Abstract
We present an approach for dynamic information flow control across the application and database. Our approach reduces the amount of policy code required, yields formal guarantees across the application and database, works with existing relational database implementations, and scales for realistic applications. In this paper, we present a programming model that factors out information flow policies from application code and database queries, a dynamic semantics for the underlying $\lambda^{JDB}$ core language, and proofs of termination-insensitive non-interference and policy compliance for the semantics. We implement these ideas in Jacqueline, a Python web framework, and demonstrate feasibility through three application case studies: a course manager, a health record system, and a conference management system used to run an academic workshop. We show that in comparison to traditional applications with hand-coded policy checks, Jacqueline applications have 1) a smaller trusted computing base, 2) fewer lines of policy code, and 3) reasonable, often negligible, additional overheads.
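The programming model the abstract describes rests on faceted values: a field carries a secret view, a public view and a policy, application code computes over it without checking policies, and the policy is evaluated once, at the point where a value is shown to a concrete viewer. The toy below, an added example rather than the paper's or Jacqueline's code, models that idea on a constructed health-record table; Facet, fmap, reveal, the patient/doctor policy and the sample rows are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Any, Callable

# Illustrative model of faceted, policy-agnostic values (assumed names, not Jacqueline's API).
@dataclass(frozen=True)
class Facet:
    policy: Callable[[str], bool]   # viewer -> True if the viewer may see `high`
    high: Any                       # confidential view
    low: Any                        # view shown when the policy denies the viewer

def fmap(f, *args):
    # Apply f to plain or faceted arguments; the result inherits every input's policy,
    # so derived values (strings, counts) stay protected without extra checks.
    for i, a in enumerate(args):
        if isinstance(a, Facet):
            with_hi = args[:i] + (a.high,) + args[i + 1:]
            with_lo = args[:i] + (a.low,) + args[i + 1:]
            return Facet(a.policy, fmap(f, *with_hi), fmap(f, *with_lo))
    return f(*args)

def reveal(v, viewer):
    # The one place policies are evaluated: resolve (possibly nested) facets for a viewer.
    while isinstance(v, Facet):
        v = v.high if v.policy(viewer) else v.low
    return v

def diagnosis(patient, doctor, value):
    # Constructed policy: a diagnosis is visible only to the patient and the treating doctor.
    return Facet(lambda viewer: viewer in (patient, doctor), value, "[restricted]")

# Constructed sample rows standing in for a database table.
RECORDS = [
    ("alice", diagnosis("alice", "dr_bob", "flu")),
    ("carol", diagnosis("carol", "dr_bob", "flu")),
    ("dave", diagnosis("dave", "dr_eve", "asthma")),
]

def report(name, viewer):
    # Policy-agnostic application code: formats a row without knowing who will read it.
    diag = dict(RECORDS)[name]
    return reveal(fmap(lambda d: f"{name}: {d}", diag), viewer)

def flu_count(viewer):
    # An aggregate over faceted fields is itself faceted; each viewer sees the count
    # computed only from the rows they are allowed to see.
    total = 0
    for _, d in RECORDS:
        total = fmap(lambda t, x: t + (1 if x == "flu" else 0), total, d)
    return reveal(total, viewer)
```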
Precise, dynamic information flow for database-backed applications. In PLDI '16: Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation.