
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
JFlow: Practical Mostly-Static Information Flow Control (presentation transcript)


Slide 1 - JFlow: Practical Mostly-Static Information Flow Control
Andrew C. Myers
Presented by Shiyi Wei

Slide 2 - JFlow
- JFlow = Java language (certain features omitted) + information flow annotations (decentralized label model)
- JFlow source (.java) -> JFlow compiler: static checking of flow annotations
- Labeled types, classes, etc.; jflow.lang.Label, jflow.lang.Principal

Slide 3 - Overview
- Motivation
- Background
- Decentralized label model
- Language description
- Extended language
- Examples
- Limitations
- JFlow compiler
- Static type and label checking

Slide 4 - Motivation
- Privacy data protection
  - Statically check information flows within programs that might manipulate the data
  - Fine-grained tracking of security classes, without the run-time overhead
- Previous work
  - Not practical
  - Too limited/restrictive
- JFlow: a usable programming model

Slide 5 - Motivation
- Information leakage
  - Explicit flow
  - Implicit flow

    // explicit flow
    int secret;
    ...
    int pub = secret;

    // implicit flow
    boolean secret;
    ...
    int pub = 0;
    if (secret) pub = 1;

Slide 6 - Background
- Decentralized label model
  - Form: L = {o1: r1, r2; o2: r2, r3}
  - Assignment x/L2 := v/L1 is allowed iff L2 is at least as restrictive as L1
  - Joining of labels: least upper bound
  - Declassification: strict information flow control is too restrictive
- Reference: http://courses.cs.vt.edu/cs6204/Privacy-Security/Presentations/Decentralized-Information-Flow.pdf

Slide 7 - Background
- Information leakage
  - Explicit flow
  - Implicit flow

    // explicit flow
    int secret;           // secret: L1
    ...
    int pub = secret;     // pub: L2

    // implicit flow
    boolean secret;       // secret: L1
    ...
    int pub = 0;          // pub: L2
    if (secret) pub = 1;  // 1: ?

Slide 8 - Language Description
- Labeled types
- Implicit flows
- Run-time labels
- Authority and declassification
- Run-time principals
- Classes
- Methods

Slide 9 - Labeled Types
- Labeled type
  - An ordinary Java type
  - A label
  - Written as: t{l}
- Examples

    int{p:} x;  // principal p owns x, and p can read x
    int{x} y;   // y is as restricted as x is
    int z;      // the label is inferred automatically or by default

- Type checking vs. label checking

Slide 10 - Implicit Flows
- Implicit flows
  - Channels created by the control flow structure
- Program-counter label (pc)
  - Associated with every statement and expression
  - The information learned from the fact that the statement or expression is evaluated

    int{public} x;      // pc = {}
    boolean{secret} b;  // pc = {}
    ...
    x = 0;              // pc = {}
    if (b) {            // pc = {}
        x = 1;          // pc = {b}
    }

- The label of x ({public}) is not at least as restrictive as the label of 1 ({secret}), so the assignment inside the if is rejected
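The label relation, the join, and the pc rule from the Background slides (6 and 7) and the Implicit Flows slide (10), as an added example written for this transcript in Python. It is not JFlow's compiler nor code from the paper: the encoding of a label as a dictionary from owner to reader set, the tiny Assign/If statement forms, and the principal name alice are assumptions, and the acts-for hierarchy of the full model is left out.

```python
# Added example for this transcript: a toy model of the decentralized label
# model (DLM) from the Background slides and of pc-based flow checking from the
# Implicit Flows slide. It is not JFlow's compiler; the label encoding, the
# tiny statement forms and the principal name "alice" are assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Union

# A label is a set of policies: each owner names the readers it allows.
# The empty label {} has no policy and is the least restrictive (public).
# The acts-for hierarchy of the full DLM is not modelled here.
Label = Dict[str, FrozenSet[str]]


def label(**policies: str) -> Label:
    """label(p="q, r") builds {p: q, r}; label(p="") builds {p:}; label() builds {}."""
    return {o: frozenset(r.strip() for r in rs.split(",") if r.strip())
            for o, rs in policies.items()}


def fmt(lab: Label) -> str:
    """Render a label in the slides' notation, e.g. {o1: r1, r2; o2: r3}."""
    parts = [f"{o}:" + (" " + ", ".join(sorted(rs)) if rs else "")
             for o, rs in sorted(lab.items())]
    return "{" + "; ".join(parts) + "}"


def at_least_as_restrictive(l2: Label, l1: Label) -> bool:
    """x/L2 := v/L1 is allowed iff L2 keeps every owner of L1 and adds no reader."""
    return all(o in l2 and l2[o] <= l1[o] for o in l1)


def join(l1: Label, l2: Label) -> Label:
    """Least upper bound: union of owners; a shared owner's readers are intersected."""
    out = dict(l1)
    for o, rs in l2.items():
        out[o] = out[o] & rs if o in out else rs
    return out


@dataclass
class Assign:
    target: str                 # variable being written
    source: Union[str, int]     # a variable name or an int literal


@dataclass
class If:
    cond: str                   # boolean variable tested
    body: List["Stmt"]


Stmt = Union[Assign, If]


def check(program: List[Stmt], env: Dict[str, Label],
          pc: Optional[Label] = None) -> List[str]:
    """Label-check a program; return one message per illegal flow.
    Rules used: a literal is labeled with the current pc; a variable's value
    with its own label joined with pc; an assignment needs target >= value;
    inside `if (c)` the pc is joined with c's label, which catches implicit flows."""
    pc = {} if pc is None else pc
    errors: List[str] = []
    for s in program:
        if isinstance(s, Assign):
            value = pc if isinstance(s.source, int) else join(env[s.source], pc)
            if not at_least_as_restrictive(env[s.target], value):
                errors.append(f"{s.target}{fmt(env[s.target])} := {s.source}{fmt(value)}")
        else:
            errors += check(s.body, env, join(pc, env[s.cond]))
    return errors


SECRET = label(alice="")   # {alice:}  owned by alice, no other reader (constructed)
PUBLIC = label()           # {}        public


def slide_examples():
    """The explicit and implicit flows from slides 5/7 and 10, plus one legal write."""
    env = {"secret": SECRET, "pub": PUBLIC, "b": SECRET, "x": PUBLIC}
    explicit = [Assign("pub", "secret")]                      # int pub = secret;
    implicit = [Assign("x", 0), If("b", [Assign("x", 1)])]    # if (b) x = 1;
    legal = [Assign("x", 0), If("b", [Assign("secret", 1)])]  # secret pc into a secret variable
    return check(explicit, env), check(implicit, env), check(legal, env)


if __name__ == "__main__":
    for name, errs in zip(("explicit", "implicit", "legal"), slide_examples()):
        print(name, "->", errs or "no violations")
```

Running the module reports the explicit flow pub := secret and the implicit flow x := 1 under a pc raised to {alice:} by the branch on b, and accepts the write to the secret variable under that same pc, which is the distinction the slide draws.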

Slide 11 - Run-time Labels
- New primitive type: label
  - Used when the label cannot be determined statically
  - E.g. static float{*lb} compute(int x{*lb}, label lb)
  - *lb: the label contained in the variable lb
  - Variables of type label are final
- switch label statement
  - The statement executed is the first whose associated label is at least as restrictive as the expression label

Slide 12 - Run-time Labels
- switch label example
  - Transfer an integer from x to y

    label{L} lb;
    int{*lb} x;
    int{p:} y;
    switch label(x) {
        case (int{y} z) y = z;
        else throw new UnsafeTransfer();
    }

Slide 13 - Authority and Declassification
- Authority
  - The capability to act for some principals
  - Controls the ability to declassify data
- actsFor(p1, p2) S
  - Execute S if p1 can act for p2; otherwise S is skipped
- declassify(e, L)
  - Relabel the result of e with the label L
  - Relaxes policies owned by principals in the authority
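The run-time switch label check from slide 12 and the actsFor/declassify constructs from slide 13, modelled in Python as an added example for this transcript (not JFlow's own code). The Label encoding as a dictionary from owner to reader set, the explicit principal-hierarchy table, the choice to raise an exception when a declassification exceeds the authority, and the principal names p, q and root are assumptions.

```python
# Added example for this transcript: Python models of the "switch label"
# run-time check (Run-time Labels slides) and of actsFor/declassify
# (Authority and Declassification slide). Not JFlow's own code; the Label
# encoding, the hierarchy table and all principal names are assumptions.
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Label = Dict[str, FrozenSet[str]]     # owner -> allowed readers, as in {o: r1, r2}


def at_least_as_restrictive(l2: Label, l1: Label) -> bool:
    """A variable labeled l2 may receive data labeled l1: no owner dropped, no reader added."""
    return all(o in l2 and l2[o] <= l1[o] for o in l1)


class UnsafeTransfer(Exception):
    """Raised where the slide's `else throw new UnsafeTransfer()` branch runs."""


def switch_label(value_label: Label,
                 cases: List[Tuple[Label, Callable[[], None]]]) -> int:
    """Run the first case whose label is at least as restrictive as the run-time
    label of the value and return its index; with no match, raise UnsafeTransfer."""
    for i, (case_label, action) in enumerate(cases):
        if at_least_as_restrictive(case_label, value_label):
            action()
            return i
    raise UnsafeTransfer()


# Principal hierarchy: hier[p] lists the principals p is allowed to act for directly.
Hierarchy = Dict[str, Set[str]]


def acts_for(hier: Hierarchy, p1: str, p2: str) -> bool:
    """actsFor(p1, p2): p1 is p2 or reaches p2 through the hierarchy (transitively)."""
    seen: Set[str] = set()
    frontier = [p1]
    while frontier:
        p = frontier.pop()
        if p == p2:
            return True
        if p not in seen:
            seen.add(p)
            frontier.extend(hier.get(p, set()))
    return False


def declassify(lab: Label, target: Label, authority: Set[str], hier: Hierarchy) -> Label:
    """declassify(e, L): relabel from lab to target. A policy is relaxed when its
    owner is dropped or gains readers; every relaxed policy must be owned by a
    principal that some principal in the authority can act for."""
    for owner, readers in lab.items():
        relaxed = owner not in target or not target[owner] <= readers
        if relaxed and not any(acts_for(hier, a, owner) for a in authority):
            raise PermissionError(f"no authority to relax the policy of {owner}")
    return target


def demo() -> Tuple[int, bool, Label, bool]:
    # Constructed data modelled on slide 12: y is int{p:}, x is int{*lb}.
    sink: Dict[str, int] = {}

    def copy_into_y() -> None:
        sink["y"] = 42                       # the `case (int{y} z) y = z;` arm

    y_label: Label = {"p": frozenset()}
    lb_public: Label = {}                    # lb = {}  : y may hold x
    lb_other: Label = {"q": frozenset()}     # lb = {q:}: y may not hold q's data
    matched = switch_label(lb_public, [(y_label, copy_into_y)])
    try:
        switch_label(lb_other, [(y_label, copy_into_y)])
        rejected = False
    except UnsafeTransfer:
        rejected = True
    # Modelled on slide 22: drop root's policy, which only root's authority may do.
    hier: Hierarchy = {"root": {"p"}}        # root acts for p (constructed)
    before: Label = {"p": frozenset(), "root": frozenset()}
    after = declassify(before, {"p": frozenset()}, {"root"}, hier)
    try:
        declassify(before, {"p": frozenset()}, {"p"}, hier)   # p cannot act for root
        refused = False
    except PermissionError:
        refused = True
    return matched, rejected, after, refused


if __name__ == "__main__":
    print(demo())
```

The switch label arm fires only when the run-time label in lb is no more restrictive than y's label, so a public x is copied and a q-owned x is rejected; the declassification drops root's policy only under root's authority, and p, which cannot act for root, is refused.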

Slide 14 - Run-time Principals
- New primitive type: principal
  - A policy may use a final variable of type principal to name an owner or reader
- "Run-time principals are needed in order to model systems that are heterogeneous with respect to the principals in the system, without resorting to declassification"

    class Account {
        final principal customer;
        String{customer:} name;
        float{customer:} balance;
    }

Slide 15 - Classes
- Parameterized classes
  - Important for building reusable data structures
  - E.g. the Java Vector class, parameterized on a label L

Slide 16 - Classes
- From the relation between {secret} and {public}, does Vector[{secret}] ≤ Vector[{public}] follow?
- Covariant label
  - When the above relation is sound
  - No method argument or mutable instance variable may be labeled using the parameter
- Class implicit label parameter: {this}
  - A covariant parameter

Slide 17 - Classes
- authority clause
  - Names principals external to the program, or principal parameters
  - E.g. class passwordFile authority(root) { ... }

Slide 18 - Methods
- JFlow method declaration
  - The return value, the arguments, and the exceptions may each be individually labeled
  - Arguments are always implicitly final

Slide 19 - Methods
- JFlow method declaration
  - begin-label: restriction on the pc at the point of invocation of the method
  - end-label: the final pc; information can be learned by observing whether the method terminates normally

Slide 20 - Methods
- Examples

    static int{x;y} add(int x, int y) { return x + y; }
    boolean compare_str(String name, String pwd):{name; pwd} throws (NullPointerException) { ... }
    boolean store{L}(int{} x) throws (NotFound) { ... }

Slide 21 - Methods
- JFlow method declaration

Slide 22 - Example: passwordFile
- pc = {user; password; root}
- return label: {user; password}
- declassification: remove root

Slide 23 - Example: Protected
- The caller must have a sufficient label to get the data

Slide 24 - Limitations
- Threads
  - Single-threaded programs only
- Timing channels
  - Gain information by timing code with the system clock
- hashCode
  - A JFlow class must implement its own hashCode
- Finalizers
  - Run in a separate thread from the main program

Slide 25 - Limitations
- Resource exhaustion
  - OutOfMemoryError
- Wall-clock timing channels
- Unchecked exceptions
- Backward compatibility
  - Not backward compatible with Java

Slide 26 - Static Checking
- Label-checking rules
- Throwing and catching exceptions
- Run-time label checking
- Checking method calls

Slide 27 - Label-checking Rules
- Notation: X: path labels; n: normal termination; nv: normal value; A: environment; T: a type; L: a label
- A literal expression always terminates normally, and its value is labeled with the current pc
- An empty statement always terminates normally, with the same pc as at its start
- The value of a variable is labeled with both the label of the variable and the current pc
- Assignment to a variable
- Two statements S1 and S2 performed in sequence

Slide 28 - Translation
- Most annotations are erased
  - Type labels -> Java type
  - Class parameters
- Built-in types are translated
  - label -> jflow.lang.Label
  - principal -> jflow.lang.Principal
- Two constructs translate to interesting code
  - actsFor
  - switch label

