Disjunction Category Labels

Stefan, Deian; Russo, Alejandro; Mazières, David; Mitchell, John C.

doi:10.1007/978-3-642-29615-4_16

Cited by 37 publications

(41 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Parts of the system, namely our labels and confinement mechanism, have been formalized in [30,[39][40][41]. We remark that different from other work, our language-level concurrent confinement system is sound even in the presence of termination and timing covert channels [41].…”

Section: Trust Assumptionsmentioning

confidence: 92%

See 1 more Smart Citation

Hails: Protecting data privacy in untrusted web applications

Giffin

Levy

Stefan

et al. 2017

JCS

Self Cite

View full text Add to dashboard Cite

Modern extensible web platforms like Facebook and Yammer depend on third-party software to offer a rich experience to their users. Unfortunately, users running a third-party "app" have little control over what it does with their private data. Today's platforms offer only ad-hoc constraints on app behavior, leaving users an unfortunate trade-off between convenience and privacy. A principled approach to code confinement could allow the integration of untrusted code while enforcing flexible, end-to-end policies on data access. This paper presents a new web framework, Hails, that adds mandatory access control and a declarative policy language to the familiar MVC architecture. We demonstrate the flexibility of Hails through GitStar.com, a code-hosting website that enforces robust privacy policies on user data even while allowing untrusted apps to deliver extended features to users.

show abstract

Section: Trust Assumptionsmentioning

confidence: 92%

“…The particular labels used by Hails are called DC labels. We described and formalized DC labels in a separate paper [39], so limit our discussion to a brief overview of their format and use in MAC. We refer readers to the full DC labels paper for more details.…”

Section: Labels and Confinementmentioning

confidence: 99%

Hails: Protecting data privacy in untrusted web applications

Giffin

Levy

Stefan

et al. 2017

JCS

Self Cite

View full text Add to dashboard Cite

show abstract

“…In particular, the TIARA design [84] first proposed the idea of a zero-kernel operating system and sketched a concrete architecture, while the ARIES project proposed using a hardware rule cache to speed up information-flow tracking [16]. In TIARA and ARIES, tags had a fixed set of fields and were of limited length, whereas, in SAFE, tags are pointers to arbitrary data structures, allowing them to represent complex IFC labels encoding sophisticated security policies [62], for instance decentralized ones [69,85]. Moreover, unlike TIARA and ARIES, which made no formal soundness claims, SAFE proposes a set of IFC rules aimed at achieving noninterference; the proof we present in this paper, though for a simplified model, provides evidence that this goal is feasible.…”

Section: Related Workmentioning

confidence: 99%

A verified information-flow architecture

Amorim

Collins

DeHon

et al. 2016

JCS

View full text Add to dashboard Cite

SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to dynamically control information flow in SAFE and an end-to-end proof of noninterference for this model.We use a refinement proof methodology to propagate the noninterference property of the abstract machine down to the concrete machine level. We use an intermediate layer in the refinement chain that factors out the details of the information-flow control policy and devise a code generator for compiling such information-flow policies into low-level monitor code. Finally, we verify the correctness of this generator using a dedicated Hoare logic that abstracts from low-level machine instructions into a reusable set of verified structured code generators.

show abstract

“…There, the PUMP was used only to implement dynamic IFC; other special-purpose hardware mechanisms enforced properties such as memory safety [55] and compartmentalization [40]. Still, the PUMP design in the SAFE system was made quite flexible, since dynamic IFC is an active area of research, with various mechanisms [14], [18], [19], [48], [50], [78] and "label models" [61], [77] being proposed regularly, making baked-into-hardware solutions unattractive. A simple IFC micro-policy was studied formally for an idealized version of the SAFE processor [15].…”

Section: Related Workmentioning

confidence: 99%

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Amorim¹,

Dénès

Giannarakis

et al. 2015

2015 IEEE Symposium on Security and Privacy

View full text Add to dashboard Cite

Abstract-Recent advances in hardware design have demonstrated mechanisms allowing a wide range of low-level security policies (or micro-policies) to be expressed using rules on metadata tags. We propose a methodology for defining and reasoning about such tag-based reference monitors in terms of a high-level "symbolic machine," and we use this methodology to define and formally verify micro-policies for dynamic sealing, compartmentalization, control-flow integrity, and memory safety; in addition, we show how to use the tagging mechanism to protect its own integrity. For each micro-policy, we prove by refinement that the symbolic machine instantiated with the policy's rules embodies a high-level specification characterizing a useful security property. Last, we show how the symbolic machine itself can be implemented in terms of a hardware rule cache and a software controller.

show abstract

Disjunction Category Labels

Cited by 37 publications

References 26 publications

Hails: Protecting data privacy in untrusted web applications

Hails: Protecting data privacy in untrusted web applications

A verified information-flow architecture

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Contact Info

Product

Resources

About