Presentation is loading. Please wait.

Presentation is loading. Please wait.

Untrusted Hosts and Confidentiality: Secure Program Partitioning Steve Zdancewic Lantian Zheng Nathaniel Nystrom Andrew Myers Cornell University.

Published byJan Tainter Modified over 9 years ago

Similar presentations

Presentation on theme: "Untrusted Hosts and Confidentiality: Secure Program Partitioning Steve Zdancewic Lantian Zheng Nathaniel Nystrom Andrew Myers Cornell University."— Presentation transcript:

1 Untrusted Hosts and Confidentiality: Secure Program Partitioning Steve Zdancewic Lantian Zheng Nathaniel Nystrom Andrew Myers Cornell University

2 2 Protecting Confidential Data Programs manipulate valuable data –web-based e-mail, shopping, financial planning –B2B transactions, military information systems,... Important Features –Confidentiality is crucial –Distribution is unavoidable –Heterogeneous trust Challenges –Complex policies –Complex software –Correct use of access control & cryptography A C B "Alice trusts A & C" "Bob trusts B & C"

3 3 Tools for Security Automatic tools –Check the use of enforcement mechanisms –Increase confidence in security Language-based tools –Raise the level of abstraction –Consider information flow through entire system (program) Use the security policy to guide distribution

4 4 Secure Program Partitioning Source Code Policy Trust info Compiler Splitter subprograms Host 1Host 2Host 3 runtime

5 5 Secure Program Partitioning Source Code Policy Trust info Compiler Splitter subprograms Host 1Host 2Host 3 runtime Describes the computation and the principals' security policies.

6 6 Secure Program Partitioning Source Code Policy Trust info Compiler Splitter subprograms Host 1Host 2Host 3 runtime Verifies that the program obeys the security policies.

7 7 Secure Program Partitioning Source Code Policy Trust info Compiler Splitter subprograms Host 1Host 2Host 3 runtime Describes the trust relationships between principals and hosts.

8 8 Secure Program Partitioning Source Code Policy Trust info Compiler Splitter subprograms Host 1Host 2Host 3 runtime Partitions the data and computation among hosts, so that policies are obeyed.

9 9 Secure Program Partitioning Source Code Policy Trust info Compiler Splitter subprograms Host 1Host 2Host 3 runtime Performs dynamic access control checks and encrypts communication.

10 10 Security Assurance Goal: Resulting distributed program performs the same computation as the source and also satisfies the security policies. Guarantee: Principal P's security policy is violated only if a host that P trusts fails or is subverted. Example: A C B "Alice trusts A & C" "Bob trusts B & C" If B fails, Alice's policy is obeyed, Bob's policy may be violated.

11 11 Secure Program Partitioning Source Code Policy Trust info Compiler Splitter subprograms Host 1Host 2Host 3 runtime

12 12 Confidentiality Policies in Jif Confidentiality labels: int{Alice} a; "a is Alice's private int" Integrity labels: int{?Alice} a; "Alice must trust a" Combined labels: int{Alice, ?Alice} a; (Both constraints) int{Alice} a1, a2; int{Bob} b; // Insecure a1 = b; b = a1; // Secure a1 = a2;

13 13 Policy Operations in Jif Declassification: int{Alice} a; declassify(a to Bob); Endorse: int{?Bob} b; endorse(b by Alice); But (!) Alice must trust the integrity of decision to perform the policy operation. –Compiler guarantees the integrity "type-cast int{Alice} to int{Bob}"

14 14 Example: Oblivious Transfer int m 1 ; int m 2 ; AliceBob request(n) Alice has two integers: m 1 and m 2. Alice's Policy: "Bob gets to choose exactly one of m 1 and m 2." Bob's Policy: "Alice doesn't get to know which item I request." Classic Result: "Impossible to solve using 2 principals, with perfect security." answer(m n )

15 15 Oblivious Transfer (Java) int m1, m2; // Alice's data boolean accessed; int n, ans; // Bob's data n = choose(); // Bob's choice if (!accessed) { // Transfer accessed = true; if (n == 1) ans = m1; else ans = m2; }

16 16 int{Alice} m1, m2; // Alice's data boolean accessed; int{Bob} n, ans; // Bob's data n = choose(); // Bob's choice if (!accessed) { // Transfer accessed = true; if (n == 1) ans = m1; else ans = m2; } Adding Confidentiality Labels Verification Fails

17 17 int{Alice} m1, m2; // Alice's data boolean accessed; int{Bob} n, ans; // Bob's data n = choose(); // Bob's choice if (!accessed) { // Transfer accessed = true; if (n == 1) ans = declassify(m1 to Bob); else ans = declassify(m2 to Bob); } Using Declassification Verification Fails

