Preventing Information Leaks with Jeeves · Jeeves Supports Expressive Policies def isNotCarol(oc):...
Transcript of Preventing Information Leaks with Jeeves · Jeeves Supports Expressive Policies def isNotCarol(oc):...
-
Preventing
Information Leaks
with Jeeves
Jean Yang, MITApril 8, 2015
-
Wearable
devices
Data, Data Everywhere
Jean Yang / Jeeves 2
Social
media
Electronic health
records
Online courses
-
Jean Yang / Jeeves 3
All Kinds of People Are
Writing All Kinds of
CodeOpen source
lines of code
Journalists
Medical
researchers
Social
scientists
Children
-
Jean Yang / Jeeves 4
Even Trained
Developers Leak
Information
-
Why Aren’t Existing
Approaches Enough?
Jean Yang / Jeeves 5
Exploit
Patch
But leaves system
builders a step
behind.
Defensive
protection
But people are still
showing the data
wrong.
Encrypting
Data
-
My Approach:
Privacy by Construction
Jean Yang / Jeeves 6
Factor out privacy to reduce
opportunity for leaks.
• Programmer specifies high-level policies about
how sensitive data can be used.
• Rest of program is policy-agnostic.
• System manages policies automatically.
-
Social Calendar Example
Jean Yang / Jeeves 7
Alice and Bob throw a surprise party for Carol.
-
Even Seemingly Simple
Policies Have Subtleties
Jean Yang / Jeeves 8
Guests Carol Strangers
Surprise
party for
Carol at
Chuck E.
Cheese.
Pizza with
Alice/Bob.
Private event
at Chuck E.
Cheese.
Policy: Must be guest. Policies can depend on
sensitive values and other
policies.Policy: Only visible to hosts until finalized.
Problem:
-
Enforcing Policies Can
Leak Information!
Jean Yang / Jeeves 9
Guests
Surprise
party at
Chuck E.
Cheese.
Policy: Only visible to
hosts until finalized.
Policy: Must be guest.
Guest list finalized
Guests can’t see
event
Guests can see
event
• Subtle mistake:
check for policy 1
neglects
dependency on
policy 2.
• Problem arises
when programmers
trusted to get
dependencies right.
1
2
-
Policies Are Intertwined
Across the Code
Jean Yang / Jeeves 10
“What is the most
popular location
among friends 7pm
Tuesday?”
Update to
event
subscribers
• Track information flow through derived values.
• Track where derived values flow.
Problem:
-
Jean Yang / Jeeves 11
“Policy Spaghetti”
in Real Systems
Code from
HotCRP
conference
management
system
Highlighted: conditional permissions checks everywhere.
-
Jean Yang / Jeeves 12
Programming
model.
Mathematical
guarantees.
Implementations,
web framework,
and case studies.
Automatic Enforcement
with JeevesThe well-intentioned programmer
writes same code no matter what
policies are.
-
Jeeves Factors Out
Policies
Jean Yang / Jeeves 13
• Centralized policies.
• Policy-agnostic program.
• Runtime differentiates behavior.
Model View Controller
-
Background.
Jean Yang / Jeeves 14
Jeeves programming model.
How Jeeves works.
Theoretical guarantees.
Implementation & evaluation.
This Talk
[PLAS ’13]
[PLAS ’13]
[draft]
[POPL ’12]
Background.
-
1. Specifying policies.
2. Specifying differentiated behavior.
3. Factoring out policies from other
code.
4. Enforcing policies that depend on
sensitive values.
Automatically Managing
Information Flow
Jean Yang / Jeeves 15
Only Jeeves supports 3 and 4.
Jeeves supports more
expressive policies
than prior work.
-
Jean Yang / Jeeves 16
Information flow controls check that only allowed flows occur [HiStar,
Flume, Resin, LIO/Hails, Jif/Sif, flow locks, F*, and more].
Related Work:
Checking Information
Flow
==
true
==
false
if viewer == : elif viewer != :
error
Programmer
tags data.
System prevents
leaks by raising
error.
Must explicitly
define and tag
alternate behavior.
My previous work.
-
Jean Yang / Jeeves 17
==
Multi-execution approaches differentiate behavior based on viewer
[secure multi-execution (Devriese et al); faceted execution (Austin and
Flanagan)].
true false
Computing with Multiple
Values
Related Work:
Must encode
policies as tags.• “Policy
spaghetti.”
• Policies can
leak
information.
-
Background.
Jean Yang / Jeeves 18
Jeeves programming model
How Jeeves works.
Theoretical guarantees.
Implementation & evaluation.
This Talk
Jeeves programming model.
Supporting
expressive policies
that can depend on
sensitive values.
2
Factoring out
information flow.
1
Challenges
-
Policy-Agnostic
Programming in Jeeves
Jean Yang / Jeeves 19
Application CodeSeparate from policies.
policies
Sensitive values
encapsulate multiple
behaviors.
Policies describe rules for
how values may flow to
output contexts.
