of the same service. These policies are used by principals to check the reputation of the current participants and to decide accordingly whether or not to join the service. Our approach is illustrated by an example describing a real-world protocol. This work was presented at the 6th International Symposium on Trustworthy Global Computing (TGC'11).

Both [11] and [10] were partially funded by the ANR-08-EMER-010 grant PARTOUT.

Automatic Code Injection Prevention for Web Applications

We propose a new technique based on multitier compilation for preventing code injection in web applications. It consists in adding an extra stage to the client code generator which compares the dynamically generated code with the specification obtained from the syntax of the source program. No intervention from the programmer is needed. No plugin or modification of the web browser is required. The soundness and validity of the approach are proved formally by showing that the client compiler can be fully abstract. The practical interest of the approach is proved by showing the actual implementation in the Hop environment.

This work was presented in TOSCA'11 and appeared in the LNCS series [13] . See also software section.

A Certified Lightweight Non-Interference Java Bytecode Verifier

We propose a type system to verify the non-interference property in the Java Virtual Machine. We verify the system in the Coq theorem prover.

This work will appear in the journal of Mathematical Structures in Computer Science [8] .

Information-flow types for homomorphic encryptions

We develop a flexible information-flow type system for a range of encryption primitives, precisely reflecting their diverse functional and security features. Our rules enable encryption, blinding, homomorphic computation, and decryption, with selective key re-use for different types of payloads. We show that, under standard cryptographic assumptions, any well-typed probabilistic program using encryptions is secure (that is, computationally non-interferent) against active adversaries, both for confidentiality and integrity. We illustrate our approach using ElGamal and Paillier encryption.

We present two applications of cryptographic verification by typing: (1) private search on data streams; and (2) the bootstrapping part of Gentry's fully homomorphic encryption.

We provide a prototype typechecker for our system.

This work appeared in CCS'11 [12] . See also software section.

The Mashic compiler

Mashups are a prevailing kind of web applications integrating external gadget APIs often written in the Javascript programming language. Writing secure mashups is a challenging task due to the heterogeneity of existing gadget APIs, the privileges granted to gadgets during mashup executions, and Javascript's highly dynamic environment.

We propose a new compiler, called Mashic, for the automatic generation of secure Javascript-based mashups from existing mashup code. The Mashic compiler can effortlessly be applied to existing mashups based on a wide-range of gadget APIs. It offers security and correctness guarantees. Security is achieved by using the Same Origin Policy. Correctness is ensured in the presence of benign gadgets, that satisfy confidentiality and integrity constrains with regard to the integrator code. The compiler has been successfully applied to real world mashups based on Google maps, Bing maps, YouTube, and Zwibbler APIs.

See also software section.

Secure Information Flow by Self-Composition

Information flow policies are confidentiality policies that control information leakage through program execution. A common means to enforce secure information flow is through information flow type systems. Although type systems are compositional and usually enjoy decidable type checking or inference, their extensibility is very poor: type systems need to be redefined and proven sound for each new single variation of security policy and programming language for which secure information flow verification is desired. In contrast, program logics offer a general mechanism to enforce a variety of safety policies, and for this reason are favored in Proof Carrying Code, a promising security architecture for mobile code. However, the encoding of information flow policies in program logics is not straightforward, because they refer to a relation between two program executions. The purpose of this work is to investigate logical formulations of secure information flow based on the idea of self-composition, that reduces the problem of secure information flow of a program P to a safety property for program P composed with itself.

This work appeared in the special issue of MSCS of PLID [7] .

Secure Information flow enforcement techniques for dynamic security policies

We performed a comprehensive investigation of alternative static mechanisms to enforce information flow policies considering a setting in which programs run under an authority that is only known at runtime and that yields a relaxation of the base security policy. The devised method aims at eliminating the need to reanalyse a program each time its authority changes. The soundness of the proposed approach was established for a concurrent higher-order imperative lambda calculus with reference creation. This work resulted in the report “Typing Illegal Information Flows as Program Effects” available at http://www-sop.inria.fr/members/Jose.Santos/reportInfFlow.pdf .