Information Flow Model for Commercial Security

Information flow in Discretionary Access Control (DAC) is a well-known difficult problem. This paper formalizes the fundamental concepts and establishes a theory of information flow security. A DAC system is information flow secure (IFS), if any data never flows into the hands of owner’s enemies (explicitly denial access list.

Towards an implementation of information flow security using semantic web technologies

Controlling the flow of sensitive data has been widely acknowledged as a critical aspect for securing web information systems. A common limitation of previous approaches for the implementation of the information flow control is their proposal of new scripting languages. This makes them infeasible to be applied to existing systems written in traditional programming languages as these systems need to be redeveloped in the proposed scripting language. This paper proposes a methodology that offers a common interlinqua through the use of Semantic Web technologies for securing web information systems independently of their programming language. © 2012 IEEE

Strong and Provably Secure Database Access Control

Existing SQL access control mechanisms are extremely limited. Attackers can leak information and escalate their privileges using advanced database features such as views, triggers, and integrity constraints. This is not merely a problem of vendors lagging behind the state-of-the-art. The theoretical foundations for database security lack adequate security definitions and a realistic attacker model, both of which are needed to evaluate the security of modern databases. We address these issues and present a provably secure access control mechanism that prevents attacks that defeat popular SQL database systems.Comment: A short version of this paper has been published in the proceedings of the 1st IEEE European Symposium on Security and Privacy (EuroS&P 2016

Flexible Information-Flow Control

As more and more sensitive data is handled by software, its trustworthinessbecomes an increasingly important concern. This thesis presents work on ensuringthat information processed by computing systems is not disclosed to thirdparties without the user\u27s permission; i.e. to prevent unwanted flows ofinformation. While this problem is widely studied, proposed rigorousinformation-flow control approaches that enforce strong securityproperties like noninterference have yet to see widespread practical use.Conversely, lightweight techniques such as taint tracking are more prevalent inpractice, but lack formal underpinnings, making it unclear what guarantees theyprovide.This thesis aims to shrink the gap between heavyweight information-flow controlapproaches that have been proven sound and lightweight practical techniqueswithout formal guarantees such as taint tracking. This thesis attempts toreconcile these areas by (a) providing formal foundations to taint trackingapproaches, (b) extending information-flow control techniques to more realisticlanguages and settings, and (c) exploring security policies and mechanisms thatfall in between information-flow control and taint tracking and investigating whattrade-offs they incur

Ensuring compliance with data privacy and usage policies in online services

Online services collect and process a variety of sensitive personal data that is subject to complex privacy and usage policies. Complying with the policies is critical, often legally binding for service providers, but it is challenging as applications are prone to many disclosure threats. We present two compliance systems, Qapla and Pacer, that ensure efficient policy compliance in the face of direct and side-channel disclosures, respectively. Qapla prevents direct disclosures in database-backed applications (e.g., personnel management systems), which are subject to complex access control, data linking, and aggregation policies. Conventional methods inline policy checks with application code. Qapla instead specifies policies directly on the database and enforces them in a database adapter, thus separating compliance from the application code. Pacer prevents network side-channel leaks in cloud applications. A tenant’s secrets may leak via its network traffic shape, which can be observed at shared network links (e.g., network cards, switches). Pacer implements a cloaked tunnel abstraction, which hides secret-dependent variation in tenant’s traffic shape, but allows variations based on non-secret information, enabling secure and efficient use of network resources in the cloud. Both systems require modest development efforts, and incur moderate performance overheads, thus demonstrating their usability.Onlinedienste sammeln und verarbeiten eine Vielzahl sensibler persönlicher Daten, die komplexen Datenschutzrichtlinien unterliegen. Die Einhaltung dieser Richtlinien ist häufig rechtlich bindend für Dienstanbieter und gleichzeitig eine Herausforderung, da Fehler in Anwendungsprogrammen zu einer unabsichtlichen Offenlegung führen können. Wir präsentieren zwei Compliance-Systeme, Qapla und Pacer, die Richtlinien effizient einhalten und gegen direkte und indirekte Offenlegungen durch Seitenkanäle schützen. Qapla verhindert direkte Offenlegungen in datenbankgestützten Anwendungen. Herkömmliche Methoden binden Richtlinienprüfungen in Anwendungscode ein. Stattdessen gibt Qapla Richtlinien direkt in der Datenbank an und setzt sie in einem Datenbankadapter durch. Die Konformität ist somit vom Anwendungscode getrennt. Pacer verhindert Netzwerkseitenkanaloffenlegungen in Cloud-Anwendungen. Geheimnisse eines Nutzers können über die Form des Netzwerkverkehr offengelegt werden, die bei gemeinsam genutzten Netzwerkelementen (z. B. Netzwerkkarten, Switches) beobachtet werden kann. Pacer implementiert eine Tunnelabstraktion, die Geheimnisse im Netzwerkverkehr des Nutzers verbirgt, jedoch Variationen basier- end auf nicht geheimen Informationen zulässt und eine sichere und effiziente Nutzung der Netzwerkressourcen in der Cloud ermöglicht. Beide Systeme erfordern geringen Entwicklungsaufwand und verursachen einen moderaten Leistungsaufwand, wodurch ihre Nützlichkeit demonstriert wird

