Typed assembly languages for software security

  • Authors: Adriana Compagnoni; Ricardo Hugo Medel
  • Affiliations: Stevens Institute of Technology; Stevens Institute of Technology
  • Venue: Typed assembly languages for software security
  • Year: 2007


Abstract

This thesis studies type systems for guaranteeing secure information flow in low-level programming languages. Existing work has shown that type systems for high-level languages can guarantee confidentiality of local data accessed by untrusted software, but no such results have been established for realistic low-level languages. Low-level languages lack the control-flow structures that guide static analysis, and they include operations for explicit management of the control stack that make it possible to leak confidential information. This thesis addresses these issues and shows that the approach used for secure information flow in high-level languages can be adapted to low-level languages as well. The key property we study is non-interference: no public output of a program is affected by any secret data it may have accessed. Non-interference can be proved sound for natural type systems of low-level programs, yielding efficient, static procedures that clients can use to verify non-interference of untrusted software. In this dissertation we present three typed assembly languages. SIFTAL is a simple RISC language made suitable for non-interference analysis through the addition of typing directives that manipulate code labels, explicitly indicating the control-flow structure of programs. A refined version of SIFTAL addresses leaking of information through the control stack by annotating the type of the stack with the code labels used by the typing directives. The third language, SIF, removes a complication present in the other two type systems by requiring a typing only for a restricted part of the heap, rather than the entire heap, before typechecking begins. For each type system a non-interference property is stated and proved, ensuring that all well-typed assembly programs respect the confidentiality of their local data.