Preventing Information Leaks with Jeeves Jean Yang, MIT April 8, 2015.
-
Upload
timothy-jennings -
Category
Documents
-
view
215 -
download
2
Transcript of Preventing Information Leaks with Jeeves Jean Yang, MIT April 8, 2015.
Preventing Information Leaks
with Jeeves
Jean Yang, MITApril 8, 2015
Jean Yang / Jeeves 2
Wearable devices
Data, Data Everywhere
Social media
Electronic health records
Online courses
Jean Yang / Jeeves 3
All Kinds of People Are Writing All Kinds of
CodeOpen source lines of code
Journalists
Medical researchers
Social scientists
Children
Jean Yang / Jeeves 4
Even Trained Developers Leak
Information
Jean Yang / Jeeves 5
Why Aren’t Existing Approaches Enough?
Exploit
Patch
But leaves system builders a step
behind.
Defensive protection
But people are still showing the data
wrong.
Encrypting Data
Jean Yang / Jeeves 6
My Approach:Privacy by Construction
Factor out privacy to reduce opportunity for leaks.
• Programmer specifies high-level policies about how sensitive data can be used.
• Rest of program is policy-agnostic.• System manages policies automatically.
Jean Yang / Jeeves 7
Social Calendar Example
Alice and Bob throw a surprise party for Carol.
Jean Yang / Jeeves 8
Even Seemingly Simple Policies Have Subtleties
Guests Carol Strangers
Surprise party for Carol at
Chuck E. Cheese.
Pizza with Alice/Bob.
Private event at Chuck E.
Cheese.
Policy: Must be guest. Policies can depend on sensitive values and other policies.Policy: Only visible to
hosts until finalized.
Problem:
Jean Yang / Jeeves 9
Enforcing Policies Can Leak Information!
Guests
Surprise party at
Chuck E. Cheese.
Policy: Only visible to hosts until finalized.
Policy: Must be guest.
Guest list finalized
Guests can’t see event
Guests can see event
• Subtle mistake: check for policy 1 neglects dependency on policy 2.
• Problem arises when programmers trusted to get dependencies right.
1
2
Jean Yang / Jeeves 10
Policies Are Intertwined Across the Code
“What is the most popular location among friends 7pm Tuesday?”
Update to event
subscribers
• Track information flow through derived values.• Track where derived values flow.
Problem:
Jean Yang / Jeeves 11
“Policy Spaghetti”in Real Systems
Code from HotCRP
conference management
system
Highlighted: conditional permissions checks everywhere.
Jean Yang / Jeeves 12
Programming model.
Mathematical guarantees.
Implementations, web framework,
and case studies.
Automatic Enforcement with Jeeves
The well-intentioned programmer writes same code no matter what
policies are.
Jean Yang / Jeeves 13
Jeeves Factors Out Policies
• Centralized policies.• Policy-agnostic
program.• Runtime differentiates
behavior.
Model View Controller
Jean Yang / Jeeves 14
Background.
Jeeves programming model.
How Jeeves works.
Theoretical guarantees.
Implementation & evaluation.
This Talk
[PLAS ’13]
[PLAS ’13]
[draft]
[POPL ’12]
Background.
Jean Yang / Jeeves 15
1. Specifying policies.
2. Specifying differentiated behavior.
3. Factoring out policies from other code.
4. Enforcing policies that depend on sensitive values.
Automatically Managing Information Flow
Only Jeeves supports 3 and 4.
Jeeves supports more expressive policies
than prior work.
Jean Yang / Jeeves 16
Information flow controls check that only allowed flows occur [HiStar, Flume, Resin, LIO/Hails, Jif/Sif, flow locks, F*, and more].
Related Work:
Checking Information Flow
==
true
==
false
if viewer == : elif viewer != :
error
Programmer tags data.
System prevents leaks by raising error.
Must explicitly define and tag alternate behavior.
My previous work.
Jean Yang / Jeeves 17
==
Multi-execution approaches differentiate behavior based on viewer [secure multi-execution (Devriese et al); faceted execution (Austin and Flanagan)].
true false
Computing with Multiple Values
Related Work:
Must encode policies as tags.• “Policy
spaghetti.”• Policies can
leak information.
Jean Yang / Jeeves 18
Background.
Jeeves programming model
How Jeeves works.
Theoretical guarantees.
Implementation & evaluation.
This Talk
Jeeves programming model.
Supporting expressive policies that can depend on sensitive values.
2
Factoring out information flow.
1
Challenges
Jean Yang / Jeeves 19
Policy-Agnostic Programming in Jeeves
Application CodeSeparate from policies.
policiesSensitive values encapsulate multiple behaviors.
