Preventing information leaks with policy-agnostic programming

As a solution to the problem of information leaks, I propose a policy-agnostic programming paradigm that enforces security and privacy policies by construction. I present the implementation of this paradigm in a new language, Jeeves, that automatically enforces information flow policies describing how sensitive values may flow through computations. In Jeeves, the programmer specifies expressive information flow policies separately from other functionality and relies on the language runtime to customize program behavior based on the policies. Jeeves allows programmers to implement information flow policies once instead of as repeated checks and filters across the program. To provide strong guarantees about Jeeves programs, I present a formalization of the dynamic semantics of Jeeves, define non-interference and policy compliance properties, and provide proofs that Jeeves enforces these properties. To demonstrate the practical feasibility of policy-agnostic programming, I present Jacqueline, a web framework built on Jeeves that enforces policies in database-backed web applications. I provide a formalization of Jacqueline as an extension of Jeeves to include relational operators and proofs that this preserves the policy compliance guarantees. Jacqueline enforces information flow policies end-to-end and runs using an unmodified Python interpreter and SQL database. I show, through several case studies, that Jacqueline reduces the amount of policy code required while incurring limited overheads.

Thesis Supervisor: Armando Solar-Lezama
Title: Associate Professor without Tenure
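As an added illustration of the policy-agnostic idea described above (written for this page, not code from the thesis or the Jeeves project): each sensitive value carries a real facet, a public facet and a policy; ordinary application code runs over both facets without branching on the viewer, and the policy is consulted only when a value reaches an output. The `Faceted`, `lift` and `concretize` helpers, the sample profile and the friend list are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Callable

# A policy maps the viewer's context to a yes/no decision on whether the
# real value may be revealed. Written for this page; not the Jeeves runtime.
Policy = Callable[[dict], bool]

@dataclass(frozen=True)
class Faceted:
    """A sensitive value: a real (high) facet, a public (low) facet, and the
    policy that picks between them. Facets may themselves be Faceted, so a
    result derived from several sensitive inputs nests rather than merges."""
    high: Any
    low: Any
    policy: Policy

def lift(f: Callable[..., Any], *args: Any) -> Any:
    """Run an ordinary function on possibly faceted arguments. The
    computation never inspects policies; it simply runs on every facet."""
    for i, a in enumerate(args):
        if isinstance(a, Faceted):
            before, after = args[:i], args[i + 1:]
            return Faceted(lift(f, *before, a.high, *after),
                           lift(f, *before, a.low, *after), a.policy)
    return f(*args)

def concretize(v: Any, ctx: dict) -> Any:
    """Resolve every facet for one concrete viewer: the only point where
    policies are consulted (the analogue of an output channel)."""
    while isinstance(v, Faceted):
        v = v.high if v.policy(ctx) else v.low
    return v

# Constructed sample data: a profile owned by "carol", whose friend is "alice".
FRIENDS = {"carol": {"alice"}}

def is_owner(ctx: dict) -> bool:
    return ctx["viewer"] == ctx["owner"]

def is_friend_or_owner(ctx: dict) -> bool:
    return is_owner(ctx) or ctx["viewer"] in FRIENDS[ctx["owner"]]

location = Faceted("Cambridge, MA", "undisclosed", is_friend_or_owner)
email = Faceted("carol@example.com", "hidden", is_owner)
def profile_line(viewer: str, owner: str = "carol") -> str:
    # Application code is written once, with no per-viewer branching...
    line = lift(lambda loc, em: f"{owner}: {loc} / {em}", location, email)
    # ...and is specialised per viewer only at the output boundary.
    return concretize(line, {"viewer": viewer, "owner": owner})
```

Because facets nest rather than collapse into one policy, a friend who may see the location but not the email receives exactly that mix, which a single combined "all policies pass" check would get wrong.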
