Asymmetric secure multi-execution with declassification

Abstract

Secure multi-execution (SME) is a promising black-box technique for enforcing information flow properties. Unlike traditional static or dynamic language-based techniques, SME satisfies noninterference (soundness) by construction and is also precise. SME executes a given program twice. In one execution, called the high run, the program receives all inputs, but the program’s public outputs are suppressed. In the other execution, called the low run, the program receives only public inputs and declassified or, in some cases, default inputs as a replacement for the secret inputs, but its private outputs are suppressed. This approach works well in theory, but in practice the program might not be prepared to handle the declassified or default inputs as they may differ a lot from the regular secret inputs. As a consequence, the program may produce incorrect outputs or it may crash. To avoid this problem, existing work makes strong assumptions on the ability of the given program to robustly adapt to the declassified inputs, limiting the class of programs to which SME applies. To lift this limitation, we present a modification of SME, called asymmetric SME or A-SME. A-SME gives up on the pretense that real programs are inherently robust to modified inputs. Instead, A-SME requires a variant of the original program that has been adapted (by the programmer or automatically) to react properly to declassified or default inputs. This variant, called the low slice, is used in A-SME as a replacement for the original program in the low run. The original program and its low slice must be related by a semantic correctness criteria, but beyond adhering to this criteria, A-SME offers complete flexibility in the construction of the low slice. A-SME is provably sound even when the low slice is incorrect and when the low slice is correct, A-SME is also precise. Finally, we show that if the program is policy compliant, then its low slice always exists, at least in theory. On the side, we also improve the state-of-the-art in declassification policies by supporting policies that offer controlled choices to untrustworthy programs.