Preventing Information Leaks with Jeeves Jean Yang, MIT April 8, 2015.

Preventing Information Leaks

with Jeeves

Jean Yang, MITApril 8, 2015

Jean Yang / Jeeves 2

Wearable devices

Data, Data Everywhere

Social media

Electronic health records

Online courses


All Kinds of People Are Writing All Kinds of

CodeOpen source lines of code

Journalists

Medical researchers

Social scientists

Children


Even Trained Developers Leak

Information


Why Aren’t Existing Approaches Enough?

Exploit

Patch

But leaves system builders a step

behind.

Defensive protection

But people are still showing the data

wrong.

Encrypting Data


My Approach:Privacy by Construction

Factor out privacy to reduce opportunity for leaks.

• Programmer specifies high-level policies about how sensitive data can be used.

• Rest of program is policy-agnostic.• System manages policies automatically.


Social Calendar Example

Alice and Bob throw a surprise party for Carol.


Even Seemingly Simple Policies Have Subtleties

Guests Carol Strangers

Surprise party for Carol at

Chuck E. Cheese.

Pizza with Alice/Bob.

Private event at Chuck E.

Cheese.

Policy: Must be guest. Policies can depend on sensitive values and other policies.Policy: Only visible to

hosts until finalized.

Problem:


Enforcing Policies Can Leak Information!

Guests

Surprise party at

Chuck E. Cheese.

Policy: Only visible to hosts until finalized.

Policy: Must be guest.

Guest list finalized

Guests can’t see event

Guests can see event

• Subtle mistake: check for policy 1 neglects dependency on policy 2.

• Problem arises when programmers trusted to get dependencies right.

1

2


Policies Are Intertwined Across the Code

“What is the most popular location among friends 7pm Tuesday?”

Update to event

subscribers

• Track information flow through derived values.• Track where derived values flow.

Problem:


“Policy Spaghetti”in Real Systems

Code from HotCRP

conference management

system

Highlighted: conditional permissions checks everywhere.


Programming model.

Mathematical guarantees.

Implementations, web framework,

and case studies.

Automatic Enforcement with Jeeves

The well-intentioned programmer writes same code no matter what

policies are.


Jeeves Factors Out Policies

• Centralized policies.• Policy-agnostic

program.• Runtime differentiates

behavior.

Model View Controller


Background.

Jeeves programming model.

How Jeeves works.

Theoretical guarantees.

Implementation & evaluation.

This Talk

[PLAS ’13]

[PLAS ’13]

[draft]

[POPL ’12]

Background.


1. Specifying policies.

2. Specifying differentiated behavior.

3. Factoring out policies from other code.

4. Enforcing policies that depend on sensitive values.

Automatically Managing Information Flow

Only Jeeves supports 3 and 4.

Jeeves supports more expressive policies

than prior work.


Information flow controls check that only allowed flows occur [HiStar, Flume, Resin, LIO/Hails, Jif/Sif, flow locks, F*, and more].

Related Work:

Checking Information Flow

==

true

==

false

if viewer == : elif viewer != :

error

Programmer tags data.

System prevents leaks by raising error.

Must explicitly define and tag alternate behavior.

My previous work.


==

Multi-execution approaches differentiate behavior based on viewer [secure multi-execution (Devriese et al); faceted execution (Austin and Flanagan)].

true false

Computing with Multiple Values

Related Work:

Must encode policies as tags.• “Policy

spaghetti.”• Policies can

leak information.


Background.

Jeeves programming model

How Jeeves works.



This Talk

Jeeves programming model.

Supporting expressive policies that can depend on sensitive values.

2

Factoring out information flow.

1

Challenges


Policy-Agnostic Programming in Jeeves

Application CodeSeparate from policies.

policiesSensitive values encapsulate multiple behaviors.

Policies describe rules for how values may flow to output contexts.


.guests [ ]

Jeeves Supports Expressive Policies

def isNotCarol(oc): return oc !=Output context can be of arbitrary type.

def isGuest(oc): return oc in .guests

A policy is an arbitrary function that takes the output context and returns a Boolean value.

