Preventing Information Leaks with Jeeves Jean Yang, MIT April 8, 2015.

Slides:



Advertisements
Similar presentations
Policy Auditing over Incomplete Logs: Theory, Implementation and Applications Deepak Garg 1, Limin Jia 2 and Anupam Datta 2 1 MPI-SWS (work done at Carnegie.
Advertisements

Operating System Security
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Exception Handling. Background In a perfect world, users would never enter data in the wrong form, files they choose to open would always exist, and code.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
ISBN Chapter 3 Describing Syntax and Semantics.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
A Language for Automatically Enforcing Privacy Jean Yang with Kuat Yessenov and Armando Solar-Lezama.
Protecting User Data in Ubiquitous Computing: Towards Trustworthy Environments Yitao Duan and John Canny UC Berkeley.
Debugging Introduction to Computing Science and Programming I.
The Microsoft View: Module 1: Getting Started. Copyright Course 2559B, Introduction to Visual Basic®.NET Programming with Microsoft®.NET. Lecture 1 Microsoft.
1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.
Aalborg Media Lab 21-Jun-15 Software Design Lecture 1 “ Introduction to Java and OOP”
A Type System for Expressive Security Policies David Walker Cornell University.
Building Secure Software Chapter 9 Race Conditions.
Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
Bellevue University CIS 205: Introduction to Programming Using C++ Lecture 1: Getting Started by George Lamperti & BU Faculty.
Applied Software Project Management Andrew Stellman & Jennifer Greene Applied Software Project Management Applied Software.
Describing Syntax and Semantics
Automatic Implementation of provable cryptography for confidentiality and integrity Presented by Tamara Rezk – INDES project - INRIA Joint work with: Cédric.
Copyright © 2009 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Java Software Solutions Foundations of Program Design Sixth Edition by Lewis.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
LAYING OUT THE FOUNDATIONS. OUTLINE Analyze the project from a technical point of view Analyze and choose the architecture for your application Decide.
Database System Concepts and Architecture Lecture # 3 22 June 2012 National University of Computer and Emerging Sciences.
Secure Web Applications via Automatic Partitioning Stephen Chong, Jed Liu, Andrew C. Meyers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng. Cornell University.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Context Tailoring the DBMS –To support particular applications Beyond alphanumerical data Beyond retrieve + process –To support particular hardware New.
CIS 199 Test 01 Review. Computer Hardware  Central Processing Unit (CPU)  Brains  Operations performed here  Main Memory (RAM)  Scratchpad  Work.
CS162 Week 8 Kyle Dewey. Overview Example online going over fail03.not (from the test suite) in depth A type system for secure information flow Implementing.
COP 4620 / 5625 Programming Language Translation / Compiler Writing Fall 2003 Lecture 10, 10/30/2003 Prof. Roy Levow.
CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.
Python – Part 1 Python Programming Language 1. What is Python? High-level language Interpreted – easy to test and use interactively Object-oriented Open-source.
Reasoning about Information Leakage and Adversarial Inference Matt Fredrikson 1.
Introduction to Database Management Systems. Information Instructor: Csilla Farkas Office: Swearingen 3A43 Office Hours: Monday, Wednesday 4:15 pm – 5:30.
S2008Final_part1.ppt CS11 Introduction to Programming Final Exam Part 1 S A computer is a mechanical or electrical device which stores, retrieves,
Chapter 25 Formal Methods Formal methods Specify program using math Develop program using math Prove program matches specification using.
Next-generation databases Active databases: when a particular event occurs and given conditions are satisfied then some actions are executed. An active.
Database Design and Management CPTG /23/2015Chapter 12 of 38 Functions of a Database Store data Store data School: student records, class schedules,
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
Lecture 1 Introduction Figures from Lewis, “C# Software Solutions”, Addison Wesley Richard Gesick.
ACM CCS 2005 CPOL: High-Performance Policy Evaluation Kevin Borders Xin Zhao Atul Prakash University of Michigan.
Extending context models for privacy in pervasive computing environments Jadwiga Indulska The School of Information Technology and Electrical Engineering,
Advantage of File-oriented system: it provides useful historical information about how data are managed earlier. File-oriented systems create many problems.
SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.
SECURE WEB APPLICATIONS VIA AUTOMATIC PARTITIONING S. Chong, J. Liu, A. C. Myers, X. Qi, K. Vikram, L. Zheng, X. Zheng Cornell University.
A Framework for Automatically Enforcing Privacy Policies Jean Yang MSRC / October 15, 2013.
Domain Driven Web Development With WebJinn Sergei Kojarski College of Computer & Information Science Northeastern University joint work with David H. Lorenz.
Construction Planning and Prerequisite
1. 2 Preface In the time since the 1986 edition of this book, the world of compiler design has changed significantly 3.
Semantics In Text: Chapter 3.
Introduction.  Administration  Simple DBMS  CMPT 454 Topics John Edgar2.
Chapter 5 Introduction To Form Builder. Lesson A Objectives  Display Forms Builder forms in a Web browser  Use a data block form to view, insert, update,
CSCI1600: Embedded and Real Time Software Lecture 28: Verification I Steven Reiss, Fall 2015.
From Natural Language to LTL: Difficulties Capturing Natural Language Specification in Formal Languages for Automatic Analysis Elsa L Gunter NJIT.
A Framework for Automatically Enforcing Privacy Policies Jean Yang MIT KIT / April 17, 2014.
CS162 Week 8 Kyle Dewey. Overview Example online going over fail03.not (from the test suite) in depth A type system for secure information flow Implementing.
INTRODUCTION TO COMPUTER PROGRAMMING(IT-303) Basics.
Introduction to Computer Programming Concepts M. Uyguroğlu R. Uyguroğlu.
Copyright Office Material Copyright Request System.
Precise, Dynamic Information Flow for Database- Backed Applications Jean Yang, Travis Hance, Thomas H. Austin, Armando Solar-Lezama, Cormac Flanagan, and.
Types for Programs and Proofs
Paper Reading Group:. Language-Based Information-Flow Security. A
State your reasons or how to keep proofs while optimizing code
Information Security CS 526
Information Security CS 526
CS 325: Software Engineering
Presentation transcript:

