Observational Determinism for Concurrent Program Security
Authors
Abstract
Noninterference is a property of sequential programs that is useful for expressing security policies for data confidentiality and integrity. However, extending noninterference to concurrent programs has proved problematic. In this paper we present a relatively expressive secure concurrent language. This language, based on existing concurrent calculi, provides first-class channels, higher-order functions, and an unbounded number of threads. Well-typed programs obey a generalization of noninterference that ensures immunity to internal timing attacks and to attacks that exploit information about the thread scheduler. Elimination of these refinement attacks is possible because the enforced security property extends noninterference with observational determinism. Although the security property is strong, it also avoids some of the restrictiveness imposed on previous security-typed concurrent languages.
Similar references
Stateless Code Model Checking of Information Flow Security
Observational determinism is a security property that characterizes secure information flow for multithreaded programs. Most of the methods that have been used to verify observational determinism are based on either type systems or conventional model checking techniques. A conventional model checker is stateful and often verifies a system model usually constructed manually. As these methods are...
Probabilistic Noninterference Based on Program Dependence Graphs
We present a new algorithm for checking probabilistic noninterference in concurrent programs. The algorithm uses the Low-Security Observational Determinism criterion. It is based on program dependence graphs for concurrent programs, and is thus very precise: it is flow-sensitive, context-sensitive, object-sensitive, and optionally time-sensitive. The algorithm has been implemented for full Java ...
Scheduler-related Confidentiality for Multi-threaded Programs
Observational determinism has been proposed in the literature as a way to ensure confidentiality for multi-threaded programs. Intuitively, a program is observationally deterministic if the behavior of the public variables is deterministic, i.e., independent of the private variables. Several formal definitions of observational determinism exist, but all of them have shortcomings; for example the...
Preface: Foundational aspects of security
• Joshua Guttman in “Establishing and preserving protocol security goals” proposes a model-theoretic approach to the verification of security properties, where the models are executions, and the security goals are implications over the geometric fragment of predicate logic. This methodology also leads to a new reading of protocol refinement and transformation, and offers the possibility of reas...
D2C: Deterministic, Deadlock-free Concurrency
The advent of multicore processors has made concurrent programming languages mandatory. However, most concurrent programming models come with two major pitfalls: non-determinism and deadlocks. By determinism, we mean the output behavior of the program is independent of the scheduling choices (e.g., the operating system) and depends only on the input behavior. A few concurrent programming models...