Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Language for Automatically Enforcing Privacy Jean Yang with Kuat Yessenov and Armando Solar-Lezama.

Published bySuzan Austin Modified over 9 years ago

Similar presentations

Presentation on theme: "A Language for Automatically Enforcing Privacy Jean Yang with Kuat Yessenov and Armando Solar-Lezama."— Presentation transcript:

1 A Language for Automatically Enforcing Privacy Jean Yang with Kuat Yessenov and Armando Solar-Lezama

2 getLocation ? Displaying User Locations to Other Users 2Jean Yang @ POPL

3 getLocation No Privacy Concerns Alice A Secret club Whatever! A Secret club 3 def getLocation (user: User): Location = user.location Jean Yang @ POPL

4 getLocation Alice OwnerViewer Simple policy Only my friends can see my location. A Secret club A 4Jean Yang @ POPL

5 getLocation Owner Viewer Which policies apply where? Policy interaction? Finer-Grained Policies Alice Only my friends can see my location. A Only members know this exists. Secret club A Diner Not a member! Locations 5Jean Yang @ POPL

6 Programmer Burden 6 def getLocation (user: User) (viewer: User) : Location = { if (isFriends user viewer) { if (canSee user.location viewer) { user.location; } else { scrub(user.location, “Diner”); } } else { undisclosedLocation; } } Policies Views of sensitive values Jean Yang @ POPL Output Context

7 Our Mission Make it easier for the programmer to preserve confidentiality of user data. 7Jean Yang @ POPL

8 What’s Hard? Function Scrubbed data Data Programmer check/filter Scrubbed data Functionality and policy are intertwined. 8Jean Yang @ POPL

9 Scrubbed data Our Solution Function Scrubbed data Data Automatic enforcement Policy Separation of policies from functionality 9 Programmer check/filter Tagged data Jean Yang @ POPL

10 Jeeves Goal def getLocation (user: User) (viewer: User) : Location = { if (isFriends user viewer) { if (canSee user.location viewer) { user.location; } else { scrub(user.location, “Work”); } } else { undisclosedLocation; } } 10 def getLocation (user: User): Location = user.location State of the Art Jeeves Jean Yang @ POPL Policy + Functionality

11 Talk Outline Jeeves language How it works Coding in Jeeves 11Jean Yang @ POPL

12 Jeeves Language Function Tagged data Scrubbed data Data Sensitive values 1 Policy Policies 2 Automatic contextual enforcement 3 12Jean Yang @ POPL

13  |  Secret club A Low confidentialityHigh confidentiality Diner A Secret club Jeeves for Locations 13Jean Yang @ POPL

14 val location: String = a level a in Core Functionality val msg: String = “Alice is at ” + location Contextual Enforcement print {alice} msg /* “Alice is at MIT” */ print {bob} msg /* “Alice is at school” */ Low component High component Policies policy a: context != alice  low Using Jeeves Level variable { low, high } 14 Sensitive Values Jean Yang @ POPL

15 Jeeves language How it works Coding in Jeeves Talk Outline 15Jean Yang @ POPL

16 How Jeeves Works Function Symbolic expressions Concrete value Symbolic valuesConstraints Symbolic evaluation Implicit parameter SMT solving 16Jean Yang @ POPL

17 NameLocation AliceMIT BobPOPL ClairePOPL Representing Sensitive Values in Jeeves NameLocation Alice  ?|MIT  a BobPOPL Claire  ?|POPL  b Policy Without JeevesJeeves 17Jean Yang @ POPL

18 Runtime Environment context != alice  a = low …  b = low 1 + ((x 1 = POPL) ? 1 : 0) + ((x 2 = POPL) ? 1 : 0) Symbolic Evaluation for Information Flow NameLocation Alice  |  a BobPOPL Claire  |  b How many people are at POPL? Outputs computed from sensitive values are symbolic & concretized under the policy environment. 18Jean Yang @ POPL

19 Jeeves Non-Interference Guarantee  L | H  a Consider the sensitive value Low component High component Level variable Given a fixed L, all executions where a must be low produce equivalent outputs no matter the value of H. 19Jean Yang @ POPL

20 20 Program L a Standard Non-Interference H1H1 H2H2 H n-1 HnHn Does not depend on the H-value Output Does not depend on the H-value = low

21 Jean Yang @ POPL21 Program L a Jeeves Non-Interference H1H1 H2H2 H n-1 HnHn = low Output Cannot distinguish between H-values that imply a = low a = high a = low Depends on the H-value

22 Jean Yang @ POPL22 Program L a Jeeves Non-Interference = low Output Program does not leak information about H. Programs to outputs? H

23 Language Restrictions Function Symbolic expressions Concrete value Symbolic valuesConstraints Symbolic evaluation SMT solving ConstraintsSymbolic values Arithmetic and Boolean constraints with conditionals & implications. Primitives and objects. No functions. 23Jean Yang @ POPL No functions, quantifiers, or theory of lists.