Policies describe rules for how values may flow to output contexts.
Jean Yang / Jeeves 20
.guests [ ]
Jeeves Supports Expressive Policies
def isNotCarol(oc): return oc !=Output context can be of arbitrary type.
def isGuest(oc): return oc in .guests
A policy is an arbitrary function that takes the output context and returns a Boolean value.
Policies can depend on sensitive values.
Jean Yang / Jeeves 21
==
true false
print { } print { }
true false
Jeeves Programming Model
Programmer writes policy-agnostic programs.
Runtime propagates values and policies.
Runtime produces differentiated output based on the viewer.
Programmer specifies policies and facets.
1 2
4
3
Jean Yang / Jeeves 22
The Jeeves Programming Model
• Well-defined runtime semantics for policy-agnostic programming with information flow policies.
• Can be implemented standalone or embedded as a library.
• Has been adapted across runtimes in web frameworks.
Jean Yang / Jeeves 23
Background.
Jeeves programming model
How Jeeves works.
Theoretical guarantees.
Implementation & evaluation.
This Talk
How Jeeves works.
Handling policies with dependencies.1
Enforcing policies when state changes.
2
Challenges
Jean Yang / Jeeves 24
if == :
x += 1return x
x = 0
print { } print { }
1 0
Jeeves Execution Model
Runtime propagates values and policies.
Runtime solves for values to show based on policies and viewer.
21
Runtime simulates simultaneous multiple executions.
Jean Yang / Jeeves 25
Using Policies to Produce Outputs
print { }
0
( != ) ? 1 : 0policy( )
Jeeves uses policies to defacet appropriately.
1 0
def isNotCarol(oc): return oc !=
Jean Yang / Jeeves 26
print { }
( == ) ? : policy( )
def isMaybeCarol(oc): return oc ==
But What About Dependencies?
Possible solutions:
( == ) ? :
( == ) ? :
Jeeves runtime will pick the secret value if allowed.
Need to find a fixed point!
Jean Yang / Jeeves 27
Using Constraints to Handle Dependencies
Label Policy
a def isGuest(oc): return oc in .guests
in .guestspolicy( )
𝑎∈ {𝑠𝑒𝑐𝑟𝑒𝑡 ,𝑝𝑢𝑏𝑙𝑖𝑐 }print { }
𝑎=𝑠𝑒𝑐𝑟𝑒𝑡⇒ 𝑓𝑎𝑙𝑠𝑒¬(𝑎=𝑠𝑒𝑐𝑟𝑒𝑡 )
⊢⊢
0
1 0
a
• Constraints contain only Boolean variables.
• Always a consistent assignment.
Evaluated with respect to state at time of output.
Jean Yang / Jeeves 28
Handling Indirect Flowsif == :
a
x += 1
true false
aif :
x += 1
x = xold+1 xold
a
Labels follow values through all computations, including conditionals and assignments.
Jean Yang / Jeeves 29
Outputting to Sinks
Σ ,𝐸𝑜𝑐⇓∅ Σ𝑜𝑐 ,𝑉 𝑜𝑐
Σ𝑜𝑐 ,𝐸 𝑟⇓∅ Σ𝑟 ,𝑉 𝑟
)
Σ𝑟 ,(𝐸¿¿𝑝𝑉 𝑜𝑐)⇓∅ Σ𝑝 ,𝑉 𝑝¿pick𝑝𝑐such that 𝑝𝑐 (𝑉 𝑜𝑐 )=𝑜𝑐 ,𝑝𝑐 (𝑉 𝑟 )=𝑅 ,𝑝𝑐 (𝑉 𝑝 )=𝑡𝑟𝑢𝑒
Σ , print {𝐸𝑜𝑐 }𝐸𝑟⇓𝑉 𝑝 ,𝑜𝑐 :𝑅
Evaluate output context and expression to print.
Retrieve labels and policies.
Evaluate policies applied to the output context.
Defacet using satisfying policy
assignment.
Jeeves Runtime Semantics:
Σ , 𝑆⇓𝑉 𝑝 ,𝑜𝑐 :𝑅 Σ ,𝐸⇓𝑝𝑐 Σ′ ,𝑉Statement
evaluationExpression evaluation
Output context
ResultPolicies
Jean Yang / Jeeves 30
Background.
Jeeves programming model
How Jeeves works.
Theoretical guarantees.
Implementation & evaluation.
This Talk
Theoretical guarantees.
Proving enforcement with respect to our semantics.
2
Defining what it means to enforce policies.
1
Challenges
Jean Yang / Jeeves 31
Non-Interference
a
if == :
x += 1
print { }
0
0 1a
aif == :
x += 1
Jeeves Challenge: Compute labels from program—may have dependencies on secret values!