Policies can depend on sensitive values.


==

true false

print { } print { }

true false

Jeeves Programming Model

Programmer writes policy-agnostic programs.

Runtime propagates values and policies.

Runtime produces differentiated output based on the viewer.

Programmer specifies policies and facets.

1 2

4

3


The Jeeves Programming Model

• Well-defined runtime semantics for policy-agnostic programming with information flow policies.

• Can be implemented standalone or embedded as a library.

• Has been adapted across runtimes in web frameworks.


Background.


How Jeeves works.



This Talk

How Jeeves works.

Handling policies with dependencies.1

Enforcing policies when state changes.

2

Challenges


if == :

x += 1return x

x = 0

print { } print { }

1 0

Jeeves Execution Model

Runtime propagates values and policies.

Runtime solves for values to show based on policies and viewer.

21

Runtime simulates simultaneous multiple executions.


Using Policies to Produce Outputs

print { }

0

( != ) ? 1 : 0policy( )

Jeeves uses policies to defacet appropriately.

1 0

def isNotCarol(oc): return oc !=


print { }

( == ) ? : policy( )

def isMaybeCarol(oc): return oc ==

But What About Dependencies?

Possible solutions:

( == ) ? :

( == ) ? :

Jeeves runtime will pick the secret value if allowed.

Need to find a fixed point!


Using Constraints to Handle Dependencies

Label Policy

a def isGuest(oc): return oc in .guests

in .guestspolicy( )

𝑎∈ {𝑠𝑒𝑐𝑟𝑒𝑡 ,𝑝𝑢𝑏𝑙𝑖𝑐 }print { }

𝑎=𝑠𝑒𝑐𝑟𝑒𝑡⇒ 𝑓𝑎𝑙𝑠𝑒¬(𝑎=𝑠𝑒𝑐𝑟𝑒𝑡 )

⊢⊢

0

1 0

a

• Constraints contain only Boolean variables.

• Always a consistent assignment.

Evaluated with respect to state at time of output.


Handling Indirect Flowsif == :

a

x += 1

true false

aif :

x += 1

x = xold+1 xold

a

Labels follow values through all computations, including conditionals and assignments.


Outputting to Sinks

Σ ,𝐸𝑜𝑐⇓∅ Σ𝑜𝑐 ,𝑉 𝑜𝑐

Σ𝑜𝑐 ,𝐸 𝑟⇓∅ Σ𝑟 ,𝑉 𝑟

)

Σ𝑟 ,(𝐸¿¿𝑝𝑉 𝑜𝑐)⇓∅ Σ𝑝 ,𝑉 𝑝¿pick𝑝𝑐such that 𝑝𝑐 (𝑉 𝑜𝑐 )=𝑜𝑐 ,𝑝𝑐 (𝑉 𝑟 )=𝑅 ,𝑝𝑐 (𝑉 𝑝 )=𝑡𝑟𝑢𝑒

Σ , print {𝐸𝑜𝑐 }𝐸𝑟⇓𝑉 𝑝 ,𝑜𝑐 :𝑅

Evaluate output context and expression to print.

Retrieve labels and policies.

Evaluate policies applied to the output context.

Defacet using satisfying policy

assignment.

Jeeves Runtime Semantics:

Σ , 𝑆⇓𝑉 𝑝 ,𝑜𝑐 :𝑅 Σ ,𝐸⇓𝑝𝑐 Σ′ ,𝑉Statement

evaluationExpression evaluation

Output context

ResultPolicies


Background.


How Jeeves works.



This Talk


Proving enforcement with respect to our semantics.

2

Defining what it means to enforce policies.

1

Challenges


Non-Interference

a

if == :

x += 1

print { }

0

0 1a

aif == :

x += 1

Jeeves Challenge: Compute labels from program—may have dependencies on secret values!

Secret values should not affect public output.


a

if == :

x += 1

print { }

0

0 1a

aif == :

x += 1

Jeeves Theorem: All executions where a must be public produce equivalent outputs.