18 18 Integrity Constraints int{Alice} m1, m2; // Alice's data boolean{?Alice} accessed; int{Bob} n, ans; // Bob's data n = choose(); // Bob's choice if (!accessed) { // Transfer accessed = true; if (n == 1) ans = declassify(m1 to Bob); else ans = declassify(m2 to Bob); } Verification Fails

19 19 Using Endorsement int{Alice} m1, m2; // Alice's data boolean{?Alice} accessed; int{Bob} n, ans; // Bob's data n = choose(); // Bob's choice if (!accessed) { // Transfer accessed = true; if (endorse(n by Alice) == 1) ans = declassify(m1 to Bob); else ans = declassify(m2 to Bob); }

20 20 Secure Program Partitioning Source Code Policy Trust info Compiler Splitter subprograms Host 1Host 2Host 3 runtime

21 21 Trust Configurations Labels describe the trust relationship between principals and the available hosts. Confidentiality: Host A:{Alice} "Alice trusts host A not to leak her confidential data." Integrity: Host A:{?Alice} "Alice trusts host A not to corrupt her high-integrity data." int{Alice} m 1 ; m 1 can be sent to A int{Bob} n; n cannot be sent to A

22 22 Two-Host Configuration AB {Alice, ?Alice}{Bob, ?Bob}

23 23 Splitter output: No Solution! AB {Alice, ?Alice}{Bob, ?Bob} Can't find a host for the expression: endorse(n by Alice) It requires a host that has Alice's integrity yet can hold Bob's private data.

24 24 Splitter Output AB {Alice, ?Alice}{Bob, ?Bob}{Alice, ?Alice, Bob} T n = choose(); if (!accessed) {... } int m1, m2; bool accessed; int n, ans; int choose() {... return n; }

25 25 Splitter Output is Java AB {Alice, ?Alice}{Bob, ?Bob}{Alice, ?Alice, Bob} T n = choose(); if (!accessed) {... } int m1, m2; bool accessed; int n, ans; int choose() {... return n; } Data and all of the code except 'choose()' are located at T.

26 26 Run-time Calls AB {Alice, ?Alice}{Bob, ?Bob}{Alice, ?Alice, Bob} T n = choose(); if (!accessed) {... } int m1, m2; bool accessed; int n, ans; int choose() {... return n; } Resulting code links against the runtime.

27 27 Security Assurance AB {Alice, ?Alice}{Bob, ?Bob}{Alice, ?Alice, Bob} T n = choose(); if (!accessed) {... } int m1, m2; bool accessed; int n, ans; int choose() {... return n; } Alice's policy is enforced.

28 28 Network Overhead AB {Alice, ?Alice}{Bob, ?Bob}{Alice, ?Alice, Bob} T n = choose(); if (!accessed) {... } int m1, m2; bool accessed; int n, ans; int choose() {... return n; } Nothing located at host A!

29 29 Another Secure Solution AB {Alice, ?Alice}{Bob, ?Bob}{Alice, ?Alice, Bob} T goto(B); int n'= get(n,B); if (n' == 1) set(ans, m1); else... int m1, m2; int choose() {... return n; } bool accessed;int n, ans; n = choose(); goto(T); goto(A); if (!accessed){ accessed=true; goto(T); }

30 30 Secure Program Partitioning Source Code Policy Trust info Compiler Splitter subprograms Host 1Host 2Host 3 runtime

31 31 Data Transfer Val getField(Host h, ObjID o, Field f) Val setField(Host h, ObjID o, Field f, Val v) void forward(Host h, Frame f, Var vr, Val v) Control Transfer void rgoto(Host h, Frame f, EntryPt e, Token t) void lgoto(Token t) void sync(Host h, Frame f, EntryPt e, Token t) Implementation –Performs access control checks –Encrypts network communication –Capability mechanism protects control transfers Core Runtime Protocol

32 32 Control Transfer Integrity {?Alice} (Trusted)(Less Trusted) {?Alice} (Trusted)... goto(B);... declassify(X)... goto(A);... declassify(Y) Alice's privileged code

33 33 Control Transfer Integrity {?Alice} (Trusted) {?Alice} (Trusted)... goto(B);... declassify(X)... goto(A);... declassify(Y) (Less Trusted)

34 34 Control Transfer Integrity {?Alice} (Trusted) {?Alice} (Trusted)... goto(B);... declassify(X)... goto(A);... declassify(Y) 1. sync 2. rgoto 3. lgoto TTTT (Less Trusted)

35 35 Control Transfer Integrity {?Alice} (Trusted) {?Alice} (Trusted)... goto(B);... declassify(X)... goto(A);... declassify(Y) TT (Less Trusted) TT

36 36 Capabilities Protocol Theorem: When trusted hosts follow the protocol, there is at most one valid capability available to less trusted hosts. Means that less trusted hosts have no choice about how privileges are restored to the computation.

