A trusted execution platform for multiparty computation

The value of data used in computation is increasing more rapidly than the security of the computation environment. Users are submitting private personal and financial information to untrusted programs, even though the programs cannot guarantee the privacy of that information. This problem is even more pronounced for programs that are provided through the Internet, such as servlets and applets. Sandboxing and runtime policy mechanisms are designed to prevent such programs from leaking information, but these techniques are either too weak or too restrictive to support useful information sharing. Myers’ decentralized label model addresses this problem by tracking privacy policies on individual pieces of data as they flow through a program. This thesis presents a system that enforces these policies and allows mutually-distrusting parties to share data in computation. The Simple Public Key Infrastructure (SPKI) provides name resolution and authorization services without depending on a central authority. This thesis describes a system that combines SPKI with Myers’ label model to connect the names and policies in programs with real-world users and permissions. Users must trust the system with their private data; in return, the system protects their data from release to untrusted parties. The system is called the Trusted Execution Platform (TEP). This thesis presents the design and implementation of TEP and analyzes its performance. TEP ensures that the applications it runs protect the privacy of classified data used in computation.
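The decentralized label model the abstract refers to, as an added illustration rather than TEP's own code: a label maps each owner to the readers it permits, joining two labels combines their policies, data may be relabeled only to a more restrictive label, and only a principal acting for an owner may relax that owner's policy. The acts-for table is a constructed stand-in for the name and authorization resolution TEP obtains from SPKI.

```python
from typing import Callable, Dict, FrozenSet, Set

# A label: owner -> readers that owner permits (the owner is always an implicit reader).
Label = Dict[str, FrozenSet[str]]

# Constructed acts-for relation: principal -> principals allowed to act for it.
# (TEP resolves this through SPKI certificates; here it is a fixed table.)
ACTS_FOR = {"bank": {"auditor_svc"}}

def acts_for(actor: str, principal: str) -> bool:
    return actor == principal or actor in ACTS_FOR.get(principal, set())

def readers(label: Label, owner: str) -> FrozenSet[str]:
    """Readers permitted by one owner's policy, including the owner itself."""
    return label[owner] | {owner}

def join(a: Label, b: Label) -> Label:
    """Label of data derived from two inputs: every owner's policy is kept, and
    where both inputs name the same owner only readers allowed by both survive."""
    out: Label = dict(a)
    for owner, rs in b.items():
        out[owner] = (out[owner] & rs) if owner in out else rs
    return out

def may_flow(src: Label, dst: Label) -> bool:
    """src may be relabeled to dst only if dst is at least as restrictive: each
    owner policy in src must appear in dst with no additional readers."""
    return all(o in dst and readers(dst, o) <= readers(src, o) for o in src)

def effective_readers(label: Label) -> FrozenSet[str]:
    """Principals permitted to read by every owner's policy (empty label = public)."""
    sets = [readers(label, o) for o in label]
    return frozenset.intersection(*sets) if sets else frozenset()

def declassify(label: Label, owner: str, add: Set[str], actor: str,
               can_act: Callable[[str, str], bool] = acts_for) -> Label:
    """Relax one owner's policy; permitted only to a principal acting for that owner."""
    if not can_act(actor, owner):
        raise PermissionError(f"{actor} may not declassify {owner}'s policy")
    out = dict(label)
    out[owner] = out[owner] | frozenset(add)
    return out

if __name__ == "__main__":
    alice = {"alice": frozenset({"bank"})}                   # alice lets the bank read
    bank = {"bank": frozenset({"alice", "auditor_svc"})}     # bank lets alice and its auditor read
    combined = join(alice, bank)                             # result of computing on both
    print(sorted(effective_readers(combined)))               # ['alice', 'bank']
    print(may_flow(combined, alice))                         # False: would drop the bank's policy
```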
