research-article

Towards a practical secure concurrent language

Published: 19 October 2012

Abstract

We demonstrate that a practical concurrent language can be extended in a natural way with information security mechanisms that provably enforce strong information security guarantees. We extend the X10 concurrent programming language with coarse-grained information-flow control. Central to X10's concurrency abstractions is the notion of a place: a container for data and computation. We associate a security level with each place, and restrict each place to store only data appropriate for that security level. When places interact only with other places at the same security level, our security mechanisms impose no restrictions. When places of differing security levels interact, our information security analysis prevents potentially dangerous information flows, including information flow through covert scheduling channels. The X10 concurrency mechanisms simplify reasoning about information flow in concurrent programs. We present a static analysis that enforces a noninterference-based extensional information security condition in a calculus that captures the key aspects of X10's place abstraction and async-finish parallelism. We extend this security analysis to support many of X10's language features, and have implemented a prototype compiler for the resulting language.
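As an added example (not code from the paper or its prototype compiler), the following Python sketch models the kind of check the abstract describes: each place carries a fixed security level, a place may only read and store data at or below its level, control may only move to a place whose level is at least that of the decisions taken so far, and an `async` spawned under a high decision is rejected when the `finish` that must wait for it runs at a low place. The rules, the toy syntax (`Var`, `Const`, `BinOp`, `Assign`, `If`, `At`, `Async`, `Finish`), the two-point lattice and the two-place programs are this example's own simplifications, not the paper's calculus or its type rules; X10's real `at`/`async`/`finish` semantics and the paper's noninterference result are considerably richer.

```python
"""Illustrative static checker for place-labelled information flow.

Constructed for this page; not the paper's calculus, type system or
compiler. Programs use X10-style places, `at`, `async` and `finish`;
every place has a fixed security level, and the checker rejects programs
in which high data or high control could reach a low place, including
through which activities a low place's `finish` has to wait for.
Timing of synchronous code is out of scope here.
"""
from collections import namedtuple

LOW, HIGH = 0, 1  # two-point lattice: LOW may flow to HIGH, never back

# Expressions. A Var is stored at exactly one place.
Var = namedtuple("Var", "name place")
Const = namedtuple("Const", "value")
BinOp = namedtuple("BinOp", "left right")
# Statements, modelled on X10: at (place) {..}, async {..}, finish {..}.
Assign = namedtuple("Assign", "target expr")    # executed at the current place
If = namedtuple("If", "cond then orelse")
At = namedtuple("At", "place body")             # run body at another place
Async = namedtuple("Async", "body")             # spawn an activity here
Finish = namedtuple("Finish", "body")           # wait for activities spawned in body


class FlowError(Exception):
    pass


class PlaceChecker:
    def __init__(self, place_levels):
        self.levels = place_levels  # place name -> LOW or HIGH

    def expr_level(self, e, here):
        """A place may only read data whose level is at most its own."""
        if isinstance(e, Const):
            return LOW
        if isinstance(e, Var):
            lvl = self.levels[e.place]
            if lvl > self.levels[here]:
                raise FlowError(f"{e.name}@{e.place} read from lower place {here}")
            return lvl
        return max(self.expr_level(e.left, here), self.expr_level(e.right, here))

    def check(self, stmts, here, pc, finish_lvl):
        """pc: level of the control decisions that led here.
        finish_lvl: level of the place whose `finish` waits for activities
        spawned here (LOW at top level: program termination is public)."""
        for s in stmts:
            if isinstance(s, Assign):
                if s.target.place != here:
                    raise FlowError(f"{s.target.name} lives at {s.target.place}, written from {here}")
                if max(pc, self.expr_level(s.expr, here)) > self.levels[here]:
                    raise FlowError(f"high value or control stored at low place {here}")
            elif isinstance(s, If):
                pc2 = max(pc, self.expr_level(s.cond, here))
                self.check(s.then, here, pc2, finish_lvl)
                self.check(s.orelse, here, pc2, finish_lvl)
            elif isinstance(s, At):
                if pc > self.levels[s.place]:  # whether we arrive at all would leak
                    raise FlowError(f"control at level {pc} moves to place {s.place}")
                self.check(s.body, s.place, pc, finish_lvl)
            elif isinstance(s, Async):
                if pc > finish_lvl:  # a low finish would wait on a secret-dependent activity
                    raise FlowError("async spawned under high control inside a low finish")
                self.check(s.body, here, pc, finish_lvl)
            elif isinstance(s, Finish):
                self.check(s.body, here, pc, self.levels[here])
            else:
                raise TypeError(f"unknown statement {s!r}")

    def accepts(self, prog, start):
        try:
            self.check(prog, start, LOW, LOW)
            return True
        except FlowError:
            return False


# Constructed sample programs over two places, L (low) and H (high).
LEVELS = {"L": LOW, "H": HIGH}
secret, pub, tmp = Var("secret", "H"), Var("pub", "L"), Var("tmp", "H")
OK_PROG = [At("H", [Assign(tmp, BinOp(secret, Const(1)))]), Assign(pub, Const(0))]
LEAK_EXPLICIT = [Assign(pub, secret)]            # high value read at L
LEAK_IMPLICIT = [At("H", [If(secret, [At("L", [Assign(pub, Const(1))])], [])])]
LEAK_SCHED = [Finish([At("H", [If(secret, [Async([Assign(tmp, Const(1))])], [])])])]
OK_SCHED = [At("H", [Finish([If(secret, [Async([Assign(tmp, Const(1))])], [])])])]

if __name__ == "__main__":
    chk = PlaceChecker(LEVELS)
    for name in ("OK_PROG", "LEAK_EXPLICIT", "LEAK_IMPLICIT", "LEAK_SCHED", "OK_SCHED"):
        print(name, "accepted" if chk.accepts(globals()[name], "L") else "rejected")
```

Running it reports which of the five constructed programs are accepted. The scheduling-channel case is the one worth studying: in `LEAK_SCHED` the low place's `finish` waits on an activity that exists only when `secret` is true, so its completion leaks a bit even though no high value is ever stored at L; moving the `finish` to the high place (`OK_SCHED`) removes the low observer and the program is accepted. The check is deliberately coarse: it labels whole places rather than individual variables, which is what lets it stay silent whenever places of a single level interact only among themselves.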


Published in

ACM SIGPLAN Notices, Volume 47, Issue 10 (OOPSLA '12), October 2012, 1011 pages. ISSN: 0362-1340, EISSN: 1558-1160, DOI: 10.1145/2398857

OOPSLA '12: Proceedings of the ACM international conference on Object oriented programming systems languages and applications, October 2012, 1052 pages. ISBN: 9781450315616, DOI: 10.1145/2384616

Copyright © 2012 ACM

Publisher: Association for Computing Machinery, New York, NY, United States
