Transparent IFC Enforcement: Possibility and (In)Efficiency Results

by   Maximilian Algehed, et al.

Information Flow Control (IFC) is a collection of techniques for ensuring a no-write-down no-read-up style security policy known as noninterference. Traditional methods for both static and dynamic IFC suffer from untenable numbers of false alarms on real-world programs. Secure Multi-Execution (SME) promises to provide secure IFC without modifying the behaviour of already secure programs, a property known as transparency. Implementations of SME exist for the web and as plug-ins to several programming languages. Furthermore, SME can in theory work in a black-box manner, meaning that it can be programming language agnostic, making it perfect for securing legacy or third-party systems. As such SME, and its variants like Multiple Facets (MF) and Faceted Secure Multi-Execution (FSME), appear to be a family of panaceas for the security engineer. The question is, how come, given all these advantages, that these techniques are not ubiquitous in practice? The answer lies, partially, in the issue of runtime and memory overhead. SME and its variants are prohibitively expensive to deploy in many non-trivial situations. Why is this the case? On the surface, the reason is simple. The techniques in the SME family all rely on the idea of multi-execution, running all or parts of a program multiple times to achieve noninterference. Naturally, this causes overhead. However, the goal in the IFC community has been to overcome these overheads. In this paper we argue that there are fundamental reasons to expect this not to be possible and prove two key theorems: 1. All transparent enforcement is polynomial time equivalent to multi-execution. 2. All black-box enforcement takes time exponential in the number of principals in the security lattice. We also answer, in the affirmative, an open question about the possibility of transparently enforcing the TINI security condition.


Multi-Execution Lattices Fast and Slow

Methods for automatically, soundly, and precisely guaranteeing the nonin...

Pifthon: A Compile-Time Information Flow Analyzer For An Imperative Language

Compile-time information flow analysis has been a promising technique fo...

Racets: Faceted Execution in Racket

Faceted Execution is a linguistic paradigm for dynamic information-flow ...

The Case for Temporal Transparency: Detecting Policy Change Events in Black-Box Decision Making Systems

Bringing transparency to black-box decision making systems (DMS) has bee...

dMVX: Secure and Efficient Multi-Variant Execution in a Distributed Setting

Multi-variant execution (MVX) systems amplify the effectiveness of softw...

Hyperfuzzing: black-box security hypertesting with a grey-box fuzzer

Information leakage is a class of error that can lead to severe conseque...

Please sign up or login with your details

Forgot password? Click here to reset