Containment and Integrity for Mobile Code: End-to-end security, untrusted hosts
Andrew Myers, Fred Schneider
Department of Computer Science, Cornell University, Ithaca NY 14853
Research directions
• End-to-end security by program rewriting
• In-lined reference monitors
• Asynchronous proactive secret sharing
• Gossip protocols
• Mobile code integrity:
  • NAP protocols (primary-backup revisited)
  • Cryptographic-based privilege management
End-to-end security, untrusted hosts — Andrew Myers
Protecting confidentiality
• Historically: privacy protection largely a military concern (confidentiality, secrecy)
• Future: many commercial, end-user needs
  • Assurance for shared information services: on-line shopping, e-mail and home page services
  • Programs with access to private information: spreadsheets, Quicken, word processors, ...
• Military, commercial privacy needs converging?
(Figure: classification levels top secret, secret, classified, unclassified)
Privacy vs complexity
• Problem: complex systems, untrusted parts
  • both distributed and single-host computation
• Harder to protect confidential information
Example: airplane design
Hosts: Boeing | Air Force
Data: marketing plans, aircraft designs, other customers’ info | military secrets, other suppliers’ info
Programs: CAD, aircraft simulations, cost projections | war simulations
Policies vs. Mechanisms
• Problem: policy/mechanism mismatch
• Conventional mechanisms (e.g., access control): control whether A is allowed to transmit to B
• Privacy policy: information I can only be obtained by users U (no matter how it is transformed)
• Access control is point-to-point; policy is end-to-end
• How to map privacy policy onto a mechanism? (we already do this by hand!)
Mechanisms
• Discretionary access control: doesn’t control propagation
• Mandatory access control: expensive, restrictive
(Figure: discretionary flow A → B → ...; mandatory levels top secret, secret, classified, unclassified)
Static analysis of information flow
• Idea: add privacy policies as annotations to programs (types): e.g., JIF language (Java Information Flow)
    int {L} x;  // L is an end-to-end privacy policy
• JIF: security-typed language
• Uses decentralized label model
Static information flow
• Type-check information flow statically
  • efficient
  • validates all possible run-time information flows: more precise, less restrictive
  • allows modular composition
  • hybrid dynamic/static schemes possible
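As an added illustration (not JIF's or the Cornell compiler's own code), the following Python models the decentralized label model's join and relabeling check and type-checks a small program against them, carrying a pc label so that implicit flows through conditionals are caught as well as explicit assignments. Variable names, labels, and the Boeing/Air Force owner names are constructed for the example.

```python
# Added illustration (not JIF's own code): a toy decentralized label model (DLM)
# and a static information-flow check with a pc label to catch implicit flows.
from functools import reduce
from typing import Dict, FrozenSet, List, Optional
Label = Dict[str, FrozenSet[str]]  # owner -> readers that owner permits

def join(l1: Label, l2: Label) -> Label:
    """Least upper bound: union of owners, reader sets intersected per owner."""
    out: Label = {}
    for o in set(l1) | set(l2):
        out[o] = l1[o] & l2[o] if o in l1 and o in l2 else l1.get(o, l2.get(o))
    return out

def flows_to(src: Label, dst: Label) -> bool:
    """src may be relabeled to dst iff dst keeps every owner and only drops readers."""
    return all(o in dst and dst[o] <= src[o] for o in src)

def check(stmts, env: Dict[str, Label], pc: Optional[Label] = None) -> List[str]:
    """Type-check assignments; pc is the join of the enclosing condition labels."""
    pc = pc or {}
    errs: List[str] = []
    for s in stmts:
        if s[0] == "assign":                   # ("assign", target, [source vars])
            _, target, srcs = s
            src = reduce(join, (env[n] for n in srcs), pc)
            if not flows_to(src, env[target]):
                errs.append(f"{target} <- {sorted(src)}: not allowed by {sorted(env[target])}")
        elif s[0] == "if":                     # ("if", [condition vars], [body stmts])
            _, cond, body = s
            errs += check(body, env, reduce(join, (env[n] for n in cond), pc))
    return errs

# Constructed variables and labels for the airplane-design example on the slides.
ENV: Dict[str, Label] = {
    "design": {"boeing": frozenset({"airforce"})},  # Boeing owns it; Air Force may read
    "secret": {"airforce": frozenset()},            # Air Force owns it; no other reader
    "report": {"boeing": frozenset({"airforce"}), "airforce": frozenset()},
    "public": {},                                   # no owner: anyone may read
    "tmp": {"boeing": frozenset({"airforce"})},
}
PROGRAM = [
    ("assign", "report", ["design", "secret"]),           # accepted: report is restrictive enough
    ("assign", "public", ["design"]),                     # explicit flow: rejected
    ("if", ["secret"], [("assign", "tmp", ["design"])]),  # implicit flow via pc: rejected
]

if __name__ == "__main__":
    for e in check(PROGRAM, ENV):
        print("violation:", e)
```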
Compiler architecture
• Source-to-source translator (JIF to Java)
• Mostly just removes annotations
(Figure: program + label annotations → JIF compiler → Java source + label annotations → Java compiler → class file (bytecode) + label annotations)
Single-machine model
(Figure: source → JIF compiler (trusted) → bytecode → host (trusted) → executing program)
Airplane design
Hosts: Boeing | Air Force
Data: marketing plans, aircraft designs, other customers’ info | military secrets, other suppliers’ info
Programs: CAD, aircraft simulations, cost projections | war simulations
Avoiding trusted compiler
• Java trick: substitute trusted verifier for compiler
• Need expressive security type system for intermediate / assembly code
(Figure: source → JIF compiler → bytecode → verifier (trusted) → host (trusted) → executing program)
Avoiding trusted hosts
• Security invariant: host distrusted by principal p should not see p’s confidential data
• Problem: multi-party computation may involve confidential data from several parties
• Run only on completely trusted hosts?
  • expensive
  • bottleneck
• Computation across available hosts
Secure program partitioning
• New approach to secure distributed systems
• Write programs without explicit code locations or inter-host communication
• Automatically transform code to run securely on current hosts
(Figure: source → compiler → intermediate code → splitter, fed with authenticated trust declarations → one code partition per host)
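An added example (not the project's splitter) of the placement decision the partitioning step makes from trust declarations, following the invariant on the previous slide: each statement goes to a host that every owner of the data it touches trusts, and a statement with no such host is reported rather than placed. Host names, trust declarations, data owners and the program are constructed.

```python
# Added illustration (not the Cornell splitter): choose, for each statement, a host
# that every owner of the data the statement touches has declared trust in.
from typing import Dict, FrozenSet, List, Optional, Tuple

Owners = FrozenSet[str]            # principals whose confidential data a value carries
Trust = Dict[str, FrozenSet[str]]  # host -> principals that trust that host

def trusted_hosts(owners: Owners, trust: Trust) -> List[str]:
    """Hosts acceptable to all owners: no owner's data reaches a host it distrusts."""
    return sorted(h for h, who in trust.items() if owners <= who)

def partition(prog: List[Tuple[str, List[str]]], env: Dict[str, Owners],
              trust: Trust) -> Dict[str, Optional[str]]:
    """Map each (statement, variables it uses) to a host, or None if no host qualifies."""
    placement: Dict[str, Optional[str]] = {}
    for name, used in prog:
        owners = frozenset().union(*(env[v] for v in used))
        candidates = trusted_hosts(owners, trust)
        placement[name] = candidates[0] if candidates else None
    return placement

# Constructed trust declarations, data owners and program (hypothetical names).
TRUST: Trust = {
    "boeing-host": frozenset({"boeing"}),
    "airforce-host": frozenset({"airforce"}),
    "joint-host": frozenset({"boeing", "airforce"}),
}
ENV: Dict[str, Owners] = {"design": frozenset({"boeing"}), "cost": frozenset({"boeing"}),
                          "secret": frozenset({"airforce"})}
PROGRAM = [("cost_projection", ["design", "cost"]),   # Boeing-only data: Boeing's host suffices
           ("war_simulation", ["design", "secret"])]  # data from both: needs a jointly trusted host

if __name__ == "__main__":
    print(partition(PROGRAM, ENV, TRUST))
```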
Caveats
• Programs annotated with security information
  • but: annotations are types
• Communication model: inter-host messages cannot be intercepted, damaged
  • but: private-key encryption can be used
• Some covert channels (e.g., timing) still exist
Status
• New, expressive intermediate language with support for security types, program transformations
  • Next: security-typed assembly language
  • verifier
• Rewrite rules for automatic program partitioning across hosts
  • Next: optimizing transformations for performance
  • partitioning back end for JIF compiler
  • partitioning verifier
• Core technology is in place
Conclusions
• Decentralized enforcement of end-to-end security policies appears surprisingly feasible
• Application: assurance for distributed services
• Other project research directions:
  • In-lined reference monitors
  • Asynchronous proactive secret sharing
  • Gossip protocols
  • Mobile code integrity