Date post: 14-Aug-2015
Jean Yang / Jeeves 2
Data, Data Everywhere
• Wearable devices
• Social media
• Electronic health records
• Online courses
All Kinds of People Are Writing All Kinds of Code
(Chart: open source lines of code)
• Journalists
• Medical researchers
• Social scientists
• Children
Why Aren’t Existing Approaches Enough?
Exploit, then patch: but this leaves system builders a step behind.
Defensive protection, encrypting data: but people are still showing the data wrong.
My Approach: Privacy by Construction
Factor out security and privacy to reduce opportunity for leaks.
• Programmer specifies high-level policies about how sensitive data can be used.
• Rest of program is policy-agnostic.
• System manages policies automatically.
Even Seemingly Simple Policies Have Subtleties
(Diagram: the same event as shown to three kinds of viewer)
Guests: Surprise party for Carol at Chuck E. Cheese.
Carol: Pizza with Alice/Bob.
Strangers: Private event at Chuck E. Cheese.
Policy: Must be guest.
Policy: Only visible to hosts until finalized.
Problem: Policies can depend on sensitive values and other policies.
Enforcing Policies Can Leak Information!
(Diagram: the surprise party at Chuck E. Cheese as seen by guests, before and after the guest list is finalized)
Policy: Only visible to hosts until finalized.
Policy: Must be guest.
Guest list not yet finalized: guests can’t see event. Guest list finalized: guests can see event.
• Subtle mistake: check for policy 1 neglects dependency on policy 2.
• Problem arises when programmers are trusted to get dependencies right.
Policies Are Intertwined Across the Code
Example query: “What is the most popular location among friends 7pm Tuesday?”
Update to event subscribers.
Problem:
• Track information flow through derived values.
• Track where derived values flow.
“Policy Spaghetti” in Real Systems
Code from HotCRP conference management system. Highlighted: conditional permissions checks everywhere.
Automatic Enforcement with Jeeves
The well-intentioned programmer writes the same code no matter what the policies are.
Programming model provides mathematical guarantees.
Implementation strategy is practically feasible.
Jeeves Factors Out Policies
• Centralized policies.
• Policy-agnostic program.
• Runtime differentiates behavior.
(Diagram: Model / View / Controller)
Policy-Agnostic Programming in Jeeves
Application code: separate from policies.
Policies: sensitive values encapsulate multiple behaviors. Policies describe rules for how values may flow to output contexts.
Jeeves Supports Expressive Policies
Output context can be of arbitrary type.
def isNotCarol(oc): return oc !=
def isGuest(oc): return oc in .guests
(The value compared against and the object whose .guests field is read were drawn as sensitive-value graphics on the slide and are not recoverable from the text.)
A policy is an arbitrary function that takes the output context and returns a Boolean value.
Policies can depend on sensitive values.
Jeeves Programming Model
(Diagram: a sensitive value with true/false facets, compared with ==, printed to two output contexts)
• Programmer writes policy-agnostic programs.
• Runtime propagates values and policies.
• Runtime produces differentiated output based on the viewer.
• Programmer specifies policies and facets.
The Jeeves Programming Model
• Well-defined runtime semantics for policy-agnostic programming with information flow policies.
• Can be implemented standalone or embedded as a library.
• Has been adapted across runtimes in web frameworks.
Jeeves Execution Model
Example program: x = 0; if the sensitive value equals the compared value, x += 1; return x. The compared values were drawn as sensitive-value graphics on the slide. Printed to two output contexts, the result is 1 for one viewer and 0 for the other.
Runtime propagates values and policies.
Runtime solves for values to show based on policies and viewer.
Runtime simulates simultaneous multiple executions.
Using Policies to Produce Outputs
def isNotCarol(oc): return oc !=
(The value compared against was drawn as a sensitive-value graphic on the slide.)
Printing the faceted result ⟨1 | 0⟩ evaluates policy(output context) and selects ( != ) ? 1 : 0, so the viewer sees 1 or 0.
Jeeves uses policies to defacet appropriately.
But What About Dependencies?
def isMaybeCarol(oc): return oc ==
(The value compared against was drawn as a sensitive-value graphic on the slide.)
Here the policy itself compares against a sensitive value, so printing evaluates ( == ) ? secret : public where the condition depends on the facet being chosen.
Possible solutions: resolve the condition with the secret facet, or with the public facet. The Jeeves runtime will pick the secret value if allowed.
Need to find a fixed point!
Using Constraints to Handle Dependencies
Label a, with policy: def isGuest(oc): return oc in .guests
Printing a value labelled a generates constraints over the label:
$a \in \{\mathit{secret}, \mathit{public}\}$
$a = \mathit{secret} \Rightarrow \mathit{false}$ (the policy oc in .guests evaluates to false for this viewer)
$\vdash \neg(a = \mathit{secret})$
so the public facet, 0, is shown rather than the secret facet, 1.
• Constraints contain only Boolean variables.
• Always a consistent assignment.
Evaluated with respect to state at time of output.
Tracking Policies Through Execution
if (sensitive value labelled a) == (other value): x += 1
becomes, after the comparison is resolved to a faceted Boolean ⟨true | false⟩ labelled a:
if a: x += 1
so x becomes the faceted value ⟨x_old + 1 | x_old⟩, labelled a.
Labels follow values through all computations, including conditionals and assignments.
Policy compliance guaranteed.
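The dependency handling of the two preceding slides (isGuest reading a guest list that is itself policy-guarded, resolved by searching for a consistent label assignment with the secret side preferred) and the tracking of labels through computations, as an added illustration in plain Python. This is not code from the Jeeves library or the talk; the Facet class, fmap, project, defacet and the surprise-party scenario in render_event are all constructed here.

```python
from itertools import product

class Facet:
    """A sensitive value <secret | public> guarded by a named label."""
    def __init__(self, label, secret, public):
        self.label, self.secret, self.public = label, secret, public

def fmap(f, v):
    """Apply f underneath facets, so computations on sensitive values stay faceted."""
    if isinstance(v, Facet):
        return Facet(v.label, fmap(f, v.secret), fmap(f, v.public))
    return f(v)

def project(v, show):
    """Collapse facets using show[label] (True = reveal the secret side)."""
    while isinstance(v, Facet):
        v = v.secret if show[v.label] else v.public
    return v

def defacet(v, policies, viewer):
    """Search for the most permissive consistent label assignment: every label
    shown as secret must have its policy true for this viewer, with the policy
    itself evaluated under the same assignment (the fixed point from the slides).
    Secret is tried first, so the secret side is shown whenever it is allowed."""
    labels = sorted(policies)
    for choice in product([True, False], repeat=len(labels)):
        show = dict(zip(labels, choice))
        if all(project(policies[l](viewer), show) for l in labels if show[l]):
            return project(v, show)
    # unreachable: the all-public assignment is always consistent

# Constructed scenario based on the surprise-party slides (not the Jeeves code base).
# Label glist guards the guest list (hosts only until finalized); label desc guards
# the description (guests only), and its policy reads the faceted guest list.
def render_event(viewer, finalized):
    host = "alice"
    guests = Facet("glist", ["alice", "bob"], [])
    desc = Facet("desc", "Surprise party for Carol at Chuck E. Cheese.",
                 "Private event at Chuck E. Cheese.")
    policies = {
        "glist": lambda oc: finalized or oc == host,
        "desc": lambda oc: fmap(lambda g: oc in g, guests),  # faceted Boolean
    }
    return defacet(desc, policies, viewer)

if __name__ == "__main__":
    for viewer in ("alice", "bob", "carol"):
        print(viewer, "before finalizing:", render_event(viewer, False))
        print(viewer, "after finalizing: ", render_event(viewer, True))
```

Before the guest list is finalized, the guest Bob sees only the public description because the membership check is forced to run against the public (empty) guest list, which is exactly the dependency a hand-written isGuest check against the raw list would get wrong.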
Target Domain: Database-Backed Web Applications
Web server code: the application queries the database.
Facets in the Application and Database
Option 1: the application sends queries such as select * from Users where location = (sensitive value) to the SQL database. Database queries can leak information!
Option 2: the application fetches all data with select * from Users and works on it locally. Impractical and potentially slow!
Solution: Use object-relational mapping to facet the database. Map facets onto a non-faceted relational database.
Jacqueline Web Framework
(Diagram: application with @jeevesViewer, Jeeves runtime, frontend, database)
Programmer is responsible: attach policies.
Framework is responsible: propagate policies; defacet values based on policies and viewer.
(Code shown on the slide, annotated:)
• Django-like data schema for describing fields.
• Policy for ‘location’ field.
• Helper functions for policy include queries.
• Public value for ‘location’ field.
Implemented in Jacqueline
• Conference management system (DEPLOYED FOR PLOOC 2014!)
• Course manager
• Health record manager (based on representative HIPAA fragment)
Compare to Django.
CMS Running Times
Tests from Amazon AWS machine via HTTP requests from another machine.
(Plots: time to show page (s) against papers in database, 0 to 1000, for Jacqueline and Django. Left panel “Single paper”, y-axis 0 to 0.2 s; right panel “All Papers”, y-axis 0 to 12 s.)
Policy-Agnostic Programming in Jeeves
• Design of a policy-agnostic programming language [POPL ’12]
• Semantics and guarantees [PLAS ’13]
• Web framework and case studies [in submission]
(Diagram: sensitive values, policies, and other functionality)
Jeeves Team
(Groups on the slide: core team; Python/DB; language evaluation and case studies; semantics; Scala.)
Jean Yang, Armando Solar-Lezama, Thomas Austin, Cormac Flanagan, Travis Hance, Benjamin Shaibu, Pat Long & Jesse Klimov, Lena Abdalla, Amadu Durham, Ariel Jacobs, Kuat Yessenov
Applying Policy-Agnostic Ideas at Home
1. Associate policies with data.
2. Make rest of program aware of data’s policies.
It pays to think about policy enforcement systematically: you can get end-to-end guarantees, often with negligible overheads! Works not just for security and privacy, but also for other customization!