Presentation is loading. Please wait.

Presentation is loading. Please wait.

Containment and Integrity for Mobile Code End-to-end security, untrusted hosts Andrew Myers Fred Schneider Department of Computer Science Cornell University.

Published byAlvin Marsh Modified over 8 years ago

Similar presentations

Presentation on theme: "Containment and Integrity for Mobile Code End-to-end security, untrusted hosts Andrew Myers Fred Schneider Department of Computer Science Cornell University."— Presentation transcript:

1 Containment and Integrity for Mobile Code End-to-end security, untrusted hosts Andrew Myers Fred Schneider Department of Computer Science Cornell University Ithaca NY 14853

2 18 July 00End-to-end security, untrusted hosts — Andrew Myers 2 Research directions End-to-end security by program rewriting In-lined reference monitors Asynchronous proactive secret sharing Gossip protocols Mobile code integrity: –NAP protocols (primary-backup revisited) –Cryptographic-based privilege management

3 18 July 00End-to-end security, untrusted hosts — Andrew Myers 3 Protecting confidentiality Historically: privacy protection largely a military concern (confidentiality, secrecy) Future: many commercial, end-user needs Assurance for shared information services –on-line shopping, e-mail and home page services Programs with access to private information –spreadsheets, Quicken, word processors,... Military, commercial privacy needs converging? top secret secret classified unclassified

4 18 July 00End-to-end security, untrusted hosts — Andrew Myers 4 Privacy vs complexity Problem: complex systems, untrusted parts –both distributed and single-host computation Harder to protect confidential information ?

5 18 July 00End-to-end security, untrusted hosts — Andrew Myers 5 Example: airplane design Boeing Air Force marketing plans, aircraft designs other customers’ info military secrets, other suppliers’ info Hosts Data Programs war simulations cost projections CAD aircraft simulations

6 18 July 00End-to-end security, untrusted hosts — Andrew Myers 6 Policies vs. Mechanisms Problem: policy/mechanism mismatch –Conventional mechanisms (e.g., access control): control whether A is allowed to transmit to B –Privacy policy: information I can only be obtained by users U (no matter how it is transformed) –Access control is point-to-point; policy is end-to-end How to map privacy policy onto a mechanism? (we already do this by hand!) AB ? I U

7 18 July 00End-to-end security, untrusted hosts — Andrew Myers 7 Mechanisms Discretionary access control: doesn’t control propagation AB ?... Mandatory access control: expensive, restrictive AB ? L top secret secret classified unclassified L

8 18 July 00End-to-end security, untrusted hosts — Andrew Myers 8 Static analysis of information flow Idea: add privacy policies as annotations to programs (types) : e.g., J IF language (Java Information Flow) int {L} x; // L is an end-to-end privacy policy J IF : security-typed language Uses decentralized label model

9 18 July 00End-to-end security, untrusted hosts — Andrew Myers 9 Static information flow Type-check information flow statically –efficient –validates all possible run-time information flows: more precise, less restrictive –allows modular composition –hybrid dynamic/static schemes possible

10 18 July 00End-to-end security, untrusted hosts — Andrew Myers 10 Compiler architecture Program Java source J IF compiler Label annotations Java compiler Class file (Bytecode) Source-to-source translator (J IF  Java) Mostly just removes annotations Class file (Bytecode) Label annotations

11 18 July 00End-to-end security, untrusted hosts — Andrew Myers 11 Single-machine model Source J IF compiler Bytecode Trust Host Executin g program

12 18 July 00End-to-end security, untrusted hosts — Andrew Myers 12 Airplane design Boeing Air Force marketing plans, aircraft designs other customers’ info military secrets, other suppliers’ info Hosts Data Programs War simulations Cost projections CAD aircraft simulations

13 18 July 00End-to-end security, untrusted hosts — Andrew Myers 13 Avoiding trusted compiler Source J IF compiler Bytecode Trust Host Executin g program verifier Java trick: substitute trusted verifier for compiler Need expressive security type system for intermediate / assembly code Trust

14 18 July 00End-to-end security, untrusted hosts — Andrew Myers 14 Avoiding trusted hosts Security invariant: host distrusted by principal p should not see p’s confidential data Problem: multi-party computation may involve confidential data from several parties Run only on completely trusted hosts? –expensive –bottleneck Computation across available hosts

