ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Manageable fine-grained information flow
Full text PdfPdf (274 KB)
Source
European Conference on Computer Systems archive
Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008 table of contents
Glasgow, Scotland UK
SESSION: OS Security table of contents
Pages 301-313  
Year of Publication: 2008
ISBN:978-1-60558-013-5
Also published in ...
Authors
Petros Efstathopoulos  University of California, Los Angeles, Los Angeles, CA, USA
Eddie Kohler  University of California, Los Angeles, Los Angeles, CA, USA
Sponsors
SIGOPS: ACM Special Interest Group on Operating Systems
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 12,   Downloads (12 Months): 123,   Citation Count: 1
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1352592.1352624
What is a DOI?

ABSTRACT

The continuing frequency and seriousness of security incidents underline the critical importance of application security. Decentralized information flow control (DIFC), a promising tool for improving application security, gives application developers fine-grained control over security policy and privilege management. DIFC developers can partition much application functionality into untrusted components bound by a kernel- or language-enforced security policy. Unless a (usually smaller and less exposed) trusted component is exploited, the effects of an application compromise are contained by the policy.

Although system-based DIFC can simultaneously achieve high performance and effective isolation, it offers a challenging programming model. Fine-grained policy specifications are spread over several application pieces. Common programming errors may be indistinguishable from policy exploit attempts, the system cannot expose developers to information about these errors, complicating debugging. Static checking (as in language based systems) and new system primitives can reduce these problems, but for dynamic applications like web servers, they do not eliminate them.

In this paper we propose subsystems that make decentralized information flow more manageable. First, a policy description language specifies an application-wide security policy in one localized place; communication restrictions are compiled into lower-level labels. Second, information flow-safe debugging mechanisms let developers debug DIFC applications without violating security policies. Although these mechanisms are preliminary, we demonstrate their effectiveness using applications similar to those developed for Asbestos and other DIFC systems.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Sample policy implementations. http://read.cs.ucla.edu/~pefstath/policies/.
 
2
M. Brodsky, P. Efstathopoulos, F. Kaashoek, E. Kohler, M. Krohn, D. Mazieres, R. Morris, S. VanDeBogart, and A. Yip. Toward secure services from untrusted developers. Technical Report TR-2007-041, Massachusetts Institute of Technology Computer Science and Artificial Intelligence Laboratory, 2007. http://hdl.handle.net/1721.1/38453.
3
Stephen Chong , Jed Liu , Andrew C. Myers , Xin Qi , K. Vikram , Lantian Zheng , Xin Zheng, Secure web application via automatic partitioning, Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles, October 14-17, 2007, Stevenson, Washington, USA
 
4
Stephen Chong , K. Vikram , Andrew C. Myers, SIF: enforcing confidentiality and integrity in web applications, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-16, August 06-10, 2007, Boston, MA
5
Dorothy E. Denning, A lattice model of secure information flow, Communications of the ACM, v.19 n.5, p.236-243, May 1976  [doi>10.1145/360051.360056]
 
6
Trusted Computer System Evaluation Criteria (Orange Book) Department of Defense, Dec. 1985. DoD 5200.28-STD.
 
7
P. A. Karger and A. J. Herbert. An augmented capability architecture to support lattice security and traceability of access. In Proceedings of 1984 IEEE Symposium on Security and Privacy, Apr. 1984.
8
Maxwell Krohn , Alexander Yip , Micah Brodsky , Natan Cliffer , M. Frans Kaashoek , Eddie Kohler , Robert Morris, Information flow control for standard OS abstractions, Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles, October 14-17, 2007, Stevenson, Washington, USA
 
9
Peter Loscocco , Stephen Smalley, Integrating Flexible Support for Security Policies into the Linux Operating System, Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, p.29-42, June 25-30, 2001
 
10
M. D. McIlroy , J. A. Reeds, Multilevel security in the UNIX tradition, Software—Practice & Experience, v.22 n.8, p.673-694, Aug. 1992  [doi>10.1002/spe.4380220805]
11
Andrew C. Myers, JFlow: practical mostly-static information flow control, Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.228-241, January 20-22, 1999, San Antonio, Texas, United States  [doi>10.1145/292540.292561]
12
Andrew C. Myers , Barbara Liskov, Protecting privacy using the decentralized label model, ACM Transactions on Software Engineering and Methodology (TOSEM), v.9 n.4, p.410-442, Oct. 2000  [doi>10.1145/363516.363526]
 
13
Ray Spencer , Stephen Smalley , Peter Loscocco , Mike Hibler , David Andersen , Jay Lepreau, The flask security architecture: system support for diverse security policies, Proceedings of the 8th conference on USENIX Security Symposium, p.11-11, August 23-26, 1999, Washington, D.C.
14
Steve Vandebogart , Petros Efstathopoulos , Eddie Kohler , Maxwell Krohn , Cliff Frey , David Ziegler , Frans Kaashoek , Robert Morris , David Mazières, Labels and event processes in the Asbestos operating system, ACM Transactions on Computer Systems (TOCS), v.25 n.4, p.11-es, December 2007  [doi>10.1145/1314299.1314302]
 
15
R. Watson, W. Morrison, C. Vance, and B. Feldman. The TrustedBSD MAC framework: Extensible kernel access control for FreeBSD 5.0. In Proceedings of 2003 USENIX Annual Technical Conference, June 2003.
 
16
Nickolai Zeldovich , Silas Boyd-Wickizer , Eddie Kohler , David Mazières, Making information flow explicit in HiStar, Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation, p.19-19, November 06-08, 2006, Seattle, WA

CITED BY
Alexander Yip , Neha Narula , Maxwell Krohn , Robert Morris, Privacy-preserving browser-side scripting with BFlow, Proceedings of the fourth ACM european conference on Computer systems, April 01-03, 2009, Nuremberg, Germany

INDEX TERMS

Primary Classification:
  D. Software
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection
          Subjects: Information flow controls

Additional Classification:
  D. Software
  D.2 SOFTWARE ENGINEERING
      D.2.5 Testing and Debugging
          Subjects: Debugging aids
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection
          Subjects: Access controls


General Terms:
Design, Management, Security


Keywords:
debugging, decentralized information flow control, labels, policy language

Collaborative Colleagues:
Petros Efstathopoulos: colleagues
Eddie Kohler: colleagues
This Article has also been published in:

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player