Preventing Information Leaks with Jeeves Jean Yang, MIT April 8, 2015

Wearable devices Data, Data Everywhere Jean Yang / Jeeves2 Social media Electronic health records Online courses

Jean Yang / Jeeves3 All Kinds of People Are Writing All Kinds of Code Open source lines of code Journalists Medical researchers Social scientists Children

Jean Yang / Jeeves4 Even Trained Developers Leak Information

Why Aren’t Existing Approaches Enough? Jean Yang / Jeeves5 Exploit Patch But leaves system builders a step behind. Defensive protection But people are still showing the data wrong. Encrypting Data

My Approach: Privacy by Construction Jean Yang / Jeeves6 Factor out privacy to reduce opportunity for leaks. Programmer specifies high-level policies about how sensitive data can be used. Rest of program is policy-agnostic. System manages policies automatically.

Social Calendar Example Jean Yang / Jeeves7 Alice and Bob throw a surprise party for Carol.

Even Seemingly Simple Policies Have Subtleties Jean Yang / Jeeves8 Guests Carol Strangers Surprise party for Carol at Chuck E. Cheese. Pizza with Alice/Bob. Private event at Chuck E. Cheese. Policy: Must be guest. Policies can depend on sensitive values and other policies. Policy: Only visible to hosts until finalized. Problem:

Enforcing Policies Can Leak Information! Jean Yang / Jeeves9 Guests Surprise party at Chuck E. Cheese. Policy: Only visible to hosts until finalized. Policy: Must be guest. Guest list finalized Guests can’t see event Guests can see event Subtle mistake: check for policy 1 neglects dependency on policy 2. Problem arises when programmers trusted to get dependencies right. 1 2

Policies Are Intertwined Across the Code Jean Yang / Jeeves10 “What is the most popular location among friends 7pm Tuesday?” Update to event subscribers Track information flow through derived values. Track where derived values flow. Problem:

Jean Yang / Jeeves11 “Policy Spaghetti” in Real Systems Code from HotCRP conference management system Highlighted: conditional permissions checks everywhere.

