Presentation is loading. Please wait.

Presentation is loading. Please wait.

Precise, Dynamic Information Flow for Database- Backed Applications Jean Yang, Travis Hance, Thomas H. Austin, Armando Solar-Lezama, Cormac Flanagan, and.

Published byEvelyn Farmer Modified over 8 years ago

Similar presentations

Presentation on theme: "Precise, Dynamic Information Flow for Database- Backed Applications Jean Yang, Travis Hance, Thomas H. Austin, Armando Solar-Lezama, Cormac Flanagan, and."— Presentation transcript:

1 Precise, Dynamic Information Flow for Database- Backed Applications Jean Yang, Travis Hance, Thomas H. Austin, Armando Solar-Lezama, Cormac Flanagan, and Stephen Chong PLDI 2016 Jean Yang / PLDI 2016

2 An oil skimming operation works in a heavy oil slick after the spill on April 1, 1989. (Photo from Huffington Post ) Huffington Post Jean Yang / PLDI 2016

3 Oil-covered otter. (Photo from the Human Impact Project)Human Impact Project

4 The Relationship Between Design and Accidents Jean Yang / PLDI 2016 Crude oil Single hull Crude oil Double hull Required by the Oil Pollution Act of 1990.

5 Jean Yang / PLDI 2016 But what about information leaks?

6 Wanted: Double Hull for Information Security Jean Yang / PLDI 2016 Sensitive data Single hull Sensitive data Double hull Research in language-based security looks at designs for double hulls [Sabelfeld and Myers, JSAC 2003]. Our goal: make double hulls that are as easy to construct as possible!

7 This Talk: Making It Easier to Secure Web Programs 1. Why it’s hard to prevent information leaks. 2. A programming model that makes writing secure web programs easier. 3. How we support that programming model in database-backed applications. Jean Yang / PLDI 2016

8 Social Calendar Example Jean Yang / Jeeves Let’s say Arjun and I want to throw a surprise paper discussion party for Emery.

9 Challenge: Different Viewers Should See Different Events Jean Yang / PLDI 2016 Guests Emery Strangers Surprise discussion for Emery at Chuck E. Cheese. Pizza with Arjun/Jean. Private event at Chuck E. Cheese.

10 Policies May Depend on Sensitive Values Jean Yang / PLDI 2016 Guest List Finalized list Must be on guest list. Must be member of list and the list must be finalized. Leaky enforcement: when the programmer neglects dependencies of policies on sensitive values. Policy for event depends on policy for guest list!

11 A Story of Leaky Enforcement Jean Yang / PLDI 2016 Guest List Finalized list We add Armando to non-final guest list. 1 We run out of space and remove Armando. 3 Armando figures out he was uninvited. 4 There was a party on my calendar… Guest List Finalized list Armando sees the event on his calendar. 2

12 A Story of Leaky Enforcement Jean Yang / PLDI 2016 Guest List Finalized list We add Armando to non-final guest list. 1 We run out of space and remove Armando. 3 Armando figures out he was uninvited. 4 There was a party on my calendar… Guest List Finalized list Armando sees the event on his calendar. 2 Problem: implementation for event policy neglected to take into account guest list policy. This arises whenever we trust programmers to get policy checks right!

13 Need to Track Policies and Viewers Across the Code Jean Yang / PLDI 2016 “What is the most popular location among friends 7pm Tuesday?” Update to all calendar users Need to track how information flows through derived values and where derived values flow!

14 “Policy Spaghetti” in HotCRP Jean Yang / PLDI 2016 Conditional permissions checks everywhere!

15 Jacqueline Web Framework to the Rescue! Jean Yang / PLDI 2016 Enhanced runtime encompasses applications and databases, preventing leaks between the two. Runtime prevents information leaks according to policy annotations. Sensitive data Policy annotations Database Programmer specifies information flow policies separately from other functionality. 1 2 3

16 Contributions Policy-agnostic programming model for database-backed web applications. Semantics and proofs for policy- agnostic programming that encompasses SQL databases. Demonstration of practical feasibility with Python implementation and application case studies. Jean Yang / PLDI 2016

17 Enhanced runtime Jacqueline Web Framework Jean Yang / PLDI 2016 Policies Framework attaches policies based on annotations. Framework shows appropriate values based on viewer and policies. Object-relational mapping propagates policies and sensitive values through computations.

