Polymorphic Relaxed Noninterference

Information-flow security typing statically preserves confidentiality by enforcing noninterference. To address the practical need of selective and flexible declassification of confidential information, several approaches have developed a notion of relaxed noninterference, where security labels are either functions or types. The labels-as-types approach to relaxed noninterference supports expressive declassification policies, including recursive ones, via a simple subtyping-based ordering, and provides a local, modular reasoning principle. In this work, we extend this expressive declassification approach in order to support polymorphic declassification. First, we identify the need for bounded polymorphism through concrete examples. We then formalize polymorphic relaxed noninterference in a typed object-oriented calculus, using a step-indexed logical relation to prove that all well-typed terms are secure. Finally, we address the case of primitive types, which requires a form of ad-hoc polymorphism. Therefore, this work addresses practical hurdles to providing controlled and expressive declassification for the construction of information-flow secure systems.Comment: update affiliation/fundin

LWeb: Information Flow Security for Multi-tier Web Applications

This paper presents LWeb, a framework for enforcing label-based, information flow policies in database-using web applications. In a nutshell, LWeb marries the LIO Haskell IFC enforcement library with the Yesod web programming framework. The implementation has two parts. First, we extract the core of LIO into a monad transformer (LMonad) and then apply it to Yesod's core monad. Second, we extend Yesod's table definition DSL and query functionality to permit defining and enforcing label-based policies on tables and enforcing them during query processing. LWeb's policy language is expressive, permitting dynamic per-table and per-row policies. We formalize the essence of LWeb in the $\lambda_{LWeb}$ calculus and mechanize the proof of noninterference in Liquid Haskell. This mechanization constitutes the first metatheoretic proof carried out in Liquid Haskell. We also used LWeb to build a substantial web site hosting the Build it, Break it, Fix it security-oriented programming contest. The site involves 40 data tables and sophisticated policies. Compared to manually checking security policies, LWeb imposes a modest runtime overhead of between 2% to 21%. It reduces the trusted code base from the whole application to just 1% of the application code, and 21% of the code overall (when counting LWeb too)

Towards a Fully Abstract Compiler Using Micro-Policies: Secure Compilation for Mutually Distrustful Components

Secure compilation prevents all low-level attacks on compiled code and allows for sound reasoning about security in the source language. In this work we propose a new attacker model for secure compilation that extends the well-known notion of full abstraction to ensure protection for mutually distrustful components. We devise a compiler chain (compiler, linker, and loader) and a novel security monitor that together defend against this strong attacker model. The monitor is implemented using a recently proposed, generic tag-based protection framework called micro-policies, which comes with hardware support for efficient caching and with a formal verification methodology. Our monitor protects the abstractions of a simple object-oriented language---class isolation, the method call discipline, and type safety---against arbitrary low-level attackers

Characterizing SEAndroid Policies in the Wild

Starting from the 5.0 Lollipop release all Android processes must be run inside confined SEAndroid access control domains. As a result, Android device manufacturers were compelled to develop SEAndroid expertise in order to create policies for their device-specific components. In this paper we analyse SEAndroid policies from a number of 5.0 Lollipop devices on the market, and identify patterns of common problems we found. We also suggest some practical tools that can improve policy design and analysis. We implemented the first of such tools, SEAL.Comment: 10 pages, 3 figures. v2: Added acknowledgment to Jan-Erik Ekberg. v3: Fixed typo in abstrac

Brokering Policies and Execution Monitors for IoT Middleware

Event-based systems lie at the heart of many cloud-based Internet-of-Things (IoT) platforms. This combination of the Broker architectural style and the Publisher-Subscriber design pattern provides a way for smart devices to communicate and coordinate with one another. The present design of these cloud-based IoT frameworks lacks measures to (i) protect devices against malicious cloud disconnections, (ii) impose information flow control among communicating parties, and (iii) enforce coordination protocols in the presence of compromised devices. In this work, we propose to extend the modular event-based system architecture of Fiege et al., to incorporate brokering policies and execution monitors, in order to address the three protection challenges mentioned above. We formalized the operational semantics of our protection scheme, explored how the scheme can be used to enforce BLP-style information flow control and RBAC-style protection domains, implemented the proposal in an open-source MQTT broker, and evaluated the performance impact of the protection mechanisms

A Metapolicy Framework for Enhancing Domain Expressiveness on the Internet

Domain Name System (DNS) domains became Internet-level identifiers for entities (like companies, organizations, or individuals) hosting services and sharing resources over the Internet. Domains can specify a set of security policies (such as, email and trust security policies) that should be followed by clients while accessing the resources or services represented by them. Unfortunately, in the current Internet, the policy specification and enforcement are dispersed, non-comprehensive, insecure, and difficult to manage. In this paper, we present a comprehensive and secure metapolicy framework for enhancing the domain expressiveness on the Internet. The proposed framework allows the domain owners to specify, manage, and publish their domain-level security policies over the existing DNS infrastructure. The framework also utilizes the existing trust infrastructures (i.e., TLS and DNSSEC) for providing security. By reusing the existing infrastructures, our framework requires minimal changes and requirements for adoption. We also discuss the initial results of the measurements performed to evaluate what fraction of the current Internet can get benefits from deploying our framework. Moreover, overheads of deploying the proposed framework have been quantified and discussed.Comment: SecureComm'1

