2019 IEEE 32nd Computer Security Foundations Symposium (CSF)最新文献

筛选
英文 中文
Static Enforcement of Security in Runtime Systems 运行时系统中安全的静态实施
2019 IEEE 32nd Computer Security Foundations Symposium (CSF) Pub Date : 2019-06-01 DOI: 10.1109/CSF.2019.00030
M. V. Pedersen, Aslan Askarov
{"title":"Static Enforcement of Security in Runtime Systems","authors":"M. V. Pedersen, Aslan Askarov","doi":"10.1109/CSF.2019.00030","DOIUrl":"https://doi.org/10.1109/CSF.2019.00030","url":null,"abstract":"Underneath every modern programming language is a runtime environment (RTE) that handles features such as automatic memory management and thread scheduling. In the information-flow control (IFC) literature, the RTE is often part of the trusted computing base (TCB), and there has been little focus on applying IFC to the implementation of the RTE itself. In this paper we address this problem by designing an IFC language, Zee, for implementing secure RTEs, thereby removing the RTE from the TCB. We implement Zee and design and implement secure versions of garbage collectors and thread schedulers using Zee. We also prove that a faithful calculus of Zee satisfies a strong variant of timing-sensitive noninterference.","PeriodicalId":249093,"journal":{"name":"2019 IEEE 32nd Computer Security Foundations Symposium (CSF)","volume":"210 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121093346","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 1
EasyUC: Using EasyCrypt to Mechanize Proofs of Universally Composable Security easyyuc:使用EasyCrypt来机械化普遍可组合安全性的证明
2019 IEEE 32nd Computer Security Foundations Symposium (CSF) Pub Date : 2019-06-01 DOI: 10.1109/CSF.2019.00019
R. Canetti, Alley Stoughton, Mayank Varia
{"title":"EasyUC: Using EasyCrypt to Mechanize Proofs of Universally Composable Security","authors":"R. Canetti, Alley Stoughton, Mayank Varia","doi":"10.1109/CSF.2019.00019","DOIUrl":"https://doi.org/10.1109/CSF.2019.00019","url":null,"abstract":"We present a methodology for using the EasyCrypt proof assistant (originally designed for mechanizing the generation of proofs of game-based security of cryptographic schemes and protocols) to mechanize proofs of security of cryptographic protocols within the universally composable (UC) security framework. This allows, for the first time, the mechanization and formal verification of the entire sequence of steps needed for proving simulation-based security in a modular way: * Specifying a protocol and the desired ideal functionality; * Constructing a simulator and demonstrating its validity, via reduction to hard computational problems; * Invoking the universal composition operation and demonstrating that it indeed preserves security. We demonstrate our methodology on a simple example: stating and proving the security of secure message communication via a one-time pad, where the key comes from a Diffie-Hellman key-exchange, assuming ideally authenticated communication. We first put together EasyCrypt-verified proofs that: (a) the Diffie-Hellman protocol UC-realizes an ideal key-exchange functionality, assuming hardness of the Decisional Diffie-Hellman problem, and (b) one-time-pad encryption, with a key obtained using ideal key-exchange, UC-realizes an ideal secure-communication functionality. We then mechanically combine the two proofs into an EasyCrypt-verified proof that the composed protocol realizes the same ideal secure-communication functionality. Although formulating a methodology that is both sound and workable has proven to be a complex task, we are hopeful that it will prove to be the basis for mechanized UC security analyses for significantly more complex protocols and tasks.","PeriodicalId":249093,"journal":{"name":"2019 IEEE 32nd Computer Security Foundations Symposium (CSF)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116221339","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 32
Decidability of a Sound Set of Inference Rules for Computational Indistinguishability 一组可靠的计算不可区分推理规则的可判定性
2019 IEEE 32nd Computer Security Foundations Symposium (CSF) Pub Date : 2019-06-01 DOI: 10.1109/CSF.2019.00011
Adrien Koutsos
{"title":"Decidability of a Sound Set of Inference Rules for Computational Indistinguishability","authors":"Adrien Koutsos","doi":"10.1109/CSF.2019.00011","DOIUrl":"https://doi.org/10.1109/CSF.2019.00011","url":null,"abstract":"Computational indistinguishability is a key property in cryptography and verification of security protocols. Current tools for proving it rely on cryptographic game transformations. We follow Bana and Comon's approach, axiomatizing what an adversary cannot distinguish. We prove the decidability of a set of first-order axioms which are computationally sound, though incomplete, for protocols with a bounded number of sessions whose security is based on an IND-CCA_2 encryption scheme. Alternatively, our result can be viewed as the decidability of a family of cryptographic game transformations. Our proof relies on term rewriting and automated deduction techniques.","PeriodicalId":249093,"journal":{"name":"2019 IEEE 32nd Computer Security Foundations Symposium (CSF)","volume":"86 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121777838","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 2
