
PDF Principles of Security - TRƯỜNG ĐẠI HỌC BÁCH KHOA HÀ NỘI

Nguyễn Gia Hào

Academic year: 2023


Full text

Justin Hsu, University of Pennsylvania, USA; Michael Huth, Imperial College London, United Kingdom; Heiko Mantel, TU Darmstadt, Germany; Fabio Martinelli, IIT-CNR, Italy; Probst, Unitec Institute of Technology, New Zealand; Peter Ryan, University of Luxembourg, Luxembourg; Andrei Sabelfeld, Chalmers University of Technology, Sweden; David Sands, Chalmers University of Technology, Sweden; Carsten Schürmann, IT University of Copenhagen, Denmark; Alwen Tiu, The Australian National University, Australia; Mingsheng Ying, University of Technology, Sydney, Australia.

Control Runtime Systems

1 Introduction

We then design a new dynamic parallel language-level IFC runtime system called LIOPAR, which extends LIO to the parallel setting by changing how shared runtime system resources—namely, CPU time and memory—are managed. To our knowledge, LIOPAR is the first parallel language-level dynamic IFC runtime system that addresses both internal and external timing attacks that abuse the runtime system scheduler, memory allocator, and GC.

2 Internal Manifestation of External Attacks

Overview of the Concurrent LIO Information Flow Control System

Similarly, LIO prevents threads from measuring memory usage directly (LIO does not expose APIs for querying heap statistics) and indirectly, through garbage collection cycles, e.g. those caused by secret threads [46]: GHC's stop-the-world GC stops all threads. Like other IFC systems, the security guarantees of LIO are weaker in practice because its formal model does not consider the GC and assumes that memory is infinite [54,55].

External Timing Attacks to Runtime Systems

Internalizing External Timing Attacks

Secret LIO threads can also leak by forking many secret threads on the core they share with public threads: this reduces the CPU time available to the public threads. In particular, GHC's approach to reclaiming memory via a stop-the-world GC stops all threads on all cores at the same time, so the relative write rate of public threads remains constant.

3 Secure, Parallel Runtime System

If secret = false, the secret thread s0 loops and the public thread p0 shares the CPU time on core c0 with it. Trust model. This work addresses attacks that abuse runtime system resource management, specifically memory and CPU time.

4 Hierarchical Calculus

Core Scheduler

We now present the core scheduler and describe the top-level parallel scheduler in Section 4.3. Using these mappings, the core scheduler ensures that thread n: (i) executes B(n) consecutive steps before the next thread takes over, (ii) does not grow its heap beyond the maximum heap size H(n), and (iii) has exclusive access to the free core capabilities θ(n).

Fig. 3. Concurrent LIO PAR .

Resource Reclamation and Observations

In this case, the core scheduler checks that the parent thread owns the core on which the child is scheduled as well as the core capabilities assigned to the child, i.e. θ(n) = {k} ∪ K1 ∪ K2 for some set K2, and informs the parallel scheduler with the event spawn(Δ, n, t, K1). Finally, in rule [ContextSwitch], all threads scheduled in the core queue Q[n0] have consumed their time budget, and the core scheduler resets their remaining budget using the budget map Σ.B.

Fig. 4. LIO PAR with resource reclamation and observation primitives.

Parallel Scheduler

Then, it collects all concurrent events generated by the κ threads along with their thread ids, sorts the events by type, i.e. sort [(n1, e1), ..., (nκ, eκ)], and computes the updated configuration by processing the events in order. In particular, new threads are first created (events spawn(·) and fork(·)) and then killed (event kill(·)); the order between events of the same type is arbitrary and is assumed to be fixed. The scheduler leaves the global state unchanged if the parent thread has already been killed by the time this event is handled, that is, when the guard n ∈ Dom(T) is true, because the child's resources will have been reclaimed by another ancestor.

5 Security Guarantees

Erasure Function

Thus, we cannot associate the sensitivity of a thread's resources with its program counter label when resources are managed hierarchically, as in LIOPAR. Instead, we associate the security level of the resources in a secret thread with the sensitivity of its parent: the resources in a secret thread are public information when the program counter label of the parent is public and secret information otherwise.

Timing-Sensitive Non-interference

More formally, if the queue contains no thread n ∈ P, then the function replaces the queue entirely with the running thread and returns the threads' remaining budgets, i.e., εL(Q) = ◦ B if ni ∈ P and B = . The interesting case is the subtree n1bH1 n2bH2, which reassigns the budget of the child (the right leaf n2bH2) to the parent (the left leaf n1bH1) by rewriting the subtree into n1Hb1+b2.

