ABSTRACT
Decentralized information flow control (DIFC) operating systems provide applications with mechanisms for enforcing information flow policies for their data. However, significant obstacles keep such operating systems from achieving widespread adoption. One key obstacle is that DIFC operating systems provide only low-level mechanisms for allowing application programmers to enforce their desired policies. It can be difficult for the programmer to ensure that their use of these mechanisms enforces their high-level policies, while at the same time not breaking the underlying functionality of their application. These are issues both for programmers who would develop new applications for a DIFC operating system and for programmers who would port existing applications to a DIFC operating system. Our work significantly eases these tasks. We present an automatic technique that takes as input a program with no DIFC code, and two policies: one that specifies prohibited information flows and one that specifies flows that must be allowed. Our technique then produces a new version of the input program that satisfies the two policies. To evaluate our technique, we implemented it in an automatic tool, called Swim (for Secure What I Mean), and applied it to a set of real-world programs and policies. The results of our evaluation demonstrate that the technique is sufficiently expressive to produce programs for real-world policies, and that it can produce such programs efficiently. It thus represents a significant contribution towards developing systems with strong end-to-end information flow guarantees.
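The following is an added toy model, not code from the paper or from Swim, of the core problem the abstract describes: find DIFC labels for a program's processes such that every must-allow flow is permitted and every prohibited flow is blocked. It assumes Flume-style secrecy labels (sets of tags, flow permitted only from a subset to a superset) and uses a brute-force search in place of the paper's technique; the process names, tags and policies are constructed for illustration.

```python
from itertools import combinations, product

# Assumed label model (not the paper's formalism): each process carries a set
# of secrecy tags, and data may flow from process p to process q only if
# label(p) is a subset of label(q). Declassification capabilities are ignored.
def flow_allowed(labels, src, dst):
    return labels[src] <= labels[dst]

def satisfies(labels, must_allow, prohibited):
    """True iff every required flow is permitted and every prohibited flow is blocked."""
    return (all(flow_allowed(labels, s, d) for s, d in must_allow)
            and not any(flow_allowed(labels, s, d) for s, d in prohibited))

def synthesize_labels(procs, must_allow, prohibited, tags=("t1", "t2")):
    """Brute-force search over label assignments; returns the first assignment
    that satisfies both policies, or None if the two policies conflict."""
    subsets = [frozenset(c) for r in range(len(tags) + 1)
               for c in combinations(tags, r)]
    for assignment in product(subsets, repeat=len(procs)):
        labels = dict(zip(procs, assignment))
        if satisfies(labels, must_allow, prohibited):
            return labels
    return None

# Constructed scenario: an untrusted plugin must be able to read user data and
# answer back to the user, but neither it nor the raw data may reach the network.
PROCS = ["user_data", "plugin", "user_output", "network"]
MUST_ALLOW = [("user_data", "plugin"), ("plugin", "user_output")]
PROHIBITED = [("plugin", "network"), ("user_data", "network")]

# Constructed conflicting policy: the subset ordering is transitive, so
# requiring a->b and b->c while prohibiting a->c has no satisfying labelling.
CONFLICT_MUST_ALLOW = [("a", "b"), ("b", "c")]
CONFLICT_PROHIBITED = [("a", "c")]

if __name__ == "__main__":
    print(synthesize_labels(PROCS, MUST_ALLOW, PROHIBITED))
    print(synthesize_labels(["a", "b", "c"], CONFLICT_MUST_ALLOW, CONFLICT_PROHIBITED))
```

The second call returning None is the case a practitioner most wants surfaced: the two input policies are mutually inconsistent, so no instrumentation can satisfy both.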