Containment and Integrity for Mobile Code End-to-end security, untrusted hosts Andrew Myers Fred Schneider Department of Computer Science Cornell University.

Presentation transcript:

Slide 1: Containment and Integrity for Mobile Code: End-to-end security, untrusted hosts. Andrew Myers, Fred Schneider. Department of Computer Science, Cornell University, Ithaca NY 14853

18 July 00  End-to-end security, untrusted hosts — Andrew Myers
Slide 2: Research directions
- End-to-end security by program rewriting
- In-lined reference monitors
- Asynchronous proactive secret sharing
- Gossip protocols
- Mobile code integrity:
  – NAP protocols (primary-backup revisited)
  – Cryptographic-based privilege management

Slide 3: Protecting confidentiality
- Historically: privacy protection largely a military concern (confidentiality, secrecy)
- Future: many commercial, end-user needs
- Assurance for shared information services
  – on-line shopping, home page services
- Programs with access to private information
  – spreadsheets, Quicken, word processors, ...
- Military and commercial privacy needs converging?
[Figure: military classification lattice: top secret / secret / classified / unclassified]

Slide 4: Privacy vs complexity
- Problem: complex systems, untrusted parts
  – both distributed and single-host computation
- Harder to protect confidential information?

Slide 5: Example: airplane design
[Figure: two parties, Boeing and the Air Force, each with their own hosts, data and programs.
 Boeing data: marketing plans, aircraft designs, other customers' info.
 Air Force data: military secrets, other suppliers' info.
 Programs: war simulations, cost projections, CAD, aircraft simulations.]

Slide 6: Policies vs. Mechanisms
- Problem: policy/mechanism mismatch
  – Conventional mechanisms (e.g., access control): control whether A is allowed to transmit to B
  – Privacy policy: information I can only be obtained by users U (no matter how it is transformed)
  – Access control is point-to-point; policy is end-to-end
- How to map privacy policy onto a mechanism? (we already do this by hand!)
[Figure: a point-to-point channel from A to B, contrasted with an end-to-end constraint from information I to users U]

Slide 7: Mechanisms
- Discretionary access control: doesn't control propagation
  [Figure: A sends to B, and the data keeps propagating beyond B ...]
- Mandatory access control: expensive, restrictive
  [Figure: A and B each carry a level L from the lattice top secret / secret / classified / unclassified]

Slide 8: Static analysis of information flow
- Idea: add privacy policies as annotations to programs (types): e.g., the JIF language (Java Information Flow)
    int {L} x;   // L is an end-to-end privacy policy
- JIF: security-typed language
- Uses decentralized label model

Slide 9: Static information flow
- Type-check information flow statically
  – efficient
  – validates all possible run-time information flows: more precise, less restrictive
  – allows modular composition
  – hybrid dynamic/static schemes possible

Slide 10: Compiler architecture
[Figure: pipeline. Program (JIF source) → JIF compiler → Java source plus label annotations → Java compiler → class file (bytecode) plus label annotations.]
- Source-to-source translator (JIF → Java)
- Mostly just removes annotations

Slide 11: Single-machine model
[Figure: Source → JIF compiler → Bytecode → Host → executing program. The host must trust the JIF compiler.]

Slide 12: Airplane design
[Figure: the Boeing / Air Force diagram from slide 5 again: hosts, data (marketing plans, aircraft designs, other customers' info; military secrets, other suppliers' info) and programs (war simulations, cost projections, CAD, aircraft simulations).]

Slide 13: Avoiding trusted compiler
[Figure: Source → JIF compiler → Bytecode → verifier → Host → executing program. Trust is placed in the verifier on the host rather than in the compiler.]
- Java trick: substitute trusted verifier for compiler
- Need expressive security type system for intermediate / assembly code

Slide 14: Avoiding trusted hosts
- Security invariant: a host distrusted by principal p should not see p's confidential data
- Problem: multi-party computation may involve confidential data from several parties
- Run only on completely trusted hosts?
  – expensive
  – bottleneck
- Computation across available hosts

Slide 15: Secure program partitioning
- New approach to secure distributed systems
- Write programs without explicit code locations or inter-host communication
- Automatically transform code to run securely on current hosts
[Figure: source → compiler → intermediate code → splitter → one code partition per host; the splitter also takes the hosts' authenticated trust declarations as input.]
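The label checks of slides 8 and 9 and the host-placement rule of slides 14 and 15, worked through in one added example. This is illustration code written for this page, not the JIF compiler or the Cornell splitter: it implements a cut-down decentralized label model (a label is a set of owner: readers policies; relabeling is allowed only when no owner is dropped and no owner gains readers), type-checks a tiny straight-line program including implicit flows through the pc label, and then places each variable on the hosts that every owner in its label trusts. The Boeing / Air Force variables, the host names and the trust declarations are constructed, and the placement test is a single ownership rule, far simpler than the real splitter.

```python
"""Toy decentralized-label checker and host partitioner (added example, not project code)."""


def label(spec):
    """Parse a JIF-style label such as '{boeing: boeing, airforce; airforce: airforce}'
    into owner -> frozenset of readers. '{}' is the public label: no owner restricts it."""
    body = spec.strip().strip("{}").strip()
    lab = {}
    if not body:
        return lab
    for policy in body.split(";"):
        owner, _, rs = policy.partition(":")
        lab[owner.strip()] = frozenset(r.strip() for r in rs.split(",") if r.strip())
    return lab


def flows_to(src, dst):
    """src may be relabeled to dst only if dst keeps every owner of src and grants
    that owner's data no reader the owner did not already permit."""
    return all(o in dst and dst[o] <= rs for o, rs in src.items())


def join(a, b):
    """Label of data derived from both a and b: union of owners, intersection of readers."""
    out = dict(a)
    for o, rs in b.items():
        out[o] = out[o] & rs if o in out else rs
    return out


def check(program, env=None, pc=None):
    """Static information-flow check over a list of statements:
         ("decl", var, labelspec)
         ("assign", var, [source vars])
         ("if", [condition vars], [body statements])
    pc is the label of the control context; joining it into every assignment
    inside a branch is what catches implicit flows."""
    env = {} if env is None else env
    pc = {} if pc is None else pc
    errors = []
    for stmt in program:
        if stmt[0] == "decl":
            env[stmt[1]] = label(stmt[2])
        elif stmt[0] == "assign":
            target, sources = stmt[1], stmt[2]
            rhs = pc
            for s in sources:
                rhs = join(rhs, env[s])
            if not flows_to(rhs, env[target]):
                errors.append(f"{target} := {' + '.join(sources)} (pc={pc})")
        elif stmt[0] == "if":
            branch_pc = pc
            for c in stmt[1]:
                branch_pc = join(branch_pc, env[c])
            errors.extend(check(stmt[2], env, branch_pc))
    return errors


def place(env, trust):
    """Simplified partitioning rule: a variable may live on host h only if every
    owner in its label trusts h. trust maps host -> set of principals trusting it."""
    return {var: sorted(h for h, ps in trust.items() if set(lab) <= ps)
            for var, lab in env.items()}


# Constructed program in the spirit of the airplane-design example.
PROGRAM = [
    ("decl", "design",  "{boeing: boeing, airforce}"),    # Boeing data, shared with the Air Force
    ("decl", "secrets", "{airforce: airforce}"),           # Air Force military secrets
    ("decl", "sim",     "{boeing: boeing, airforce; airforce: airforce}"),  # joint simulation result
    ("decl", "cost",    "{boeing: boeing}"),               # Boeing-only cost projection
    ("assign", "sim",  ["design", "secrets"]),   # ok: sim is at least as restrictive as both inputs
    ("assign", "cost", ["design"]),              # ok: cost is more restrictive than design
    ("assign", "cost", ["secrets"]),             # rejected: Air Force secrets would reach Boeing
    ("if", ["secrets"], [("assign", "cost", ["design"])]),  # rejected: implicit flow via pc
]

# Constructed trust declarations: host -> principals that trust it.
TRUST = {"boeing-host": {"boeing"}, "af-host": {"airforce"},
         "shared-host": {"boeing", "airforce"}}


def run():
    """Check PROGRAM, then place its variables on hosts; returns (errors, placement)."""
    env = {}
    errors = check(PROGRAM, env)
    return errors, place(env, TRUST)


if __name__ == "__main__":
    errs, placement = run()
    for e in errs:
        print("REJECTED:", e)
    for var, hosts in placement.items():
        print(var, "->", hosts)
```

Running it rejects exactly the two flows marked above, the direct one and the implicit one through the branch on `secrets`, and places `sim` on `shared-host` only, since both Boeing and the Air Force own part of its label and only that host is trusted by both.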

Slide 16: Caveats
- Programs annotated with security information
  – but: annotations are types
- Communication model: inter-host messages cannot be intercepted or damaged
  – but: private-key encryption can be used
- Some covert channels (e.g., timing) still exist

Slide 17: Status
- New, expressive intermediate language with support for security types, program transformations
  – Next: security-typed assembly language
  – verifier
- Rewrite rules for automatic program partitioning across hosts
  – Next: optimizing transformations for performance
  – partitioning back end for JIF compiler
  – partitioning verifier
- Core technology is in place

Slide 18: Conclusions
- Decentralized enforcement of end-to-end security policies appears surprisingly feasible
- Application: assurance for distributed services
- Other project research directions:
  – In-lined reference monitors
  – Asynchronous proactive secret sharing
  – Gossip protocols
  – Mobile code integrity