Information-Flow Preservation in Compiler Optimisations 编译器优化中的信息流保存
2019 IEEE 32nd Computer Security Foundations Symposium (CSF) Pub Date : 2019-06-01 DOI: 10.1109/CSF.2019.00023
Frédéric Besson, Alexandre Dang, T. Jensen
{"title":"Information-Flow Preservation in Compiler Optimisations","authors":"Frédéric Besson, Alexandre Dang, T. Jensen","doi":"10.1109/CSF.2019.00023","DOIUrl":"https://doi.org/10.1109/CSF.2019.00023","url":null,"abstract":"Correct compilers perform program transformations preserving input/output behaviours of programs. Yet, correctness does not prevent program optimisations from introducing information-flow leaks that would make the target program more vulnerable to side-channel attacks than the source program. To tackle this problem, we propose a notion of Information-Flow Preserving (IFP) program transformation which ensures that a target program is no more vulnerable to passive side-channel attacks than a source program. To protect against a wide range of attacks, we model an attacker who is granted arbitrary memory accesses for a pre-defined set of observation points. We propose a compositional proof principle for proving that a transformation is IFP. Using this principle, we show how a translation validation technique can be used to automatically verify and even close information-flow leaks introduced by standard compiler passes such as dead-store elimination and register allocation. The technique has been experimentally validated on the CompCert C compiler.","PeriodicalId":249093,"journal":{"name":"2019 IEEE 32nd Computer Security Foundations Symposium (CSF)","volume":"138 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125236254","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 12
Resource-Bounded Intruders in Denial of Service Attacks 拒绝服务攻击中的资源受限入侵者
2019 IEEE 32nd Computer Security Foundations Symposium (CSF) Pub Date : 2019-06-01 DOI: 10.1109/CSF.2019.00033
Abraão Aires Urquiza, Musab A. Alturki, M. Kanovich, Tajana Ban Kirigin, Vivek Nigam, A. Scedrov, C. Talcott
{"title":"Resource-Bounded Intruders in Denial of Service Attacks","authors":"Abraão Aires Urquiza, Musab A. Alturki, M. Kanovich, Tajana Ban Kirigin, Vivek Nigam, A. Scedrov, C. Talcott","doi":"10.1109/CSF.2019.00033","DOIUrl":"https://doi.org/10.1109/CSF.2019.00033","url":null,"abstract":"Denial of Service (DoS) attacks have been a serious security concern, as no service is, in principle, protected against them. Although a Dolev-Yao intruder with unlimited resources can trivially render any service unavailable, DoS attacks do not necessarily have to be carried out by such (extremely) powerful intruders. It is useful in practice and more challenging for formal protocol verification to determine whether a service is vulnerable even to resource-bounded intruders that cannot generate or intercept arbitrary large volumes of traffic. This paper proposes a novel, more refined intruder model where the intruder can only consume at most some specified amount of resources in any given time window. Additionally, we propose protocol theories that may contain timeouts and specify service resource usage during protocol execution. In contrast to the existing resource-conscious protocol verification models, our model allows finer and more subtle analysis of DoS problems. We illustrate the power of our approach by representing a number of classes of DoS attacks, such as, Slow, Asymmetric and Amplification DoS attacks, exhausting different types of resources of the target, such as, number of workers, processing power, memory, and network bandwidth. We show that the proposed DoS problem is undecidable in general and is PSPACE-complete for the class of resource-bounded, balanced systems. Finally, we implemented our formal verification model in the rewriting logic tool Maude and analyzed a number of DoS attacks in Maude using Rewriting Modulo SMT in an automated fashion.","PeriodicalId":249093,"journal":{"name":"2019 IEEE 32nd Computer Security Foundations Symposium (CSF)","volume":"33 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123325184","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 13
Beyond Labels: Permissiveness for Dynamic Information Flow Enforcement 超越标签:动态信息流执行的许可性
2019 IEEE 32nd Computer Security Foundations Symposium (CSF) Pub Date : 2019-06-01 DOI: 10.1109/CSF.2019.00031
Elisavet Kozyri, F. Schneider, A. Bedford, Josée Desharnais, N. Tawbi