Jeeves Non-Interference and Policy Compliance

Can’t tell apart secret values that require a to be public.


{ 𝑓 :𝑅|∃𝑉 .∅ ,𝑆1⇓𝑉 , 𝑓 :𝑅 }={ 𝑓 :𝑅∨∃𝑉 .∅ ,𝑆2⇓𝑉 , 𝑓 :𝑅 }

𝑆2=𝑝𝑟𝑖𝑛𝑡 {𝑒 }𝐶 [ ]𝑆1=𝑝𝑟𝑖𝑛𝑡 {𝑒 }𝐶 [ ]

Jeeves Policy Compliance Theorem

Suppose we have𝐸1𝐸𝑃

𝑎

Then the set of values evaluates to is equivalent to the set of values evaluates to.

Where must be public.

𝐸2𝐸𝑃

𝑎

Need to account for policies that depend on sensitive values!


Background.


How Jeeves works.



This Talk

Implementation and evaluation.

Adapting the approach for web applications.

1

Scaling the approach.2

Challenges


Facets in the Application and Database

ApplicationQueries

select * from Userswhere location =

SQL Database

Application All data SQL Databaseselect * from Users

Database queries can leak information!

Impractical and potentially slow!

Solution: Facet the database. Implemented as an object-relational mapping supporting uniform facet representation.


Jeeves runtime

Jacqueline Web Framework

Application

Frontend Database

@jeevesViewer

Propagate

policies.

Attach policies.

Defac

et

valu

es b

ased

on v

iewer

.

Programmer is responsible

Framework is responsible


Django-like data schema for describing fields.

Policy for ‘location’ field.

Helper functions for policy include queries.

Public value for ‘location’ field.


DEPLOYED

FOR PLOOC

2014!Conference

management systemCourse manager Medical records

(HIPAA)

Implemented in Jeeves

Questions1.How does faceted execution scale?2.How does faceting the database affect

queries?


Demo


CMS Running Times

Database size does not affect query speed.

Showing sensitive data grows linearly.

0 100 200 300 400 5000

0.050.1

0.150.2

0.25

Show Single Paper

512 users 1024 users

Number of papers in DB

Tim

e to

load

pag

e (s

)

0 100 200 300 400 5000

1020304050

Show All Papers

512 users 1024 users

Number of papers in DB

Tim

e to

load

pag

e(s)

Tests from Amazon AWS machine via HTTP requests from another machine.


Evaluation Lessons

• Faceted execution is expensive.• Policy-agnostic programming

does not always need faceted execution.

• Many opportunities for optimization in web frameworks.


Policy-Agnostic Programming in Jeeves

Design of a policy-agnostic programming

language[POPL ‘12]

Semantics and guarantees[PLAS ’13]

Implementation, web framework, and case studies[in submission]

==

Other functionality

PoliciesSensitive

values


F*: type-checking security properties.[ICFP ’11; JFP ‘13]

Ask Reeves: verified privacy policies.[patent filed]

Verified

Type-checked

Verve: a provablytype-safe OS.

[PLDI ’10 (Best Paper);CACM ‘10]

My Interests inProvable Guarantees

Lessons• Difficult to write secure and private programs.• Even more difficult to prove them correct.• Easier if we can get privacy by construction.


The Future of Policy-Agnostic Programming

• Factor out policies from other code.• Rely on compiler and runtime to

differentiate behavior.


• Programmability.– Languages for different kinds of policies.– Tools for verifying and visualizing policies.

• Scaling.– Policy-agnostic semantics with minimal faceting.– Building foundations with policy management in mind.

Making Policy-Agnostic Programming Work

Web frameworks

Databases Web browsers


Parting Thoughts

By reducing opportunity for

programmer error, we can

eliminate whole classes of

privacy leaks.

Preventing Information Leaks with Jeeves Jean Yang, MIT April 8, 2015.

Documents

Transcript of Preventing Information Leaks with Jeeves Jean Yang, MIT April 8, 2015.