18 @jacqueline def has_host(self, host): return EventHost.objects.get( event=self, host=host) != None @jacqueline def has_guest(self, guest): return EventGuest.objects.get( event=self, host=host) != None Jean Yang / PLDI 2016 Base schema Policy helper functions class Event(JacquelineModel): name = CharField(max_length=256) location = CharField(max_length=512) time = DateTimeField() description = CharField(max_length)=1024) @staticmethod @label_for(‘location’) def restrict_event(event, ctxt): return event.has_host(ctxt) or event.has_guest(ctxt) @staticmethod def jacqueline_get_private_location(event): return “Undisclosed location” Public value for location field Information flow policy for location field Coding in Jacqueline

19 Centralized Policies in Jacqueline Jean Yang / PLDI 2016 Model View Controller Centralized policies! No checks or declassifications needed anywhere else!

20 20 Jean Yang / Jeeves if == : userCount += 1 return userCount userCount = 0 print { } 1 0 Closer Look at the Policy- Agnostic Runtime Runtime propagates values and policies. Runtime solves for values to show based on policies and viewer. 2 1 Jeeves [Yang et al 2012, Austin et al 2013] uses facets [Austin et al 2012] to simulate simultaneous multiple executions.

21 Labels Track Sensitive Values to Prevent Leaks Jean Yang / Jeeves 21 if == : c += 1 true false if : c += 1 c = c old +1c old Labels follow values through all computations, including conditionals and assignments. Emery can’t see secret party information or results of computations on those values! guest

22 Jean Yang / PLDI 2016

23

24 The Dangers of Interacting with Vanilla Databases Database queries can leak information! Jean Yang / PLDI 2016 Application Queries select * from Users where location = Database Application All data Database select * from Users Impractical and potentially slow! Challenge: Support faceted execution when interacting with an unmodified SQL database. Need faceted queries!

25 save( ) Semantics of a Faceted Database Jean Yang / PLDI 2016 SQL Database select * from Users where location = Too expensive! Too difficult to extend the formal semantics! Primary keyLocation 1 Conceptual row Store facets as strings? New database for each label?

26 Solution: Use ORM to Map Facets onto Database Rows Jeeves keyLocationLabels 1 1 Jean Yang / PLDI 2016 select * from Users where location = ORM refacets Jeeves keyLocationLabels 1 Jeeves keyLocation 1 NULL Primary keyLocation 1 a Conceptual row a

27 Supporting Queries in Jacqueline Jacqueline Supports SQL Implements ORM Implements getselectrefaceting allselectrefaceting filterselectrefaceting sortorder byrefaceting foreign keysjoin- savedelete, insertturning a faceted value into multiple rows delete keeping track of which facets to delete Jean Yang / PLDI 2016 Can use SQL implementations for many queries!

28 Jean Yang / PLDI 2016

29 Early Pruning Optimization Jean Yang / PLDI 2016 Observation: Framework can often (but not always) track viewer. Enhanced runtime Policies Optimization: Can often explore fewer possible paths!

30 Jean Yang / PLDI 2016

31 Review: Traditional Non- Interference Jean Yang / Jeeves if == : userCount += 1 print { } 0 0 1 if == : userCount += 1 Challenge: Compute labels from program—may have dependencies on secret values! Secret values should not affect public output. guest

32 Jean Yang / Jeeves if == : userCount += 1 print { } 0 0 1 if == : userCount += 1 Theorem: All executions where guest must be public produce equivalent outputs. Can’t tell apart secret values that require guest to be public. Policy-Agnostic Non- Interference guest

33 Jean Yang / PLDI 2016

34 Application Case Studies Jean Yang / PLDI 2016 Course manager Health record manager Conference management system (deployed!) Jacqueline reduces the number of lines of policy code and has reasonable overheads!