Static code analysis of data-driven applications through common lingua and the Semantic Web technologies

Web applications have become increasingly popular due to their potential for businesses' high revenue gain through global reach. Along with these opportunities, also come challenges in terms of Web application security. The increased rise in the number of datadriven applications has also seen an increased rise in their systematic attacks. Cyberattacks exploit Web application vulnerabilities. Attack trends show a major increase in Web application vulnerabilities caused by improper implementation of information-flow control methods and they account for more than 50% of all Web application vulnerabilities found in the year 2013. Static code analysis using methods of information-flow control is a widely acknowledged technique to secure Web applications. Whilst this technique has been found to be both very effective and efficient in finding Web application vulnerabilities, specific tools are highly dependent on the programming language. This thesis leverages Semantic Web technologies in order to offer a common language through source code represented using the Resource Description Framework format, whereby reasoning can be applied to securely test Web applications. In this thesis, we present a framework that extracts source code facts from various programming languages at a variable-level of granularity using Abstract Syntax Trees (ASTs) generated using language grammars and the ANTLR parser generator. The methodology for detecting Web application vulnerabilities implements three phases: entry points identification, tracing information-flow and vulnerability detection using the Jena framework inference mechanism and rules describing patterns of source code. The approach discussed in this thesis is found to be effective and practical in finding Web application vulnerabilities with the limitation that it can only detect patterns that are used as training data or very similar patterns. False positives are caused by limitations of the language grammar, but they do not affect the accuracy of the security vulnerability detection method in identifying the correct Web application vulnerability.Doctor of Philosoph

Decentralized information flow control for databases

Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2012.This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections.Cataloged from student-submitted PDF version of thesis.Includes bibliographical references (p. 177-194).Privacy and integrity concerns have been mounting in recent years as sensitive data such as medical records, social network records, and corporate and government secrets are increasingly being stored in online systems. The rate of high-profile breaches has illustrated that current techniques are inadequate for protecting sensitive information. Many of these breaches involve databases that handle information for a multitude of individuals, but databases don't provide practical tools to protect those individuals from each other, so that task is relegated to the application. This dissertation describes a system that improves security in a principled way by extending the database system and the application platform to support information flow control. Information flow control has been gaining traction as a practical way to protect information in the contexts of programming languages and operating systems. Recent research advocates the decentralized model for information flow control (DIFC), since it provides the necessary expressiveness to protect data for many individuals with varied security concerns.However, despite the fact that most applications implicated in breaches rely on relational databases, there have been no prior comprehensive attempts to extend DIFC to a database system. This dissertation introduces IFDB, which is a database management system that supports DIFC with minimal overhead. IFDB pioneers the Query by Label model, which provides applications with a simple way to delineate constraints on the confidentiality and integrity of the data they obtain from the database. This dissertation also defines new abstractions for managing information flows in a database and proposes new ways to address covert channels. Finally, the IFDB implementation and case studies with real applications demonstrate that database support for DIFC improves security, is easy for developers to use, and has good performance.by David Andrew Schultz.Ph.D

Modélisation en UML/OCL des langages de programmation et de leurs propriétés et processus IDM

