RIFLE: An Architectural Framework for User-Centric Information-Flow Security

Even as modern computing systems allow the manipulation and distribution of massive amounts of information, users of these systems are unable to manage the confidentiality of their data in a practical fashion. Conventional access control security mechanisms cannot prevent the illegitimate use of privileged data once access is granted. For example, information provided by a user during an online purchase may be covertly delivered to malicious third parties by an untrustworthy web browser. Existing information-flow security mechanisms do provide this assurance, but only for programmer-specified policies enforced during program development as a static analysis on special-purpose type-safe languages. Not only are these techniques not applicable to many commonly used programs, but they leave the user with no defense against malicious programmers or altered binaries. In this paper, we propose RIFLE, a runtime information-flow security system designed from the user's perspective. By addressing information-flow security using architectural support, RIFLE gives users a practical way to enforce their own information-flow security policy on all programs. We prove that, contrary to statements in the literature, run-time systems like RIFLE are no less secure than existing language-based techniques. Using a model of the architectural framework and a binary translator, we demonstrate RIFLE's correctness and illustrate that the performance cost is reasonable.
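The runtime label tracking the abstract describes, as an added example that is not the paper's code or the RIFLE hardware itself: a small Python simulator in which every register and memory cell carries a label drawn from a powerset lattice of data sources, explicit flows (arithmetic, loads, stores) join labels, a conditional region executes under a raised control label so that implicit flows are tracked, and an output instruction is checked against a policy the user supplies rather than the programmer. The toy instruction set, register names, policy table, the `written_regs` join-point rule (standing in for what a binary translator with control-dependence analysis could emit; the abstract does not say how RIFLE handles this) and the tagged input value are all constructed assumptions.

```python
"""Constructed simulator of RIFLE-style runtime information-flow tracking.
Labels are frozensets of data sources (a powerset lattice; join is union).
The user's policy maps an output channel to the sources allowed to reach it."""
from dataclasses import dataclass, field

PUBLIC = frozenset()


class PolicyViolation(Exception):
    """Raised when labelled data would reach a channel its label forbids."""


def written_regs(prog):
    """Registers an instruction sequence may write, over all paths (static).
    A translator can compute this before the program runs; at runtime the
    untaken path of a branch is exactly the one we cannot observe."""
    regs = set()
    for op, *args in prog:
        if op in ("li", "add", "ld"):
            regs.add(args[0])
        elif op == "ifz":
            regs |= written_regs(args[1])
    return regs


@dataclass
class Machine:
    policy: dict                                # channel -> frozenset of allowed sources
    regs: dict = field(default_factory=dict)    # reg  -> (value, label)
    mem: dict = field(default_factory=dict)     # addr -> (value, label)
    out: list = field(default_factory=list)     # (channel, value) actually emitted

    def run(self, prog, pc_label=PUBLIC):
        """Execute a list of instruction tuples under control label pc_label."""
        for op, *args in prog:
            if op == "li":                        # rd <- imm
                rd, imm = args
                self.regs[rd] = (imm, pc_label)
            elif op == "add":                     # rd <- rs1 + rs2 (explicit flow)
                rd, rs1, rs2 = args
                v1, l1 = self.regs[rs1]
                v2, l2 = self.regs[rs2]
                self.regs[rd] = (v1 + v2, l1 | l2 | pc_label)
            elif op == "ld":                      # rd <- mem[ra]; address label joins cell label
                rd, ra = args
                addr, la = self.regs[ra]
                v, lv = self.mem[addr]
                self.regs[rd] = (v, la | lv | pc_label)
            elif op == "st":                      # mem[ra] <- rv
                ra, rv = args
                addr, la = self.regs[ra]
                v, lv = self.regs[rv]
                self.mem[addr] = (v, la | lv | pc_label)
            elif op == "ifz":                     # run body iff rs == 0 (implicit flow)
                rs, body = args
                v, ls = self.regs[rs]
                inner = pc_label | ls
                if v == 0:
                    self.run(body, inner)
                # Join point: every register the body *could* write takes the
                # branch label whether or not the body ran. Without this, the
                # untaken path leaks: a register left untouched stays PUBLIC
                # even though its value now depends on the secret.
                # (Assumption: only registers are handled; stores inside the
                # body would need the same treatment for memory.)
                for target in written_regs(body):
                    val, lbl = self.regs.get(target, (0, PUBLIC))
                    self.regs[target] = (val, lbl | inner)
            elif op == "out":                     # emit rs on channel, enforce user policy
                ch, rs = args
                v, lv = self.regs[rs]
                flow = lv | pc_label              # the act of outputting is itself a flow
                if not flow <= self.policy.get(ch, PUBLIC):
                    raise PolicyViolation(f"{sorted(flow)} may not reach {ch}")
                self.out.append((ch, v))
            else:
                raise ValueError(f"unknown op {op}")


def leaky_program(channel):
    """Constructed program: copy one bit of a tagged value into an otherwise
    public register purely through control flow, then send it out."""
    return [
        ("li", "r_addr", 0x100),
        ("ld", "r_secret", "r_addr"),
        ("li", "r_pub", 0),
        ("ifz", "r_secret", [("li", "r_pub", 1)]),   # r_pub == 1 iff secret == 0
        ("out", channel, "r_pub"),
    ]


def run_case(secret_bit, channel):
    """Returns (outcome, emitted value or None, final label of r_pub)."""
    # User policy (assumed): data tagged "card" may be shown locally, never sent.
    m = Machine(policy={"display": frozenset({"card"}), "network": PUBLIC})
    m.mem[0x100] = (secret_bit, frozenset({"card"}))  # input tagged by the user
    try:
        m.run(leaky_program(channel))
        return ("ok", m.out[-1][1], m.regs["r_pub"][1])
    except PolicyViolation:
        return ("blocked", None, m.regs["r_pub"][1])


if __name__ == "__main__":
    for bit in (0, 1):
        for ch in ("network", "display"):
            print(bit, ch, run_case(bit, ch))
```

The interesting case is `run_case(1, "network")`: the body of the `ifz` never executes, so a naive dynamic tracker would see only public writes to `r_pub` and let the output through, leaking the secret bit through its absence. The join-point rule labels `r_pub` with the branch condition's label on both paths, so the policy check blocks the send regardless of the secret's value, while the same program is allowed to emit to the locally displayed channel the user permitted.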