6 Limitations

Software model. Because resource management is explicit, building applications on LIOPAR presents new challenges: the programmer must explicitly choose resource limits for each thread. Like concurrent LIO [54], LIOPAR relies on fork to handle label creep rather than Labeled, since the latter exposes the termination covert channel [54].

7 Related Work

Our approach to hierarchical resource management is not unique; other countermeasures to external timing channels have also been studied. Askarov et al. [2] mitigate external timing channels using predictive black-box mitigation, which delays events and thus bounds information leakage.

8 Conclusion

However, unlike Fabric and DStar, LIOPAR addresses both internal and external timing channels that result from running code in parallel. We find these techniques largely orthogonal: they can be used in conjunction with our techniques to mitigate timing channels that we do not eliminate.

Buiras, P., Vytiniotis, D., Russo, A.: HLIO: mixing static and dynamic typing for information flow control in Haskell.
Stefan, D., Russo, A., Mazières, D., Mitchell, J.C.: Flexible dynamic control of information flows in the presence of exceptions.

Security via Bucketing

A counterexample showing that bucketing alone is insufficient for security against adaptive side-channel attacks. We also show that bucketing is generally insufficient to guarantee system security against adaptive side-channel attacks.

2 Security Against Adaptive Side-Channel Attacks

Insufficiency of Bucketing

We have shown that bucketing is generally not sufficient to ensure the security of systems against adaptive side-channel attacks. Note that such a side channel is easily realized as a timing channel, for example by a branch with the condition "s[v] = 0".

3 Sufficient Conditions for Security Against Adaptive Side-Channel Attacks

Secret-Restricted Side-Channel Refinement Condition

Roughly speaking, regular-channel security says that the system is secure against attacks that only observe the regular channel output. Second, the statement of Theorem 1 says that when the regular channel of a system is (f, )-secure for certain subsets of secrets, then the entire system is (f, )-secure under certain conditions.

Low-Input Side-Channel Non-Interference Condition

Condition (2) states that the side-channel outputs are independent of low inputs (i.e., attacker-controlled inputs). Also, (3) is satisfied due to property (c) above (i.e., the side channel is non-interfering for the subset).

Fig. 2. Fast modular exponentiation

Combining Bucketing and Constant-Time Implementation Compositionally

Note that the side channel outputs the sum of the high input and the low input. That is, the side channel of the composed system is non-interfering (with respect to high inputs) for the subset S.

4 Related Work

5 Conclusion and Future Work

This work presents DepSec, a dependently typed library inspired by MAC, for static information flow control in Idris. In this article, we introduced DepSec, a library for statically enforced information flow control in Idris.

Fig. 1. Type signature of the core DepSec API.

Furthermore, the fact that checked and legacy pointers can be mixed in the same module eases the porting process, including porting via automated tools. Unlike previous safe-C efforts, Checked C explicitly distinguishes the parts of the program that are fully safe from those that may not be. So-called checked regions differ from unchecked regions in that they can only use checked pointers.

2 Overview of Checked C

A checked array of τ implicitly converts to an array_ptr<τ> when it is accessed. Accessing a ptr<τ> requires a null check, while accessing an array_ptr<τ> requires both null and bounds checks.

3 Formalism: CoreChkC

Syntax

Checked C allows normal C functions, such as those in an existing library, to be given an interface type. By doing this, the same function can be called from an unchecked region (with either checked or unchecked types) or from a checked region (where it will always have the checked type).

Fig. 2. CoreChkC Syntax

Semantics

As such, when n1 is a non-zero checked array pointer and n2 is an int, the result n3 is a checked pointer. The last two rules capture an attempt to construct a checked pointer from a null pointer via field access or pointer arithmetic.

Fig. 4. Operational semantics

Typing

It ensures that checked pointers of type ptr^c ω are heap-consistent by recursively confirming that the memory pointed to in the heap has types consistent with ω. The T-Malloc rule produces checked pointers as long as the pointed-to type ω is not of zero size, i.e. is not array 0 τ.

Fig. 5. Typing

4 Checked Code Cannot Be Blamed

Progress and Preservation

After applying rule T-PtrC, we used the fact that n : ptr^c struct node ∈ σ to prove that the next field of the struct is well-typed. While the proof of the latter fact relies on n : ptr^c struct node being in the scope, this would not be necessary if we (independently) knew that it was well-typed.

Blame

Conversely, the second lemma, scope strengthening, allows us to remove a literal from a scope if the literal is well-typed in an empty context. Informally, if the fact that n2 : τ2 is in the scope is used in the proof that n1 : τ1 is well-typed, in order to prove that n2 : τ2 is well-typed under some scope σ, then we can instead use the proof that it is well-typed in an empty scope, together with weakening, to reach the same conclusion.

5 Porting Assistance

  • Constraint Logic and Solving
  • Algorithm
  • Resolving Conflicts
  • Experimental Evaluation

Casts introduce implication constraints based on the ratio of the sizes of the two types. No imbalance: in this case, the rewriting is done based on the value of the constraint variable in the solution of the unification.

Table 1. Number of pointer declarations converted through automated porting (columns: Program, # of *, % Ptr, Arr)

6 Related Work

In that setting, parts of a program written in a dynamically typed language can be annotated with static types. For Checked C, legacy C plays the role of the dynamically typed language, and checked regions play the role of the statically typed parts.

7 Conclusions and Future Work

The trace of a computation records the order and nesting structure of the outputs of the as_sec expressions executed jointly; the result of a computation together with its trace is its observable behavior. The function returns a boolean r that is true if the concrete value (v_of_sh) of s differs from the concrete values of all elements of the list l.

Fig. 1. Architecture of a Wys* deployment

Document Processing

In what follows, we define similarity in terms of the classic Earth Mover's distance used in machine learning for topic classification in text document processing. We explain how to combine this with d_X-privacy, which extends privacy for databases to other unstructured domains (such as texts). In Section 2, we outline the details of the bag-of-words representation of documents and define the Earth Mover's metric for topic classification.

2 Documents, Topic Classification and Earth Moving

Word Embeddings

In the special case that |X| = |Y|, the solution is known to satisfy the conditions of a (pseudo)metric [43], which we call the Earth Mover's metric. In this paper we are interested in the special case |X| = |Y|, so we use the term Earth Mover's metric to refer to EdS.

3 Differential Privacy and the Earth Mover’s Metric

Application to Text Documents Recall the bag-of-words

In the latter case, this means that the K outputs on b1 and b2 are almost indistinguishable. The parameter depends on the randomness implemented in the underlying mechanism K; we explore this in more detail in Section 4.

Properties of Earth Mover’s Privacy

In Fig. 2, the probability density function Lap_2(v) illustrates this situation: the highest relative probability of a randomly selected point on the plane is close to the origin, and the chance of selecting more distant points decreases rapidly. Let z, y ∈ R^n. We must show that, for any (measurable) set A ⊆ R^n, (15) holds. (15) follows, however, provided that the probability densities for K(z) and K(y), respectively, satisfy it.

Fig. 2. Laplace density function Lap_2 in R^2

Utility Bounds

The result follows by completing the multiple integrals and applying some approximations, noting that the integration variables are vector-valued. We note that in our application, word embeddings typically map to vectors in R^300, so we would use n ≈ 300 in Theorem 3.

5 Text Document Privacy

However, if E·(Vec(b), Vec(b′)) is very large, meaning that b and b′ are on completely different topics, then it should be so small that the noisy output document would be very unlikely to be on a topic remotely close to that of b (recall Lemma 3). More recent author attribution algorithms represent words as "character n-grams" [28], which have been found to capture stylistic clues such as systematic spelling errors.

6 Experimental Results

Number of correct author/topic predictions in the 20-author set (left) and 50-author set (right), using 1-NN for same-representation author identification (SRauth), 5-NN for same-representation topic classification (SRtopic), Koppel's algorithm for different-representation author identification (DRauth), and fastText for different-representation topic classification (DRtopic). For different privacy levels, with our different-representation inference mechanisms, we see broadly the behavior we expected: the performance of author identification decreases, while topic classification remains roughly constant.

8 Conclusions


Bounding Protocols

We will assume that malicious nodes cooperate, but again messages cannot travel (even between malicious nodes) faster than the speed of light. To show that these statements are truly unnecessary requires substantial changes to the completeness proof of the original procedure.

2 Background

Distance Bounding Protocols

Our contributions. We devise a new procedure for checking reachability properties of protocols written in the calculus, which has many similarities to the one introduced in [19] and gives us a way to faithfully model distance bounding protocols. We first model the protocols (see Section 3) and then translate them into Horn clauses (see Section 4).

Attacks on Distance Bounding Protocols

The verifier then sends a nonce m and begins the fast phase, during which it sends a challenge to the prover. The protocol completes successfully if the response provided by the prover is correct and arrives within a predetermined threshold.

