Enforcing the confidentiality and integrity of information is critical in distributed applications. Production systems typically use some form of authorization mechanism to protect information, but these mechanisms do not typically provide end-to-end information security guarantees. Information flow control mechanisms provide end-to-end security, but their guarantees break down when trust relationships may change dynamically, a common scenario in production environments. This dissertation presents flow-limited authorization, a new foundation for enforcing information security. Flow-limited authorization is an approach to authorization in that it can be used to reason about whether a principal is permitted to perform an action. It is an approach to information flow control in that it can be used to reason about whether a flow of information is secure.This dissertation presents the theoretical foundation of this approach, the FlowLimited Authorization Model (FLAM). FLAM uses a novel principal algebra that unifies authority and information flow policies and a logic for making secure authorization and information flow decisions. This logic ensures that such decisions cannot be influenced by attackers or leak confidential information.We embed the FLAM logic in a core programming model, the Flow-Limited Authorization Calculus (FLAC). FLAC programs selectively enable flows of information; the type system ensures that attackers cannot create unauthorized flows. A well-typed FLAC not only ensures proper authorization, but also secure information flow.The FLAC approach to secure programming is instantiated in FLAME, a library and to measure them, and how to build better abstractions based on them. Gün Sirer sparked my interest in decentralized systems and instilled in me an appreciation of clean, readable code. Fred Schneider reminds me that it is our job to explain, not our reader's job to understand; he has helped bring more clarity to many ideas in this dissertation.The graduate students at Cornell have also been a vital part of my time here. Cornell Ph.D. students excel at self-organization, and because of that I have never lacked for an opportunity to play frisbee, to "play" hockey, or to socialize with other graduate students. Aaron Rosenberg, from the English department, kept me sane with frequent squash games, along with good converstation about being old students and new dads. They are all both funny and intelligent, and it was a great pleasure bouncing ideas off of them, talking about topics from type theory to effective doorstop mechanisms, and reacting to the foul balls from the baseball field that occasionally hit our window.The students of the Applied Programming Languages group have been great col- There are also many people without whom I would likely not have made it to Cornell in the first place. My parents, Jamie and Celia Barnett, constantly supported my curiosity and growth and never let the fact we lived in a small town in Mississippi get in the way of that. They also overcame their initial electrica...
Mobile code is now a nearly inescapable component of modern computing, thanks to client-side code that runs within web browsers. The usual tension between security and functionality is particularly acute in a mobile-code setting, and current platforms disappoint on both dimensions. We introduce a new architecture for secure mobile code, with which developers can use, publish, and share mobile code securely across trust domains. This architecture enables new kinds of distributed applications, and makes it easier to reuse and evolve code from untrusted providers. The architecture gives mobile code considerable expressive power: it can securely access distributed, persistent, shared information from multiple trust domains, unlike web applications bound by the same-origin policy. The core of our approach is analyzing how flows of information within mobile code affect confidentiality and integrity. Because mobile code is untrusted, this analysis requires novel constraints on information flow and authority. We show that these constraints offer principled enforcement of strong security while avoiding the limitations of current mobile-code security mechanisms. We evaluate our approach by demonstrating a variety of mobilecode applications, showing that new functionality can be offered along with strong security.
Noninterference is a popular semantic security condition because it offers strong end-to-end guarantees, it is inherently compositional, and it can be enforced using a simple security type system. Unfortunately, it is too restrictive for real systems. Mechanisms for downgrading information are needed to capture real-world security requirements, but downgrading eliminates the strong compositional security guarantees of noninterference.We introduce nonmalleable information flow, a new formal security condition that generalizes noninterference to permit controlled downgrading of both confidentiality and integrity. While previous work on robust declassification prevents adversaries from exploiting the downgrading of confidentiality, our key insight is transparent endorsement, a mechanism for downgrading integrity while defending against adversarial exploitation. Robust declassification appeared to break the duality of confidentiality and integrity by making confidentiality depend on integrity, but transparent endorsement makes integrity depend on confidentiality, restoring this duality. We show how to extend a security-typed programming language with transparent endorsement and prove that this static type system enforces nonmalleable information flow, a new security property that subsumes robust declassification and transparent endorsement. Finally, we describe an implementation of this type system in the context of Flame, a flow-limited authorization plugin for the Glasgow Haskell Compiler. * Work done while at Harvard University arXiv:1708.08596v2 [cs.CR] 31 Aug 2017Proof. This follows by induction on the typing derivation for values.Lemma 2 (Substitution). If Γ, x : τ 1 ; pc $ e : τ and Γ; pc $ v : τ 1 , then Γ; pc $ erx Þ Ñ vs : τ .Proof. By induction on the derivation of Γ, x : τ 1 ; pc $ e : τ using Lemma 1.Lemma 3 (pc reduction). If Γ; pc $ e : τ and pc 1 Ď pc, then Γ; pc 1 $ e : τ .Proof. By induction on the derivation of Γ; pc $ e : τ .Theorem 8 (Subject reduction). If Γ; pc $ e : τ and xe, ty ÝÑ Ñ xe 1 , t 1 y then Γ; pc $ e 1 : τ .Proof. This proof follows by an inductive case analysis on the operational semantics in Figures 18 and 22. There are a few interesting cases.Case B-EXPAND: This case handles a context (B), we will do a sub-case analysis on each such expression type.
Distributed information systems are prevalent in modern computing but difficult to build securely. Because systems commonly span domains of trust, host nodes share data and code of varying degrees of trustworthiness. Modern systems are often open and extensible, making security even harder to reason about. Unfortunately, standard methods for software construction do not help programmers enough with ensuring their software is secure. Fabric is a system and language for building open, distributed, extensible information systems that are secure by construction. Fabric is a decentralized system that allows nodes to securely share both data and code despite mutual distrust. All resources are labeled with confidentiality and integrity policies that are enforced through a combination of compile-time and run-time mechanisms.The Fabric language offers a high-level but powerful model of computation. All resources appear as objects in the language, and the distribution and persistence of code and data are largely transparent to programmers. Fabric supports both data-shipping and query/RPC styles of computation: computation and information can both move between nodes. Optimistic, nested transactions ensure consistency across all objects and nodes. Fabric programs can securely share mobile code across trust domains, enabling more reuse and evolution of code and supporting new kinds of secure applications not possible in other distributed systems. Results from applications built using Fabric suggest that Fabric enforces strong security while offering a clean, concise, powerful programming model with good performance. An open-source prototype is available for download.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
Contact Info
customersupport@researchsolutions.com
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Product
Resources
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.
