
By Ronny Bull, Chaitanya Pinnamaneni, Alex Stuart.


Slide 1: Title slide.

Slide 2: Recent incidents
- WordPress root hack: Facebook and Twitter accounts compromised
- Monster.com attack: 146,000 accounts compromised
- UN website defaced via SQL injection
- Payroll site closes on security worries
- Hacker accesses thousands of personal data files at CSU Chico
- FTC investigates PETCO.com security hole
- Major breach of UCLA's computer files
- reStructuredText include directive does not respect ACLs

Slide 3: Threats
- SQL injection
- Man in the middle
- Spoofing
- Server-side malware (e.g. Farmville)
- Client-side malware

Slide 4 (figure): Alice's data and Bob's data both flow through a vulnerable web app.

Slide 5: Decentralized information flow control (DIFC)
- A variation of classic information flow control
- Able to improve the security of complex applications even in the presence of potential exploits, e.g. third-party plugins
- Services are distributed and policies are enforced at the user-space level; the user cannot interact with the kernel directly
- An API for secure cloud-based application development
- The opposite of centralized flow control, which requires individual attention for each application

Slide 6: Processes are divided into two categories, trusted and untrusted. Untrusted processes do most of the computation and are constrained by transparent DIFC controls. Trusted processes are conscious of DIFC and manage the privacy and integrity controls that constrain the untrusted processes.

Slide 7: Flume
- Provides security against the aforementioned threats
- Utilizes DIFC and process-level security
- Tags and labels are used to track data as it flows through a cloud-based system
- Tags have no meaning to the user; to the processes, each tag represents a level of either security or integrity
- There are two types of labels, security (S_p) and integrity (I_p)
- Security tags are grouped within a security label, and integrity tags within an integrity label

Slide 8 (figure): a tag such as "Financial Reports", and a label, which is a set of tags: { "Financial Reports", "HR Documents" }.

Slide 9: Security (S_q): any process is allowed to add a tag to its security label in order to access the private data associated with that tag, but it is not allowed to declassify (remove) the tag until it has permission from the tag's owner. Integrity (I_q): any process is allowed to declassify (remove) a tag from its integrity label in order to read lower-integrity files, but it is not allowed to add the tag back without the owner's permission.

Slide 10: The aim of this model is to track the flow of data by controlling processes, messages and their label changes. Rule 1: a system is secure if every change made to the label of a process is safe. Rule 2: all allowed communications are "safe".

Slide 11: For a process q, let the label L be S_q or I_q, and let the new label L′ be S′_q or I′_q. The change from L to L′ is safe if and only if

{L′ − L}⁺ ∪ {L − L′}⁻ ⊆ O_p

that is, every tag added to the label requires its t+ capability and every tag removed requires its t- capability, and all of them must be in the ownership set O_p. Worked examples from the slide (figure: q sends to p, with S_p = {b}):
- Adding a tag: O_q = {t+, t-, b+}, S_q = {t}, S′_q = {t, b}. {S′_q − S_q}⁺ = {b+} ⊆ O_q, so the change is safe.
- Removing a tag: O_q = {t+, t-, b-}, S_q = {t, b}, S′_q = {b}. {S_q − S′_q}⁻ = {t-} ⊆ O_q, so the change is safe.

Slide 12 (figure, q sends to p): three states are shown.
- q: S_q = {b}, O_q = {t+, t-, b-}; p: S_p = {b}, owns {b+, b-, h+}
- q: S_q = {b, t}, O_q = {t+, t-, b-}; p: S_p = {b}, owns {b+, b-, h+}
- q: S_q = {b}, O_q = {t+, t-, b-}; p: S_p = {b, h}, owns {b+, b-, h+}

Slide 13 (figure): process p with S_p = {a}; process q with S_q = {} and O_q = {a, b}; process r with S_r = {b}.
Rule 3: communication by sending a message (here from r to q) is safe iff S_r − O_r ⊆ S_q ∪ O_q and I_q − O_q ⊆ I_r ∪ O_r.

Slide 14 (figure): three processes A, B and C.
- A: S_a = {a}, owns {a+, h-, h+}
- B: S_p = {a}, owns {a+, a-, h+}
- C: S_c = {c}, owns {c+, c-, k+}
- After B receives from C: S′_p = {a, c}

Slide 15: Rule 4: a readable endpoint e is safe iff (S_e − S_p) ⊆ D_p. Rule 5: a writable endpoint e is safe iff (S_p − S_e) ⊆ D_p. In other words, for any tag t with t ∈ S_p and t ∉ S_e (writing), or t ∈ S_e and t ∉ S_p (reading), it must be that t ∈ D_p. Figure: process p with endpoint e, S_e = {H}, S_p = {F}, D_p = {F, H}; both reading and writing are safe because H − F and F − H are each contained in D_p.

Slide 16: A process can read from or write to anything outside Flume's control (the network, a terminal, a printer, a remote host, or the console) if and only if it can decrease its secrecy label to {}. Figure: process r communicating with the Internet, with S_r = {}.

Slide 17 (figure): a wiki hosting a malicious application, with Blue's data, Red's data, public data and an authentication tag.
- Blue's tag: B_s = {b}; Red's tag: R_s = {r}; public data: {}
- Blue's process: S_b = {b}, O_b = {b+, b-, r+, p+}
- After reading Red's data: S_b = {b, r}, O_b = {b+, b-, r+, p+}
- Red's process: S_r = {r}, O_r = {r+, r-, b+, p+}
- After dropping Blue's own tag: S_b = {r}, O_b = {b+, b-, r+, p+}
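The label arithmetic of slides 11, 13, 15 and 16 is small enough to write out in full. The Python below is an added example, not code from the slides or from the Flume project: it encodes the safe-label-change rule, Rule 3 for messages, Rules 4 and 5 for endpoints, and the "lower to {}" export test, then replays the slides' own values and the wiki scenario of slide 17. Its assumptions are its own: ownership is a set of capability strings "t+"/"t-", the dual-privilege set D_p is derived as the tags with both capabilities (the slides write O_q = {a, b} for this tag set), and all function names are hypothetical.

```python
"""Flume-style DIFC label checks (added example; names and representation are assumptions).

Tags are strings. Secrecy (S) and integrity (I) labels are sets of tags.
An ownership set O_p holds capability strings "t+" (may add tag t to a label)
and "t-" (may remove it). D_p is the set of tags p can both add and remove.
"""


def dual(owned):
    """D_p = {t : t+ in O_p and t- in O_p}, the tags p has full control over."""
    return {c[:-1] for c in owned if c.endswith("+") and c[:-1] + "-" in owned}


def safe_label_change(old, new, owned):
    """Slide 11: L -> L' is safe iff {L' - L}+ union {L - L'}- is a subset of O_p."""
    needed = {t + "+" for t in set(new) - set(old)} | {t + "-" for t in set(old) - set(new)}
    return needed <= set(owned)


def safe_message(s_send, o_send, s_recv, o_recv, i_send=(), i_recv=()):
    """Rule 3 (slide 13), sender r -> receiver q:
    S_r - D_r subset of S_q union D_q  and  I_q - D_q subset of I_r union D_r.
    The slides' O_q (a set of tags) is taken here as dual(O_q)."""
    d_send, d_recv = dual(o_send), dual(o_recv)
    secrecy_ok = (set(s_send) - d_send) <= (set(s_recv) | d_recv)
    integrity_ok = (set(i_recv) - d_recv) <= (set(i_send) | d_send)
    return secrecy_ok and integrity_ok


def safe_read(s_e, s_p, d_p):
    """Rule 4 (slide 15): readable endpoint e is safe iff S_e - S_p subset of D_p."""
    return (set(s_e) - set(s_p)) <= set(d_p)


def safe_write(s_e, s_p, d_p):
    """Rule 5 (slide 15): writable endpoint e is safe iff S_p - S_e subset of D_p."""
    return (set(s_p) - set(s_e)) <= set(d_p)


def can_export(s_p, o_p):
    """Slide 16: p may talk to the outside world iff it can lower S_p to {}."""
    return safe_label_change(s_p, set(), o_p)


def wiki_scenario():
    """Slide 17: Blue's process (O_b = {b+, b-, r+, p+}) reads Red's data.
    Returns which steps the rules permit; values are constructed from the slide."""
    o_b = {"b+", "b-", "r+", "p+"}
    steps = {}
    steps["read_red"] = safe_label_change({"b"}, {"b", "r"}, o_b)       # r+ owned
    steps["export_with_red"] = can_export({"b", "r"}, o_b)              # r- missing
    steps["drop_own_b"] = safe_label_change({"b", "r"}, {"r"}, o_b)      # b- owned
    steps["export_after_drop"] = can_export({"r"}, o_b)                 # r- still missing
    return steps


if __name__ == "__main__":
    # Slide 11 examples: add b with b+ owned; remove t with t- owned.
    print(safe_label_change({"t"}, {"t", "b"}, {"t+", "t-", "b+"}))
    print(safe_label_change({"t", "b"}, {"b"}, {"t+", "t-", "b-"}))
    # Slide 13: p -> q and r -> q are safe; p -> r is not (r cannot hold a).
    o_q = {"a+", "a-", "b+", "b-"}
    print(safe_message({"a"}, set(), set(), o_q), safe_message({"b"}, set(), set(), o_q))
    print(safe_message({"a"}, set(), {"b"}, set()))
    # Slide 15: S_e = {H}, S_p = {F}, D_p = {F, H}.
    print(safe_read({"H"}, {"F"}, {"F", "H"}), safe_write({"H"}, {"F"}, {"F", "H"}))
    print(wiki_scenario())
```

The wiki scenario is the point of the model: Blue's process may raise its label to read Red's data (it owns r+), may drop its own tag b (it owns b-), but can never lower the label back to {} because it lacks r-, so Rule 4/5 and the slide 16 export test keep Red's data from reaching the network through a compromised plugin. The Flume reference monitor performs exactly these set checks on every label change and message; the code here models them only.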


Slide 21 (figure): message layout: label and tag ID, application header, permissions, data.

Slide 22: References
- http://www.informationweek.com/news/security/attacks/229401577
- Krohn et al., "Information Flow Control for Standard OS Abstractions", SOSP '07, October 14-17, 2007: http://www.sosp2007.org/talks/sosp112-krohn.pdf
- "Securing the Web with Decentralized Information Flow Control", lecture by Krohn, MIT: http://www.youtube.com/watch?v=hO5XWLVoi24

