< Back to previous page

Publication

Impossibility of Precise and Sound Termination-Sensitive Security Enforcements

Book Contribution - Book Chapter Conference Contribution

© 2018 IEEE. An information flow policy is termination-sensitive if it imposes that the termination behavior of programs is not influenced by confidential input. Termination-sensitivity can be statically or dynamically enforced. On one hand, existing static enforcement mechanisms for termination-sensitive policies are typically quite conservative and impose strong constraints on programs like absence of while loops whose guard depends on confidential information. On the other hand, dynamic mechanisms can enforce termination-sensitive policies in a less conservative way. Secure Multi-Execution (SME), one of such mechanisms, was even claimed to be sound and precise in the sense that the enforcement mechanism will not modify the observable behavior of programs that comply with the termination-sensitive policy. However, termination-sensitivity is a subtle policy, that has been formalized in different ways. A key aspect is whether the policy talks about actual termination, or observable termination. This paper proves that termination-sensitive policies that talk about actual termination are not enforceable in a sound and precise way. For static enforcements, the result follows directly from a reduction of the decidability of the problem to the halting problem. However, for dynamic mechanisms the insight is more involved and requires a diagonalization argument. In particular, our result contradicts the claim made about SME. We correct these claims by showing that SME enforces a subtly different policy that we call indirect termination-sensitive noninterference and that talks about observable termination instead of actual termination. We construct a variant of SME that is sound and precise for indirect termination-sensitive noninterference. Finally, we also show that static methods can be adapted to enforce indirect termination-sensitive information flow policies (but obviously not precisely) by constructing a sound type system for an indirect termination-sensitive policy.
Book: 2018 IEEE SYMPOSIUM ON SECURITY AND PRIVACY (SP)
Pages: 496 - 513
Number of pages: 18
ISBN:9781538643525
Publication year:2018
BOF-keylabel:yes
IOF-keylabel:yes
Authors from:Higher Education

Authors/publisher

  • Ngo Minh (First author)
  • Frank Piessens (Author)
  • Tamara Rezk (Last author)

Research units

Events

  • 39th IEEE Symposium on Security and Privacy (SP)()

    CA, San Francisco

Projects