Java Information Flow: Ensuring Confidentiality and Integrity with Jif - Prof. Michael W. , Study notes of Programming Languages

These notes cover the importance of securing confidential data in networked information systems and the difficulty of implementing security policies in practice. They introduce Jif, a Java-based information-flow system that uses principals and labels to enforce fine-grained security policies, describe the benefits of Jif, such as explicit policies and increased confidence in security, and give examples of its use.

Typology: Study notes

Pre 2010

Uploaded on 02/13/2009

koofers-user-c0n-1

Jif: Java + Information Flow

Steve Zdancewic, University of Pennsylvania
Andrew Myers, Lantian Zheng, Nate Nystrom, Cornell University

Confidential Data

  • Networked information systems:
    • PCs store passwords, e-mail, finances,...
    • Businesses rely on computing infrastructure
    • Military & government communications
  • Security of data and infrastructure is critical [Trust in Cyberspace, Schneider et al. '99]

Problems in Practice

  • CartManager leaks personal info of millions...
  • BJ’s wholesale club leaks 1000’s of credit cards...
  • ... Eli Lilly, a major pharmaceutical company, leaks the names of 669 Prozac users. “Oops. Which is essentially what the company said when it found out about the error.” -- ComputerUser magazine

Technical Challenges

  • Software is large and complex
  • Security policies are complex
    • Requires tools & automation
  • Existing mechanisms are crucial, but
    • OS: Coarse granularity of access control
    • Cryptography must be applied appropriately

Low-level security

  • “As in all medical matters these tests and services are confidential in accordance with Pennsylvania Act 148”

```java
// Slide code: the output depends on the confidential test result, so the
// program leaks the patient's HIV status in violation of the policy above.
void checkHIV(Patient id) {
    MedRecord mr = getRecord(id);
    if (mr.tests.HIVpositive) {
        out.print("HIV pos.");   // information leak
    }
    // ...
}
```

Jif: Java+Information Flow

  • Java
    • With some restrictions
  • Information Flow Policy Language
    • Principals and Labels
    • Principal Hierarchy (delegation)
    • Confidentiality & Integrity constraints
    • Robust Declassification & Endorsement
    • Language features (e.g. polymorphism) [Myers, Nystrom, Zdancewic, Zheng]

Benefits

  • Explicit, fine-grained policies
  • Program abstractions
  • Regulate end-to-end behavior
    • Information Flow vs. Access Control
  • Tools: increased confidence in security

Information-flow Policy

  • Downloadable financial planner (figure: accounting software connected to both the disk and the network)
  • Access control insufficient

Decentralized Labels

  • Simple Component {owner: readers}
    • {Alice: Bob, Eve} “Alice owns this data and she permits Bob & Eve to read it.”
  • Compound Labels [Myers & Liskov '97, '00]
    • {Alice: Charles; Bob: Charles} “Alice & Bob own this data but only Charles can read it.”

Label Lattice

  • ≤ is the lattice order, ^ is the join
  • (figure: Hasse diagram with {} at the bottom, T at the top, and labels such as {Alice:Bob,Charles}, {Alice:Bob,Eve}, {Alice:Bob} and {Alice:} in between)
  • Labels higher in the lattice are more restrictive.

Integrity Constraints

  • Specify who can write to a piece of data
    • {Alice? Bob} “Alice owns this data and she permits Bob to change it.”
  • Both kinds of constraints
    • {Alice: Bob; Alice?}

Extended Types

  • Jif augments Java’s types with labels
    • int{Alice:Bob} x;
    • Object{L} o;
  • Subtyping
    • Inherited from the ≤ lattice order
  • Inference
    • All Jif expressions have labeled types
    • Programmers may elide types

Function Calls

```jif
int{Alice:} a;
int{Bob:} b;
...
if (a > 0) {    // PC label inside the branch: {} ^ {Alice:} = {Alice:}
    f(4);       // f's effects happen only when a > 0, so they carry information about a
}
```

PC label: {} before the if, {} ^ {Alice:} = {Alice:} inside the branch, {} again after it (the slide's lattice shows {}, {Alice:}, {Bob:} and {Alice:; Bob:}). Effects inside the function can leak information about the program counter.

Method Types

  • Constrain begin and end PC labels
    • To call PC ≤ B
    • On return PC ≤ E
  • May include where clauses to specify
    • Authority (set of principals)
    • Caller’s Authority

```jif
int{L1} method{B}(int{L2} arg) : {E} where authority(Alice) { ... }
```

Richer Security Policies

  • More complex policies: "Alice will release her data to Bob, but only after he has paid $10."
  • Noninterference too restrictive
    • In practice programs do leak some information
    • Justification lies outside the model (e.g. cryptography)

Declassification

“down-cast” int{Alice:} to int{Alice:Bob}

```jif
int{Alice:} a;
int Paid;
... // compute Paid
if (Paid == 10) {
    int{Alice:Bob} b = declassify(a, {Alice:Bob});
    ...
}
```
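The lattice order and join from the Label Lattice slide, the PC-label check behind the Function Calls slide, and the authority rule behind declassify, modelled as an added Python example (not Jif's or the authors' code; the dict-of-frozensets representation, the function names and the simplified declassification rule are this example's own choices):

```python
# Added illustration, not Jif's own code: a toy model of the decentralized label
# lattice, the PC-label check from the function-call slide, and declassification.
# A label maps each owner to the readers it permits; an owner always reads its own
# policy, and a principal that owns no policy in a label imposes no restriction.
from typing import Dict, FrozenSet

Label = Dict[str, FrozenSet[str]]

def label(*policies: str) -> Label:
    """Parse slide notation: label("Alice: Bob, Eve", "Bob: Charles")."""
    out: Label = {}
    for pol in policies:
        owner, _, rs = pol.partition(":")
        out[owner.strip()] = frozenset(r.strip() for r in rs.split(",") if r.strip())
    return out

def show(lab: Label) -> str:
    """Render a label the way the slides write it, e.g. {Alice:; Bob:}."""
    parts = [f"{o}:{' ' + ', '.join(sorted(rs)) if rs else ''}" for o, rs in sorted(lab.items())]
    return "{" + "; ".join(parts) + "}"

def leq(l1: Label, l2: Label) -> bool:
    """l1 <= l2 (flow from l1 to l2 allowed): l2 keeps every owner of l1 and
    grants each of them no reader that l1 does not already grant."""
    return all(o in l2 and l2[o] <= l1[o] for o in l1)

def join(l1: Label, l2: Label) -> Label:
    """Least upper bound (^ on the slides): all owners kept; a shared owner keeps only common readers."""
    out = dict(l1)
    for o, rs in l2.items():
        out[o] = out[o] & rs if o in out else rs
    return out

def may_write(pc: Label, rhs: Label, target: Label) -> bool:
    """An assignment or call effect is legal only if pc ^ rhs <= target; the pc
    term is what catches the implicit flow on the function-call slide."""
    return leq(join(pc, rhs), target)

def declassify(lab: Label, to: Label, authority: FrozenSet[str]) -> Label:
    """Relax lab to `to` (simplified rule, PC ignored): only policies owned by a
    principal in the caller's authority may be weakened; all others must still hold."""
    for o, rs in lab.items():
        if o not in authority and not (o in to and to[o] <= rs):
            raise PermissionError(f"declassify {show(lab)} -> {show(to)} needs {o}")
    return to
```

Branching on a:{Alice:} raises the PC to {Alice:}, after which may_write rejects any effect on b:{Bob:}; the same check is what would flag the checkHIV leak on the Low-level security slide.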

Parameterized Classes

  • Jif allows classes to be parameterized by labels and principals
  • Code reuse
  • e.g. Containers parameterized by labels

```jif
class MyClass[label L] {
    int{L} x;
}
```

Unix cat in Jif

```jif
public static void main{}(String{}[]{} args) {
    String filename = args[0];
    final principal p = Runtime.user();
    final label lb;
    lb = new label{p:};
    Runtime[p] runtime = Runtime.getRuntime(p);
    FileInputStream{lb} fis = runtime.openFileRead(filename, lb);
    InputStreamReader{lb} reader = new InputStreamReader{lb}(fis);
    BufferedReader{lb} br = new BufferedReader{lb}(reader);
    PrintStream{lb} out = runtime.out();
    String line = br.readLine();
    while (line != null) {
        out.println(line);
        line = br.readLine();
    }
}
```

Caveats

  • No threads
    • Information flow hard to control
    • Active area of research (still preliminary)
  • Timing channels not controlled
    • Explicit choice for practicality
    • See Agat ’01 for alternatives
  • Other differences from Java
    • Some exceptions are fatal
    • Restricted access to some System calls

Language-based Security

  • Denning ’75, ’77
  • Reynolds ’78
  • Smith & Volpano ’96–’01
  • Abadi, Banerjee, Heintz, and Riecke ’99
  • Sabelfeld & Sands ’01, …
  • Honda & Yoshida ’01, ’02
  • Pottier et al. ’01, ’02
  • Banerjee & Naumann ’02
  • Many others …