Abstract
We demonstrate that a practical concurrent language can be extended in a natural way with information security mechanisms that provably enforce strong information security guarantees. We extend the X10 concurrent programming language with coarse-grained information-flow control. Central to X10's concurrency abstractions is the notion of a place: a container for data and computation. We associate a security level with each place, and restrict each place to store only data appropriate for that security level. When places interact only with other places at the same security level, our security mechanisms impose no restrictions. When places of differing security levels interact, our information security analysis prevents potentially dangerous information flows, including information flow through covert scheduling channels. The X10 concurrency mechanisms simplify reasoning about information flow in concurrent programs. We present a static analysis that enforces a noninterference-based extensional information security condition in a calculus that captures the key aspects of X10's place abstraction and async-finish parallelism. We extend this security analysis to support many of X10's language features, and have implemented a prototype compiler for the resulting language.
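The covert scheduling channel mentioned in the abstract, and the way a per-place security level shuts it off, are easier to see in a small model than in prose. The following is an added example written for this page; it is not code from the paper or from its prototype compiler, and it is in Python rather than X10 so that it runs stand-alone. Its place model, statement forms (`At` for X10's synchronous `at`, `Async` for `async`, a list of activities standing for one `finish`), the round-robin scheduler, and the checking rules are simplifications of my own, not the paper's calculus or type system. The two leaky programs and the safe one are constructed inline; in both leaks the final value of the low variable `l` equals the secret `h`, because the interleaving of the two activities' writes to `l` depends on how long the high-dependent busy loop runs.

```python
# Added example for this page (my own code, not from the paper or its
# prototype compiler): a toy model of X10-style places with security levels,
# a deterministic round-robin scheduler exhibiting an internal-timing leak,
# and a simplified coarse-grained check (rules are assumptions, not the paper's).
from collections import deque
from dataclasses import dataclass, field

LOW, HIGH = 0, 1                        # two-point security lattice
def flows_to(a, b): return a <= b       # LOW flows to HIGH, not the reverse

@dataclass
class Place:                            # container for data and computation
    name: str
    level: int
    store: dict = field(default_factory=dict)

@dataclass
class Const: value: int
@dataclass
class Read:  var: str                   # read a variable of the current place
@dataclass
class Write: var: str; expr: object     # write a variable of the current place
@dataclass
class Spin:  expr: object; steps: int   # busy-wait `steps` turns if expr != 0
@dataclass
class At:    place: Place; body: list   # synchronous place shift (X10 `at`)
@dataclass
class Async: place: Place; body: list   # spawn an activity at a place

low, high = Place("low", LOW), Place("high", HIGH)

def evaluate(e, place):
    if isinstance(e, Const): return e.value
    return place.store[e.var]           # Read: only the current place's data

def execute(stmts, place):
    """Generator running stmts at place; yields once per scheduler step."""
    for s in stmts:
        if isinstance(s, Write):
            place.store[s.var] = evaluate(s.expr, place)
            yield
        elif isinstance(s, Spin):
            for _ in range(s.steps if evaluate(s.expr, place) else 1):
                yield
        elif isinstance(s, At):
            yield from execute(s.body, s.place)   # caller waits for the body
        else:
            raise TypeError(s)

def run(activities, h):
    """Round-robin scheduler for finish { async ...; async ... } with secret h
    at the high place; returns the final low-place value l (observable)."""
    low.store.clear(); high.store.clear(); high.store["h"] = h
    queue = deque(execute(a.body, a.place) for a in activities)
    while queue:
        g = queue.popleft()
        try:
            next(g); queue.append(g)    # one step, then back of the queue
        except StopIteration:
            pass                        # activity finished
    return low.store.get("l")

class SecurityError(Exception): pass

def check(stmts, place, pc):
    """pc: the level the activity's progress may already depend on. Rules are
    mine, not the paper's: a write needs pc <= level(place); at/async to q
    needs pc <= level(q), so q's scheduling never depends on higher data;
    after a synchronous at q the pc rises to level(q) (the caller waited)."""
    for s in stmts:
        if isinstance(s, Write) and not flows_to(pc, place.level):
            raise SecurityError(f"write at {place.name} with pc {pc}")
        if isinstance(s, (At, Async)):
            if not flows_to(pc, s.place.level):
                raise SecurityError(f"{type(s).__name__} {s.place.name} with pc {pc}")
            check(s.body, s.place, max(pc, s.place.level))
            if isinstance(s, At):
                pc = max(pc, s.place.level)

def accepted(activities):
    try:
        check(activities, low, LOW)     # the main activity runs at the low place
        return True
    except SecurityError:
        return False

# Constructed programs: in both leaks the final l equals h (see run()).
def leak_via_async():                   # high activity shifts into low: rejected
    return [Async(high, [Spin(Read("h"), 3), At(low, [Write("l", Const(1))])]),
            Async(low, [Spin(Const(1), 1), Write("l", Const(0))])]
def leak_via_at():                      # low activity waits on high, then writes low
    return [Async(low, [At(high, [Spin(Read("h"), 3)]), Write("l", Const(1))]),
            Async(low, [Spin(Const(1), 1), Write("l", Const(0))])]
def safe():                             # high computation never touches low
    return [Async(high, [Spin(Read("h"), 3), Write("hout", Const(1))]),
            Async(low, [Spin(Const(1), 1), Write("l", Const(0))])]
```

`run(leak_via_async(), h)` and `run(leak_via_at(), h)` both return `h`, while `accepted()` rejects each program at the single cross-level interaction (the `at(low)` issued from high computation, or the low write whose timing depends on a completed `at(high)`); `safe()` is accepted and yields `l == 0` for either secret. The check never inspects reads or writes within a place, which is the coarse-grained point: data and computation at one place share a level, so only `at` and `async` between places of different levels need attention. The model does not cover the continuation after a `finish` (whose termination can also depend on high activities) or X10's other features; the paper's analysis is the reference for those.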
Published in OOPSLA '12: Proceedings of the ACM international conference on Object oriented programming systems languages and applications.