Citation Context

...(i.e., the version of the server without the calls to create_tag(), expand_label(), and clear_label()). Swim represents programs internally using a dialect of Communicating Sequential Processes (CSP) =-=[2]-=-: it translates the C program into a CSP program that models properties relevant to DIFC instrumentation, and then analyzes the CSP program. We use CSP as an intermediate representation because CSP is...

Citation Context

...the set of tags that represent principals, along with inferring the code that manipulates these tags. Aspect-oriented programming (AOP) breaks program logic down into distinct parts (called concerns) =-=[13]-=-. AOP deals with concerns (called crosscutting concerns) that span multiple abstractions in a program. Logging exemplifies a crosscutting concern because a logging strategy necessarily affects every s...

Citation Context

...-flow policy from the literature [15, 26], expressed the policy in terms of the flow assertions described in §3.2.2, and then fed the program and policy to the tool. We implemented Swim using the CIL =-=[19]-=- program-analysis infrastructure for C, and the Yices SMT solver [7]. The only program annotations required by Swim are C labels (not Flume labels) that map program points to variables used in flow as...

Citation Context

...t of processes. Several programming languages, such as Jif, provide type systems based on security labels that allow the programmer to validate security properties of their code through type-checking =-=[18, 23]-=-. Jif has been used to implement several real-world applications with strong security guarantees (e.g. [3, 5, 12]), but these programs are written from scratch in Jif. Automatic techniques can partiti...

Citation Context

...TRODUCTION Decentralized information flow control (DIFC) operating systems are a recent innovation aimed at providing applications with mechanisms for ensuring the secrecy and integrity of their data =-=[15, 24, 26]-=-. To achieve this goal, a DIFC OS associates with each process a label drawn from a partiallyordered set. A process may send data to another process only if the processes’ labels satisfy a certain ord...

Citation Context

...TRODUCTION Decentralized information flow control (DIFC) operating systems are a recent innovation aimed at providing applications with mechanisms for ensuring the secrecy and integrity of their data =-=[15, 24, 26]-=-. To achieve this goal, a DIFC OS associates with each process a label drawn from a partiallyordered set. A process may send data to another process only if the processes’ labels satisfy a certain ord...

Citation Context

...allow the programmer to validate security properties of their code through type-checking [18, 23]. Jif has been used to implement several real-world applications with strong security guarantees (e.g. =-=[3, 5, 12]-=-), but these programs are written from scratch in Jif. Automatic techniques can partition a Jif web application between its client and server [3]. Jif requires the programmer to define a bounded set o...

Citation Context

...allow the programmer to validate security properties of their code through type-checking [18, 23]. Jif has been used to implement several real-world applications with strong security guarantees (e.g. =-=[3, 5, 12]-=-), but these programs are written from scratch in Jif. Automatic techniques can partition a Jif web application between its client and server [3]. Jif requires the programmer to define a bounded set o...

Citation Context

...ionally, DIFC systems provide certain guarantees that Resin does not match [25]. Previous work describes techniques to automatically synthesize programs from complete specifications of their behavior =-=[6, 21, 22]-=-. Like Swim, these techniques assume a program skeleton and a specification of correctness, and then use constraint solving to generate language constructs, yielding a concrete implementation of the s...

Citation Context

...ically, given only an uninstrumented program and a policy. Such code is correct by construction. Krohn and Tromer [14] use CSP to reason about the Flume OS, not applications running atop Flume. Resin =-=[25]-=- is a language runtime that allows a programmer to specify dataflow assertions, which are checked over the state of the associated data before the data is allowed to be sent from one system object to ...

Citation Context

...t of processes. Several programming languages, such as Jif, provide type systems based on security labels that allow the programmer to validate security properties of their code through type-checking =-=[18, 23]-=-. Jif has been used to implement several real-world applications with strong security guarantees (e.g. [3, 5, 12]), but these programs are written from scratch in Jif. Automatic techniques can partiti...

