49,096 research outputs found
Polymorphic Relaxed Noninterference
Information-flow security typing statically preserves confidentiality by
enforcing noninterference. To address the practical need of selective and
flexible declassification of confidential information, several approaches have
developed a notion of relaxed noninterference, where security labels are either
functions or types. The labels-as-types approach to relaxed noninterference
supports expressive declassification policies, including recursive ones, via a
simple subtyping-based ordering, and provides a local, modular reasoning
principle. In this work, we extend this expressive declassification approach in
order to support polymorphic declassification. First, we identify the need for
bounded polymorphism through concrete examples. We then formalize polymorphic
relaxed noninterference in a typed object-oriented calculus, using a
step-indexed logical relation to prove that all well-typed terms are secure.
Finally, we address the case of primitive types, which requires a form of
ad-hoc polymorphism. Therefore, this work addresses practical hurdles to
providing controlled and expressive declassification for the construction of
information-flow secure systems.Comment: update affiliation/fundin
LWeb: Information Flow Security for Multi-tier Web Applications
This paper presents LWeb, a framework for enforcing label-based, information
flow policies in database-using web applications. In a nutshell, LWeb marries
the LIO Haskell IFC enforcement library with the Yesod web programming
framework. The implementation has two parts. First, we extract the core of LIO
into a monad transformer (LMonad) and then apply it to Yesod's core monad.
Second, we extend Yesod's table definition DSL and query functionality to
permit defining and enforcing label-based policies on tables and enforcing them
during query processing. LWeb's policy language is expressive, permitting
dynamic per-table and per-row policies. We formalize the essence of LWeb in the
calculus and mechanize the proof of noninterference in Liquid
Haskell. This mechanization constitutes the first metatheoretic proof carried
out in Liquid Haskell. We also used LWeb to build a substantial web site
hosting the Build it, Break it, Fix it security-oriented programming contest.
The site involves 40 data tables and sophisticated policies. Compared to
manually checking security policies, LWeb imposes a modest runtime overhead of
between 2% to 21%. It reduces the trusted code base from the whole application
to just 1% of the application code, and 21% of the code overall (when counting
LWeb too)
Towards a Fully Abstract Compiler Using Micro-Policies: Secure Compilation for Mutually Distrustful Components
Secure compilation prevents all low-level attacks on compiled code and allows
for sound reasoning about security in the source language. In this work we
propose a new attacker model for secure compilation that extends the well-known
notion of full abstraction to ensure protection for mutually distrustful
components. We devise a compiler chain (compiler, linker, and loader) and a
novel security monitor that together defend against this strong attacker model.
The monitor is implemented using a recently proposed, generic tag-based
protection framework called micro-policies, which comes with hardware support
for efficient caching and with a formal verification methodology. Our monitor
protects the abstractions of a simple object-oriented language---class
isolation, the method call discipline, and type safety---against arbitrary
low-level attackers
Characterizing SEAndroid Policies in the Wild
Starting from the 5.0 Lollipop release all Android processes must be run
inside confined SEAndroid access control domains. As a result, Android device
manufacturers were compelled to develop SEAndroid expertise in order to create
policies for their device-specific components. In this paper we analyse
SEAndroid policies from a number of 5.0 Lollipop devices on the market, and
identify patterns of common problems we found. We also suggest some practical
tools that can improve policy design and analysis. We implemented the first of
such tools, SEAL.Comment: 10 pages, 3 figures. v2: Added acknowledgment to Jan-Erik Ekberg. v3:
Fixed typo in abstrac
Brokering Policies and Execution Monitors for IoT Middleware
Event-based systems lie at the heart of many cloud-based Internet-of-Things
(IoT) platforms. This combination of the Broker architectural style and the
Publisher-Subscriber design pattern provides a way for smart devices to
communicate and coordinate with one another. The present design of these
cloud-based IoT frameworks lacks measures to (i) protect devices against
malicious cloud disconnections, (ii) impose information flow control among
communicating parties, and (iii) enforce coordination protocols in the presence
of compromised devices. In this work, we propose to extend the modular
event-based system architecture of Fiege et al., to incorporate brokering
policies and execution monitors, in order to address the three protection
challenges mentioned above. We formalized the operational semantics of our
protection scheme, explored how the scheme can be used to enforce BLP-style
information flow control and RBAC-style protection domains, implemented the
proposal in an open-source MQTT broker, and evaluated the performance impact of
the protection mechanisms
A Metapolicy Framework for Enhancing Domain Expressiveness on the Internet
Domain Name System (DNS) domains became Internet-level identifiers for
entities (like companies, organizations, or individuals) hosting services and
sharing resources over the Internet. Domains can specify a set of security
policies (such as, email and trust security policies) that should be followed
by clients while accessing the resources or services represented by them.
Unfortunately, in the current Internet, the policy specification and
enforcement are dispersed, non-comprehensive, insecure, and difficult to
manage.
