When a program does not comply with given security requirements itself, one can employ a dynamic enforcement mechanism to make the program compliant while it is executed. A dynamic enforcement mechanism can be seen as an encapsulation that protects a program from a malicious environment or, vice versa, the environment from a malicious program. Dynamic enforcement is an active research area which comprises both theoretical aspects (e.g., the question which security policies are enforceable) as well as practical aspects (e.g., how to implement dynamic enforcement mechanisms). At MAIS, we particularly focus on distributed dynamic enforcement, which bears challenges like race conditions and incomplete information about the global state of the program.
Service Automata are a concept developed at MAIS for runtime enforcement of properties in distributed systems. They are a flexible and generic enforcement mechanism, meaning that they can be instantiated with different policies. Security Automata have been modeled in the process algebra CSP. This formalization of the mechanism allows formal proofs that the desired security guarantees of a system are enforced.
CliSeAu is a proof-of-concept implementation of Service Automata. It can be used to enforce properties on distributed systems consisting of programs written in Java and Ruby as well as Android applications. Evaluations on case studies have shown that CliSeAu has only little runtime overhead.
Open research topicsSide channels are unintended indirect flows of information revealed by physical executions of a computer program. Examples of side channels include program's running time, cache behavior, power consumption, electromagnetic radiation, etc. Such unintended flows of information may be correlated to secrets e.g., private cryptographic keys, and this makes side channels a severe security vulnerability. By exploiting such correlation, the hacker can recover the secrets, and this is known as a side-channel attack. Due to improvements in security protection mechanisms, traditional security vulnerabilities like programming bugs are getting harder to exploit, and that is why side channels are becoming now more and more attractive to hackers. Among different types of side channels, timing side channels are particularly critical since timing attacks can be mounted remotely over computer networks and do not require direct physical access to the system under attack.
At MAIS, we develop methods and tools for sound detection of timing side channels, assessment of their seriousness, construction of timing attacks and design of proper countermeasures.
Open research topicsWhen running a program that requires access to confidential data, one wants to be sure that no information about the confidential data is leaked to untrusted third parties. For instance, a banking application requires access to a user's login credentials, but no information about the login credentials must be leaked to the developers of the app even if they legitimately receive other information, e.g. usage statistics. Such security requirements can be formally expressed with information-flow properties. Program analysis techniques, such as security type systems, can check automatically whether a program satisfies a given information-flow property. In the scenario of the banking application, a positive result of the analysis combined with a so-called soundness result for the analysis technique guarantees that no information about the user's login credentials is leaked to the developers.
At MAIS, we develop and improve information-flow properties and sound analysis techniques for these properties. Furthermore, we develop tools for the automatic verification of programs based on these analysis techniques.
Open research topics
Mobile devices store and collect a wide range of sensitive information, such as the user's current location, his contacts, calendar entries, e-mails, photos, and many other kinds of information. Maintaining the privacy of this sensitive information is an open issue. In the past, many leaks of sensitive information by Android apps, both intentionally and unintentionally, have been reported. This is in spite of existing security mechanisms provided by Android.
Cassandra, the Certifying App Store for Secure Android Applications, addresses this problem by integrating an information-flow analysis into an app store. This allows users to check whether apps he would like to install respect his privacy requirements. In the development of Cassandra, we are addressing both theoretical and practical research questions. On the theory side, the analysis is formalized as a security type system. It is proven to be sound against a formal semantics of Android applications and a formal definition of security. This means that all applications passing the analysis are guaranteed to be secure. On the practical side, we have developed a system architecture that enables fast analyses as well as an optimized analysis algorithm. Here, we are also considering how to enable non-expert users to specify their privacy requirements and how to make sure that they can understand the results of the analysis.
Open research topicsModern multi-core processors implement various optimizations intended to improve their performance, such as caches, reordering of instructions, and branch prediction. These optimizations can have effects that are unintuitive and unexpected. Weak memory models have been developed to describe the effects of processor optimizations. We have found that weak memory models have subtle effects on the security of programs: Security guarantees that have been established without taking into account processor optimizations no longer hold in general when a program is executed under a weak memory model. This is a significant issue, since many devices nowadays are equipped with multi-core processors.
At MAIS, we are further exploring the effects of weak memory models on security and developing techniques for re-establishing security guarantees. To this end, we are investigating a number of theoretical research questions, including how weak memory models can be incorporated in formal semantics, how different semantics incorporating weak memory models compare to each other, and what the impact of weak memory models is on security properties. This theoretical research is supported by the Isabelle/HOL proof assistant, which we use for modeling and verification. On the practical side, we are evaluating whether the executions possible under a given memory model are the same as those possible on an actual given processor and are investigating whether existing analyses and tools can be adapted to address the effects of the memory model of a given processor architecture.
Open research topics