-
.guests [ ]
Jeeves Supports
Expressive Policies
def isNotCarol(oc): return oc !=
Jean Yang / Jeeves 20
Output context can be of arbitrary type.
def isGuest(oc): return oc in .guests
A policy is an arbitrary function that takes the
output context and returns a Boolean value.
Policies can depend on sensitive values.
-
21Jean Yang / Jeeves
==
true false
print { } print { }
true false
Jeeves Programming
ModelProgrammer
writes policy-
agnostic
programs.
Runtime
propagates values
and policies.
Runtime
produces
differentiated
output based on
the viewer.
Programmer
specifies policies
and facets.
1 2
4
3
-
The Jeeves
Programming Model• Well-defined runtime semantics
for policy-agnostic programming with information flow policies.
• Can be implemented standaloneor embedded as a library.
• Has been adapted across runtimes in web frameworks.
Jean Yang / Jeeves 22
-
Background.
Jean Yang / Jeeves 23
Jeeves programming model
How Jeeves works.
Theoretical guarantees.
Implementation & evaluation.
This Talk
How Jeeves works.
Handling policies
with dependencies.
1
Enforcing
policies when
state changes.
2
Challenges
-
24Jean Yang / Jeeves
if == :
x += 1
return x
x = 0
print { } print { }
1 0
Jeeves Execution Model
Runtime
propagates
values and
policies.
Runtime
solves for
values to show
based on
policies and
viewer.
21
Runtime simulates simultaneous multiple
executions.
-
Using Policies to
Produce Outputs
Jean Yang / Jeeves 25
print { }
0
( != ) ? 1 : 0
policy( )
Jeeves uses
policies to defacet
appropriately.
1 0
def isNotCarol(oc):
return oc !=
-
Jean Yang / Jeeves 26
print { }
( == ) ? :
policy( )
def isMaybeCarol(oc):
return oc ==
But What About
Dependencies?
Possible solutions:
( == ) ? :
( == ) ? :
Jeeves runtime
will pick the secret
value if allowed.
Need to find a
fixed point!
-
Jean Yang / Jeeves 27
Using Constraints to
Handle DependenciesLabel Policy
a def isGuest(oc):
return oc in .guests
𝑎 = 𝑠𝑒𝑐𝑟𝑒𝑡 ⇒ in .guests
policy( )
𝑎 ∈ {𝑠𝑒𝑐𝑟𝑒𝑡, 𝑝𝑢𝑏𝑙𝑖𝑐}
print { }
𝑎 = 𝑠𝑒𝑐𝑟𝑒𝑡 ⇒ 𝑓𝑎𝑙𝑠𝑒
¬(𝑎 = 𝑠𝑒𝑐𝑟𝑒𝑡)
⊢
⊢
0
1 0
a
• Constraints contain
only Boolean
variables.
• Always a consistent
assignment.
Evaluated with
respect to state
at time of
output.
-
Handling Indirect Flows
Jean Yang / Jeeves 28
if == :
a
x += 1
true false
aif :
x += 1
x = xold+1 xold
a
Labels follow
values through all
computations,
including
conditionals and
assignments.
-
Outputting to Sinks
Jean Yang / Jeeves 29
Σ, 𝐸𝑜𝑐 ⇓∅ Σ𝑜𝑐 , 𝑉𝑜𝑐Σ𝑜𝑐 , 𝐸𝑟 ⇓∅ Σ𝑟 , 𝑉𝑟
𝑘1…𝑘𝑛 = 𝑐𝑙𝑜𝑠𝑒𝐾(𝑙𝑎𝑏𝑒𝑙𝑠 𝐸𝑜𝑐 ∪ 𝑙𝑎𝑏𝑒𝑙𝑠(𝐸𝑟), Σ2)
𝐸𝑝 = 𝜆𝑥. 𝑡𝑟𝑢𝑒 ∧𝑓 …∧𝑓 Σ2(𝑘𝑛)
Σ𝑟 , (𝐸𝑝 𝑉𝑜𝑐) ⇓∅ Σ𝑝, 𝑉𝑝
pick 𝑝𝑐 such that 𝑝𝑐 𝑉𝑜𝑐 = 𝑜𝑐, 𝑝𝑐 𝑉𝑟 = 𝑅, 𝑝𝑐 𝑉𝑝 = 𝑡𝑟𝑢𝑒
Σ, print 𝐸𝑜𝑐 𝐸𝑟 ⇓ 𝑉𝑝, 𝑜𝑐: 𝑅
Evaluate output context
and expression to print.
Retrieve labels
and policies.Evaluate policies applied
to the output context.
Defacet using
satisfying policy
assignment.
Jeeves Runtime Semantics:
Σ, 𝑆 ⇓ 𝑉𝑝, 𝑜𝑐: 𝑅 Σ, 𝐸 ⇓𝑝𝑐 Σ′, 𝑉
Statement
evaluation
Expression
evaluation
Output
context
ResultPolicies
-
Background.
Jean Yang / Jeeves 30
Jeeves programming model
How Jeeves works.
Theoretical guarantees.
Implementation & evaluation.
This Talk
Theoretical guarantees.
