Decentralized Information Flow (a paper by Myers/Liskov). Privacy & Security, Virginia Tech, Computer Science, Fall 2011.
Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  Motivation &Goals  Example  Model  Labels Confidentiality (reading) Integrity (writing) [presented later]  Principal hierarchy  Relabeling  Declassification  Jif (Java Information Flow)  Static and dynamic checking 2 Overview

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  End-end confidentiality  Need to control propagation/release of information beyond access control guarantees  Need for more precise and practical model  Model  Decentralized label model Independent principals, not a central authority  Copes with Untrusted code Mutual suspicion  Protection for users/group (not just organization)  Richer notion of declassification Need in practical systems to avoid “label creep” Does not need trusted subject (each principal declassifies their own data)  Finer grain of protection via JIF 3 Motivation & Goals

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  Bob and Tax preparer must cooperate  Each have sensitive information to protect from the other  Bob cannot inspect Tax preparer code  Both must trust execution platform 4 Example

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  A process can act on behalf of a (set of) principal(s)  p acts for q  p has all the powers of q  Written  Represents  Individuals  Group/role 5 Model: Principals

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  Confidentiality labels (integrity later)  Form  { policy 1, policy 2, …, policy n }  Policy is owner : list of readers  Example L = {o 1 : r 1, r 2 ;, o 2 : r 2, r 3 }  All policies in a label must be satisfied  In example, r 2 can read an object labeled by L 6 Model: Labels

Slide 7: Intuition - Confidentiality
[Figure: the confidentiality lattice. Moving up the lattice means more restrictive / higher confidentiality, moving down means less restrictive / lower confidentiality. Assignment flows upward from source to destination; declassification moves downward from before to after.]
- Join (least upper bound): union of all policies (each of which must be met), hence the intersection of the readers allowed by a given principal
- Meet (greatest lower bound): intersection of all policies, hence the union of the readers allowed by a given principal

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  Assignment (value/L 1  variable/L 2 ) iff it is safe  Safety  L 2 is at least as restrictive as L 1  every policy in L 1 will be enforced by L 2  Notation  Label restriction  Policy “covers” J’s owner can act for I’s owner (or is the same owner) J’s readers are a subset of I’s readers (or are the same)  Incremental relabeling rules  Remove a reader  Add a policy  Add a reader r’ if r is in policy and  Replace an owner o with o’ if 8 Relabeling

Slide 9: Relabeling Examples
[Figure: worked relabeling examples, not reproduced in the transcript.]

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  For policy I  Owner: o(I)  Explicit readers: r(I)  Implicit readers:  Rule 10 Complete relabeling rule

Slide 11: Combining Information
[Figure, not reproduced in the transcript: a value computed from several inputs carries the join of the input labels, i.e. the union of their policies.]

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  Goal: deliberate action by process to weaken/relax confidentiality  Authority – the set of principals on whose behalf a process is allowed to act  Performed on a per-owner basis  No centralized declassifier needed  Owners cannot affect each others policies  Rule 12 Declassification – Confidentiality Labels

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  requires WebTax to declassify final tax form to be readable by Bob. 13 Declassification: example

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  Form  { policy 1, policy 2,…, policy n }  Policy is owner : list of writers  Example L = {o 1 : w 1, w 2 ;, o 2 : w 2, w 3 }  Interpretation (of a policy)  A guarantee by the policy owner that the data can only be affected by the list of writers  The fewer writers, the less restrictive and the stronger the integrity guarantee  The most restrictive label is {} States no guarantee of source(s)/contamination All users may have written to the data Can only be used only when receiver imposes no integrity requirements 14 Model: Integrity Labels

Slide 15: Intuition - Integrity
[Figure: the integrity lattice. Moving up the lattice means more restrictive: lower integrity, weaker guarantee. Moving down means less restrictive: higher integrity, stronger guarantee. Assignment flows upward from source to destination; declassification moves downward from before to after.]
- Join (least upper bound): intersection of all policies, hence the union of the writers admitted by a given principal
- Meet (greatest lower bound): union of all policies, hence the intersection of the writers admitted by a given principal

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  Assignment (value/L 1  variable/L 2 ) iff it is safe  Safety: L 2 is more restrictive than L 1 (no less restrictive?)  Notation:  Examples:  {o : w 1 }  {o: w 1, w 2 } is allowed  { o : w 1, w 3 }  {o: w 1, w 2 } is not allowed  { o : w 1 ; o’: w 3 }  {o: w 1, w 2 } is allowed  Incremental relabeling rules  Add a writer  Remove a policy  Replace writer w’ by a writer w where  Add a policy J that is identical to policy I except that 16 Relabeling Integrity Labels

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  Goal: deliberate act by a process to weaken/relax integrity guarantees  Authority: the set of principles on whose behalf a process is allowed to act  Performed on a per-owner basis  No centralized declassifier needed  Owners cannot affect each others policies  Rule  L 1 can be declassified to L 2 if  is an integrity label with a policy {p: all } for every principal p in the authority of the process; all is a list of all users 17 Declassification – Integrity Labels

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  Extends Java with information flow checking  New features  Static checking of code privileges and also dynamic granting/checking of authority  Label polymorphism  Run-time checking when needed; run-time checks are checked to guard against leaks  Automatic label inference reduces need for manual labeling  Implicit flows accounted for by associating a static program-counter label (pc) with every statement 18 Jif – Java Information Flow

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  Labeled type  associate a type, t, with an information flow label, l, as t{l}  Label checking insures that the apparent label of a value is at least as restrictive as the actual label of every value that might affect it.  Additional features  Declassify operator  An actsFor statement  Procedure calls my delegate a portion of the authority of the caller  Type “label” permits run-time label checking 19 Overview

Slide 20: Example
[Jif code example, not reproduced in the transcript.]