35 Demo Jean Yang / PLDI 2016

36 Conference Management System Running Times Jean Yang / PLDI 2016 Tests from Amazon AWS machine via HTTP requests from another machine. *Different from numbers in paper.

37 Summary: Policy-Agnostic Web Programming with Jacqueline Jean Yang / PLDI 2016 Enhanced runtime encompasses applications and databases, preventing leaks between the two. Runtime prevents information leaks according to policy annotations. Sensitive data Policy annotations Database Programmer specifies information flow policies separately from other functionality. 1 2 3 We have strong formal guarantees and evidence that this can be practical!

38 Jean Yang / PLDI 2016 http://jeeveslang.org http://github.com/jeanqasaur/jeeves You can factor out information flow policies from other code to avoid policy spaghetti! You can enforce policies across the application and database by using a carefully-crafted ORM! You can build realistic systems using this approach!

Download ppt "Precise, Dynamic Information Flow for Database- Backed Applications Jean Yang, Travis Hance, Thomas H. Austin, Armando Solar-Lezama, Cormac Flanagan, and."

Similar presentations

Database Management Using Microsoft Access Xinhua Chen, Ph.D. Chinese Association of Professionals in Science and Technology March 23, 2003.

Database Management Using Microsoft Access Xinhua Chen, Ph.D. Chinese Association of Professionals in Science and Technology March 23, 2003.
Provenance-Aware Storage Systems Margo Seltzer April 29, 2005.

Provenance-Aware Storage Systems Margo Seltzer April 29, 2005.
Michael Pizzo Software Architect Data Programmability Microsoft Corporation.

Michael Pizzo Software Architect Data Programmability Microsoft Corporation.
Register Allocation Mooly Sagiv Schrierber 317 03-640-7606 Wed 10:00-12:00 html://www.math.tau.ac.il/~msagiv/courses/wcc.html.

Register Allocation Mooly Sagiv Schrierber Wed 10:00-12:00 html://
Module 12: Auditing SQL Server Environments

Module 12: Auditing SQL Server Environments
Database Management Systems, R. Ramakrishnan and J. Gehrke1 The Relational Model Chapter 3.

Database Management Systems, R. Ramakrishnan and J. Gehrke1 The Relational Model Chapter 3.
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
A Language for Automatically Enforcing Privacy Jean Yang with Kuat Yessenov and Armando Solar-Lezama.

A Language for Automatically Enforcing Privacy Jean Yang with Kuat Yessenov and Armando Solar-Lezama.
ETEC 100 Information Technology

ETEC 100 Information Technology
CS 290C: Formal Models for Web Software Lecture 10: Language Based Modeling and Analysis of Navigation Errors Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 10: Language Based Modeling and Analysis of Navigation Errors Instructor: Tevfik Bultan.
1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.

1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.
Previous finals up on the web page use them as practice problems look at them early.

Previous finals up on the web page use them as practice problems look at them early.
Polyglot: An Extensible Compiler Framework for Java Nathaniel Nystrom, Michael R. Clarkson, and Andrew C. Myers Presentation by Aaron Kimball & Ben Lerner.

Polyglot: An Extensible Compiler Framework for Java Nathaniel Nystrom, Michael R. Clarkson, and Andrew C. Myers Presentation by Aaron Kimball & Ben Lerner.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
A Type System for Expressive Security Policies David Walker Cornell University.

A Type System for Expressive Security Policies David Walker Cornell University.
Fundamentals, Design, and Implementation, 9/e Chapter 7 Using SQL in Applications.

Fundamentals, Design, and Implementation, 9/e Chapter 7 Using SQL in Applications.
Concepts of Database Management Sixth Edition

Concepts of Database Management Sixth Edition
1 Chapter 2 Reviewing Tables and Queries. 2 Chapter Objectives Identify the steps required to develop an Access application Specify the characteristics.

1 Chapter 2 Reviewing Tables and Queries. 2 Chapter Objectives Identify the steps required to develop an Access application Specify the characteristics.
Audumbar Chormale Advisor: Dr. Anupam Joshi M.S. Thesis Defense

Audumbar Chormale Advisor: Dr. Anupam Joshi M.S. Thesis Defense
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

Similar presentations

Ads by Google