Abstract
Decentralized Information Flow Control (DIFC) is a promising model for writing programs with powerful, end-to-end security guarantees. Current DIFC systems that run on commodity hardware can be broadly categorized into two types: language-level and operating system-level DIFC. Language solutions provide no guarantees against security violations on system resources such as files and sockets. Operating system solutions mediate accesses to system resources but are either inefficient or imprecise at monitoring the flow of information through fine-grained program data structures. This article describes Laminar, the first system to implement DIFC using a unified set of abstractions for OS resources and heap-allocated objects. Programmers express security policies by labeling data with secrecy and integrity labels and access the labeled data in security methods. Laminar enforces the security policies specified by the labels at runtime. Laminar is implemented using a modified Java virtual machine and a new Linux security module. This article shows that security methods ease incremental deployment and limit dynamic security checks by retrofitting DIFC policies on four application case studies. Replacing the applications' ad hoc security policies changes less than 10% of the code and incurs performance overheads from 5% to 56%. Compared to prior DIFC systems, Laminar supports a more general class of multithreaded DIFC programs efficiently and integrates language and OS abstractions.
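To make the label model in the abstract concrete, here is a small added example (not Laminar's code or API) of the runtime checks a security method performs over secrecy and integrity labels: reads and writes are allowed only along the DIFC lattice, and a thread may change its own label only when it holds the matching capability. The `Label`, `SecurityMethod` and capability naming (`tag+` to add a tag, `tag-` to drop it) are assumptions modelled on standard DIFC systems, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    secrecy: frozenset = frozenset()    # tags: who may learn the data
    integrity: frozenset = frozenset()  # tags: who vouches for the data

def can_flow(src: Label, dst: Label) -> bool:
    # Standard DIFC lattice: secrecy may only grow, integrity may only shrink.
    return src.secrecy <= dst.secrecy and dst.integrity <= src.integrity

@dataclass(frozen=True)
class Labeled:
    name: str
    label: Label
    payload: str

class SecurityMethod:
    """Hypothetical runtime monitor for one security-method region."""
    def __init__(self, caps: frozenset, label: Label = Label()):
        self.caps = caps    # capabilities such as "alice+" (add tag) / "alice-" (drop tag)
        self.label = label  # the thread's current label inside the region
    def change_label(self, new: Label) -> None:
        # Adding a tag t to either component needs t+; removing it needs t-.
        added = (new.secrecy - self.label.secrecy) | (new.integrity - self.label.integrity)
        removed = (self.label.secrecy - new.secrecy) | (self.label.integrity - new.integrity)
        need = {t + "+" for t in added} | {t + "-" for t in removed}
        if not need <= self.caps:
            raise PermissionError(f"label change needs {sorted(need - self.caps)}")
        self.label = new
    def read(self, obj: Labeled) -> str:
        if not can_flow(obj.label, self.label):
            raise PermissionError(f"read of {obj.name} denied")
        return obj.payload
    def write(self, obj: Labeled, data: str) -> Labeled:
        if not can_flow(self.label, obj.label):
            raise PermissionError(f"write to {obj.name} denied")
        return Labeled(obj.name, obj.label, data)

def demo() -> dict:
    # Constructed sample: Alice's secret note and an unlabeled public log.
    secret = Labeled("alice_notes", Label(secrecy=frozenset({"alice"})), "salary=100")
    public = Labeled("public_log", Label(), "")
    sm = SecurityMethod(caps=frozenset({"alice+"}))  # may read, but not declassify
    out = {}
    sm.change_label(Label(secrecy=frozenset({"alice"})))  # raise label to read
    out["read_secret"] = sm.read(secret)
    # Copying the secret to the public log, or dropping the secrecy tag, is denied.
    for step, action in (("leak_to_public", lambda: sm.write(public, out["read_secret"])),
                         ("declassify", lambda: sm.change_label(Label()))):
        try:
            action(); out[step] = "allowed"
        except PermissionError:
            out[step] = "denied"
    return out
```

The same checks apply to OS resources in Laminar's design, where the security module mediates the access; this model covers only heap objects.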