Hails: Protecting data privacy in untrusted web applications

Giffin, Daniel B.; Levy, Azriel; Stefan, Deian; Terei, David; Mazières, David; Mitchell, John C.; Russo, Alejandro

doi:10.3233/jcs-15801

Cited by 41 publications

(72 citation statements)

References 52 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Floating label systems DC-labels are usually part of floating label systems like LIO [22], Hails [9], and COWL [23]. Such systems associate a current label, L pc , with every computational task-this label plays a role similar to the program counter (PC) in more traditional language-based IFC approaches [19].…”

Section: Downgradingmentioning

confidence: 99%

“…Disjunction Category Labels (DC-labels) are a practical and expressive label format that can capture the security concerns of principals. IFC systems and DC-labels can provide strong, expressive, and practical information security guarantees, preventing exploitation of, for example, cross-site scripting and code injection vulnerabilities [9,10,19,23,26].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

It’s My Privilege: Controlling Downgrading in DC-Labels

Waye

Buiras

King

et al. 2015

Security and Trust Management

Self Cite

View full text Add to dashboard Cite

Abstract. Disjunction Category Labels (DC-labels) are an expressive label format used to classify the sensitivity of data in information-flow control systems. DC-labels use capability-like privileges to downgrade information. Inappropriate use of privileges can compromise security, but DC-labels provide no mechanism to ensure appropriate use. We extend DC-labels with the novel notions of bounded privileges and robust privileges. Bounded privileges specify and enforce upper and lower bounds on the labels of data that may be downgraded. Bounded privileges are simple and intuitive, yet can express a rich set of desirable security policies. Robust privileges can be used only in downgrading operations that are robust, i.e., the code exercising privileges cannot be abused to release or certify more information than intended. Surprisingly, robust downgrades can be expressed in DC-labels as downgrading operations using a weakened privilege. We provide sound and complete run-time security checks to ensure downgrading operations are robust. We illustrate the applicability of bounded and robust privileges in a case study as well as by identifying a vulnerability in an existing DC-label-based application.

show abstract

Section: Downgradingmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

It’s My Privilege: Controlling Downgrading in DC-Labels

Waye

Buiras

King

et al. 2015

Security and Trust Management

Self Cite

View full text Add to dashboard Cite

show abstract

“…They support the development of realistic applications in which new principals and labels are created dynamically (Giffin et al 2012), and they are a key ingredient in recently proposed mechanisms for soundly recovering from IFC violations (Hriţcu et al 2013a;. While for simplicity we consider neither dynamic labels nor recoverable exceptions, our register machine does have first-class public labels.…”

Section: First-class Public Labelsmentioning

confidence: 99%

Testing noninterference, quickly

Hriţcu¹,

Lampropoulos

Spector-Zabusky

et al. 2016

J. Funct. Prog.

View full text Add to dashboard Cite

Information-flow control mechanisms are difficult both to design and to prove correct. To reduce the time wasted on doomed proof attempts due to broken definitions, we advocate modern random testing techniques for finding counterexamples during the design process. We show how to use QuickCheck, a property-based random-testing tool, to guide the design of increasingly complex information-flow abstract machines, leading up to a sophisticated register machine with a novel and highly permissive flow-sensitive dynamic enforcement mechanism that is sound in the presence of first-class public labels. We find that both sophisticated strategies for generating well-distributed random programs and readily falsifiable formulations of noninterference properties are critically important for efficient testing. We propose several approaches and evaluate their effectiveness on a collection of injected bugs of varying subtlety. We also present an effective technique for shrinking large counterexamples to minimal, easily comprehensible ones. Taken together, our best methods enable us to quickly and automatically generate simple counterexamples for more than 45 bugs. Moreover, we show how testing guides the discovery of the sophisticated invariants needed for the noninterference proof of our most complex machine.

show abstract

“…o b j e c t s . g e t ( 23 e v e n t=s e l f , g u e s t=c t x t ) != None ) 24 25 c l a s s E v e n t G u e s t ( JModel ) :…”

Section: @ S T a T I C M E T H O Dmentioning

confidence: 99%

“…SeLINQ [42], the work of Lourenço and Caires [29], and Ur/Web use static types. DBTaint [18], Passe [9], and Hails [24] perform dynamic analysis. SIF [16] combines static labels and dynamic checks.…”

Section: Related Workmentioning

confidence: 99%

Precise, dynamic information flow for database-backed applications

Yang

Hance²,

Austin

et al. 2016

Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

We present an approach for dynamic information flow control across the application and database. Our approach reduces the amount of policy code required, yields formal guarantees across the application and database, works with existing relational database implementations, and scales for realistic applications. In this paper, we present a programming model that factors out information flow policies from application code and database queries, a dynamic semantics for the underlying λ JDB core language, and proofs of termination-insensitive non-interference and policy compliance for the semantics. We implement these ideas in Jacqueline, a Python web framework, and demonstrate feasibility through three application case studies: a course manager, a health record system, and a conference management system used to run an academic workshop. We show that in comparison to traditional applications with hand-coded policy checks, Jacqueline applications have 1) a smaller trusted computing base, 2) fewer lines of policy code, and 2) reasonable, often negligible, overheads.

show abstract

Hails: Protecting data privacy in untrusted web applications

Cited by 41 publications

References 52 publications

It’s My Privilege: Controlling Downgrading in DC-Labels

It’s My Privilege: Controlling Downgrading in DC-Labels

Testing noninterference, quickly

Precise, dynamic information flow for database-backed applications

Contact Info

Product

Resources

About