RIFLE: An Architectural Framework for User-Centric Information-Flow Security

Vachharajani, Neil; Bridges, Matthew J.; Chang, Jonathan; Rangan, Ram; Ottoni, Guilherme; Blome, Jason; Reis, George A.; Vachharajani, Manish; August, David I.

doi:10.1109/micro.2004.31

Cited by 187 publications

(125 citation statements)

References 34 publications

Supporting

Mentioning

125

Contrasting

Order By: Relevance

“…However, prior methods of detecting noninterference have typically required access to the program running the system in question. These analyses either used the program for directly analyzing its code (see [9] for a survey), for running an instrumented version of the system (e.g., [10][11][12][13]), or for simulating multiple executions of the system (e.g., [14][15][16]). Traditionally, the requirement of access to the program has not been problematic since the analysis has been motivated as a tool for software engineers securing a program that they have designed.…”

Section: Prior Workmentioning

confidence: 99%

Purpose Restrictions on Information Use

Tschantz

Datta

Wing

2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Privacy policies in sectors as diverse as Web services, finance and healthcare often place restrictions on the purposes for which a governed entity may use personal information. Thus, automated methods for enforcing privacy policies require a semantics of purpose restrictions to determine whether a governed agent used information for a purpose. We provide such a semantics using a formalism based on planning. We model planning using Partially Observable Markov Decision Processes (POMDPs), which supports an explicit model of information. We argue that information use is for a purpose if and only if the information is used while planning to optimize the satisfaction of that purpose under the POMDP model. We determine information use by simulating ignorance of the information prohibited by the purpose restriction, which we relate to noninterference. We use this semantics to develop a sound audit algorithm to automate the enforcement of purpose restrictions.

show abstract

Section: Prior Workmentioning

confidence: 99%

Purpose Restrictions on Information Use

Tschantz

Datta

Wing

2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…This explains why we prefer to speak of data flow rather than information flow. Moreover, even if we plan to leverage results of static analyses, like [39], we want to detect these flows at runtime. Implementations of such data-flow tracking system have been realized for the operating system [3], X11 [4], OpenOffice [5] and Java byte code and can be used as PIP component to instantiate our model.…”

Section: Related Workmentioning

confidence: 99%

Representation-Independent Data Usage Control

Pretschner

Lovat

Büchler

2012

Data Privacy Management and Autonomous Spontaneus Security

View full text Add to dashboard Cite

Abstract. Usage control is concerned with what happens to data after access has been granted. In the literature, usage control models have been defined on the grounds of events that, somehow, are related to data. In order to better cater to the dimension of data, we extend a usage control model by the explicit distinction between data and representation of data. A data flow model is used to track the flow of data in-between different representations. The usage control model is then extended so that usage control policies can address not just one single representation (e.g., delete file1.txt after thirty days) but rather all representations of the data (e.g., if file1.txt is a copy of file2.txt, also delete file2.txt). We present three proof-of-concept implementations of the model, at the operating system level, at the browser level, and at the X11 level, and also provide an ad-hoc implementation for cross-layer enforcement.

show abstract

“…For instance, the whole system emulator QEMU [3] is employed by various solutions that implement DTA [13,20,27], while TaintBochs [7] builds on the Bochs IA-32 emulator. The architecture community attempted to integrate or assist dynamic taint tracking with hardware extensions [9,10,23,24], to alleviate the significant performance impact due to extra tag processing from DBI frameworks and emulators.…”

Section: Cross-process and Cross-host Taint Trackingmentioning

confidence: 99%

“…For example, many security-oriented DTA implementations [19] do not support configurable taint sources, and mark all incoming network as tainted -We improved on inter-process taint tracking over previous system-wide tracking systems (e.g. Minos [9], TaintBochs [7], Rakscha [10], RIFLE [24]), which are based on slow full-system emulators (e.g. Xen [2], QEMU [3], Bochs [4]), by enabling cross-host and cross-process tracking on the communication channels that matter to the target applications, rather than overloading every operation in the entire system with unnecessary heavyweight taint tracking operations -We evaluate the overhead imposed by Taint-Exchange, and show that it incurs minimal overhead over the baseline tool libdft…”

Section: Introductionmentioning

confidence: 99%

Taint-Exchange: A Generic System for Cross-Process and Cross-Host Taint Tracking

Zavou

Portokalidis

Keromytis

2011

Advances in Information and Computer Security

View full text Add to dashboard Cite

Abstract. Dynamic taint analysis (DTA) has been heavily used by security researchers for various tasks, including detecting unknown exploits, analyzing malware, preventing information leaks, and many more. Recently, it has been also utilized to track data across processes and hosts to shed light on the interaction of distributed components, but also for security purposes. This paper presents Taint-Exchange, a generic crossprocess and cross-host taint tracking framework. Our goal is to provide researchers with a valuable tool for rapidly developing prototypes that utilize cross-host taint tracking. Taint-Exchange builds on the libdft open source data flow tracking framework for processes, so unlike previous work it does not require extensive maintenance and setup. It intercepts I/O related system calls to transparently multiplex fine-grained taint information into existing communication channels, like sockets and pipes. We evaluate Taint-Exchange using the popular lmbench suite, and show that it incurs only moderate overhead.

show abstract

RIFLE: An Architectural Framework for User-Centric Information-Flow Security

Abstract: Even as modern computing systems allow the manipulation and distribution of massive amounts of information

Cited by 187 publications

References 34 publications

Purpose Restrictions on Information Use

Purpose Restrictions on Information Use

Representation-Independent Data Usage Control

Taint-Exchange: A Generic System for Cross-Process and Cross-Host Taint Tracking

Contact Info

Product

Resources

About