24 Static Checks Function Symbolic expressions Concrete value Symbolic valuesConstraints Symbolic evaluation SMT solving Symbolic values flow only where expected. Evaluation does not introduce nontermination. Contexts are well-formed. Outputs are concrete. Symbolic expressions Function Concrete value 24Jean Yang @ POPL

25 A Stateful Policies Alice Only people near me can see my location. policy a: (distance context alice > radius )  low But Alice’s location is changing… Jeeves: Delay policy evaluation until output. Secret club 25Jean Yang @ POPL

26 Jeeves System Function Symbolic expressions Concrete value DataPolicies Jeeves runtime Output Well-formed values. Evaluation produces well- formed values. Policies evaluated. Guarantee: outputs shown according to policies. 26Jean Yang @ POPL

27 Scala Implementation + v3 Overload operators to create symbolic expressions. = v2 Runtime Environment SMT Solver Use an SMT solver as a model finder. print Propagate policies. Delay evaluation of policies until output. policy 27Jean Yang @ POPL

28 Jeeves language How it works Talk Outline 28 Coding in Jeeves Jean Yang @ POPL

29 JConf Architecture User Role Paper Title Author Reviews Tags … Policy Review Reviewer Content Policy Context Viewer: User CStage: Stage Policy Submission, review, rebuttal, decision, public Core Program Search papers. Display papers. Add and remove tags. Assign and submit reviews. Functionality 29Jean Yang @ POPL Does not need to know about policies.

30 Functionality vs. Policy FileTotal LOCPolicy LOC ConfUser.scala5917 PaperRecord.scala10348 PaperReview.scala2111 ConfContext.scala60 Backend1230 Frontend (Scalatra)1610 Total47376 30Jean Yang @ POPL

31 Conclusions Website:sites.google.com/site/jeevesprogramming Google Code:code.google.com/p/scalasmt Contact:jeanyang@mit.edu The Jeeves language: pushing responsibility of privacy to the runtime. How we designed a language with constraints using symbolic evaluation to provide execution guarantees. Evaluation of Jeeves in practice: conference management example. 31Jean Yang @ POPL

Download ppt "A Language for Automatically Enforcing Privacy Jean Yang with Kuat Yessenov and Armando Solar-Lezama."

Similar presentations

Decision Structures - If / Else If / Else. Decisions Often we need to make decisions based on information that we receive. Often we need to make decisions.

Decision Structures - If / Else If / Else. Decisions Often we need to make decisions based on information that we receive. Often we need to make decisions.
1 Compiler Construction Intermediate Code Generation.

1 Compiler Construction Intermediate Code Generation.
1 Programming Languages (CS 550) Lecture Summary Functional Programming and Operational Semantics for Scheme Jeremy R. Johnson.

1 Programming Languages (CS 550) Lecture Summary Functional Programming and Operational Semantics for Scheme Jeremy R. Johnson.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.

INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
 2006 Pearson Education, Inc. All rights reserved. 1 11 Operator Overloading.

 2006 Pearson Education, Inc. All rights reserved Operator Overloading.
Algorithms and Problem Solving-1 Algorithms and Problem Solving.

Algorithms and Problem Solving-1 Algorithms and Problem Solving.
Algorithms and Problem Solving. Learn about problem solving skills Explore the algorithmic approach for problem solving Learn about algorithm development.

Algorithms and Problem Solving. Learn about problem solving skills Explore the algorithmic approach for problem solving Learn about algorithm development.
1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.

1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.
Encapsulation by Subprograms and Type Definitions

Encapsulation by Subprograms and Type Definitions
Polyglot: An Extensible Compiler Framework for Java Nathaniel Nystrom, Michael R. Clarkson, and Andrew C. Myers Presentation by Aaron Kimball & Ben Lerner.

Polyglot: An Extensible Compiler Framework for Java Nathaniel Nystrom, Michael R. Clarkson, and Andrew C. Myers Presentation by Aaron Kimball & Ben Lerner.
1 September 6, 2005CS150 Introduction to Computer Science I What Actions Do We Have Part 1 CS150 Introduction to Computer Science I.

1 September 6, 2005CS150 Introduction to Computer Science I What Actions Do We Have Part 1 CS150 Introduction to Computer Science I.
Semantics with Applications Mooly Sagiv Schrirber 317 03-640-7606 html://www.cs.tau.ac.il/~msagiv/courses/sem08.html Textbooks:Winskel The.

Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
1 Type Type system for a programming language = –set of types AND – rules that specify how a typed program is allowed to behave Why? –to generate better.

1 Type Type system for a programming language = –set of types AND – rules that specify how a typed program is allowed to behave Why? –to generate better.
Review Algorithm Analysis Problem Solving Space Complexity

Review Algorithm Analysis Problem Solving Space Complexity
Automatic Implementation of provable cryptography for confidentiality and integrity Presented by Tamara Rezk – INDES project - INRIA Joint work with: Cédric.

Automatic Implementation of provable cryptography for confidentiality and integrity Presented by Tamara Rezk – INDES project - INRIA Joint work with: Cédric.
Introduction to JavaScript for Python Programmers

Introduction to JavaScript for Python Programmers
Operator OverloadingCS-2303, C-Term 20101 Operator Overloading CS-2303 System Programming Concepts (Slides include materials from The C Programming Language,

Operator OverloadingCS-2303, C-Term Operator Overloading CS-2303 System Programming Concepts (Slides include materials from The C Programming Language,
Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,

Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,
Audumbar Chormale Advisor: Dr. Anupam Joshi M.S. Thesis Defense

Audumbar Chormale Advisor: Dr. Anupam Joshi M.S. Thesis Defense
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Similar presentations

Ads by Google