A type system for data-flow integrity on Windows Vista

Published: 28 February 2009

Abstract

The Windows Vista operating system implements an interesting model of multi-level integrity. We observe that in this model, trusted code must participate in any information-flow attack. Thus, it is possible to eliminate such attacks by statically restricting trusted code. We formalize this model by designing a type system that can efficiently enforce data-flow integrity on Windows Vista. Typechecking guarantees that objects whose contents are statically trusted never contain untrusted values, regardless of what untrusted code runs in the environment. Some of Windows Vista's runtime access checks are necessary for soundness; others are redundant and can be optimized away.
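The abstract's central observation, that untrusted code is stopped by the runtime no-write-up check while trusted code can still carry an untrusted value into a trusted object, can be made concrete with a small simulation. The following is an added illustration, not the paper's formal calculus or any Windows code: it uses a constructed two-point integrity lattice, a toy object store, a Vista-style runtime write check, and a simple label-propagating static check standing in for the paper's type system. All names (`Obj`, `runtime_write`, `typecheck`, `LAUNDER`) and the sample objects are assumptions of this example.

```python
"""Toy model of the integrity discipline sketched in the abstract (constructed example)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class Level(IntEnum):
    """Two-point integrity lattice. Windows Vista has more levels (Low/Medium/High/System);
    two are enough to show the flow the abstract describes."""
    UNTRUSTED = 0
    TRUSTED = 1


@dataclass
class Obj:
    name: str
    level: Level                   # static integrity label of the object
    value: str = ""
    taint: Level = Level.TRUSTED   # provenance of the current contents (ground truth for the demo)


class IntegrityViolation(Exception):
    pass


def runtime_write(proc_level: Level, obj: Obj, value: str, taint: Level) -> None:
    """Vista-style runtime check on writes (no-write-up): a process may write an object only
    if the object's label is at or below the process's label."""
    if obj.level > proc_level:
        raise IntegrityViolation(f"{proc_level.name} process may not write {obj.name}")
    obj.value, obj.taint = value, taint


def runtime_read(proc_level: Level, obj: Obj) -> Tuple[str, Level]:
    """Reads are not restricted by integrity level (no read-down check), so a trusted process
    can pick up untrusted values. This is why trusted code must take part in any attack."""
    return obj.value, obj.taint


# A program is a list of instructions: ("read", var, obj) or ("write", var, obj).
Program = List[Tuple[str, str, str]]


def typecheck(program: Program, env: Dict[str, Level]) -> bool:
    """Static check standing in for the type system: a variable's label is the meet (minimum)
    of the labels of the objects it was read from; writing it into an object requires
    var_label >= object_label. Rejects trusted code that would launder untrusted data."""
    var_label: Dict[str, Level] = {}
    for op, var, obj in program:
        if op == "read":
            var_label[var] = min(var_label.get(var, Level.TRUSTED), env[obj])
        elif op == "write":
            if var not in var_label or var_label[var] < env[obj]:
                return False
        else:
            raise ValueError(op)
    return True


def run(program: Program, proc_level: Level, store: Dict[str, Obj]) -> None:
    """Execute a program as a process at proc_level, with the runtime checks applied."""
    regs: Dict[str, Tuple[str, Level]] = {}
    for op, var, obj in program:
        if op == "read":
            regs[var] = runtime_read(proc_level, store[obj])
        else:
            value, taint = regs[var]
            runtime_write(proc_level, store[obj], value, taint)


def make_store() -> Dict[str, Obj]:
    # Constructed sample objects: a trusted configuration object and an untrusted download.
    return {
        "config": Obj("config", Level.TRUSTED, "safe", Level.TRUSTED),
        "download": Obj("download", Level.UNTRUSTED, "evil", Level.UNTRUSTED),
    }


ENV = {"config": Level.TRUSTED, "download": Level.UNTRUSTED}
LAUNDER: Program = [("read", "x", "download"), ("write", "x", "config")]


def untrusted_direct_write_blocked() -> bool:
    """Untrusted process writes the trusted object directly: the runtime check stops it."""
    store = make_store()
    try:
        run(LAUNDER, Level.UNTRUSTED, store)
    except IntegrityViolation:
        return store["config"].taint == Level.TRUSTED
    return False


def trusted_launder_passes_runtime() -> Level:
    """Same program run by a trusted process: runtime checks allow it and the trusted
    object ends up holding an untrusted value. Only static restriction of trusted code prevents this."""
    store = make_store()
    run(LAUNDER, Level.TRUSTED, store)
    return store["config"].taint


def typecheck_results() -> Tuple[bool, bool]:
    """The laundering program is rejected; a program that keeps labels separate is accepted."""
    safe: Program = [("read", "x", "config"), ("write", "x", "config"),
                     ("read", "y", "download"), ("write", "y", "download")]
    return typecheck(LAUNDER, ENV), typecheck(safe, ENV)
```

In this toy, `runtime_write` never fires for a trusted process that passes `typecheck`, while it is the only thing stopping the untrusted process; that split mirrors the abstract's remark that some of Vista's runtime checks are needed for soundness and others become redundant once trusted code is typechecked.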
