Complex middleware frameworks are made out of interacting components which may include bugs. These frameworks are often extended to provide additional features by third-party extensions that may not be completely trusted and, as a result, compromise the security of the whole platform. Aiming to minimize these problems, we propose a demonstration of PrivateFlow, a publish/subscribe prototype supported by Decentralized Information Flow Control (DIFC). DIFC is a taint-tracking mechanism that can prevent components from leaking information. We will showcase a simple deployment of PrivateFlow that incorporates third-party untrusted components. In our demonstration, one of these components will try to leak sensitive information about the system's operation and it will fail once DIFC is activated.
[1]
Steve Vandebogart,et al.
Labels and event processes in the Asbestos operating system
,
2005,
TOCS.
[2]
Eddie Kohler,et al.
Information flow control for standard OS abstractions
,
2007,
SOSP.
[3]
Andrew C. Myers,et al.
Protecting privacy using the decentralized label model
,
2000,
Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].