
Precise, dynamic information flow for database-backed applications

Published: 02 June 2016

Abstract

We present an approach for dynamic information flow control across the application and database. Our approach reduces the amount of policy code required, yields formal guarantees across the application and database, works with existing relational database implementations, and scales for realistic applications. In this paper, we present a programming model that factors out information flow policies from application code and database queries, a dynamic semantics for the underlying $\lambda^{JDB}$ core language, and proofs of termination-insensitive non-interference and policy compliance for the semantics. We implement these ideas in Jacqueline, a Python web framework, and demonstrate feasibility through three application case studies: a course manager, a health record system, and a conference management system used to run an academic workshop. We show that in comparison to traditional applications with hand-coded policy checks, Jacqueline applications have 1) a smaller trusted computing base, 2) fewer lines of policy code, and 3) reasonable, often negligible, additional overheads.
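To make the "factored out policies" claim concrete, the following toy is an added example, not Jacqueline's API or the paper's code: it models the faceted-value mechanism of the Jeeves line of work that Jacqueline builds on, with a constructed conference-paper table whose author field carries its own policy, a query that runs over faceted rows without resolving them, and a viewer-dependent concretization at the output boundary. All names (`Facet`, `view`, `where`, `papers_by`), the policy shape and the sample rows are assumptions made here.

```python
# Toy model of policy-agnostic information flow (hypothetical; not Jacqueline's API).
from dataclasses import dataclass
from typing import Any, Callable
@dataclass(frozen=True)
class Facet:
    """Reads as `high` for viewers the policy admits and as `low` for everyone else."""
    high: Any
    low: Any
    policy: Callable[[dict], bool]  # viewer -> may this viewer see `high`?

def view(v, pick):
    """Resolve every facet in v, taking `high` iff pick(facet); None list entries (absent rows) are dropped."""
    if isinstance(v, Facet):
        return view(v.high if pick(v) else v.low, pick)
    if isinstance(v, list):
        return [c for x in v if (c := view(x, pick)) is not None]
    if isinstance(v, dict):
        return {k: view(x, pick) for k, x in v.items()}
    return v

def concretize(v, viewer):  # output boundary: resolve facets against the actual viewer
    return view(v, lambda f: f.policy(viewer))

def policies(v):  # policies a value depends on; rows are dicts whose fields may be facets
    if isinstance(v, Facet):
        return [v.policy] + policies(v.high) + policies(v.low)
    return [p for x in v.values() for p in policies(x)] if isinstance(v, dict) else []

def where(rows, pred):
    """Query without leaking: a row whose membership depends on a policy becomes a faceted row."""
    out = []
    for row in rows:
        hi, lo = pred(view(row, lambda f: True)), pred(view(row, lambda f: False))
        if hi and lo:
            out.append(row)  # membership does not depend on any policy; fields stay faceted
        elif hi or lo:
            admit = lambda viewer, ps=policies(row): all(p(viewer) for p in ps)
            out.append(Facet(row if hi else None, row if lo else None, admit))
    return out

def author_policy(author):  # constructed policy: an author sees themself, a chair sees everyone
    return lambda viewer: viewer["user"] == author or viewer["role"] == "chair"

PAPERS = [  # constructed sample table; authors are anonymous to everyone else
    {"id": 1, "title": "Facets", "author": Facet("alice", "Anonymous", author_policy("alice"))},
    {"id": 2, "title": "Flows", "author": Facet("bob", "Anonymous", author_policy("bob"))},
]

def papers_by(author, viewer):  # application code: no policy checks; the policy travels with the data
    return concretize(where(PAPERS, lambda r: r["author"] == author), viewer)
```

A reviewer querying for Alice's papers gets an empty result, while Alice or a chair gets the row; the query code itself never mentions the policy.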


Published in

ACM SIGPLAN Notices, Volume 51, Issue 6 (PLDI '16), June 2016, 726 pages
ISSN: 0362-1340, EISSN: 1558-1160
DOI: 10.1145/2980983
Editor: Andy Gill

PLDI '16: Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2016, 726 pages
ISBN: 9781450342612
DOI: 10.1145/2908080
General Chair: Chandra Krintz; Program Chair: Emery Berger

Copyright © 2016 ACM

Publisher: Association for Computing Machinery, New York, NY, United States