A Declarative Framework for Specifying and Enforcing Purpose-aware Policies

Purpose is crucial for privacy protection as it makes users confident that their personal data are processed as intended. Available proposals for the specification and enforcement of purpose-aware policies are unsatisfactory for their ambiguous semantics of purposes and/or lack of support to the run-time enforcement of policies. In this paper, we propose a declarative framework based on a first-order temporal logic that allows us to give a precise semantics to purpose-aware policies and to reuse algorithms for the design of a run-time monitor enforcing purpose-aware policies. We also show the complexity of the generation and use of the monitor which, to the best of our knowledge, is the first such a result in literature on purpose-aware policies.Comment: Extended version of the paper accepted at the 11th International Workshop on Security and Trust Management (STM 2015

On the Practicality of Cryptographically Enforcing Dynamic Access Control Policies in the Cloud (Extended Version)

The ability to enforce robust and dynamic access controls on cloud-hosted data while simultaneously ensuring confidentiality with respect to the cloud itself is a clear goal for many users and organizations. To this end, there has been much cryptographic research proposing the use of (hierarchical) identity-based encryption, attribute-based encryption, predicate encryption, functional encryption, and related technologies to perform robust and private access control on untrusted cloud providers. However, the vast majority of this work studies static models in which the access control policies being enforced do not change over time. This is contrary to the needs of most practical applications, which leverage dynamic data and/or policies. In this paper, we show that the cryptographic enforcement of dynamic access controls on untrusted platforms incurs computational costs that are likely prohibitive in practice. Specifically, we develop lightweight constructions for enforcing role-based access controls (i.e., $\mathsf{RBAC}_0$) over cloud-hosted files using identity-based and traditional public-key cryptography. This is done under a threat model as close as possible to the one assumed in the cryptographic literature. We prove the correctness of these constructions, and leverage real-world $\mathsf{RBAC}$ datasets and recent techniques developed by the access control community to experimentally analyze, via simulation, their associated computational costs. This analysis shows that supporting revocation, file updates, and other state change functionality is likely to incur prohibitive overheads in even minimally-dynamic, realistic scenarios. We identify a number of bottlenecks in such systems, and fruitful areas for future work that will lead to more natural and efficient constructions for the cryptographic enforcement of dynamic access controls.Comment: 26 pages; extended version of the IEEE S&P pape

Pyronia: Intra-Process Access Control for IoT Applications

Third-party code plays a critical role in IoT applications, which generate and analyze highly privacy-sensitive data. Unlike traditional desktop and server settings, IoT devices mostly run a dedicated, single application. As a result, vulnerabilities in third-party libraries within a process pose a much bigger threat than on traditional platforms. We present Pyronia, a fine-grained access control system for IoT applications written in high-level languages. Pyronia exploits developers' coarse-grained expectations about how imported third-party code operates to restrict access to files, devices, and specific network destinations, at the granularity of individual functions. To efficiently protect such sensitive OS resources, Pyronia combines three techniques: system call interposition, stack inspection, and memory domains. This design avoids the need for application refactoring, or unintuitive data flow analysis, while enforcing the developer's access policy at run time. Our Pyronia prototype for Python runs on a custom Linux kernel, and incurs moderate performance overhead on unmodified Python applications.Comment: 19 pages, 3 figure

Self-enforcing Game Theory-based Resource Allocation for LoRaWAN Assisted Public Safety Communications

Public safety networks avail to disseminate information during emergency situations through its dedicated servers. Public safety networks accommodate public safety communication (PSC) applications to track the location of its utilizers and enable to sustain transmissions even in the crucial scenarios. Despite that, if the traditional setups responsible for PSCs are unavailable, it becomes prodigiously arduous to handle any of the safety applications, which may cause havoc in the society. Dependence on a secondary network may assist to solve such an issue. But, the secondary networks should be facilely deployable and must not cause exorbitant overheads in terms of cost and operation. For this, LoRaWAN can be considered as an ideal solution as it provides low power and long-range communication. However, an excessive utilization of the secondary network may result in high depletion of its own resources and can lead to a complete shutdown of services, which is a quandary at hand. As a solution, this paper proposes a novel network model via a combination of LoRaWAN and traditional public safety networks, and uses a self-enforcing agreement based game theory for allocating resources efficiently amongst the available servers. The proposed approach adopts memory and energy constraints as agreements, which are satisfied through Nash equilibrium. The numerical results show that the proposed approach is capable of efficiently allocating the resources with sufficiently high gains for resource conservation, network sustainability, resource restorations and probability to continue at the present conditions even in the complete absence of traditional Access Points (APs) compared with a baseline scenario with no failure of nodes.Comment: 16 Pages, 11 Figures, 2 Table