Symbolic Security Analysis

3 A Security Model Dealing with Time and Location

Term Algebra

Given a set U of equations between terms, a unifier (modulo a rewriting system R) is a substitution σ such that sσ↓ = s′σ↓ for every equation s = s′ in U. A set S of unifiers is said to be complete for U if, for any unifier σ, there exist θ ∈ S and τ such that σ = τ ∘ θ.

Timing Constraints

Furthermore, this finite variant property implies the existence of a finite and complete set of unifiers and gives us a way to compute it efficiently. In practice, our tool (see Section 7) will only be able to consider simple linear timing constraints.

Process Algebra

When modeling distance bounding protocols, we will usually consider a timing constraint of the form z2 − z1 < t with z1, z2 ∈ Z and t ∈ R+. A more realistic configuration would include other instances of the prover and verifier roles and would likely give more knowledge to the attacker.

4 Modelling Using Horn Clauses

Preliminaries

We consider symbolic runs, which are finite sequences of pairs with possibly one variable, usually occurring at their end. More formally, given a configuration (T; Φ; t), its timeless counterpart is (T; φ), where φ is the timeless counterpart of Φ, i.e.

Seed Statements

To define our set of seed statements, we need to fix some naming conventions. When we compute seed statements, we compute complete sets of unifiers and complete sets of variants modulo R.

Soundness and Completeness

Statement f1 states that the trace is executable (in the relaxed semantics) once we can deduce the two terms requested as input, and f2 says that the attacker knows the term u once T0 is executed. Moreover, we can assume that the proof tree witnessing these facts is uniform and corresponds to the execution of R1.

5 Saturation

Saturation Procedure

During saturation, the statement obtained by resolution is given to an update function that decides whether or not to add it to the knowledge base (possibly after some transformations). To address this issue, we modified the canonical rule, as well as the update function, to allow more deductions to be added to the knowledge base.

Completeness

Given a set S of statements, the initial knowledge base associated with S, denoted Kinit(S), is defined to be the empty knowledge base updated by the set S, i.e. The hard part is when the statement obtained by resolution is not added directly to the knowledge base.

6 Algorithm

Description

In fact, all the formulas we encounter in our case studies are quite simple: they are expressed by constraints of the form z − z′ ≤ t, and we therefore rely on the well-known Floyd-Warshall algorithm to solve them. When necessary, we can rely on the simplex algorithm to solve more general linear constraints.

Termination Issues

This function computes a formula that represents all the timing constraints that must be met for the trace to be executable in our timed model. This can be achieved using a simple backward search, which terminates because Kon contains only solved statements that are well formed.

Correctness of Our Algorithm

7 Implementation and Case Studies

Integration in Akiss

Case Studies

The properties of the resulting commitment scheme depend on the security of the underlying Σ-protocol.

2 Formalisation Overview

Outline of Formalisation

Sections 5 and 7 show how we instantiate these abstract frameworks for the Schnorr and Pedersen protocols. We show how to link the two in Section 8 and how to construct a commitment scheme from the Schnorr Σ-protocol.

Instantiating the Abstract Frameworks

Asymptotic Security

3 CryptHOL and Isabelle Background

Isabelle Notation

CryptHOL

For example, we must ensure that the adversary in the hiding game (Fig. 6) outputs two valid messages so that the game can continue. Returning to our hiding game example: if the adversary does not output two valid messages, the assertion fails and the ELSE branch is taken, so the adversary does not win the hiding game.

4 Formalising Σ-Protocols

Definition of Σ -protocols

In the honest verifier zero-knowledge property, the real view is a probabilistic program that defines the transcript of a real protocol execution. Both the special soundness game and the definition of the real view are shown in Fig. 2.

5 Formalising the Schnorr Σ-Protocol

The Schnorr Σ-protocol

The probabilistic program defining the simulator, together with the expanded definition of the real view, is given in Fig. 5. In the definitions given in Fig. 5, the number of random samples in each view is different.

Fig. 4. The adversary used to prove special soundness for the Schnorr Σ-protocol. Note the output is equivalent to (z − z′)/(e − e′)

6 Formalising Commitment Schemes

Properties of Commitment Schemes

The hiding advantage is the probability that an adversary wins the hiding game. Analogously to the hiding and binding properties, we use the correctness game to define correctness.

7 The Pedersen Commitment Scheme

Formal Proofs for the Pedersen Protocol

Applying the one-time pad lemma shows that the value given to the adversary is independent of m_b. We first define the adversary's task and then the advantage associated with the adversary.

8 Using Σ-Protocols to Construct Commitment Schemes

Figures

Fig. 1. In this attack three threads run in parallel, colluding to leak secret secret
Fig. 2. Sequential LIO PAR .
