Secure program partitioning

This paper presents secure program partitioning, a language-based technique for protecting confidential data during computation in distributed systems containing mutually untrusted hosts. Confidentiality and integrity policies can be expressed by annotating programs with security types that constrain information flow; these programs can then be partitioned automatically to run securely on heterogeneously trusted hosts. The resulting communicating subprograms collectively implement the original program, yet the system as a whole satisfies the security requirements of participating principals without requiring a universally trusted host machine. The experience in applying this methodology and the performance of the resulting distributed code suggest that this is a promising way to obtain secure distributed computation.
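To make the idea concrete, here is a toy model of the two checks the abstract describes, as an added illustration rather than the paper's own implementation: a variable's confidentiality label names the principals whose data it holds, information may flow only to a variable at least as restricted, and a statement may be placed only on a host trusted by every principal in its labels. The principals, hosts and program below are constructed for the example.

```python
"""Toy model of secure program partitioning (constructed illustration, not the
paper's system): labels are sets of principals, flow x -> y is allowed only if
label(x) is a subset of label(y), and a statement may only run on a host that
every principal in its labels trusts."""
from typing import Dict, FrozenSet, List, Set, Tuple

Label = FrozenSet[str]
Stmt = Tuple[str, List[str]]  # (destination variable, source variables)

def join(labels) -> Label:
    """Least upper bound of labels: union of the principals' restrictions."""
    return frozenset().union(*labels)

def flows_to(src: Label, dst: Label) -> bool:
    """A flow is legal when the destination is at least as restricted."""
    return src <= dst

def check_flows(program: List[Stmt], labels: Dict[str, Label]) -> List[int]:
    """Return indices of statements that would leak (sources more restricted than dst)."""
    return [i for i, (dst, srcs) in enumerate(program)
            if not flows_to(join(labels[s] for s in srcs), labels[dst])]

def partition(program: List[Stmt], labels: Dict[str, Label],
              hosts: Dict[str, Set[str]]) -> Dict[int, str]:
    """Place each statement on a host trusted by everyone whose data it touches."""
    placement = {}
    for i, (dst, srcs) in enumerate(program):
        needed = join([labels[dst]] + [labels[s] for s in srcs])
        candidates = [h for h, trusted_by in hosts.items() if needed <= trusted_by]
        if not candidates:
            raise ValueError(f"statement {i} needs a host trusted by {sorted(needed)}")
        placement[i] = candidates[0]
    return placement

# Constructed sample: Alice's and Bob's secrets are combined, Carol's data is
# handled separately; no single host is trusted by all three principals.
LABELS = {"a": frozenset({"Alice"}), "b": frozenset({"Bob"}),
          "s": frozenset({"Alice", "Bob"}), "c": frozenset({"Carol"}),
          "c2": frozenset({"Carol"}), "p": frozenset()}
HOSTS = {"hostA": {"Alice"}, "hostC": {"Carol"}, "hostAB": {"Alice", "Bob"}}
SAFE = [("a", ["a"]), ("s", ["a", "b"]), ("c2", ["c"])]
LEAKY = SAFE + [("p", ["s"])]  # publishes Alice's and Bob's joint secret
```

Running `check_flows(LEAKY, LABELS)` flags the final statement, while `partition(SAFE, LABELS, HOSTS)` places the joint computation on the one host Alice and Bob both trust and Carol's work elsewhere, with no host trusted by every principal.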
