Securing concurrent programs with dynamic information-flow control

Abstract: The work presented in this thesis focusses on dealing with timing covert channels in dynamic information-flow control systems, particularly for the LIO library in Haskell. Timing channels are dangerous in the presence of concurrency. Therefore, we start with the design, formalisation and implementation of a concurrent version of LIO which is secure against them. More specifically, we remove leaks due to non-terminating behaviour of programs (termination covert channel) and leaks produced by forcing certain interleavings of threads, as a result of affecting their timing behaviour (internal timing covert channel). The key insight is to decouple computations so that threads observing the timing or termination behaviour of other threads are required to be at the same confidentiality level. This work only deals with internal timing that can be exploited through language-level operations. We also mitigate leaks that result from the precise measurement of the timing of observable events (external timing covert channel), e.g. by using a stopwatch. Timing channels can also be exploited through hardware-based shared resources, such as the processor cache. This thesis presents a cache-based attack on LIO that relies on timing perturbations to leak sensitive information through internal timing. To address this problem, we modify the Haskell runtime to support instruction-based scheduling, a scheduling strategy that is indifferent to such perturbations from underlying hardware components, such as the cache, TLB, and CPU buses. We show this scheduler is secure against cache-based internal timing attacks for applications using a single CPU. Additionally, we provide a purely language-based implementation of the instruction-based strategy for LIO, by means of a library. We leverage the notion of resumptions, a restricted form of continuations, to control the interleaving of threads, forcing each thread to yield after every LIO operation. Due to the flexibility of this approach, we are able to support parallel computation in the library, a novel feature in information-flow control tools. Finally, we present a new manifestation of internal timing in Haskell, by exploiting lazy evaluation to encode sensitive information as timing perturbations. We illustrate our claim with a concrete attack on LIO that relies on memoisation of shared thunks to leak information. We also propose a countermeasure based on restricting the implicit sharing of values.