Henning Sudbrock
Technische Universität Darmstadt
Publication
Featured research published by Henning Sudbrock.
IEEE Computer Security Foundations Symposium | 2011
Heiko Mantel; David Sands; Henning Sudbrock
The idea of building secure systems by plugging together "secure" components is appealing, but this requires a definition of security which, in addition to taking care of top-level security goals, is strengthened appropriately in order to be compositional. This approach has been previously studied for information-flow security of shared-variable concurrent programs, but the price for compositionality is very high: a thread must be extremely pessimistic about what an environment might do with shared resources. This pessimism leads to many intuitively secure threads being labelled as insecure. Since in practice it is only meaningful to compose threads which follow an agreed protocol for data access, we take advantage of this to develop a more liberal compositional security condition. The idea is to give the security definition access to the intended pattern of data usage, as expressed by assumption-guarantee style conditions associated with each thread. We illustrate the improved precision by developing the first flow-sensitive security type system that provably enforces a noninterference-like property for concurrent programs.
European Symposium on Research in Computer Security | 2010
Heiko Mantel; Henning Sudbrock
We propose an approach to certify the information flow security of multi-threaded programs independently from the scheduling algorithm. A scheduler-independent verification is desirable because the scheduler is part of the runtime environment and, hence, usually not known when a program is analyzed. Unlike for other system properties, it is not straightforward to achieve scheduler independence when verifying information flow security, and the existing independence results are very restrictive. In this article, we show how some of these restrictions can be overcome. The key insight in our development of a novel scheduler-independent information flow property was the identification of a suitable class of schedulers that covers the most relevant schedulers. The contributions of this article include a novel security property, a scheduler independence result, and a provably sound program analysis.
Logic-Based Program Synthesis and Transformation | 2006
Heiko Mantel; Henning Sudbrock; Tina Kraußer
When giving a program access to secret information, one must ensure that the program does not leak the secrets to untrusted sinks. For reducing the complexity of such an information flow analysis, one can employ compositional proof techniques. In this article, we present a new approach to analyzing information flow security in a compositional manner. Instead of committing to a proof technique at the beginning of a verification, this choice is made during verification with the option of flexibly migrating to another proof technique. Our approach also increases the precision of compositional reasoning in comparison to the traditional approach. We illustrate the advantages in two exemplary security analyses, on the semantic level and on the syntactic level.
Formal Aspects in Security and Trust | 2009
Heiko Mantel; Henning Sudbrock
We present a formal model for analyzing the bandwidth of covert channels. The focus is on channels that exploit interrupt-driven communication, which have been shown to pose a serious threat in practical experiments. Our work builds on our earlier model [1], which we used to compare the effectiveness of different countermeasures against such channels. The main novel contribution of this article is an approach to exploiting detailed knowledge about a given channel in order to make the bandwidth analysis more precise.
Logic-Based Program Synthesis and Transformation | 2012
Heiko Mantel; Henning Sudbrock
Type-based and PDG-based information flow analysis techniques are currently developed independently in a competing manner, with different strengths regarding coverage of language features and security policies. In this article, we study the relationship between these two approaches. One key insight is that a type-based information flow analysis need not be less precise than a PDG-based analysis. For proving this result we establish a formal connection between the two approaches which can also be used to transfer concepts from one tradition of information flow analysis to the other. The adoption of rely-guarantee-style reasoning from security type systems, for instance, enabled us to develop a PDG-based information flow analysis for multi-threaded programs.
IEEE Computer Security Foundations Symposium | 2007
Heiko Mantel; Henning Sudbrock
Interrupt-driven communication with hardware devices can be exploited for establishing covert channels. In this article, we propose an information-theoretic framework for analyzing the bandwidth of such interrupt-related channels while taking aspects of noise into account. As countermeasures, we present mechanisms that are already implemented in some operating systems, though for a different purpose. Based on our formal framework, the effectiveness of the mechanisms is evaluated. Despite the large body of work on covert channels, this is the first comprehensive account of interrupt-related covert channel analysis and mitigation.
International Journal of Secure Software Engineering | 2015
Heiko Mantel; Henning Sudbrock
Interrupt-related covert channels (IRCCs) utilize hardware interrupts for enabling communication between processes. This article provides an empirical evaluation of IRCC vulnerabilities, based on an actual exploit. The evaluation combines experiments with an information-theoretic analysis for computing the channel bandwidth. The evaluation shows that a bandwidth of multiple bits per second is achievable in a desktop system via interrupts of a network interface card. This result clarifies the significance of this IRCC vulnerability for one particular system. The exploit presented is configurable, and the article provides a solution for computing an optimal exploit configuration for a given system. While side channels based on hardware interrupts have been discussed before, this is the first empirical evaluation of covert channels based on hardware interrupts.
Archive | 2010
Markus Aderhold; Jorge Cuéllar; Heiko Mantel; Henning Sudbrock
Archive | 2013
Henning Sudbrock
Archive | 2008
Hans Gregor Molter; Hui Shao; Henning Sudbrock; Sorin A. Huss; Heiko Mantel