Section: New Results

Security

Participants : Nataliia Bielova, Ilaria Castellani, Tamara Rezk, Dolière Francis Some.

Security for multiparty session calculi

In our previous work, we investigated two security properties for multiparty session calculi: access control and information flow security. We proposed a type system ensuring both these properties. We also defined a monitored semantics inducing a property that is strictly included between typability and information flow security, which we called information flow safety.

The article [5] is an extended version of a previous workshop paper, which introduces refined versions of the safety and security properties examined in that paper and provides two additional results: compositionality of the refined safety property, and the proof that this property is ensured by a simplified version of the type system of [4].

In [18], we argue that the security requirements considered in previous work could be overly restrictive in some cases. In particular, a party is not allowed to communicate any kind of public information after receiving a secret information. The aim of [18] is to overcome this restriction, by proposing a new type discipline for a multiparty session calculus, which classifies messages according to their topics and allows unrestricted sequencing of messages on independent topics.

Security for dynamic and adaptable systems

We have started to study security issues in the context of dynamically evolving communicating systems, namely systems which are able to adapt themselves in reaction to particular events, arising in the system itself or in its environment. When focussing on security, examples of such events are security attacks or changes in security policies.

The paper [11] investigates a simple session calculus in which self-adaptation and security concerns may be jointly addressed. In this calculus, security violations occur when processes attempt to read or write messages of inappropriate security level within a session. Such violations trigger adaptation mechanisms that prevent the violations to propagate their effect in the remainder of the session, while allowing the computation to proceed. More specifically, our calculus is equipped with a monitored semantics based on session types, which activates local and global adaptation mechanisms for reacting respectively to soft and hard security violations. We present type soundness results that ensure that the overall protocol is still correctly executed after the application of these mechanisms.

Information Flow Monitoring

The dynamic aspects of JavaScript make the security analysis of web applications very challenging. Purely static analysis is prohibitively restrictive in practice since it must exclude JavaScript dynamic aspects or over-approximate them. In recent years, several dynamic enforcement mechanisms in the form of information flow monitors have been proposed. In order to better evaluate the currently available information flow monitors trade-offs, our contribution is to rigorously compare them [16]. We compare them with respect to two important dimensions according to the runtime monitor literature: soundness and transparency. We analyse five widely explored information flow monitor techniques: no-sensitive-upgrade, permissive-upgrade, hybrid monitors, secure multi execution, and multiple facets. Furthermore, we formally prove that the generalised belief in the equivalence of two of these approaches, secure multi-execution and multiple facets, is false [17].

Quantitative information flow measures

A number of measures for quantifying information leakage of a program have been proposed. Most of these measures evaluate a program as a whole by quantifying how much information can be leaked on average by different program outputs. While these measures perfectly fit for static program analyses, they cannot be used by dynamic analyses since they do not specify what information an attacker learns through observing one concrete program output.

In this work, we study the existing definitions of quantitative information flow [15]. Our goal is to find the definition of dynamic leakage – it should evaluate how much information an attacker learns when she observes one program output. Surprisingly, we find out that none of the existing definitions provide a suitable measure for dynamic leakage. We hence open a new research question in quantitative information flow area: which definition of dynamic leakage is suitable?

Access control and capability systems

Motivated by the problem of understanding the difference between practical access control and capability systems formally, we distill the essence of both in a language-based setting [19]. We first prove that access control systems and (object) capabilities are fundamentally different. We further study capabilities as an enforcement mechanism for confused deputy attacks (CDAs), since CDAs may have been the primary motivation for the invention of capabilities. To do this, we develop the first formal characterization of CDA-freedom in a language-based setting and describe its relation to standard information flow integrity. We show that, perhaps suprisingly, capabilities cannot prevent all CDAs. Next, we stipulate restrictions on programs under which capabilities ensure CDA- freedom and prove that the restrictions are sufficient. To relax those restrictions, we examine provenance semantics as sound CDA-freedom enforcement mechanisms.