Information flow for secure distributed applications

Private and confidential information is increasingly stored online and increasingly exposed, both through human error and through malicious attacks. Information leaks threaten confidentiality, lead to lawsuits, damage enterprise reputations, and cost billions of dollars. While distributed computing architectures provide data and service integration, they also create information flow control problems because of the complexity of the interactions among service providers. A main problem is the lack of an appropriate programming model to capture the expected information flow behaviors in these large distributed software infrastructures. This research tackles this problem by proposing a programming methodology and an enforcement platform that let application developers protect and share their sensitive data. We introduce Aeolus, a new platform intended to make it easier to build distributed applications that avoid the unauthorized release of information. The Aeolus security model is based on information flow control but differs from previous work in ways that we believe make it easier to use and understand. In addition, Aeolus provides a number of new mechanisms (anonymous closures, compound tags, boxes, and shared volatile state) to ease the job of writing applications. This thesis provides examples to show how Aeolus features support secure distributed applications. It describes the system design issues and solutions encountered in building a prototype implementation and presents performance results that show our platform has low overhead.

Thesis Supervisor: Barbara H. Liskov
Title: Institute Professor
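The abstract says the Aeolus model is based on information flow control but does not spell out what such a check looks like. The following added example (illustrative code, not Aeolus's own API or semantics) models the generic label-based discipline that platforms in this family share: a secrecy label is a set of tags, data may flow from a source to a destination only when the destination's label contains every tag of the source, a thread that reads tagged data becomes tainted with its tags, and a tag can be removed (declassification) only by a principal holding authority for it. The names `Principal`, `can_flow`, `read`, `write_allowed`, `declassify` and the sample tag `patient-42-medical` are assumptions constructed for this illustration.

```python
"""Toy model of label-based information flow control (IFC).

Added illustration; this is NOT Aeolus's API. Secrecy labels are sets of
tags. A flow is allowed only if the destination is at least as secret as the
source (subset check on labels). Declassification removes a tag and requires
authority for that tag.
"""
from dataclasses import dataclass, field

PUBLIC = frozenset()  # the public network carries no tags at all


@dataclass
class Principal:
    """A running thread acting for some principal."""
    name: str
    authority: set = field(default_factory=set)  # tags it may declassify
    label: frozenset = frozenset()               # current secrecy label


def can_flow(src: frozenset, dst: frozenset) -> bool:
    """Data may move from src to dst only if every tag of src is in dst."""
    return src <= dst


def read(p: Principal, data_label: frozenset) -> Principal:
    """Reading taints the reader: its label becomes the union (join)."""
    return Principal(p.name, p.authority, p.label | data_label)


def write_allowed(p: Principal, sink_label: frozenset) -> bool:
    """A tainted thread may only write to sinks at least as secret as itself."""
    return can_flow(p.label, sink_label)


def declassify(p: Principal, tag: str) -> Principal:
    """Drop a tag from the label; only a principal with authority may do so."""
    if tag not in p.authority:
        raise PermissionError(f"{p.name} lacks authority for tag {tag!r}")
    return Principal(p.name, p.authority, p.label - {tag})


def scenario() -> dict:
    """Constructed sample run: a clinic service reads a tagged patient record
    and tries to send it out; only an authorized clinician may release it."""
    record_label = frozenset({"patient-42-medical"})  # constructed sample tag

    service = read(Principal("clinic-service"), record_label)
    leak_allowed = write_allowed(service, PUBLIC)      # False: thread is tainted

    try:
        declassify(service, "patient-42-medical")      # no authority: rejected
        unauthorized_rejected = False
    except PermissionError:
        unauthorized_rejected = True

    clinician = Principal("clinician", authority={"patient-42-medical"},
                          label=service.label)
    clinician = declassify(clinician, "patient-42-medical")
    release_allowed = write_allowed(clinician, PUBLIC)  # True after declassification

    return {
        "leak_blocked": not leak_allowed,
        "unauthorized_declassify_rejected": unauthorized_rejected,
        "authorized_release": release_allowed,
    }


if __name__ == "__main__":
    print(scenario())
```

The point of the subset check is that confidentiality is enforced at every flow rather than at the point where data was first obtained: once the service's thread has read the record, every later write it attempts is judged against the accumulated label, and the only way out is an explicit, authorized declassification, which is exactly the step an audit trail should record.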