{"title":"Beyond Labels: Permissiveness for Dynamic Information Flow Enforcement","authors":"Elisavet Kozyri, F. Schneider, A. Bedford, Josée Desharnais, N. Tawbi","doi":"10.1109/CSF.2019.00031","DOIUrl":"https://doi.org/10.1109/CSF.2019.00031","url":null,"abstract":"Flow-sensitive labels used by dynamic enforcement mechanisms might themselves encode sensitive information, which can leak. Metalabels, employed to represent the sensitivity of labels, exhibit the same problem. This paper derives a new family of enforcers—k-Enf, for 2 ≤ k ≤ ∞—that uses label chains, where each label defines the sensitivity of its predecessor. These enforcers satisfy Block-safe Noninterference (BNI), which proscribes leaks from observing variables, label chains, and blocked executions. Theorems in this paper characterize where longer label chains can improve the permissiveness of dynamic enforcement mechanisms that satisfy BNI. These theorems depend on semantic attributes—k-precise, k-varying, and k-dependent—of such mechanisms, as well as on initialization, threat model, and lattice size.","PeriodicalId":249093,"journal":{"name":"2019 IEEE 32nd Computer Security Foundations Symposium (CSF)","volume":"66 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126188664","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 1
On the Meaning and Purpose of Attack Trees 论攻击树的意义和目的
2019 IEEE 32nd Computer Security Foundations Symposium (CSF) Pub Date : 2019-06-01 DOI: 10.1109/CSF.2019.00020
H. Mantel, Christian W. Probst
{"title":"On the Meaning and Purpose of Attack Trees","authors":"H. Mantel, Christian W. Probst","doi":"10.1109/CSF.2019.00020","DOIUrl":"https://doi.org/10.1109/CSF.2019.00020","url":null,"abstract":"Attack trees are a popular notation for describing threats to systems, both in academia and industry. Originally, attack trees lacked a formal semantics, but formal semantics for different variants of attack trees were proposed later. These semantics focus on the attacker^{prime}s actions defined in the leaves and the logical structure defined by the inner nodes of an attack tree. Surprisingly, they do not clarify the connection to the goal defined at the root node in a satisfactory fashion. In this article, we aim at a better clarification of this connection between the attacks and the attacker goal specified by an attack tree. We argue that there are multiple sensible success criteria for attacks wrt. a given attacker goal and develop a framework for defining such criteria. We exploit our framework to identify similarities and differences between automatic attack-tree generation techniques. Finally, we propose a novel variant of attack trees that allows one to express exploits in an explicit fashion.","PeriodicalId":249093,"journal":{"name":"2019 IEEE 32nd Computer Security Foundations Symposium (CSF)","volume":"13 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126317520","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 13
Quantifying Information Flow in Interactive Systems 量化交互系统中的信息流
2019 IEEE 32nd Computer Security Foundations Symposium (CSF) Pub Date : 2019-05-10 DOI: 10.1109/CSF.2019.00035
David Mestel
{"title":"Quantifying Information Flow in Interactive Systems","authors":"David Mestel","doi":"10.1109/CSF.2019.00035","DOIUrl":"https://doi.org/10.1109/CSF.2019.00035","url":null,"abstract":"We consider the problem of quantifying information flow in interactive systems, modelled as finite-state transducers in the style of Goguen and Meseguer. Our main result is that if the system is deterministic then the information flow is either logarithmic or linear, and there is a polynomial-time algorithm to distinguish the two cases and compute the rate of logarithmic flow. To achieve this we first extend the theory of information leakage through channels to the case of interactive systems, and establish a number of results which greatly simplify computation. We then show that for deterministic systems the information flow corresponds to the growth rate of antichains inside a certain regular language, a property called the width of the language. In a companion work we have shown that there is a dichotomy between polynomial and exponential antichain growth, and a polynomial time algorithm to distinguish the two cases and to compute the order of polynomial growth. We observe that these two cases correspond to logarithmic and linear information flow respectively. Finally, we formulate several attractive open problems, covering the cases of probabilistic systems, systems with more than two users and nondeterministic systems where the nondeterminism is assumed to be innocent rather than demonic.","PeriodicalId":249093,"journal":{"name":"2019 IEEE 32nd Computer Security Foundations Symposium (CSF)","volume":"115 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-05-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132838645","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 5
Deterministic Channel Design for Minimum Leakage 最小泄漏的确定性通道设计
2019 IEEE 32nd Computer Security Foundations Symposium (CSF) Pub Date : 2019-05-02 DOI: 10.1109/CSF.2019.00036
Arthur Américo, M. Khouzani, P. Malacaria
