Automatically Enforcing Information Flow
Armando Solar-Lezama
From work led by Jean Yang

Information flow is hard to get right. Jean Yang / Jeeves 2


Many possible points of failure.

Desired policy: Only friends can see GPS location.
Implementation: the same policy has to be checked again in every function that touches the data, e.g. getLocation(user), findAllUsers(location), findTopLocations().

Increasingly complex policies.

Desired policy grows over time: only friends can see GPS location; only friends who are local; only friends who are local within the next five hours.

Jeeves goal: separate policy and functionality.

Policy: Only friends can see GPS location.
Implementation: getLocation(user), findAllUsers(location), findTopLocations() and the other implementation code are written without any policy checks.

Jeeves for web applications: Django + Jeeves = Jelf (built on Python Jeeves).

THE JEEVES LANGUAGE

In Jeeves, associate policies with data for automatic enforcement: the data (the GPS location) carries its policy (only friends can see it).

The Jeeves language: the program runs together with its policies. Example: findAllUsers(Cornell) shows "You have no friends in this location." to a viewer the policies do not allow to see the users there.

Sensitive Values

  a = mkLabel()                             (label a ranges over { low, high })
  loc = mkSensitive(a, gpsCoords, country)  (high value: gpsCoords; low value: country)
  restrict(a, λoc. isNear(oc, jean))        (policy: label a may be high only when the output channel oc is near jean)

Core functionality:
  msg = "Jean's location is " + asStr(loc)

Contextual enforcement:
  print {owen} msg     → "Jean's location is N 42, W 71."
  print {rishabh} msg  → "Jean's location is in the United States."

Faceted Execution

  "Jean's location is " + ⟨ gpsCoords | country ⟩a
    = ⟨ "Jean's location is N 42, W 71." | "Jean's location is in the United States." ⟩a

  print {rishabh} ...  → "Jean's location is in the United States."

Jeeves Policies

  restrict(a, λoc. isNear(oc, jean))

  Resolving the label for output channel oc = rishabh:
    try a = high  → isNear(rishabh, jean) evaluates to false
    so a = low

Notes
  • Policies may refer to sensitive values.
  • There is always a consistent assignment.
  • Notion of maximal functionality: if a label is allowed to be high, we set it to high.

Classical Security

Lattice of access levels:
  Level 3: top secret.
  Level 2: highly classified.
  Level 1: privileged information.

Classical Security

  Level 3 + Level 0 = Level 3
  Viewers must have access for the highest level.

Jeeves Security

  (figure: a faceted value ⟨ | ⟩p combined with + )

Jeeves Non-Interference Theorem

Given a sensitive value ⟨ H | L ⟩a, all executions where a must be low produce equivalent outputs no matter the value of H.

This takes into account the case where the label itself depends on sensitive values!

Jeeves Non-Interference Theorem

  restrict a: λoc. (distance(oc, location) < 25)

Viewer within the radius of the protected location: a is allowed to be high.

Viewer outside the radius: a must be low. The viewer should not be able to distinguish the actual location from any other of these points.
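The property on the last three slides can be checked empirically. The block below is an added example, not code from the slides or the Jeeves project: it takes the policy distance(oc, location) < 25, enumerates candidate secret locations H over a constructed grid, and confirms that for every H that forces the label low the viewer's output is identical, while a viewer inside the radius does learn the location. The coordinates, the public facet L and the unit of the radius are constructed; the function names are this example's own.

```python
# Added example (not the slides' code): empirical check of the Jeeves
# non-interference statement for the policy  distance(oc, location) < 25.
import math

RADIUS = 25.0  # same radius as the slides; the unit is constructed here


def distance(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def label_of(oc, location):
    """The slide's policy: a may be high only if the viewer oc is within the
    radius.  Note that the label depends on the sensitive value (location)."""
    return "high" if distance(oc, location) < RADIUS else "low"


def observe(oc, H, L):
    """Project the sensitive value <H | L>_a for output channel oc."""
    return H if label_of(oc, H) == "high" else L


def low_executions(oc, candidates):
    """Executions (choices of H) in which a must be low for this viewer."""
    return [H for H in candidates if label_of(oc, H) == "low"]


def non_interference_holds(oc, candidates, L):
    """Theorem: all executions where a must be low produce equivalent outputs,
    no matter the value of H."""
    outputs = {observe(oc, H, L) for H in low_executions(oc, candidates)}
    return len(outputs) <= 1


def distinct_outputs(oc, candidates, L):
    """How many different outputs the viewer can see across all candidates."""
    return len({observe(oc, H, L) for H in candidates})


def indistinguishable_count(oc, actual, candidates, L):
    """Number of candidate points the viewer cannot tell apart from the actual
    location (the 'other points' on the slide)."""
    seen = observe(oc, actual, L)
    return sum(1 for H in candidates if observe(oc, H, L) == seen)


# Constructed grid of candidate protected locations and a constructed public facet.
CANDIDATES = [(x, y) for x in range(0, 100, 10) for y in range(0, 100, 10)]
PUBLIC = "somewhere in the region"


def demo():
    far_viewer = (200, 200)   # outside the radius of every candidate
    near_viewer = (50, 50)    # inside the radius of some candidates
    return {
        "far_ni": non_interference_holds(far_viewer, CANDIDATES, PUBLIC),
        "far_outputs": distinct_outputs(far_viewer, CANDIDATES, PUBLIC),
        "far_indist": indistinguishable_count(far_viewer, (30, 40), CANDIDATES, PUBLIC),
        "near_ni": non_interference_holds(near_viewer, CANDIDATES, PUBLIC),
        "near_outputs": distinct_outputs(near_viewer, CANDIDATES, PUBLIC),
        "near_low_count": len(low_executions(near_viewer, CANDIDATES)),
        "near_indist_low": indistinguishable_count(near_viewer, (0, 0), CANDIDATES, PUBLIC),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

For the far viewer every candidate forces a low label, so the output never varies and all 100 points are indistinguishable from the actual one. For the viewer at (50, 50), the 21 candidates inside the radius are revealed, but the theorem still holds for the remaining 79 executions where a must be low: they all produce the public facet, so those points cannot be told apart.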

PYTHON JEEVES AND JELF

Python Implementation

For faceted execution, overload operators and perform a source transform.
Store policies in the runtime environment: mkLabel and restrict add to the policy environment.

  ⟨ 3 | 42 ⟩a + 1  =  ⟨ 4 | 43 ⟩a

Use an SMT solver to check label assignments.

  print {rishabh} ...  → 43

Jelf Web Framework

Project values based on viewer.

The programmer is responsible for the application code and for attaching policies (@jeeves).
The framework is responsible for the Jeeves runtime, the frontend and the database, projecting values for the current viewer.

Sample Schema Code

  class UserProfile(Model):
      username = CharField()
      location = CharField()
      # More fields here...

      @public_value("location")
      def jeeves_get_public_location(user):
          return getCountry(user.location)

      @label_for("lc", "location")
      @jeeves
      def jeeves_restrict_loc(user, ctxt):
          return (user.isFriends(ctxt) and
                  user.location.isNear(ctxt.location))

Jelf DB Interaction

Naive Jeeves: the application logic asks for
  Select * from Users with location = "02134"
but Jelf fetches everything from the database and filters in the application. This is very slow!

Jeeves with the query pushed to the database: the database answers
  Select * from Users with location = "02134"
with [Joe, 02134]. This is very dangerous! The query runs over the raw sensitive values, outside the policy checks.

Jelf with a faceted database: the application logic sends
  Select * from Users with location = "02134"
to a faceted database, which answers with a faceted result.

Representing a Faceted DB

Plain table:
  User   Location
  Joe    01234
  Tim    02340
  Evan   24456
  Jill   01999

Faceted table (metadata: label, facet):
  Metadata        User   Location
  L 1, 2, high    Joe    01234
  L 1, 2, low     Joe    USA
  L 2, 3, high    Tim    02340
  L 2, 3, low     Tim    USA
  L 3, 4, high    Evan   24456
  L 3, 4, high    Evan   USA
  L 4, 5, high    Jill   01999

  Select * from Users with location = "02134"
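The three DB-interaction slides and the faceted table above can be played through in a few lines. The block below is an added example, not Jelf's code: it stores each logical row once per facet with (label, facet) metadata, pushes the WHERE clause down so the query is evaluated on every facet, and projects the faceted result per viewer. It also shows the naive variant (fetch everything, filter in the application) returning the same answer, and the dangerous variant (query the real rows, ignore policies) leaking the full list. The table, the zip codes and the viewer-permission map are constructed for the example.

```python
# Added example (not Jelf project code): a toy faceted table and query.

# Constructed faceted table in the shape of the slide: (label, facet, user, location).
FACETED_USERS = [
    ("L1", "high", "Joe", "02134"), ("L1", "low", "Joe", "USA"),
    ("L2", "high", "Tim", "02340"), ("L2", "low", "Tim", "USA"),
    ("L3", "high", "Evan", "02134"), ("L3", "low", "Evan", "USA"),
    ("L4", "high", "Jill", "01999"), ("L4", "low", "Jill", "USA"),
]

# Constructed policy environment: which viewers may see each label's high facet.
ALLOWED = {"L1": {"tim"}, "L2": {"joe", "evan"}, "L3": {"joe"}, "L4": set()}


def query_faceted(table, predicate):
    """Push the WHERE clause down to the faceted table.  It is evaluated on every
    facet separately, so the answer is itself faceted: {label: {facet: rows}}."""
    result = {label: {"high": [], "low": []} for label, _, _, _ in table}
    for label, facet, user, location in table:
        if predicate(location):
            result[label][facet].append((user, location))
    return result


def project(faceted_result, viewer, allowed):
    """Collapse a faceted result for one viewer: maximal functionality, so the
    high facet is used wherever the viewer is allowed to see it."""
    rows = []
    for label, facets in faceted_result.items():
        rows.extend(facets["high" if viewer in allowed[label] else "low"])
    return sorted(rows)


def users_at(viewer, zip_code):
    """Faceted-database variant: one pushed-down query, then a per-viewer projection."""
    faceted = query_faceted(FACETED_USERS, lambda loc: loc == zip_code)
    return project(faceted, viewer, ALLOWED)


def users_at_naive(viewer, zip_code):
    """Naive variant: fetch everything, project for the viewer, filter in the
    application.  Same answer as users_at, but every row crosses the DB boundary."""
    everything = query_faceted(FACETED_USERS, lambda loc: True)
    return sorted((u, l) for u, l in project(everything, viewer, ALLOWED) if l == zip_code)


def users_at_unsafe(zip_code):
    """Dangerous variant: query the real (high) rows only and ignore the policies.
    The row list itself tells any viewer who is at that location."""
    return sorted((u, l) for _, f, u, l in FACETED_USERS if f == "high" and l == zip_code)


if __name__ == "__main__":
    for viewer in ("tim", "joe", "rishabh"):
        print(viewer, "sees", users_at(viewer, "02134"))
    print("unsafe query returns", users_at_unsafe("02134"))
```

Tim, who may see Joe's real location, gets Joe; Joe, who may see Evan's, gets Evan; an unrelated viewer gets an empty list because every low facet reads "USA" and never matches the zip code. The unsafe query returns both rows for everyone, which is the leak the "very dangerous" slide warns about.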

Case study: Conference Management System

DEPLOYED FOR PLOOC 2014!

Jelf CMS Policy Code

  Language    Total LOC   Policy LOC
  Javascript  1826        0
  Python      1604        131
  HTML        897         0
  CSS         212         0
  Total       4539        131 (2.9%)

Comparison: HotCRP

  Language    Total LOC   Policy LOC
  PHP         34889       >2326
  Javascript  2566        0
  CSS         2503        0
  Perl        1422        0
  SQL         389         many
  C++         237         0
  Total       42006       2322 (5.5%)

Jelf Running Times

  Action                Hard-coded   Jelf
  Showing all papers    0.05 s       0.48 s
  Submitting a paper    0.07 s       0.19 s
  Viewing a paper       0.05 s       0.15 s
  Submitting a review

Ongoing Case Studies
  • Course manager
  • Medical records (HIPAA)
  • Protein signaling

Jeeves Team: Jean Yang, Travis Hance, Cormac Flanagan, Thomas Austin, Benjamin Shaibu