37 37 Prototype: Jif/split Jif/split: 7400 loc Runtime: 1700 loc 4 small benchmarks: –< 300 lines of code each –2 hand implemented in Java using RMI Experimental results: (LAN setting) –Running time overhead vs. hand implemented: 20% to 120% –Message count overhead vs. hand implemented: -25% to 25% –Costs seem reasonable –Need to try bigger programs

38 38 Secure Program Partitioning Language-based Confidentiality Policies –Compiler splits a program among heterogeneously trusted hosts. –Guided by security policies –Resulting distributed program satisfies the policies Benefits: –End-to-end security –Decentralized –Automatic –Explicit Policies

39 39 http://www.cs.cornell.edu/jif

40 40 Oblivious Transfer Impossibility "It is well known (and easy to see) that in a two-player scenario with noiseless communication, OT [Oblivious Transfer]... with information-theoretic security is not possible, even if only passive cheating is assumed, and players are allowed infinite computing power." – Damgård, Kilian, Slavail On the (Im)possibility of Basing Oblivious Transfer and Bit Commitment on Weakened Security Assumptions, EUROCRYPTO '99

41 41 Access Control Checks Static constraints for read/write are compiled into access control checks Host A checks that {Alice}  {Alice,?Alice,Bob} –verifies signature of S –checks that S  {A, S} –if so, replies with m1 setField requires integrity checks t1 = getField(Alice, m1); {Alice, ?Alice, Bob} S {Alice, ?Alice} A int{Alice, ?Alice} m1; get(m1) K(S)

42 42 Partitioning Jif Programs Solve a constraint system to determine possible hosts Use dynamic programming & heuristics to find an efficient solution Rewrite program, inserting calls to runtime system –data forwarding and control transfers Outputs: A collection of Java code fragments with host assignments

43 43 Static Constraints Consider a field: int{Alice:;?:Alice} f; Host H : confidentiality label C integrity label I Constraints: {Alice:}  C I  {?:Alice} Read-channels: Uses(f)  C Generalize to program statements Constraints on declassify()

Download ppt "Untrusted Hosts and Confidentiality: Secure Program Partitioning Steve Zdancewic Lantian Zheng Nathaniel Nystrom Andrew Myers Cornell University."

Similar presentations

Operating System Security

Operating System Security
Building Secure Distributed Systems The CIF model : Component Information Flow Lilia Sfaxi DCS Days - 26/03/2009.

Building Secure Distributed Systems The CIF model : Component Information Flow Lilia Sfaxi DCS Days - 26/03/2009.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Towards Static Flow-based Declassification for Legacy and Untrusted Programs Bruno P. S. Rocha Sruthi Bandhakavi Jerry den Hartog William H. Winsborough.

Towards Static Flow-based Declassification for Legacy and Untrusted Programs Bruno P. S. Rocha Sruthi Bandhakavi Jerry den Hartog William H. Winsborough.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
Comp 212: Intermediate Programming Lecture 18 – Java Generics By: Anupam Chanda.

Comp 212: Intermediate Programming Lecture 18 – Java Generics By: Anupam Chanda.
Ch. 7 Process Synchronization (1/2) 2015-04-17. 7.I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
METHOD OVERRIDING Sub class can override the methods defined by the super class. Overridden Methods in the sub classes should have same name, same signature.

METHOD OVERRIDING Sub class can override the methods defined by the super class. Overridden Methods in the sub classes should have same name, same signature.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Containment and Integrity for Mobile Code Status Report to DARPA ISO: Feb. 2000 Fred B. Schneider Andrew Myers Department of Computer Science Cornell University.

Containment and Integrity for Mobile Code Status Report to DARPA ISO: Feb Fred B. Schneider Andrew Myers Department of Computer Science Cornell University.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.

Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.

Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
Swift: Secure Web Applications via Automatic Partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng Cornell.

Swift: Secure Web Applications via Automatic Partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng Cornell.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
Owned Policies for Information Security Hubie Chen Stephen Chong Cornell University.

Owned Policies for Information Security Hubie Chen Stephen Chong Cornell University.

Similar presentations

Ads by Google