{"title":"Deterministic Channel Design for Minimum Leakage","authors":"Arthur Américo, M. Khouzani, P. Malacaria","doi":"10.1109/CSF.2019.00036","DOIUrl":"https://doi.org/10.1109/CSF.2019.00036","url":null,"abstract":"This work explores the problem of designing a channel that leaks the least amount of information while respecting a set of operational constraints. This paper focuses on deterministic channels and deterministic solutions. This setting is relevant because most programs and many channel design problems are naturally modelled by deterministic channels. Moreover, the setting is also relevant when considering an attacker who can observe many outputs of an arbitrary channel while the secret input stays the same: when the number of observations is arbitrarily large, the channel of minimal leakage is deterministic. The deterministic channel design problem has different solutions depending on which leakage measure is chosen. The problem is shown to be NP-hard in general. However, for a particular class of constraints, called k-complete hypergraph constraints, a greedy algorithm is shown to provide the optimal solution for a wide class of leakage measures.","PeriodicalId":249093,"journal":{"name":"2019 IEEE 32nd Computer Security Foundations Symposium (CSF)","volume":"136 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-05-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133339077","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 3
Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation 超越完全抽象的旅程:探索安全编译的鲁棒属性保存
2019 IEEE 32nd Computer Security Foundations Symposium (CSF) Pub Date : 2018-07-12 DOI: 10.1109/CSF.2019.00025
Carmine Abate, Roberto Blanco, D. Garg, Catalin Hritcu, Marco Patrignani, J. Thibault
{"title":"Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation","authors":"Carmine Abate, Roberto Blanco, D. Garg, Catalin Hritcu, Marco Patrignani, J. Thibault","doi":"10.1109/CSF.2019.00025","DOIUrl":"https://doi.org/10.1109/CSF.2019.00025","url":null,"abstract":"Good programming languages provide helpful abstractions for writing secure code, but the security properties of the source language are generally not preserved when compiling a program and linking it with adversarial code in a low-level target language (e.g., a library or a legacy application). Linked target code that is compromised or malicious may, for instance, read and write the compiled program^{prime}s data and code, jump to arbitrary memory locations, or smash the stack, blatantly violating any source-level abstraction. By contrast, a fully abstract compilation chain protects source-level abstractions all the way down, ensuring that linked adversarial target code cannot observe more about the compiled program than what some linked source code could about the source program. However, while research in this area has so far focused on preserving observational equivalence, as needed for achieving full abstraction, there is a much larger space of security properties one can choose to preserve against linked adversarial code. And the precise class of security properties one chooses crucially impacts not only the supported security goals and the strength of the attacker model, but also the kind of protections a secure compilation chain has to introduce. We are the first to thoroughly explore a large space of formal secure compilation criteria based on robust property preservation, i.e., the preservation of properties satisfied against arbitrary adversarial contexts. We study robustly preserving various classes of trace properties such as safety, of hyperproperties such as noninterference, and of relational hyperproperties such as trace equivalence. This leads to many new secure compilation criteria, some of which are easier to practically achieve and prove than full abstraction, and some of which provide strictly stronger security guarantees. For each of the studied criteria we propose an equivalent \"property-free\" characterization that clarifies which proof techniques apply. For relational properties and hyperproperties, which relate the behaviors of multiple programs, our formal definitions of the property classes themselves are novel. We order our criteria by their relative strength and show several collapses and separation results. Finally, we adapt existing proof techniques to show that even the strongest of our secure compilation criteria, the robust preservation of all relational hyperproperties, is achievable for a simple translation from a statically typed to a dynamically typed language.","PeriodicalId":249093,"journal":{"name":"2019 IEEE 32nd Computer Security Foundations Symposium (CSF)","volume":"33 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-07-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129261873","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 52
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
相关产品
×
本文献相关产品
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:604180095
Book学术官方微信