New Approaches to Mobile Code


Containment and Integrity for Mobile Code
End-to-end security, untrusted hosts
Andrew Myers, Fred Schneider
Department of Computer Science, Cornell University, Ithaca NY 14853

Research directions
• End-to-end security by program rewriting
• In-lined reference monitors
• Asynchronous proactive secret sharing
• Gossip protocols
• Mobile code integrity:
  – NAP protocols (primary-backup revisited)
  – Cryptographic-based privilege management
18 July 00
End-to-end security, untrusted hosts — Andrew Myers

Protecting confidentiality
• Historically: privacy protection largely a military concern (confidentiality, secrecy)
  [Figure: classification lattice — top secret / secret / classified / unclassified]
• Future: many commercial, end-user needs
• Assurance for shared information services
  – on-line shopping, e-mail and home page services
• Programs with access to private information
  – spreadsheets, Quicken, word processors, ...
• Military, commercial privacy needs converging?

Privacy vs complexity
• Problem: complex systems, untrusted parts
  – both distributed and single-host computation
• Harder to protect confidential information

Example: airplane design
             Boeing                                   Air Force
Hosts        Boeing                                   Air Force
Data         marketing plans, aircraft designs,       military secrets,
             other customers' info                    other suppliers' info
Programs     CAD, aircraft simulations                war simulations, cost projections

Policies vs. Mechanisms
[Figure: principals A and B, users U, information I]
• Problem: policy/mechanism mismatch
  – Conventional mechanisms (e.g., access control): control whether A is allowed to transmit to B
  – Privacy policy: information I can only be obtained by users U (no matter how it is transformed)
  – Access control is point-to-point; policy is end-to-end
• How to map privacy policy onto a mechanism? (we already do this by hand!)

Mechanisms
• Discretionary access control: doesn't control propagation
  [Figure: A → ... → B]
• Mandatory access control: expensive, restrictive
  [Figure: A → B, both labelled L; lattice top secret / secret / classified / unclassified]

Static analysis of information flow
• Idea: add privacy policies as annotations to programs (types): e.g., JIF language (Java Information Flow)
    int {L} x; // L is an end-to-end privacy policy
• JIF: security-typed language
• Uses decentralized label model

Static information flow
• Type-check information flow statically
  – efficient
  – validates all possible run-time information flows: more precise, less restrictive
  – allows modular composition
  – hybrid dynamic/static schemes possible

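To make the static checking idea concrete, here is an added example (not JIF's own implementation, and not from this deck) of a toy information-flow type checker. It reads JIF-style declarations of the form `int {L} x;`, treats the four classification levels from the slides as a linear label lattice (a constructed simplification of JIF's decentralized label model), and rejects any assignment whose expression label does not flow to the target's label. It also tracks a program-counter label so that writing a public variable inside a branch on secret data is rejected as an implicit flow. The mini-AST (`assign`/`if` tuples), the `parse_decls` and `check` functions and the sample program are all assumptions of this example.

```python
"""Toy static information-flow checker in the spirit of JIF security types.

Added example, not JIF's implementation. Labels are the four classification
levels from the slides, arranged as a constructed linear lattice; the checking
principle is the same as in a security-typed language: data may only flow to
a variable whose label is at least as restrictive as the data's label.
"""
import re
from typing import Dict, List, Sequence, Tuple

# Constructed lattice, least restrictive first.
LEVELS = ["unclassified", "classified", "secret", "top secret"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


def join(a: str, b: str) -> str:
    """Least upper bound: a value computed from a and b is as restrictive as the higher one."""
    return a if RANK[a] >= RANK[b] else b


def flows_to(src: str, dst: str) -> bool:
    """src-labelled data may be stored in a dst-labelled variable only if dst is at least as restrictive."""
    return RANK[src] <= RANK[dst]


# JIF-style declaration:  int {L} x;   (L is an end-to-end privacy policy)
DECL_RE = re.compile(r"^\s*int\s*\{([^}]+)\}\s*(\w+)\s*;")


def parse_decls(source: str) -> Dict[str, str]:
    """Collect variable labels from 'int {L} x;' lines."""
    decls: Dict[str, str] = {}
    for line in source.splitlines():
        m = DECL_RE.match(line)
        if m:
            label = m.group(1).strip()
            if label not in RANK:
                raise ValueError(f"unknown label {label!r}")
            decls[m.group(2)] = label
    return decls


# Hypothetical mini-AST (not JIF syntax):
#   ("assign", target, [source_vars])          target := f(sources)
#   ("if", [cond_vars], then_block, else_block)
Stmt = Tuple


def check(decls: Dict[str, str], stmts: Sequence[Stmt], pc: str = "unclassified") -> List[str]:
    """Return a list of flow violations; an empty list means the program type-checks.

    `pc` is the program-counter label: inside a branch on secret data every
    assignment is tainted by that secret, which is what catches implicit flows.
    """
    errors: List[str] = []
    for stmt in stmts:
        if stmt[0] == "assign":
            _, target, sources = stmt
            expr_label = pc
            for src in sources:
                expr_label = join(expr_label, decls[src])
            if not flows_to(expr_label, decls[target]):
                errors.append(f"{target} {{{decls[target]}}} receives {expr_label} data (pc={pc})")
        elif stmt[0] == "if":
            _, cond_vars, then_block, else_block = stmt
            branch_pc = pc
            for cv in cond_vars:
                branch_pc = join(branch_pc, decls[cv])
            errors += check(decls, then_block, branch_pc)
            errors += check(decls, else_block, branch_pc)
        else:
            raise ValueError(f"unknown statement {stmt[0]!r}")
    return errors


# Constructed sample declarations and programs.
DECLS = parse_decls("""
int {unclassified} public_total;
int {secret} salary;
int {secret} bonus;
int {top secret} budget;
""")

SAFE = [("assign", "budget", ["salary", "bonus"])]         # secret -> top secret: allowed
EXPLICIT_LEAK = [("assign", "public_total", ["salary"])]   # secret -> unclassified: rejected
IMPLICIT_LEAK = [("if", ["budget"],                        # branch on top secret data ...
                  [("assign", "public_total", [])], [])]   # ... then write a public variable: rejected

if __name__ == "__main__":
    for name, prog in [("safe", SAFE), ("explicit", EXPLICIT_LEAK), ("implicit", IMPLICIT_LEAK)]:
        print(name, check(DECLS, prog) or "ok")
```

The check is purely static: it never runs the program, yet it rules on every possible execution path, which is the "validates all possible run-time information flows" point above. Declassification, method calls and JIF's owner/reader labels are deliberately left out.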
Compiler architecture
• Source-to-source translator (JIF → Java)
• Mostly just removes annotations
[Figure: JIF program (label annotations) → JIF compiler → Java source (label annotations) → Java compiler → class file / bytecode (label annotations)]

Single-machine model
[Figure: Source → JIF compiler (trusted) → Bytecode → Host (trusted) → Executing program]

Airplane design
             Boeing                                   Air Force
Hosts        Boeing                                   Air Force
Data         marketing plans, aircraft designs,       military secrets,
             other customers' info                    other suppliers' info
Programs     CAD, aircraft simulations                war simulations, cost projections

Avoiding trusted compiler
• Java trick: substitute trusted verifier for compiler
• Need expressive security type system for intermediate / assembly code
[Figure: Source → JIF compiler → Bytecode → verifier (trusted) → Host → Executing program (trusted)]

Avoiding trusted hosts
• Security invariant: host distrusted by principal p should not see p's confidential data
• Problem: multi-party computation may involve confidential data from several parties
• Run only on completely trusted hosts?
  – expensive
  – bottleneck
• Computation across available hosts

Secure program partitioning
• New approach to secure distributed systems
• Write programs without explicit code locations or inter-host communication
• Automatically transform code to run securely on current hosts
[Figure: source → compiler → intermediate code → splitter (with authenticated trust declarations) → code partitions → Hosts]

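The splitter stage of the pipeline above, as an added example that is not the project's own code: given trust declarations (which hosts each principal trusts) and fields labelled with the principals whose confidentiality they protect, it places every field and statement on a host trusted by all principals involved, records the inter-host messages the placement needs, and refuses to partition when no host is trusted enough. It enforces the security invariant from the previous slide (a host distrusted by p never receives p's data) directly in code. The principals, hosts, field labels, program, and the `partition` and `trusted_hosts` functions are constructed assumptions; the real splitter also handles integrity, control flow and performance, none of which is modelled here.

```python
"""Toy splitter for secure program partitioning.

Added example, not the project's splitter. Labels are sets of principals whose
confidentiality a field protects; trust declarations map each principal to the
hosts it trusts. A statement is assumed to have already passed the static
information-flow check, so the splitter only decides *where* it runs.
"""
from typing import Dict, List, Sequence, Set, Tuple

Stmt = Tuple[str, str, List[str]]  # ("assign", target_field, [source_fields])


def trusted_hosts(principals: Set[str], trust: Dict[str, Set[str]]) -> Set[str]:
    """Hosts trusted by *every* principal whose confidential data is involved."""
    hosts = None
    for p in principals:
        hosts = set(trust[p]) if hosts is None else hosts & trust[p]
    return hosts or set()


def place(principals: Set[str], trust: Dict[str, Set[str]], what: str) -> str:
    """Pick a host all involved principals trust; fail closed when none exists."""
    candidates = trusted_hosts(principals, trust)
    if not candidates:
        raise ValueError(f"no host is trusted by all of {sorted(principals)} for {what}")
    return min(candidates)  # deterministic choice; a real splitter would also optimise for locality


def partition(trust: Dict[str, Set[str]], fields: Dict[str, Set[str]],
              program: Sequence[Stmt]) -> Dict[str, object]:
    """Assign fields and statements to hosts and list the messages between hosts."""
    field_host = {f: place(owners, trust, f"field {f}") for f, owners in fields.items()}
    placed: List[Tuple[str, Stmt]] = []
    messages: List[Tuple[str, str, str]] = []  # (from_host, to_host, field)
    for stmt in program:
        kind, target, sources = stmt
        if kind != "assign":
            raise ValueError(f"unknown statement {kind!r}")
        # Every principal whose data the statement touches must trust its host.
        involved = set(fields[target]).union(*(fields[s] for s in sources))
        host = place(involved, trust, f"statement {stmt}")
        placed.append((host, stmt))
        for s in sources:
            if field_host[s] != host:
                # Security invariant from the slides: the receiving host is trusted
                # by every principal whose data the field protects.
                assert all(host in trust[p] for p in fields[s])
                messages.append((field_host[s], host, s))
        if field_host[target] != host:
            messages.append((host, field_host[target], target))
    return {"fields": field_host, "statements": placed, "messages": messages}


def partition_fails(trust, fields, program) -> bool:
    """True when the trust declarations leave some data with no acceptable host."""
    try:
        partition(trust, fields, program)
        return False
    except ValueError:
        return True


# Constructed sample: two principals from the airplane-design example and a
# third host that both of them trust.
TRUST = {
    "Boeing": {"boeing-host", "shared-host"},
    "AirForce": {"af-host", "shared-host"},
}
FIELDS = {
    "aircraft_design": {"Boeing"},
    "war_plan": {"AirForce"},
    "cost_projection": {"Boeing", "AirForce"},  # derived from both parties' data
}
PROGRAM = [
    ("assign", "cost_projection", ["aircraft_design", "war_plan"]),
    ("assign", "aircraft_design", ["aircraft_design"]),
]

if __name__ == "__main__":
    plan = partition(TRUST, FIELDS, PROGRAM)
    for key, value in plan.items():
        print(key, value)
    print("without shared host:", partition_fails(
        {"Boeing": {"boeing-host"}, "AirForce": {"af-host"}}, FIELDS, PROGRAM))
```

With the sample data, the joint computation lands on `shared-host` and the two single-party fields stay on their owners' hosts, so the only messages are the two inputs sent to the shared host. Removing `shared-host` from both trust declarations makes `partition` raise, which is the "run only on completely trusted hosts" bottleneck in miniature: no partition exists until some host is trusted by both parties.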
Caveats
• Programs annotated with security information
  – but: annotations are types
• Communication model: inter-host messages cannot be intercepted, damaged
  – but: private-key encryption can be used
• Some covert channels (e.g., timing) still exist

Status
• New, expressive intermediate language with support for security types, program transformations
  – Next: security-typed assembly language
  – verifier
• Rewrite rules for automatic program partitioning across hosts
  – Next: optimizing transformations for performance
  – partitioning back end for JIF compiler
  – partitioning verifier
• Core technology is in place

Conclusions
• Decentralized enforcement of end-to-end security policies appears surprisingly feasible
• Application: assurance for distributed services
• Other project research directions:
  – In-lined reference monitors
  – Asynchronous proactive secret sharing
  – Gossip protocols
  – Mobile code integrity