Jean Yang / Jeeves12 Programming model. Mathematical guarantees. Implementations, web framework, and case studies. Automatic Enforcement with Jeeves The well-intentioned programmer writes same code no matter what policies are.

Jeeves Factors Out Policies Jean Yang / Jeeves13 Centralized policies. Policy-agnostic program. Runtime differentiates behavior. Model ViewController

Background. Jean Yang / Jeeves14 Jeeves programming model. How Jeeves works. Theoretical guarantees. Implementation & evaluation. This Talk [PLAS ’13] [draft] [POPL ’12] Background.

1.Specifying policies. 2.Specifying differentiated behavior. 3.Factoring out policies from other code. 4.Enforcing policies that depend on sensitive values. Automatically Managing Information Flow Jean Yang / Jeeves15 Only Jeeves supports 3 and 4. Jeeves supports more expressive policies than prior work.

Jean Yang / Jeeves16 Information flow controls check that only allowed flows occur [HiStar, Flume, Resin, LIO/Hails, Jif/Sif, flow locks, F*, and more]. Related Work: Checking Information Flow == true == false if viewer == : elif viewer != : error Programmer tags data. System prevents leaks by raising error. Must explicitly define and tag alternate behavior. My previous work.

Jean Yang / Jeeves17 == Multi-execution approaches differentiate behavior based on viewer [secure multi-execution (Devriese et al); faceted execution (Austin and Flanagan)]. true false Computing with Multiple Values Related Work: Must encode policies as tags. “Policy spaghetti.” Policies can leak information.

Background. Jean Yang / Jeeves18 Jeeves programming model How Jeeves works. Theoretical guarantees. Implementation & evaluation. This Talk Jeeves programming model. Supporting expressive policies that can depend on sensitive values. 2 Factoring out information flow. 1 Challenges

Policy-Agnostic Programming in Jeeves Jean Yang / Jeeves19 Application Code Separate from policies. policies Sensitive values encapsulate multiple behaviors. Policies describe rules for how values may flow to output contexts.

.guests [ ] Jeeves Supports Expressive Policies def isNotCarol(oc): return oc != Jean Yang / Jeeves20 Output context can be of arbitrary type. def isGuest(oc): return oc in.guests A policy is an arbitrary function that takes the output context and returns a Boolean value. Policies can depend on sensitive values.

21Jean Yang / Jeeves == true false print { } true false Jeeves Programming Model Programmer writes policy- agnostic programs. Runtime propagates values and policies. Runtime produces differentiated output based on the viewer. Programmer specifies policies and facets

The Jeeves Programming Model Well-defined runtime semantics for policy-agnostic programming with information flow policies. Can be implemented standalone or embedded as a library. Has been adapted across runtimes in web frameworks. Jean Yang / Jeeves22

Background. Jean Yang / Jeeves23 Jeeves programming model How Jeeves works. Theoretical guarantees. Implementation & evaluation. This Talk How Jeeves works. Handling policies with dependencies. 1 Enforcing policies when state changes. 2 Challenges

24Jean Yang / Jeeves if == : x += 1 return x x = 0 print { } 10 Jeeves Execution Model Runtime propagates values and policies. Runtime solves for values to show based on policies and viewer. 2 1 Runtime simulates simultaneous multiple executions.

Using Policies to Produce Outputs Jean Yang / Jeeves25 print { } 0 ( != ) ? 1 : 0 policy( ) Jeeves uses policies to defacet appropriately. 1 0 def isNotCarol(oc): return oc !=

Jean Yang / Jeeves26 print { } ( == ) ? : policy( ) def isMaybeCarol(oc): return oc == But What About Dependencies? Possible solutions: ( == ) ? : Jeeves runtime will pick the secret value if allowed. Need to find a fixed point!

Jean Yang / Jeeves27 Using Constraints to Handle Dependencies LabelPolicy a def isGuest(oc): return oc in.guests policy( ) print { } a Constraints contain only Boolean variables. Always a consistent assignment. Evaluated with respect to state at time of output.

Handling Indirect Flows Jean Yang / Jeeves28 if == : a x += 1 true false a if : x += 1 x = x old +1 x old a Labels follow values through all computations, including conditionals and assignments.

Outputting to Sinks Jean Yang / Jeeves29 Evaluate output context and expression to print. Retrieve labels and policies. Evaluate policies applied to the output context. Defacet using satisfying policy assignment. Jeeves Runtime Semantics: Statement evaluation Expression evaluation Output context Result Policies

Background. Jean Yang / Jeeves30 Jeeves programming model How Jeeves works. Theoretical guarantees. Implementation & evaluation. This Talk Theoretical guarantees. Proving enforcement with respect to our semantics. 2 Defining what it means to enforce policies. 1 Challenges

Non-Interference Jean Yang / Jeeves31 a if == : x += 1 print { } a a if == : x += 1 Jeeves Challenge: Compute labels from program—may have dependencies on secret values! Secret values should not affect public output.

Jean Yang / Jeeves32 a if == : x += 1 print { } a a if == : x += 1 Jeeves Theorem: All executions where a must be public produce equivalent outputs. Jeeves Non-Interference and Policy Compliance Can’t tell apart secret values that require a to be public.

Jeeves Policy Compliance Theorem Suppose we have Jean Yang / Jeeves33 Need to account for policies that depend on sensitive values!

Background. Jean Yang / Jeeves34 Jeeves programming model How Jeeves works. Theoretical guarantees. Implementation & evaluation. This Talk Implementation and evaluation. Adapting the approach for web applications. 1 Scaling the approach. 2 Challenges

Facets in the Application and Database Jean Yang / Jeeves35 Application Queries select * from Users where location = SQL Database Application All data SQL Database select * from Users Database queries can leak information! Impractical and potentially slow! Solution: Facet the database. Implemented as an object- relational mapping supporting uniform facet representation.

Jeeves runtime Jacqueline Web Framework Jean Yang / Jeeves36 Application Viewer Propagate policies. Attach policies. Defacet values based on viewer. Programmer is responsible Framework is responsible

Jean Yang / Jeeves37 Django-like data schema for describing fields. Policy for ‘location’ field. Helper functions for policy include queries. Public value for ‘location’ field.

Jean Yang / Jeeves38 DEPLOYED FOR PLOOC 2014! Conference management system Course managerMedical records (HIPAA) Implemented in Jeeves Questions 1.How does faceted execution scale? 2.How does faceting the database affect queries?

Demo Jean Yang / Jeeves39

CMS Running Times Jean Yang / Jeeves40 Database size does not affect query speed. Showing sensitive data grows linearly. Tests from Amazon AWS machine via HTTP requests from another machine.

Evaluation Lessons Faceted execution is expensive. Policy-agnostic programming does not always need faceted execution. Many opportunities for optimization in web frameworks. Jean Yang / Jeeves41

Policy-Agnostic Programming in Jeeves Jean Yang / Jeeves42 Design of a policy- agnostic programming language [POPL ‘12] Semantics and guarantees [PLAS ’13] Implementation, web framework, and case studies [in submission] == Other functionality Policies Sensitive values

Jean Yang / Jeeves43 F*: type-checking security properties. [ICFP ’11; JFP ‘13] Ask Reeves: verified privacy policies. [patent filed] Verified Type- checked Verve: a provably type-safe OS. [PLDI ’10 (Best Paper); CACM ‘10] My Interests in Provable Guarantees Lessons Difficult to write secure and private programs. Even more difficult to prove them correct. Easier if we can get privacy by construction.

Jean Yang / Jeeves44 The Future of Policy- Agnostic Programming Factor out policies from other code. Rely on compiler and runtime to differentiate behavior.

Programmability. –Languages for different kinds of policies. –Tools for verifying and visualizing policies. Scaling. –Policy-agnostic semantics with minimal faceting. –Building foundations with policy management in mind. Jean Yang / Jeeves45 Making Policy-Agnostic Programming Work Web frameworks DatabasesWeb browsers

Parting Thoughts By reducing opportunity for programmer error, we can eliminate whole classes of privacy leaks. Jean Yang / Jeeves46

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.