Cette étude est axée sur l'activité de génération de composants logiciels se situant en phase terminale des processus de développement de logiciels dirigés par les modèles. Dans une première partie, nous présentons les travaux de recherche déjà existants sur les modèles et les transformations de modèles, ainsi que sur la modélisation en UML/OCL des langages de programmation limitée, la plupart du temps, aux aspects syntaxiques. Dans une deuxième partie, nous montrons comment nous modélisons en UML/OCL, les propriétés comportementales et axiomatiques des langages de programmation de style impératif. La modélisation des propriétés comportementales et axiomatiques d'un langage, en UML/OCL enrichi d'un langage d'actions, nous amène à montrer comment on peut, à l'aide de triplets de Hoare, vérifier que des segments de modèles de programmes sont corrects. Les assertions déduites des triplets de Hoare par application des propriétés axiomatiques du langage sont transmises à un Atelier B en vue d'étudier leurs éventuelles validités. Dans une troisième partie, nous montrons comment on peut injecter au niveau du Méta-Modèle UML des propriétés comportementales et axiomatiques spécifiques à un domaine d'applications particulier. Nous nous sommes limités au fragment du Méta-Modèle UML définissant les diagrammes d'activité se situant donc en amont des modèles de codes, avant la génération proprement dite des codes. La cohérence entre les modèles et les codes peut se vérifier à l'aide de propriétés comportementales et axiomatiques en comparant les modèles issues des exigences et les modèles des codes. Ces travaux de recherche ont été financés dans le cadre de l'ANR.Our work focuses on the software component generation phase that takes place at the last phase of a model driven development process. Our work is related to either the modelware or the grammarware because the model driven process can be considered as a successive of model transformations whereas the code generation is a specific transformation from the model to a language grammar. In the first part, we resume some relative works in the domain of the models and of the models transformation; we also present the language modeling in UML which is generally restricted by the syntax modeling. In the second part, we show how we model in UML/OCL the behavioral and axiomatic properties of imperative programming languages. The modeling of the behavioral properties helps to execute the code models if we dispose a right execution environment. In the other hand, the modeling of the axiomatic properties helps to demonstrate the correctness of the code model. In fact, the assertions obtained from the modeling of the axiomatic properties of the language will be transferred to a B atelier in order to have further validation. In the third part, we show how we inject into the UML metamodel the considered domain behavioral and axiomatic properties. We focus on the activity diagram metamodel of the UML which defines the behavior part of a UML model. The coherence between the models and the codes can be then verified in comparing the behavioral and axiomatic properties of the models issued from the requirements and that of the codes. Our work is financed by the ANR research projects

Users’ perception of Facebook data use and data privacy concerns: the Nigerian case

The study investgated Nigerian Facebook users’ perception of Facebook’s data use and data privacy concerns from the perspective of the sense making theory, the theory of planned behaviour and the privacy calculus theory. It evaluated the users’ information sharing and seeking behaviour when using the platform, factors that promoted and impeded information seeking behaviour, differences in Facebook use across different population groups, level of awareness of Facebook’s data mining business model, level of trust in Facebook and the magnitude, causes and impact of data privacy concerns. A mixed methods research approach was adopted as the study involved collection of both qualitative and quantitative data. Qualitative data was collected through 30 semi-structured interviews involving Facebook users in Nigeria. The quantitative data was collected through an online survey that involved 389 respondents that were Facebook users in Nigeria. The qualitative data collected was evaluated through the thematic content analysis approach while the quantitative data collected was analysed through statistical analysis using SPSS. The study’s findings make an innovative contribution to existing knowledge on Nigerian Facebook users’ information sharing and seeking behaviour, data privacy concerns and trust in the platform from the perspective of the sense making theory, the theory of planned behaviour and the privacy calculus model. At the time of this study, there was limited literature coverage of the above issues from the perspective of the sense making theory, the theory of planned behaviour and the privacy calculus model. From a sense making perspective, the findings of the study indicated that regardless of Nigerian Facebook users’ level of education attainment, ethnicity, and occupation, they were likely to primarily use Facebook for purposes of content sharing and entertainment. The study’s findings indicated that data privacy concerns among Facebook users in Nigeria negatively impacted their intention to share information on the platform