15 18 July 00End-to-end security, untrusted hosts — Andrew Myers 15 Secure program partitioning New approach to secure distributed systems Write programs without explicit code locations or inter-host communication Automatically transform code to run securely on current hosts source compiler intermediate code Host splitter Host code partition authenticated trust declarations

16 18 July 00End-to-end security, untrusted hosts — Andrew Myers 16 Caveats Programs annotated with security information –but: annotations are types Communication model: inter-host messages cannot be intercepted, damaged –but: private-key encryption can be used Some covert channels (e.g., timing) still exist

17 18 July 00End-to-end security, untrusted hosts — Andrew Myers 17 Status New, expressive intermediate language with support for security types, program transformations –Next: security-typed assembly language –verifier Rewrite rules for automatic program partitioning across hosts –Next: optimizing transformations for performance –partitioning back end for J IF compiler –partitioning verifier Core technology is in place

18 18 July 00End-to-end security, untrusted hosts — Andrew Myers 18 Conclusions Decentralized enforcement of end-to-end security policies appears surprisingly feasible Application: assurance for distributed services Other project research directions: –In-lined reference monitors –Asynchronous proactive secret sharing –Gossip protocols –Mobile code integrity

Download ppt "Containment and Integrity for Mobile Code End-to-end security, untrusted hosts Andrew Myers Fred Schneider Department of Computer Science Cornell University."

Similar presentations

Privacy & Other Issues. Acceptable Use Policies When you sign up for an account at school or from an Internet Service Provider, you agree to their rules.

Privacy & Other Issues. Acceptable Use Policies When you sign up for an account at school or from an Internet Service Provider, you agree to their rules.
Operating System Security

Operating System Security
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
Building Secure Distributed Systems The CIF model : Component Information Flow Lilia Sfaxi DCS Days - 26/03/2009.

Building Secure Distributed Systems The CIF model : Component Information Flow Lilia Sfaxi DCS Days - 26/03/2009.
Untrusted Hosts and Confidentiality: Secure Program Partitioning Steve Zdancewic Lantian Zheng Nathaniel Nystrom Andrew Myers Cornell University.

Untrusted Hosts and Confidentiality: Secure Program Partitioning Steve Zdancewic Lantian Zheng Nathaniel Nystrom Andrew Myers Cornell University.
Containment and Integrity for Mobile Code Status Report to DARPA ISO: Feb. 2000 Fred B. Schneider Andrew Myers Department of Computer Science Cornell University.

Containment and Integrity for Mobile Code Status Report to DARPA ISO: Feb Fred B. Schneider Andrew Myers Department of Computer Science Cornell University.
Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.

Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.

1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
Trustworthy Services from Untrustworthy Components: Overview Fred B. Schneider Department of Computer Science Cornell University Ithaca, New York 14853.

Trustworthy Services from Untrustworthy Components: Overview Fred B. Schneider Department of Computer Science Cornell University Ithaca, New York
Access Control Methodologies

Access Control Methodologies
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
Chapter 2.  CIA Model  Host Security VS Network Security  Least Privileges  Layered Security  Access Controls Prepared by Mohammed Saher2.

Chapter 2.  CIA Model  Host Security VS Network Security  Least Privileges  Layered Security  Access Controls Prepared by Mohammed Saher2.
Fundamentals of Computer Security Geetika Sharma Fall 2008.

Fundamentals of Computer Security Geetika Sharma Fall 2008.
Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.

Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Confidentiality using Symmetric Encryption traditionally symmetric encryption is used to provide message confidentiality consider typical scenario –workstations.

Confidentiality using Symmetric Encryption traditionally symmetric encryption is used to provide message confidentiality consider typical scenario –workstations.
1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.

1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.
Java for High Performance Computing Jordi Garcia Almiñana 14 de Octubre de 1998 de la era post-internet.

Java for High Performance Computing Jordi Garcia Almiñana 14 de Octubre de 1998 de la era post-internet.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Policy-Carrying, Policy-Enforcing Digital Objects Sandra Payette and Carl Lagoze Cornell Digital Library Research Group ECDL2000 Lisbon, Portugal September.

Policy-Carrying, Policy-Enforcing Digital Objects Sandra Payette and Carl Lagoze Cornell Digital Library Research Group ECDL2000 Lisbon, Portugal September.

Similar presentations

Ads by Google