Manageable fine-grained information flow

The continuing frequency and seriousness of security incidents underline the critical importance of application security. Decentralized information flow control (DIFC), a promising tool for improving application security, gives application developers fine-grained control over security policy and privilege management. DIFC developers can partition much application functionality into untrusted components bound by a kernel- or language-enforced security policy. Unless a (usually smaller and less exposed) trusted component is exploited, the effects of an application compromise are contained by the policy. Although system-based DIFC can simultaneously achieve high performance and effective isolation, it offers a challenging programming model. Fine-grained policy specifications are spread over several application pieces. Common programming errors may be indistinguishable from policy exploit attempts, so the system cannot expose developers to information about these errors, which complicates debugging. Static checking (as in language-based systems) and new system primitives can reduce these problems, but for dynamic applications like web servers they do not eliminate them. In this paper we propose subsystems that make decentralized information flow more manageable. First, a policy description language specifies an application-wide security policy in one localized place; communication restrictions are compiled into lower-level labels. Second, information flow-safe debugging mechanisms let developers debug DIFC applications without violating security policies. Although these mechanisms are preliminary, we demonstrate their effectiveness using applications similar to those developed for Asbestos and other DIFC systems.
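As an added illustration of the two mechanisms the abstract describes (example code, not the paper's own): a small declarative policy is compiled into Flume/Asbestos-style secrecy labels (sets of tags) plus declassification privileges, message flows are checked against the label lattice, and a debugging helper reveals the tags behind a denied flow only when the developer's own label already dominates them. The component names, tags, policy format and the label-gated debugging rule are constructed assumptions.

```python
"""Toy DIFC policy compiler and flow checker (constructed example)."""
from typing import Dict, FrozenSet, Tuple

Label = FrozenSet[str]

# Constructed high-level policy for a small web application: each component
# lists the secret data categories it may read; "declassify" names the
# trusted components allowed to remove a tag before sending.
POLICY = {
    "reads": {"frontend": [], "db": ["userdata"], "auth": ["userdata"]},
    "declassify": {"auth": ["userdata"]},
}


def compile_policy(policy) -> Tuple[Dict[str, Label], Dict[str, Label]]:
    """Compile the policy into per-component secrecy labels and privileges.
    A component's label is the set of tags it is tainted by; its privilege
    set holds the tags it is trusted to remove (declassify)."""
    labels = {c: frozenset(tags) for c, tags in policy["reads"].items()}
    privs = {c: frozenset(policy["declassify"].get(c, ())) for c in labels}
    return labels, privs


def flow_allowed(src: str, dst: str, labels, privs) -> bool:
    """src may send to dst iff S(src) <= S(dst) in the subset lattice, except
    for tags src is privileged to declassify."""
    leaking = labels[src] - labels[dst]
    return leaking <= privs[src]


def debug_reason(src, dst, labels, privs, debugger: Label) -> str:
    """Information-flow-safe explanation of a flow decision (assumed rule):
    the offending tag names are shown only if the debugger's label dominates
    src's label, since the explanation itself would otherwise leak them."""
    if flow_allowed(src, dst, labels, privs):
        return "allowed"
    if not labels[src] <= debugger:
        return "denied (details withheld: debugger label too low)"
    return "denied: would leak " + ",".join(sorted(labels[src] - labels[dst]))


if __name__ == "__main__":
    lbl, prv = compile_policy(POLICY)
    for s, d in [("frontend", "db"), ("db", "frontend"), ("auth", "frontend")]:
        print(s, "->", d, debug_reason(s, d, lbl, prv, frozenset({"userdata"})))
```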
