Jif: Java + Information Flow
Steve Zdancewic, University of Pennsylvania
Andrew Myers, Lantian Zheng, Nate Nystrom, Cornell University
Confidential Data
- Networked information systems:
- PCs store passwords, e-mail, finances,...
- Businesses rely on computing infrastructure
- Military & government communications
- Security of data and infrastructure is critical [Trust in Cyberspace, Schneider et al. '99]
Problems in Practice
- CartManager leaks personal info of millions...
- BJ’s wholesale club leaks 1000’s of credit cards...
- ... Eli Lilly, major pharmaceutical company, leaks the names of 669 Prozac users. “Oops. Which is essentially what the company said when it found out about the error.” --ComputerUser magazine
Technical Challenges
- Software is large and complex
- Security policies are complex
- Requires tools & automation
- Existing mechanisms are crucial, but
- OS: Coarse granularity of access control
- Cryptography must be applied appropriately
Low-level security
- “As in all medical matters these tests and services are confidential in accordance with Pennsylvania Act 148”

  void checkHIV(Patient id) {
    MedRecord mr = getRecord(id);
    if (mr.tests.HIVpositive) {
      out.print("HIV pos.");   // information leak: output depends on the confidential test result
    }
    ...
  }
Jif: Java+Information Flow
- Java
- Information Flow Policy Language
- Principals and Labels
- Principal Hierarchy (delegation)
- Confidentiality & Integrity constraints
- Robust Declassification & Endorsement
- Language features (e.g. polymorphism) [Myers, Nystrom, Zdancewic, Zheng]
Benefits
- Explicit, fine-grained policies
- Program abstractions
- Regulate end-to-end behavior
- Information Flow vs. Access Control
- Tools: increased confidence in security

Information-flow Policy
- Downloadable financial planner (figure: planner interacting with Network, Disk, Accounting Software)
- Access control insufficient
Decentralized Labels
- Simple component {owner: readers}, e.g. “Alice owns this data and she permits Bob & Eve to read it.”
- Compound labels, e.g. {Alice: Charles; Bob: Charles}: “Alice & Bob own this data but only Charles can read it.”
- [Myers & Liskov '97, '00]
Label Lattice
- ^ Join
- ≤ Order
- Labels higher in the lattice are more restrictive.
- (Lattice figure: {} at the bottom; {Alice:Bob,Charles} and {Alice:Bob,Eve} above it, both below {Alice:Bob}; {Alice:} above that; T at the top.)
Integrity Constraints
- Specify who can write to a piece of data
- Both kinds of constraints
- {Alice: Bob; Alice?} “Alice owns this data and she permits Bob to change it.”
Extended Types
- Jif augments Java’s types with labels
- int{Alice:Bob} x;
- Object{L} o;
- Subtyping
- Inherited from the ≤ lattice order
- Inference
- All Jif expressions have labeled types
- Programmers may elide types
Function Calls
  int{Alice:} a;
  int{Bob:} b;
  if (a > 0) {
    f(4);
  }

- Effects inside the function can leak information about the program counter.
- PC label: {} before the branch; inside the branch {} ^ {Alice:} = {Alice:}
- (Figure annotations: {Alice:; Bob:}, {}, {Alice:}, {Bob:})
Method Types
- Constrain begin and end PC labels
- To call PC ≤ B
- On return PC ≤ E
- May include where clauses to specify
- Authority (set of principals)
- Caller’s Authority

  int{L1} method{B}(int{L2} arg) : {E} where authority(Alice) { … }
Richer Security Policies
- More complex policies: "Alice will release her data to Bob, but only after he has paid $10."
- Noninterference too restrictive
- In practice programs do leak some information
- Justification lies outside the model (e.g. cryptography)
Declassification
- “Down-cast” int{Alice:} to int{Alice:Bob}

  int{Alice:} a;
  int Paid;
  ... // compute Paid
  if (Paid == 10) {
    int{Alice:Bob} b = declassify(a, {Alice:Bob});
    ...
  }
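The label lattice, the PC-label check in the Function Calls slide and the declassification rule above can all be expressed with one small model. This is an added Python example, not the Jif compiler or any code from the slides; it ignores the principal hierarchy (acts-for delegation) and integrity policies, and the `declassify_ok` rule (src ≤ dst ⊔ {p:} for each p in the method's authority) is the decentralized label model's relabeling condition as I understand it.

```python
from typing import FrozenSet, Iterable, Tuple

# Constructed model (not the Jif compiler): a label is a set of policies,
# each policy is (owner, readers) and reads as {owner: reader, reader, ...}.
Policy = Tuple[str, FrozenSet[str]]
Label = FrozenSet[Policy]


def label(*policies: Tuple[str, Iterable[str]]) -> Label:
    """label(("Alice", ["Bob"])) is {Alice: Bob}; label() is the public label {}."""
    return frozenset((owner, frozenset(rs)) for owner, rs in policies)


def owners(L: Label) -> FrozenSet[str]:
    return frozenset(owner for owner, _ in L)


def readers(L: Label, owner: str) -> FrozenSet[str]:
    """Effective readers an owner permits: the intersection of all of its policies.
    Only meaningful for owners present in L (an absent owner permits everyone)."""
    sets = [rs for o, rs in L if o == owner]
    return frozenset.intersection(*sets) if sets else frozenset()


def leq(L1: Label, L2: Label) -> bool:
    """L1 <= L2 (L2 at least as restrictive): every owner of L1 still owns in L2
    and L2 permits no readers beyond those L1 permitted."""
    return all(o in owners(L2) and readers(L2, o) <= readers(L1, o)
               for o in owners(L1))


def join(L1: Label, L2: Label) -> Label:
    """Least upper bound (^ on the slide): data labelled L1 ^ L2 obeys both labels."""
    return L1 | L2


def assign_ok(pc: Label, rhs: Label, lhs: Label) -> bool:
    """An assignment inside a branch also leaks the PC label: pc ^ rhs must flow to lhs."""
    return leq(join(pc, rhs), lhs)


def declassify_ok(src: Label, dst: Label, authority: Iterable[str]) -> bool:
    """declassify(e, dst) is accepted when src <= dst ^ {p:} for every principal p
    whose authority the method holds: only owners may relax their own policies."""
    auth = label(*((p, []) for p in authority))
    return leq(src, join(dst, auth))


if __name__ == "__main__":
    alice, alice_bob = label(("Alice", [])), label(("Alice", ["Bob"]))
    print(leq(alice_bob, alice))                          # True: fewer readers is higher
    print(assign_ok(alice, label(), label(("Bob", []))))  # False: the leak from the slide
    print(declassify_ok(alice, alice_bob, ["Alice"]))     # True: Alice's authority
    print(declassify_ok(alice, alice_bob, []))            # False: nobody may relax it
```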
Parameterized Classes
- Jif allows classes to be parameterized by labels and principals
- Code reuse
- e.g. Containers parameterized by labels

  class MyClass[label L] {
    int{L} x;   // field label is the class's label parameter
    ...
  }
Unix cat in Jif
  public static void main{}(String{}[]{} args) {
    String filename = args[0];
    final principal p = Runtime.user();
    final label lb;
    lb = new label{p:};                 // everything read is owned by the invoking user
    Runtime[p] runtime = Runtime.getRuntime(p);
    FileInputStream{lb} fis = runtime.openFileRead(filename, lb);
    InputStreamReader{lb} reader = new InputStreamReader{lb}(fis);
    BufferedReader{lb} br = new BufferedReader{lb}(reader);
    PrintStream{lb} out = runtime.out(); // output channel carries the same label
    String line = br.readLine();
    while (line != null) {
      out.println(line);
      line = br.readLine();
    }
  }
Caveats
- No threads
- Information flow hard to control
- Active area of research (still preliminary)
- Timing channels not controlled
- Explicit choice for practicality
- See Agat ’01 for alternatives
- Other differences from Java
- Some exceptions are fatal
- Restricted access to some System calls
Language-based Security
- Denning '75, '77
- Reynolds '78
- Smith & Volpano '96-'01
- Abadi, Banerjee, Heintz, and Riecke '99
- Sabelfeld & Sands '01, ...
- Honda & Yoshida '01, '02
- Pottier et al. '01, '02
- Banerjee & Naumann '02
- Many others …