-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtutorial.html
212 lines (175 loc) · 13.7 KB
/
tutorial.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta charset="utf-8">
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-HF4HSC64G3"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag() {
dataLayer.push(arguments);
}
gtag('js', new Date());
gtag('config', 'G-HF4HSC64G3');
</script>
<title>jsflow tutorial</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<!-- Le styles -->
<link href="css/bootstrap.css" rel="stylesheet">
<style>
body {
padding-top: 60px;
/* 60px to make the container go all the way to the bottom of the topbar */
}
</style>
<link href="css/bootstrap-responsive.css" rel="stylesheet">
<link href="css/prism.css" rel="stylesheet">
<script src="js/prism.js"></script>
</head>
<body>
<div class="navbar navbar-inverse navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="brand" href="http://jsflow.net">jsflow</a>
<div class="nav-collapse collapse">
<ul class="nav">
<li><a href="index.html">main</a></li>
<li class="active"><a href="tutorial.html">tutorial</a></li>
<li><a href="jsflow.html">console</a></li>
<li><a href="jsflow-challenge.html">challenge</a></li>
</ul>
</div>
<!--/.nav-collapse -->
</div>
</div>
</div>
<div class="container">
<h2>Tutorial</h2>
This tutorial will give a brief introduction to <i>information flow control</i>, and how it is implemented in JSFlow.
<h3>Usage</h3>
To start using JSFlow, download the <a href="jsflow-1.1.0.tgz">JSFlow package</a> and unpack it. Ensure <a href="#">NodeJS</a> and <a href="#">npm</a> are installed. Once unpacked, enter the directory and execute <code>npm install</code>. This
should install all the necessary libraries. If that fail, manually install <a href="#">esprima</a>, <a href="#">escodegen</a>, <a href="#">estraverse</a>, <a href="#">source-map</a> and <a href="#">underscore</a>. It is recommended to use npm
to do this.
<br /><br /> Programming towards JSFlow is similar to programming towards standard JavaScript, with the main difference being labeling primitives. In the unpacked directory, execute <code>./jsflow</code> to run an interactive shell, or execute
<code>./jsflow <i>filepath</i></code>, which will execute the JavaScript file pointed to by
<code><i>filepath</i></code>.
<hr>
<h3>Dynamic Information Flow Control</h3>
In our work, we work with dynamic information flow control (IFC). In dynamic IFC, all runtime values are augmented with a security label, which are copied and joined to reflect the computations of a program. The labels are drawn from a lattice, in litterature
usually denoted as <i>L</i> and <i>H</i> for <i>low</i> (public) and <i>high</i> (private) data.
<br /><br /> When tracking the information flow during execution, a <i>program counter (pc)</i> is used. As an example, the pc is upgraded when the program branches on a secret variable, and hence reflects the current
<i>security context</i>, i.e. the security level of the current computation.
<br /><br /> For a program to be of any use, it must take inputs and produce outputs. We call inputs to a program <i>sources</i>, and outputs from the program <i>sinks</i>. With this, there are two types of flows to look for in IFC: <i>explicit</i> and <i>implicit</i> flows. In explicit flows, the data flow is used to leak information by writing from a private source to a public sink. As an example, <code>l := h</code> has an explicit flow from the private source <code>h</code> to the public
sink
<code>l</code>. On the other hand, implicit flows use the control flow of a program to leak the secret to a public sink, without explicitly writing from the private source. To illustrate this, if we assume <code>h</code> is of boolean type, <code>l := false; if(h) l := true;</code> would leak the secret source <code>h</code> to the public sink <code>l</code>, without an explicit assignment between the source and the sink. With this, we can define a common security property for IFC, namely <i>noninterference</i> Noninterference
states public output must not depend on private input. More intuitively, a program satisfies noninterference if, for all runs of a program, if the only difference between the runs are the private input, then the public output should remain the
same. One of the security models of noninterference is <i>termination insensitive noninterference(TINI)</i>, which guarantees noninterference for terminating executions of an application. In practice, this means applications that leak through
the termination behaviour of a program are allowed, given it is the termination behaviour only that produces the leak. As an example, have a look at the following example.
<pre>
<code class="language-javascript">
/* Assuming h is a secret variable of type Number defined elsewhere.
* Also assume the attacker can observe the output done by print. */
for(var i = Number.MIN_VALUE; i <= Number.MAX_VALUE; i++) {
print(i);
if(i == h) {
while(true) { }
}
}
</code>
</pre> Assuming <code>print</code> prints to a public sink which the attacker can observe, the secret value <code>h</code> is leaked. For each iteration, the variable <code>i</code> is public: it never depends on a secret. This means printing
<code>i</code> to a public sink is always allowed. The only time the application will branch on a secret is in the if-statement <code>if(i == h)</code>. But branching there will make the application run an infinite loop, and never terminate, indicating
the last written output to the public sink will be the secret value. Since the leak only depends on the non-termination in the branch, this would be allowed for systems which employ TINI.
<br /><br /> To help achieve noninterference, one must handle side-effects under secret control carefully. If security labels are allowed to change under secret control, there can be implicit flows into the labels. To help prevent this, there
is the concept of <i>no sensitive upgrade (NSU)</i>. NSU states that security labels are not allowed to change under secret control. What would be the effect if labels are allowed to change under secret control? The following example illustrate
this well.
<pre>
<code class="language-javascript">
/* For this example, we assume lo and tm to be public values.
* hi is a secret boolean value, defined elsewhere. */
var lo = true;
var tm = true;
if(hi === true) {
tm = false;
}
if(tm === true) {
lo = false;
}
</code>
</pre> Lets follow the execution, and assume that there is no NSU, i.e. labels are allowed to change freely under secret control. If <code>hi</code> is <code>true</code>, then the body of the if-statement <code>if(hi === true)</code> will
execute under secret control. When this happens, <code>tm</code> will be given the value <code>false</code>, and its label will be upgraded to the label of <code>hi</code>. Since <code>tm</code> now is <code>false</code>, the body of the if-statement
<code>if(tm === true)</code> will not execute, leaving <code>lo</code> with the value <code>true</code>, and a public label.
<br /> On the other hand, if <code>hi</code> is <code>false</code>, the body of the if-statement
<code>if(hi === true)</code> will never execute, leaving <code>tm</code> with the value <code>true</code> and a public label. This means the guard in the if-statement <code>if(tm === true)</code> is <code>true</code>, and the body will be executed.
However, since <code>tm</code> was public, the body is executed under public control, giving <code>lo</code> the value <code>false</code> with a public label.
<br /> In both instances, the value of <code>hi</code> is leaked to <code>lo</code>, with <code>lo</code> keeping a public label. But with NSU, the assignment <code>tm = false</code> is not allowed, as it would change the label of <code>tm</code> under secret control. If <code>hi</code> is false, <code>lo</code> would be <code>false</code> and public. This is a one-bit leak that cannot be prevented with NSU.
<hr>
<h3>JSFlow</h3>
JSFlow is a JavaScript interpreter which is extended with security labels on the values. It supports all the standard libraries defined in the <a href="https://www.ecma-international.org/ecma-262/5.1/">Ecma v5 standard</a>, but it does not support
strict mode. JSFlow has the security property of TINI, and uses NSU.
<br /><br /> If not provided by the programmer of an application, JSFlow employs a two-level lattice: public and secret, where public values are allowed to flow to secret. In principle, the lattice in JSFlow is a subset lattice, meaning that the
label(s) of a sink must be a subset of the label(s) of the source. In order to label values, one must call the built-in function <code>lbl</code> which, given a value, will label the value. As an example, <code>var x = lbl(42);</code> will give
the variable <code>x</code> the value <code>42</code>, and the label <code>T</code> for Top, i.e. the top value of the lattice, which is secret. We can verify this by executing <code>print(x);</code>, which gives the output <code>(<>)42_<T></code>,
indicating the pc is public (<code>(<>)</code>), the value is <code>42</code>, and its label is Top (
<code><T></code>).
<br /> We can see the execution context change by having <code>if(x) print(x);</code>. Since <code>x</code> is defined, the body of the if-statement will be executed. When <code>print(x)</code> is executed, it will print <code>(<T>)42_<T></code>.
This is due to branching on the secret variable <code>x</code> will upgrade the pc to sensitive.
<br /><br /> In JSFlow, a pure explicit flow is allowed. As an example, imagine the secret variable <code>h</code> and the public variable <code>l</code>. If we execute the program <code>l = h</code> in JSFlow, the label of <code>l</code> would
simply be upgraded, as the execution context is public. Without any branching, this is always allowed.
<br /> If, however, we add an if-statement: <code>l = false; if(h) l = true;</code>, given <code>h</code> is defined to a value which can be interpreted as <code>true</code>, JSFlow would detect the implicit flow and prevent it.
<br /> On the other and, a combination of these can be allowed.
<pre>
<code class="language-javascript">
l = h; // This is allowed, and l will become secret.
if(h) {
l = 42; // This is allowed, since l is now secret, i.e. NSU will not trigger.
}
</code>
</pre> Although there is an implicit flow to <code>l</code> depending on the secret value <code>h</code>, since
<code>l</code> has been upgraded on the first line, it is a safe implicit flow. Similarly, JSFlow would prevent the NSU example from before as well.
<hr>
<h3>More advanced labeling in JSFlow</h3>
If the standard two-level lattice is not enough, one can use <code>lbl</code> to create their own labels for the values. As an example, <code>var x = lbl(42, "my-extremely-secret-value");</code> will label the variable <code>x</code> with the
label <code>my-extremely-secret-value</code>, and
<code>var y = lbl(42, "secret-value", "extremely-secret-value");</code> will label <code>y</code> with both
<code>secret-value</code> and <code>extremely-secret-value</code>. Since JSFlow employs a subset lattice, in order for <code>x</code> to be allowed to flow to <code>y</code>, the labels of <code>x</code> must be a subset of the labels of <code>y</code>.
This means the following is not allowed in JSFlow, due to the labels of <code>m</code> not being a subset of the labels of <code>h</code>.
<pre>
<code class="language-javascript">
var l = lbl(10, 'low');
var m = lbl(15, 'mid');
var h = lbl(20, 'high');
if(m === 15) {
/* This assignment is not allowed due to execution context containing the
label 'mid', which h does not have.*/
h = 25;
}
</code>
</pre> Instead, we must label the variable <code>h</code> to both <code>mid</code> and <code>high</code> in order for the assignment to be allowed. If <code>h</code> is labeled in this manner, the labels of <code>m</code> becomes a subset
of the labels of
<code>h</code>.
<pre>
<code class="language-javascript">
var l = lbl(10, 'low');
var m = lbl(15, 'mid');
var h = lbl(20, 'mid', 'high');
if(m === 15) {
/* This assignment is allowed, since h has 'mid' as label (as well as 'high'),
so h is at least as sensitive as m. Note that h, after the assignment, will
only have label 'mid' (due to dynamic execution)*/
h = 25;
}
</code>
</pre>
</div>
<script src="js/jquery.js"></script>
<script src="js/bootstrap.js"></script>
</body>
</html>