Abstract
The Windows Vista operating system implements an interesting model of multi-level integrity. We observe that in this model, trusted code must participate in any information-flow attack. Thus, it is possible to eliminate such attacks by statically restricting trusted code. We formalize this model by designing a type system that can efficiently enforce data-flow integrity on Windows Vista. Typechecking guarantees that objects whose contents are statically trusted never contain untrusted values, regardless of what untrusted code runs in the environment. Some of Windows Vista's runtime access checks are necessary for soundness; others are redundant and can be optimized away.
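To make the abstract's observation concrete, here is a small Python model added to this page (it is not code from the paper or its authors): a store that enforces Windows Vista's runtime no-write-up rule, plus a static checker for a tiny trusted-code language that rejects writes of untrusted values into trusted objects. The level constants, the `Read`/`Const`/`Write` expression language and the `config`/`download` objects are constructed for the example.

```python
"""Toy model of Vista-style integrity levels with a static integrity typecheck.

Added illustration, not the paper's calculus: the names, the expression
language and the level values below are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List


# Integrity levels in the style of Windows Vista's Mandatory Integrity Control;
# a larger number means more trusted (assumed ordering for this model).
LOW, MEDIUM, HIGH = 0, 1, 2


class AccessDenied(Exception):
    """Runtime no-write-up check failed (the check the OS performs)."""


class IntegrityTypeError(Exception):
    """Static check failed: an untrusted value would reach a trusted object."""


@dataclass(frozen=True)
class Read:          # read the current value of a named object
    name: str


@dataclass(frozen=True)
class Const:         # a literal produced by the running process itself
    value: object


@dataclass(frozen=True)
class Write:         # store the value of an expression into a named object
    name: str
    expr: object     # a Read or a Const


class Store:
    """Objects labelled with an integrity level; enforces no-write-up at runtime."""

    def __init__(self, levels: Dict[str, int]):
        self.levels = dict(levels)
        self.values: Dict[str, object] = {n: None for n in levels}

    def read(self, proc_level: int, name: str) -> object:
        # Reads are unrestricted in this model ("read down" is allowed), which
        # is the default Vista behaviour for files; the level is unused here.
        return self.values[name]

    def write(self, proc_level: int, name: str, value: object) -> None:
        # No-write-up: a process may only write objects at or below its level.
        if proc_level < self.levels[name]:
            raise AccessDenied(f"level {proc_level} process cannot write {name!r}")
        self.values[name] = value


def level_of(expr, levels: Dict[str, int], proc_level: int) -> int:
    """Static integrity label of an expression."""
    if isinstance(expr, Read):
        return levels[expr.name]      # data is only as trusted as its source
    if isinstance(expr, Const):
        return proc_level             # produced by the process itself
    raise TypeError(expr)


def typecheck(prog: List[Write], levels: Dict[str, int], proc_level: int) -> None:
    """Reject any write whose value is less trusted than the target object."""
    for stmt in prog:
        target = levels[stmt.name]
        if proc_level < target:
            # The runtime no-write-up check would deny this anyway; once trusted
            # code is typechecked, that runtime check is redundant for it.
            raise IntegrityTypeError(f"process level {proc_level} < {stmt.name!r}")
        if level_of(stmt.expr, levels, proc_level) < target:
            raise IntegrityTypeError(f"untrusted value flows into {stmt.name!r}")


def is_well_typed(prog: List[Write], levels: Dict[str, int], proc_level: int) -> bool:
    try:
        typecheck(prog, levels, proc_level)
        return True
    except IntegrityTypeError:
        return False


def run(prog: List[Write], store: Store, proc_level: int) -> bool:
    """Execute with the runtime checks only; True if every write was allowed."""
    try:
        for stmt in prog:
            if isinstance(stmt.expr, Read):
                value = store.read(proc_level, stmt.expr.name)
            else:
                value = stmt.expr.value
            store.write(proc_level, stmt.name, value)
        return True
    except AccessDenied:
        return False


# Constructed scenario: a trusted configuration object and an untrusted download.
LEVELS = {"config": HIGH, "download": LOW}

# 1. Untrusted code writing up: stopped by the runtime check alone.
UNTRUSTED_ATTACK = [Write("config", Const("evil"))]
# 2. Trusted code copying untrusted data into a trusted object: passes the
#    runtime check (a HIGH process writing a HIGH object), so only the static
#    check catches it. This is the "trusted code must participate" case.
TRUSTED_LAUNDER = [Write("config", Read("download"))]
# 3. Trusted code writing its own value: accepted by both.
TRUSTED_OK = [Write("config", Const("verified"))]

if __name__ == "__main__":
    for label, prog, lvl in [("untrusted attack", UNTRUSTED_ATTACK, LOW),
                             ("trusted launder", TRUSTED_LAUNDER, HIGH),
                             ("trusted ok", TRUSTED_OK, HIGH)]:
        print(f"{label:16} runtime allows={run(prog, Store(LEVELS), lvl)} "
              f"static accepts={is_well_typed(prog, LEVELS, lvl)}")
```

Running it shows the split the abstract describes: the low-integrity process's write to `config` is denied at runtime, so untrusted code alone cannot carry out the attack; the high-integrity process's copy of `download` into `config` is allowed at runtime but rejected by the static check, because the value's label is LOW. The `proc_level < target` test inside `typecheck` also subsumes the runtime no-write-up check for code that has been typechecked, which is the sense in which some runtime checks become redundant in this model.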
A type system for data-flow integrity on Windows Vista
PLAS '08: Proceedings of the third ACM SIGPLAN workshop on Programming languages and analysis for security