In this paper, we present a comprehensive and secure metapolicy framework for
enhancing the domain expressiveness on the Internet. The proposed framework
allows the domain owners to specify, manage, and publish their domain-level
security policies over the existing DNS infrastructure. The framework also
utilizes the existing trust infrastructures (i.e., TLS and DNSSEC) for
providing security. By reusing the existing infrastructures, our framework
requires minimal changes and requirements for adoption. We also discuss the
initial results of the measurements performed to evaluate what fraction of the
current Internet can get benefits from deploying our framework. Moreover,
overheads of deploying the proposed framework have been quantified and
discussed.Comment: SecureComm'1
A Declarative Framework for Specifying and Enforcing Purpose-aware Policies
Purpose is crucial for privacy protection as it makes users confident that
their personal data are processed as intended. Available proposals for the
specification and enforcement of purpose-aware policies are unsatisfactory for
their ambiguous semantics of purposes and/or lack of support to the run-time
enforcement of policies.
In this paper, we propose a declarative framework based on a first-order
temporal logic that allows us to give a precise semantics to purpose-aware
policies and to reuse algorithms for the design of a run-time monitor enforcing
purpose-aware policies. We also show the complexity of the generation and use
of the monitor which, to the best of our knowledge, is the first such a result
in literature on purpose-aware policies.Comment: Extended version of the paper accepted at the 11th International
Workshop on Security and Trust Management (STM 2015
On the Practicality of Cryptographically Enforcing Dynamic Access Control Policies in the Cloud (Extended Version)
The ability to enforce robust and dynamic access controls on cloud-hosted
data while simultaneously ensuring confidentiality with respect to the cloud
itself is a clear goal for many users and organizations. To this end, there has
been much cryptographic research proposing the use of (hierarchical)
identity-based encryption, attribute-based encryption, predicate encryption,
functional encryption, and related technologies to perform robust and private
access control on untrusted cloud providers. However, the vast majority of this
work studies static models in which the access control policies being enforced
do not change over time. This is contrary to the needs of most practical
applications, which leverage dynamic data and/or policies. In this paper, we
show that the cryptographic enforcement of dynamic access controls on untrusted
platforms incurs computational costs that are likely prohibitive in practice.
Specifically, we develop lightweight constructions for enforcing role-based
access controls (i.e., ) over cloud-hosted files using
identity-based and traditional public-key cryptography. This is done under a
threat model as close as possible to the one assumed in the cryptographic
literature. We prove the correctness of these constructions, and leverage
real-world datasets and recent techniques developed by the
access control community to experimentally analyze, via simulation, their
associated computational costs. This analysis shows that supporting revocation,
file updates, and other state change functionality is likely to incur
prohibitive overheads in even minimally-dynamic, realistic scenarios. We
identify a number of bottlenecks in such systems, and fruitful areas for future
work that will lead to more natural and efficient constructions for the
cryptographic enforcement of dynamic access controls.Comment: 26 pages; extended version of the IEEE S&P pape
Pyronia: Intra-Process Access Control for IoT Applications
Third-party code plays a critical role in IoT applications, which generate
and analyze highly privacy-sensitive data. Unlike traditional desktop and
server settings, IoT devices mostly run a dedicated, single application. As a
result, vulnerabilities in third-party libraries within a process pose a much
bigger threat than on traditional platforms.
We present Pyronia, a fine-grained access control system for IoT applications
written in high-level languages. Pyronia exploits developers' coarse-grained
expectations about how imported third-party code operates to restrict access to
files, devices, and specific network destinations, at the granularity of
individual functions. To efficiently protect such sensitive OS resources,
Pyronia combines three techniques: system call interposition, stack inspection,
and memory domains. This design avoids the need for application refactoring, or
unintuitive data flow analysis, while enforcing the developer's access policy
at run time. Our Pyronia prototype for Python runs on a custom Linux kernel,
and incurs moderate performance overhead on unmodified Python applications.Comment: 19 pages, 3 figure
Self-enforcing Game Theory-based Resource Allocation for LoRaWAN Assisted Public Safety Communications
Public safety networks avail to disseminate information during emergency
situations through its dedicated servers. Public safety networks accommodate
public safety communication (PSC) applications to track the location of its
utilizers and enable to sustain transmissions even in the crucial scenarios.
Despite that, if the traditional setups responsible for PSCs are unavailable,
it becomes prodigiously arduous to handle any of the safety applications, which
may cause havoc in the society. Dependence on a secondary network may assist to
solve such an issue. But, the secondary networks should be facilely deployable
and must not cause exorbitant overheads in terms of cost and operation. For
this, LoRaWAN can be considered as an ideal solution as it provides low power
and long-range communication. However, an excessive utilization of the
secondary network may result in high depletion of its own resources and can
lead to a complete shutdown of services, which is a quandary at hand. As a
solution, this paper proposes a novel network model via a combination of
LoRaWAN and traditional public safety networks, and uses a self-enforcing
agreement based game theory for allocating resources efficiently amongst the
available servers. The proposed approach adopts memory and energy constraints
as agreements, which are satisfied through Nash equilibrium. The numerical
results show that the proposed approach is capable of efficiently allocating
the resources with sufficiently high gains for resource conservation, network
sustainability, resource restorations and probability to continue at the
present conditions even in the complete absence of traditional Access Points
(APs) compared with a baseline scenario with no failure of nodes.Comment: 16 Pages, 11 Figures, 2 Table
- …