
Cross-application data provenance and policy enforcement

Published: 06 June 2011

Abstract

We present a new technique that can trace data provenance and enforce data access policies across multiple applications and machines. We have developed Garm, a tool that uses binary rewriting to implement this technique on arbitrary binaries. Users can use Garm to attach access policies to data and Garm enforces the policy on all accesses to the data (and any derived data) across all applications and executions. Garm uses static analysis to generate optimized instrumentation that traces the provenance of an application's state and the policies that apply to this state. Garm monitors the interactions of the application with the underlying operating system to enforce policies. Conceptually, Garm combines trusted computing support from the underlying operating system with a stream cipher to ensure that data protected by an access policy cannot be accessed outside of Garm's policy enforcement mechanisms. We have evaluated Garm with several common Linux applications. We found that Garm can successfully trace the provenance of data across executions of multiple applications and enforce data access policies on the application's executions.
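As an added illustration of the design the abstract describes (not Garm's own code; the policy table, principal names and the SHAKE-128 keystream standing in for the stream cipher are constructed assumptions), this Python model propagates policy tags through derived data and encrypts tagged bytes at a simulated OS boundary, so only a reader under the enforcement layer with an authorized principal recovers them:

```python
import hashlib

# Constructed policy table: policy id -> principals allowed to read data it protects.
POLICIES = {"hr-salary": {"alice"}, "project-x": {"alice", "bob"}}

class Tagged:
    """Application data plus the set of policy ids it was derived from (its provenance)."""
    def __init__(self, data: bytes, policies=()):
        self.data = data
        self.policies = frozenset(policies)

def derive(fn, *inputs: Tagged) -> Tagged:
    """Anything computed from tagged inputs inherits the union of their policies."""
    return Tagged(fn(*[t.data for t in inputs]),
                  frozenset().union(*(t.policies for t in inputs)))

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in for the stream cipher: SHAKE-128 output used as an XOR keystream."""
    return hashlib.shake_128(key + b"|" + nonce).digest(n)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Garm:
    """Mediates the application's file I/O; self.files simulates the OS file store."""
    def __init__(self, key: bytes):
        self.key = key          # held by the enforcement layer, never by the application
        self.files = {}

    def write(self, path: str, t: Tagged) -> None:
        # Policy-protected bytes cross into the OS only as ciphertext; the policy set is
        # stored alongside so provenance survives the execution boundary. The path serves
        # as a constructed nonce here; a real deployment needs a fresh nonce per write.
        if t.policies:
            ct = xor(t.data, keystream(self.key, path.encode(), len(t.data)))
            self.files[path] = (ct, t.policies)
        else:
            self.files[path] = (t.data, frozenset())

    def read(self, path: str, principal: str) -> Tagged:
        stored, policies = self.files[path]
        for pid in policies:      # every policy attached to the data must allow the reader
            if principal not in POLICIES[pid]:
                raise PermissionError(f"{principal} denied by policy {pid}")
        if policies:
            stored = xor(stored, keystream(self.key, path.encode(), len(stored)))
        return Tagged(stored, policies)   # tags re-attached for the next application

    def raw_read(self, path: str) -> bytes:
        """What a process outside the enforcement layer sees: the stored bytes only."""
        return self.files[path][0]
```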



Reviews

Chenyi Hu

In today's society, people increasingly rely on computer networks to exchange a variety of information. With the complexity of our networked world, ensuring information security has become critical, not only to protecting personal privacy, but also to national security. Therefore, many organizations have implemented technologies that combine encryption with security policy. Beyond the issues related to the efficiency and flexibility of these technologies are challenges to cross-application data provenance and policy enforcement. More explicitly, it is difficult to discover the history of how a file has reached its current state, and how to control access to a file during its transmission, when it involves the multiple machines in current software systems. To address this problem, Demsky presents a new framework for data protection called Garm. Garm encrypts policy-protected data before it is passed to the operating system, and decrypts policy-protected data before an authorized application reads it. The system can trace data provenance and enforce data access policies across multiple applications and machines. It further introduces support for tracing provenance information across executions and application boundaries. The paper describes the architecture of Garm, analyzes its provenance, and presents its limitations. Furthermore, it reports that applications of the prototype implementation on benchmark files achieved the goals as expected, with an overhead ranging from 5.34 to 13.14 on benchmarked gzipped, tar archive, and MP3 files. The slowdown is barely noticeable, however, on interactive applications such as bash, xdvi, pico, nano, ssh, scp, and other command line utilities. The paper also presents some possible reasons that may negatively affect performance. For example, the current implementation has a 400-percent increase in the amount of memory space. In the real world, no system is absolutely secure. Demsky presents reasonable assumptions about Garm, as well as its limitations. This paper is very well written. I certainly recommend it to people who work in information security, from system architecture, to solution design, to implementation.

Online Computing Reviews Service


Published in

ACM Transactions on Information and System Security, Volume 14, Issue 1, May 2011, 366 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/1952982

Copyright © 2011 ACM

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 6 June 2011
• Accepted: 1 April 2010
• Revised: 1 February 2010
• Received: 1 September 2009

Qualifiers

• research-article
• Research
• Refereed