Secret values should not affect public output.
Jean Yang / Jeeves 32
a
if == :
x += 1
print { }
0
0 1a
aif == :
x += 1
Jeeves Theorem: All executions where a must be public produce equivalent outputs.
Jeeves Non-Interference and Policy Compliance
Can’t tell apart secret values that require a to be public.
Jean Yang / Jeeves 33
{ 𝑓 :𝑅|∃𝑉 .∅ ,𝑆1⇓𝑉 , 𝑓 :𝑅 }={ 𝑓 :𝑅∨∃𝑉 .∅ ,𝑆2⇓𝑉 , 𝑓 :𝑅 }
𝑆2=𝑝𝑟𝑖𝑛𝑡 {𝑒 }𝐶 [ ]𝑆1=𝑝𝑟𝑖𝑛𝑡 {𝑒 }𝐶 [ ]
Jeeves Policy Compliance Theorem
Suppose we have𝐸1𝐸𝑃
𝑎
Then the set of values evaluates to is equivalent to the set of values evaluates to.
Where must be public.
𝐸2𝐸𝑃
𝑎
Need to account for policies that depend on sensitive values!
Jean Yang / Jeeves 34
Background.
Jeeves programming model
How Jeeves works.
Theoretical guarantees.
Implementation & evaluation.
This Talk
Implementation and evaluation.
Adapting the approach for web applications.
1
Scaling the approach.2
Challenges
Jean Yang / Jeeves 35
Facets in the Application and Database
ApplicationQueries
select * from Userswhere location =
SQL Database
Application All data SQL Databaseselect * from Users
Database queries can leak information!
Impractical and potentially slow!
Solution: Facet the database. Implemented as an object-relational mapping supporting uniform facet representation.
Jean Yang / Jeeves 36
Jeeves runtime
Jacqueline Web Framework
Application
Frontend Database
@jeevesViewer
Propagate
policies.
Attach policies.
Defac
et
valu
es b
ased
on v
iewer
.
Programmer is responsible
Framework is responsible
Jean Yang / Jeeves 37
Django-like data schema for describing fields.
Policy for ‘location’ field.
Helper functions for policy include queries.
Public value for ‘location’ field.
Jean Yang / Jeeves 38
DEPLOYED
FOR PLOOC
2014!Conference
management systemCourse manager Medical records
(HIPAA)
Implemented in Jeeves
Questions1.How does faceted execution scale?2.How does faceting the database affect
queries?
Jean Yang / Jeeves 39
Demo
Jean Yang / Jeeves 40
CMS Running Times
Database size does not affect query speed.
Showing sensitive data grows linearly.
0 100 200 300 400 5000
0.050.1
0.150.2
0.25
Show Single Paper
512 users 1024 users
Number of papers in DB
Tim
e to
load
pag
e (s
)
0 100 200 300 400 5000
1020304050
Show All Papers
512 users 1024 users
Number of papers in DB
Tim
e to
load
pag
e(s)
Tests from Amazon AWS machine via HTTP requests from another machine.
Jean Yang / Jeeves 41
Evaluation Lessons
• Faceted execution is expensive.• Policy-agnostic programming
does not always need faceted execution.
• Many opportunities for optimization in web frameworks.
Jean Yang / Jeeves 42
Policy-Agnostic Programming in Jeeves
Design of a policy-agnostic programming
language[POPL ‘12]
Semantics and guarantees[PLAS ’13]
Implementation, web framework, and case studies[in submission]
==
Other functionality
PoliciesSensitive
values
Jean Yang / Jeeves 43
F*: type-checking security properties.[ICFP ’11; JFP ‘13]
Ask Reeves: verified privacy policies.[patent filed]
Verified
Type-checked
Verve: a provablytype-safe OS.
[PLDI ’10 (Best Paper);CACM ‘10]
My Interests inProvable Guarantees
Lessons• Difficult to write secure and private programs.• Even more difficult to prove them correct.• Easier if we can get privacy by construction.
Jean Yang / Jeeves 44
The Future of Policy-Agnostic Programming
• Factor out policies from other code.• Rely on compiler and runtime to
differentiate behavior.
Jean Yang / Jeeves 45
• Programmability.– Languages for different kinds of policies.– Tools for verifying and visualizing policies.
• Scaling.– Policy-agnostic semantics with minimal faceting.– Building foundations with policy management in mind.
Making Policy-Agnostic Programming Work
Web frameworks
Databases Web browsers
Jean Yang / Jeeves 46
Parting Thoughts
By reducing opportunity for
programmer error, we can
eliminate whole classes of
privacy leaks.