
    Shai: Enforcing Data-Specific Policies with Near-Zero Runtime Overhead

    Data retrieval systems such as online search engines and online social networks must comply with the privacy policies of personal and selectively shared data items, with regulatory policies regarding data retention and censorship, and with the provider's own policies regarding data use. Enforcing these policies is difficult and error-prone. Systematic enforcement techniques are either limited to type-based policies that apply uniformly to all data of the same type, or incur significant runtime overhead. This paper presents Shai, the first system that systematically enforces data-specific policies with near-zero overhead in the common case. Shai's key idea is to push as many policy checks as possible to an offline, ahead-of-time analysis phase, often relying on predicted values of runtime parameters such as the state of access control lists or connected users' attributes. Runtime interception is used sparingly, only to verify these predictions and to perform any remaining policy checks. Our prototype implementation relies on efficient, modern OS primitives for sandboxing and isolation. We present the design of Shai and quantify its overheads on an experimental data indexing and search pipeline based on the popular search engine Apache Lucene.
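The prediction-then-verify idea in this abstract can be illustrated with a minimal sketch. All names here are hypothetical, not Shai's actual interfaces: offline analysis evaluates the policy under predicted runtime parameters (here, an ACL and a connected user), and the runtime path only verifies that the prediction still holds, falling back to a full check when it does not.

```python
def offline_analysis(item_acl, predicted_user):
    """Ahead of time: decide whether the flow would be compliant under the
    predicted runtime parameters, and record those predictions."""
    return {"predicted_acl": frozenset(item_acl),
            "predicted_user": predicted_user,
            "allowed": predicted_user in item_acl}

def runtime_check(capability, current_acl, current_user):
    """At runtime: cheaply verify the predictions; only if they no longer
    hold, fall back to a full policy check."""
    if (capability["predicted_acl"] == frozenset(current_acl)
            and capability["predicted_user"] == current_user):
        return capability["allowed"]      # common case: near-zero work
    return current_user in current_acl    # rare case: re-check the policy

cap = offline_analysis(item_acl=["alice", "bob"], predicted_user="alice")
print(runtime_check(cap, ["alice", "bob"], "alice"))  # prediction holds
print(runtime_check(cap, ["alice"], "bob"))           # ACL changed: re-check
```

The common case is a couple of equality tests, which is what lets most policy enforcement cost move out of the request path.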

    Dynamic abstraction model checking

    Model checking has attracted considerable attention as an automatic technique for verifying finite-state concurrent systems. It is a formal method for verifying whether a software or hardware system meets its specified properties. Model checkers have become indispensable tools in hardware and software design and implementation, since they reduce human effort. The time and feasibility of the model checking process depend on the size and complexity of the formal system model, and the state-space explosion problem remains a major hurdle, as the number of global states can be enormous. Among the many methods for speeding up model checkers, abstraction is one of the most effective: it removes or simplifies details, including entire components of the concrete model that are irrelevant to the specifications. In practice, abstraction-based methods have been essential for verifying designs of industrial complexity in many fields. Manual abstraction is ad hoc and error-prone; hence, automatic abstraction strategies are desirable for verifying real hardware and software designs. This thesis presents a new approach that checks the model using two abstractions, Universal Abstraction and Existential Abstraction. These techniques can check both the existential fragment of Computation Tree Logic (ECTL) and the universal fragment of Computation Tree Logic (ACTL). I developed a model checker, called LOTUS, built on these techniques together with a traditional fixed-point algorithm on Linux; its input grammar is designed and implemented using Bison/YACC. Experimental results confirmed the feasibility and validity of this new dynamic model checking technique. The process for this new technique is as follows. First, LOTUS automatically constructs two abstraction models according to the specifications defined in the input file by the user. Second, it verifies whether the abstraction model satisfies the specifications and outputs a conclusion. If the conclusion is credible, LOTUS produces the final output; otherwise, it refines the two abstraction models according to the counterexamples or witnesses produced by the abstraction model. This process is repeated until the abstraction model is equivalent to the concrete model or an authentic conclusion can be obtained. In this thesis, I aim to provide a complete picture of this dynamic model-checking algorithm, ranging from design details to implementation-related issues and experiments on the Dining Philosophers Problem. The main contributions of this approach are threefold. First, the Dynamic Abstraction Algorithm can check both ECTL and ACTL within abstraction methods. Second, a transition abstraction is introduced, whose purpose is to make the model checker easier to implement. Third, refining both abstraction models according to either a witness or a counterexample amounts to modifying the transitions. This method may reduce time and space consumption.
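The check-then-refine loop described in this abstract can be sketched in a heavily simplified form. This is not LOTUS's algorithm or interface; it only illustrates the refinement idea: states are grouped into abstract blocks, a block that mixes good and bad concrete states yields a spurious counterexample, and refinement splits that block until the verdict is trustworthy.

```python
def check_no_bad_reachable(bad_states, partition):
    """Toy abstraction-refinement loop: report whether any abstract block
    consists entirely of bad states, splitting mixed blocks on the way."""
    while True:
        # An abstract block is flagged if it contains any bad concrete state.
        flagged = [block for block in partition if block & bad_states]
        if not flagged:
            return True, partition       # property holds on the abstraction
        block = flagged[0]
        truly_bad = block & bad_states
        if block == truly_bad:
            return False, partition      # genuine counterexample
        # Spurious counterexample: refine by splitting the mixed block.
        partition.remove(block)
        partition += [truly_bad, block - truly_bad]

# Blocks {1,2} and {3,4}; state 4 is bad, so {3,4} is split, then rejected.
ok, refined = check_no_bad_reachable(bad_states={4},
                                     partition=[{1, 2}, {3, 4}])
print(ok, refined)
```

A real checker would also track transitions and replay abstract counterexample paths on the concrete model; the sketch keeps only the split-on-spurious-evidence step that the abstract calls "modifying the transitions".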

    Comprehensive and Practical Policy Compliance in Data Retrieval Systems

    Data retrieval systems such as online search engines and online social networks process many data items coming from different sources, each subject to its own data use policy. Ensuring compliance with these policies in a large and fast-evolving system presents a significant technical challenge, since bugs, misconfigurations, or operator errors can cause (accidental) policy violations. To prevent such violations, researchers and practitioners develop policy compliance systems. Existing policy compliance systems, however, are either not comprehensive or not practical. To be comprehensive, a compliance system must be able to enforce users' policies regarding their personal privacy preferences, the service provider's own policies regarding data use such as auditing and personalization, and regulatory policies such as data retention and censorship. To be practical, a compliance system must meet stringent requirements: (1) runtime overhead must be low; (2) existing applications must run with few modifications; and (3) bugs, misconfigurations, or actions by unprivileged operators must not cause policy violations. In this thesis, we present the design and implementation of two comprehensive and practical compliance systems: Thoth and Shai. Thoth relies on pure runtime monitoring: it tracks data flows by intercepting processes' I/O, and then it checks the associated policies to allow only policy-compliant flows at runtime. Shai, on the other hand, combines offline analysis with lightweight runtime monitoring: it pushes as many policy checks as possible to an offline (flow) analysis by predicting the policies that data-handling processes will be subject to at runtime, and then it compiles those policies into a set of fine-grained I/O capabilities that the underlying operating system can enforce directly.
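The contrast between the two designs can be sketched as follows. The names and policy representation are illustrative, not Thoth's or Shai's real interfaces: the Thoth-style path evaluates the item's policy on every intercepted I/O, while the Shai-style path evaluates policies once offline and reduces each runtime access to a capability membership test.

```python
def thoth_read(process, item, policies):
    """Runtime monitoring: evaluate the item's policy at every I/O."""
    return policies[item](process)

def shai_compile(process, items, policies):
    """Offline analysis: evaluate policies once, emit I/O capabilities."""
    return {item for item in items if policies[item](process)}

def shai_read(capabilities, item):
    """Runtime: a constant-time check the OS itself could enforce."""
    return item in capabilities

# Toy policies: doc1 may only flow to the indexer; doc2 to nobody.
policies = {"doc1": lambda proc: proc == "indexer",
            "doc2": lambda proc: False}
caps = shai_compile("indexer", ["doc1", "doc2"], policies)
print(thoth_read("indexer", "doc1", policies))  # full check per access
print(shai_read(caps, "doc1"))                  # capability lookup only
print(shai_read(caps, "doc2"))
```

Both paths reach the same decisions; they differ in when the policy is evaluated, which is exactly the overhead trade-off the abstract describes.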