Abstract
Decentralized information flow control (DIFC) is a promising model for writing programs with powerful, end-to-end security guarantees. Current DIFC systems that run on commodity hardware can be broadly categorized into two types: language-level and operating system-level DIFC. Language-level solutions provide no guarantees against security violations on system resources, such as files and sockets. Operating system-level solutions can mediate accesses to system resources, but are inefficient at monitoring the flow of information through fine-grained program data structures.
This paper describes Laminar, the first system to implement decentralized information flow control using a single set of abstractions for OS resources and heap-allocated objects. Programmers express security policies by labeling data with secrecy and integrity labels, and then access the labeled data in lexically scoped security regions. Laminar enforces the security policies specified by the labels at runtime. Laminar is implemented using a modified Java virtual machine and a new Linux security module. This paper shows that security regions ease incremental deployment and limit dynamic security checks, allowing us to retrofit DIFC policies on four application case studies. Replacing the applications' ad hoc security policies changes less than 10% of the code and incurs performance overheads from 1% to 56%. Whereas prior DIFC systems only support limited types of multithreaded programs, Laminar supports a more general class of multithreaded DIFC programs that can access heterogeneously labeled data.
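The following is an added illustration of the label model the abstract describes (secrecy and integrity labels checked at runtime, with labeled data reachable only inside a lexically scoped security region); it is a constructed Python sketch, not Laminar's code or API, and the names `Label`, `can_flow`, `security_region`, `read` and `write` are this example's own.

```python
from contextlib import contextmanager
from dataclasses import dataclass

# Constructed DIFC label: a set of secrecy tags plus a set of integrity tags.
# Names and structure are this example's assumptions, not Laminar's own API.
@dataclass(frozen=True)
class Label:
    secrecy: frozenset = frozenset()
    integrity: frozenset = frozenset()

def can_flow(src: Label, dst: Label) -> bool:
    """Lattice rule: dst must be at least as secret and no more trusted than src."""
    return src.secrecy <= dst.secrecy and dst.integrity <= src.integrity

class SecurityError(Exception):
    pass

@dataclass
class Labeled:
    value: object
    label: Label

_region = [None]  # current label of the (single) thread; None outside any region

@contextmanager
def security_region(label: Label):
    """Lexically scoped region: the thread adopts `label` for its duration."""
    _region.append(label)
    try:
        yield
    finally:
        _region.pop()

def read(obj: Labeled):
    cur = _region[-1]  # data flows from the object into the region
    if cur is None or not can_flow(obj.label, cur):
        raise SecurityError(f"read of {obj.label} denied in region {cur}")
    return obj.value

def write(obj: Labeled, value):
    cur = _region[-1]  # data flows from the region into the object
    if cur is None or not can_flow(cur, obj.label):
        raise SecurityError(f"write to {obj.label} denied in region {cur}")
    obj.value = value

def demo():
    alice, public = Label(secrecy=frozenset({"alice"})), Label()
    secret, sink = Labeled("alice's note", alice), Labeled(None, public)
    results = {}
    with security_region(alice):
        results["read_in_region"] = read(secret) == "alice's note"
        try:
            write(sink, read(secret))  # secret data into a public sink: blocked
            results["leak_blocked"] = False
        except SecurityError:
            results["leak_blocked"] = True
    try:
        read(secret)  # labeled data is unreachable outside any region
        results["outside_blocked"] = False
    except SecurityError:
        results["outside_blocked"] = True
    return results
```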