Proving
enforcement with
respect to our
semantics.
2
Defining what it
means to enforce
policies.
1
Challenges
-
Non-Interference
Jean Yang / Jeeves 31
a
if == :
x += 1
print { }
0
0 1
a
aif == :
x += 1
Jeeves Challenge:
Compute labels
from program—may
have dependencies
on secret values!
Secret values should not affect public output.
-
Jean Yang / Jeeves 32
a
if == :
x += 1
print { }
0
0 1
a
aif == :
x += 1
Jeeves Theorem:
All executions where
a must be public
produce equivalent
outputs.
Jeeves Non-Interference
and Policy Compliance
Can’t tell apart secret values
that require a to be public.
-
𝑓: 𝑅 ∃𝑉. ∅, 𝑆1 ⇓ 𝑉, 𝑓: 𝑅} = {𝑓: 𝑅 | ∃𝑉. ∅, 𝑆2 ⇓ 𝑉, 𝑓: 𝑅}
𝑆2 = 𝑝𝑟𝑖𝑛𝑡 𝑒 𝐶[ ]𝑆1 = 𝑝𝑟𝑖𝑛𝑡 𝑒 𝐶[ ]
Jeeves Policy
Compliance TheoremSuppose we have
Jean Yang / Jeeves 33
𝐸1 𝐸𝑃𝑎
Then the set of values 𝑆1 evaluates to is equivalent to the set of values 𝑆2 evaluates to.
Where 𝑎 must be public.
𝐸2 𝐸𝑃𝑎
Need to account for policies that depend on sensitive values!
-
Background.
Jean Yang / Jeeves 34
Jeeves programming model
How Jeeves works.
Theoretical guarantees.
Implementation & evaluation.
This Talk
Implementation and evaluation.
Adapting the
approach for web
applications.
1
Scaling the
approach.
2
Challenges
-
Facets in the Application
and Database
Jean Yang / Jeeves 35
ApplicationQueries
select * from Users
where location =
SQL
Database
Application All data SQL
Databaseselect * from Users
Database
queries can
leak
information!
Impractical
and
potentially
slow!
Solution: Facet the database. Implemented as an object-
relational mapping supporting uniform facet representation.
-
Jeeves runtime
Jacqueline Web
Framework
Jean Yang / Jeeves 36
Application
Frontend Database
@jeevesViewerAttach policies.
Programmer is responsible
Framework is responsible
-
Jean Yang / Jeeves 37
Django-like
data schema
for describing
fields.
Policy for
‘location’ field.
Helper
functions for
policy include
queries.
Public value for
‘location’ field.
-
Jean Yang / Jeeves 38
Conference
management system
Course manager Medical records
(HIPAA)
Implemented in Jeeves
Questions1.How does faceted execution scale?
2.How does faceting the database affect
queries?
-
Demo
Jean Yang / Jeeves 39
-
CMS Running Times
Jean Yang / Jeeves 40
Database size does not affect
query speed.
Showing sensitive data grows
linearly.
0
0.05
0.1
0.15
0.2
0.25
0 200 400Tim
e to load p
age (
s)
Number of papers in DB
Show Single Paper
512 users 1024 users
0
10
20
30
40
50
0 200 400Tim
e to load p
age(s
)
Number of papers in DB
Show All Papers
512 users 1024 users
Tests from Amazon AWS machine via HTTP requests from another machine.
-
Evaluation Lessons
• Faceted execution is expensive.
• Policy-agnostic programming
does not always need faceted
execution.
• Many opportunities for
optimization in web frameworks.
Jean Yang / Jeeves 41
-
Policy-Agnostic
Programming in Jeeves
Jean Yang / Jeeves 42
Design of a policy-
agnostic
programming
language
[POPL ‘12]
Semantics and
guarantees
[PLAS ’13]
Implementation,
web framework,
and case studies
[in submission]
==
Other functionality
PoliciesSensitive
values
-
Jean Yang / Jeeves 43
F*: type-checking
security properties.
[ICFP ’11; JFP ‘13]
Ask Reeves: verified
privacy policies.
[patent filed]
Verified
Type-
checked
Verve: a provably
type-safe OS.
[PLDI ’10 (Best Paper);
CACM ‘10]
My Interests in
Provable Guarantees
Lessons
• Difficult to write secure and private programs.
• Even more difficult to prove them correct.
• Easier if we can get privacy by construction.
-
Jean Yang / Jeeves 44
The Future of Policy-
Agnostic Programming
• Factor out policies from other code.
• Rely on compiler and runtime to
differentiate behavior.
-
• Programmability.– Languages for different kinds of policies.
– Tools for verifying and visualizing policies.
• Scaling.– Policy-agnostic semantics with minimal faceting.
– Building foundations with policy management in mind.
Jean Yang / Jeeves 45
Making Policy-Agnostic
Programming Work
Web
frameworks
Databases Web browsers
-
Parting Thoughts
By reducing opportunity for
programmer error, we can
eliminate whole classes of
privacy leaks.
Jean Yang / Jeeves 46