Cross-application data provenance and policy enforcement

Abstract
We present a new technique that traces data provenance and enforces data access policies across multiple applications and machines. We have developed Garm, a tool that uses binary rewriting to apply this technique to arbitrary binaries. A user attaches an access policy to data, and Garm enforces that policy on every access to the data, and to any data derived from it, across all applications and executions. Garm uses static analysis to generate optimized instrumentation that traces the provenance of an application's state and the policies that apply to that state, and it monitors the application's interactions with the underlying operating system to enforce those policies. Conceptually, Garm combines trusted computing support from the underlying operating system with a stream cipher so that data protected by an access policy cannot be accessed outside Garm's policy enforcement mechanisms. We have evaluated Garm on several common Linux applications and found that it successfully traces the provenance of data across executions of multiple applications and enforces data access policies on those executions.
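The abstract describes Garm's mechanism only conceptually. The following Python sketch is added here as an illustration and is not Garm's own code: it models the parts the abstract names, namely values that carry provenance and policy tags which derived data inherits, a policy check at the OS boundary (file write, network send), and protected data that reaches disk only under a stream-cipher keystream so that a process outside the monitor sees ciphertext. The Policy format, the Monitor class, the "sealed key", the sink names, the constructed inputs and the SHA-256 counter-mode keystream are all assumptions made for this example; Garm's real cipher, its trusted-computing integration and its binary instrumentation are not modelled.

```python
"""Toy model of provenance-tagged data with policies enforced at the OS boundary.
Added illustration, not Garm's code: the policy form, the 'sealed key' and the
SHA-256 counter-mode keystream are assumptions made here."""
import hashlib
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    allowed_sinks: frozenset  # assumed policy form: sinks that may receive the data

@dataclass(frozen=True)
class Tagged:
    """A value plus its provenance (input sources) and the policies that apply."""
    value: bytes
    sources: frozenset = frozenset()
    policies: frozenset = frozenset()

def derive(op, *args):
    """Data computed from tagged operands inherits the union of their tags."""
    return Tagged(op(*(a.value for a in args)),
                  frozenset().union(*(a.sources for a in args)),
                  frozenset().union(*(a.policies for a in args)))

class PolicyViolation(Exception):
    pass

def keystream(key, nonce, length):
    """Counter-mode keystream from SHA-256, a stand-in for a real stream cipher."""
    blocks = [hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def xor_bytes(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

class Monitor:
    """Stands in for Garm's interposition on the OS interface.  Protected data leaves
    the process only encrypted under a key that, in the real system, the trusted
    platform would release only to the enforcement layer."""

    def __init__(self, sealed_key):
        self.sealed_key = sealed_key
        self.disk = {}      # path -> raw bytes, as any non-Garm process would see them
        self.metadata = {}  # path -> (nonce, sources, policies), kept by the monitor

    def _check(self, sink, data):
        for p in data.policies:
            if sink not in p.allowed_sinks:
                raise PolicyViolation(f"policy {p.name!r} forbids {sink!r} "
                                      f"(data derived from {sorted(data.sources)})")

    def write_file(self, path, data):
        self._check(path, data)
        nonce = os.urandom(8) if data.policies else None  # fresh nonce per protected write
        raw = data.value if nonce is None else \
            xor_bytes(data.value, keystream(self.sealed_key, nonce, len(data.value)))
        self.disk[path] = raw
        self.metadata[path] = (nonce, data.sources, data.policies)

    def read_file(self, path):
        """Reading through the monitor decrypts and restores the tags, so a second
        application sees the same provenance and policies as the writer."""
        raw, (nonce, sources, policies) = self.disk[path], self.metadata[path]
        value = raw if nonce is None else \
            xor_bytes(raw, keystream(self.sealed_key, nonce, len(raw)))
        return Tagged(value, sources, policies)

    def send(self, sink, data):
        self._check(sink, data)
        return data.value

def demo():
    """Two 'applications' sharing one monitor: a policy attached in the first
    follows derived data into the second and blocks a network send there."""
    mon = Monitor(sealed_key=b"\x11" * 32)  # constructed key for the example
    internal = Policy("internal-only", frozenset({"disk:/home/user/report.txt"}))
    salary = Tagged(b"salary=100000", frozenset({"payroll.csv"}), frozenset({internal}))
    header = Tagged(b"Q3 report\n", frozenset({"template.txt"}))  # unprotected input
    # application 1: mixes protected and unprotected data, writes the result to disk
    report = derive(lambda h, s: h + s, header, salary)
    mon.write_file("disk:/home/user/report.txt", report)
    on_disk = mon.disk["disk:/home/user/report.txt"]  # ciphertext, as seen outside Garm
    # application 2: reads the file back, transforms it and tries to upload it
    loaded = mon.read_file("disk:/home/user/report.txt")
    upload = derive(lambda b: b.upper(), loaded)
    try:
        mon.send("net:upload.example", upload)
        blocked = False
    except PolicyViolation:
        blocked = True
    return on_disk, loaded, upload, blocked

if __name__ == "__main__":
    on_disk, loaded, upload, blocked = demo()
    print("on disk:", on_disk.hex(), "| upload blocked:", blocked)
```

The cipher here is a hash-based stand-in with no authentication; the point is only that ciphertext leaves the monitor while plaintext and tags do not. A real deployment would additionally need the key sealed to the enforcement layer (the trusted-computing part of the abstract) and the tag metadata protected against tampering, neither of which a dictionary in the same process provides.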