Automatically Enforcing Information Flow
Armando Solar-Lezama
From work led by Jean Yang
Information flow is hard to get right. Jean Yang / Jeeves 2
Many possible points of failure. Desired policy: only friends can see GPS location. In the implementation, that one policy has to be re-checked in every function that touches the data: getLocation(user), findAllUsers(location), findTopLocations().
Increasingly complex policies. Desired policy: only friends who are local within the next five hours can see GPS location.
Jeeves goal: separate policy from functionality. Policy: only friends can see GPS location. Implementation (policy-free): getLocation(user), findAllUsers(location), findTopLocations(), plus any other code that uses the data.
Jeeves for web applications: Django + Jeeves = Jelf, built on Python Jeeves.
The Jeeves Language
In Jeeves, policies are associated with the data itself for automatic enforcement: the GPS location carries its own policy, "only friends can see GPS location".
The Jeeves language: because values travel with their policies, a query such as findAllUsers(Cornell) can answer a viewer the policy excludes with "You have no friends in this location." instead of revealing the protected users.
Sensitive values:
    a = mkLabel()                              label, takes the values { low, high }
    loc = mkSensitive(a, gpsCoords, country)   high value: gpsCoords; low value: country
Policies restrict the label as a function of the output channel oc:
    restrict(a, λoc. isNear(oc, jean))
Core functionality (policy-free):
    msg = "Jean's location is " + asStr(loc)
Contextual enforcement at the output channel:
    print {owen} msg      →  "Jean's location is N 42, W 71."
    print {rishabh} msg   →  "Jean's location is in the United States."
Faceted execution: "Jean's location is " + ⟨gpsCoords | country⟩_a evaluates to the faceted string ⟨"… N 42, W 71." | "… in the United States."⟩_a; print {rishabh} then selects the low facet, "Jean's location is in the United States."
Jeeves policies: restrict(a, λoc. isNear(oc, jean)). With oc = rishabh, first assume a = high; isNear(rishabh, jean), evaluated with a = high, is false, so a = low. Notes:
- Policies may refer to sensitive values.
- There is always a consistent assignment.
- Notion of maximal functionality: if a label is allowed to be high, we set it to high.
Classical security: a lattice of access levels. Level 3: top secret. Level 2: highly classified. Level 1: privileged information.
Classical security: combining a level-3 value with a level-0 value yields a level-3 value; viewers must have access for the highest level involved.
Jeeves security: a faceted value ⟨high | low⟩ guarded by a policy p keeps both facets as it is combined with other values (diagram).
Jeeves non-interference theorem: given a sensitive value ⟨H | L⟩_a, all executions where a must be low produce equivalent outputs no matter the value of H. The theorem takes into account the case where the label itself depends on sensitive values.
Jeeves non-interference theorem, example: restrict a: λoc. (distance(oc, location) < 25), with a protected location and a viewer. Viewer within the radius: a is allowed to be high.
Same policy, viewer outside the radius: a must be low. The viewer should not be able to distinguish the actual location from any of the other candidate points shown.
Python Jeeves and Jelf
Python implementation: for faceted execution, overload operators and perform a source transform. mkLabel and restrict store policies in a runtime policy environment. Example: ⟨3 | 42⟩_a + 1 = ⟨4 | 43⟩_a. An SMT solver checks label assignments, so print {rishabh} … yields 43.
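A runnable model of the faceted execution described in the sensitive-values, policies and Python-implementation slides above, as an added example that is not the Jeeves project's own code: mk_label, mk_sensitive, restrict and concretize mirror the slide names, the output context is a plain dict, is_near is a toy distance check, and a greedy label resolution stands in for the SMT solver.

```python
import math

POLICIES = {}  # policy environment: label -> policy(ctxt) returning bool or Facet

class Facet:
    """Sensitive value <high | low>_label: two views of one value, picked by a label."""
    def __init__(self, label, high, low):
        self.label, self.high, self.low = label, high, low
    def __add__(self, other):  # overloaded operator: facets propagate through +
        return fmap(lambda x, y: x + y, self, other)
    def __radd__(self, other):
        return fmap(lambda x, y: y + x, self, other)

def fmap(f, *args):
    """Apply f to possibly faceted arguments, pushing each facet outward."""
    for i, v in enumerate(args):
        if isinstance(v, Facet):
            hi = args[:i] + (v.high,) + args[i + 1:]
            lo = args[:i] + (v.low,) + args[i + 1:]
            return Facet(v.label, fmap(f, *hi), fmap(f, *lo))
    return f(*args)

def mk_label(name): return name
def mk_sensitive(label, high, low): return Facet(label, high, low)
def restrict(label, policy): POLICIES[label] = policy

def project(v, assignment):
    """Collapse a faceted value under an assignment {label: 'high' | 'low'}."""
    while isinstance(v, Facet):
        v = v.high if assignment[v.label] == "high" else v.low
    return v

def concretize(value, ctxt):
    """Maximal functionality: every label starts high and is demoted to low only when
    its policy, evaluated under the current assignment, is False. Policies may be
    faceted themselves (they refer to sensitive values); n rounds suffice for n labels."""
    assignment = {lbl: "high" for lbl in POLICIES}
    for _ in range(len(POLICIES)):
        for lbl, policy in POLICIES.items():
            if assignment[lbl] == "high" and not project(policy(ctxt), assignment):
                assignment[lbl] = "low"
    return project(value, assignment)

def is_near(here, there, radius=25.0):  # toy metric; a non-coordinate low facet is never near
    return isinstance(there, tuple) and math.dist(here, there) < radius

a = mk_label("a")                                         # constructed sample data below
loc = mk_sensitive(a, (42, -71), "in the United States")  # high: GPS coords, low: country
restrict(a, lambda ctxt: fmap(lambda l: is_near(ctxt["location"], l), loc))
msg = "Jean's location is " + fmap(str, loc)              # core functionality, policy-free

def show(viewer_location):  # print {viewer} msg: resolve labels for this output channel
    return concretize(msg, {"location": viewer_location})
```

Any two viewers outside the radius get the same low-facet message, which is the non-interference property the later slides state.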
Jelf web framework: the application attaches policies to values (@jeeves); the Jeeves runtime sits between the frontend, the application and the database and projects values based on the viewer. The programmer is responsible for attaching policies; the framework is responsible for enforcing them.
Sample schema code:
    class UserProfile(Model):
        username = CharField()
        location = CharField()
        # More fields here…

        @public_value("location")
        def jeeves_get_public_location(user):
            # low facet of location: only the country is revealed
            return getCountry(user.location)

        @label_for("lc", "location")
        @jeeves
        def jeeves_restrict_loc(user, ctxt):
            # policy for the label guarding location: viewer must be a friend and nearby
            return (user.isFriends(ctxt) and
                    user.location.isNear(ctxt.location))
Jelf DB interaction, naive Jeeves: the application logic asks for Select * from Users with location = "02134", but Jelf has to pull everything from the database and filter it in the application. This is very slow!
Jelf DB interaction, pushing the query down: the database answers Select * from Users with location = "02134" with [Joe, 02134] straight to the application logic, bypassing the faceted values. This is very dangerous!
Jelf DB interaction with a faceted database: the application logic sends Select * from Users with location = "02134" through Jelf to a faceted database, which returns faceted results.
Representing a faceted DB (diagram of faceted tuples).
Representing a faceted DB, the plain table:
    User   Location
    Joe    01234
    Tim    02340
    Evan   24456
    Jill   01999
Representing a faceted DB: each sensitive row is stored as one physical row per facet, with a metadata column recording the label and which facet (high or low) the row holds:
    Metadata        User   Location
    L1, 2, high     Joe    01234
    L1, 2, low      Joe    USA
    L2, 3, high     Tim    02340
    L2, 3, low      Tim    USA
    L3, 4, high     Evan   24456
    L3, 4, high     Evan   USA
    L4, 5, high     Jill   01999
The query Select * from Users with location = "02134" runs against this representation.
Case study: Conference Management System. Deployed for PLOOC 2014!
Jelf CMS policy code:
    Language     Total LOC   Policy LOC
    Javascript   1826        0
    Python       1604        131
    HTML         897         0
    CSS          212         0
    Total        4539        131 (2.9%)
Comparison: HotCRP:
    Language     Total LOC   Policy LOC
    PHP          34889       >2326
    Javascript   2566        0
    CSS          2503        0
    Perl         1422        0
    SQL          389         many
    C++          237         0
    Total        42006       2322 (5.5%)
Jelf running times:
    Action               Hard-coded   Jelf
    Showing all papers   0.05 s       0.48 s
    Submitting a paper   0.07 s       0.19 s
    Viewing a paper      0.05 s       0.15 s
    Submitting a review  (times not present in the extracted text)
Ongoing case studies: course manager; medical records (HIPAA); protein signaling.
Jeeves team: Jean Yang, Travis Hance, Cormac Flanagan, Thomas Austin, Benjamin Shaibu.