Citation Context

...TRODUCTION Decentralized information flow control (DIFC) operating systems are a recent innovation aimed at providing applications with mechanisms for ensuring the secrecy and integrity of their data =-=[15, 24, 26]-=-. To achieve this goal, a DIFC OS associates with each process a label drawn from a partiallyordered set. A process may send data to another process only if the processes’ labels satisfy a certain ord...

Citation Context

...cally by Swim on on top of a DIFC operating system, a user obtains greater assurance of the end-toend information-flow security of their application. Our goals are shared by Efstathopoulos and Kohler =-=[8]-=-, who have also explored the idea of describing a policy as declarations of allowed and prohibited information flows, for the Asbestos DIFC system. However, their work appears to have some significant...

Citation Context

...allow the programmer to validate security properties of their code through type-checking [18, 23]. Jif has been used to implement several real-world applications with strong security guarantees (e.g. =-=[3, 5, 12]-=-), but these programs are written from scratch in Jif. Automatic techniques can partition a Jif web application between its client and server [3]. Jif requires the programmer to define a bounded set o...

Citation Context

...onstraint system has a solution if and only if the bit-vector system has a solution. Bit-vector constraints can be solved efficiently in practice by an off-the-shelf SMT solver, such as Yices [6], Z3 =-=[16]-=-, or STP [8]. Such solvers implement decision procedures for decidable first-order theories, including the theory of bit vectors. If the SMT solver determines that no solution exists for the bit-vecto...

Citation Context

...perating systems. Furthermore, some systems have formal proofs that if an application running on the system correctly manipulates labels to implement a policy, then the system will enforce the policy =-=[14]-=-. However, for a user to have end-to-end assurance that their application implements a high-level information-flow policy, they must have assurance that the application indeed correctly manipulates la...

Citation Context

...em of correctly instrumenting the program to a problem of solving a system of set constraints. It feeds the resulting constraint system to an off-the-shelf Satisfiability Modulo Theories (SMT) solver =-=[7]-=-, which in our experiments found solutions to the systems in seconds (see Tab. 4). From a solution, Swim instruments the program. Thus the programmer reasons at the policy level about information flow...

Citation Context

...a system with such a semantics enables high-throughput leaks, while a system such as Flume, in which labels are explicitly manipulated by each process, is provably free of such leaks. Harris et. al. =-=[11]-=- apply a model checker for safety properties of concurrent programs to determine if a fully instrumented DIFC application satisfies a high-level information flow policy. The present paper describes ho...

Citation Context

...ionally, DIFC systems provide certain guarantees that Resin does not match [25]. Previous work describes techniques to automatically synthesize programs from complete specifications of their behavior =-=[6, 21, 22]-=-. Like Swim, these techniques assume a program skeleton and a specification of correctness, and then use constraint solving to generate language constructs, yielding a concrete implementation of the s...

Citation Context

...tem has a solution if and only if the bit-vector system has a solution. Bit-vector constraints can be solved efficiently in practice by an off-the-shelf SMT solver, such as Yices [7], Z3 [17], or STP =-=[9]-=-. Such solvers implement decision procedures for decidable first-order theories, including the theory of bit vectors.If the solver determines that no solution exists for the bitvector constraints, th...

Citation Context

...sion of FlumeWiki in which each process that services a request acts with exactly the DIFC permissions of the user who makes the request. FlumeWiki [15] is based on the software package MoinMoin Wiki =-=[16]-=-, but has been extended to run on the Flume operating system with enhanced security guarantees. Similar to Apache, in FlumeWiki a launcher process receives requests from users for generating CGI forms...

Citation Context

...ionally, DIFC systems provide certain guarantees that Resin does not match [25]. Previous work describes techniques to automatically synthesize programs from complete specifications of their behavior =-=[6, 21, 22]-=-. Like Swim, these techniques assume a program skeleton and a specification of correctness, and then use constraint solving to generate language constructs, yielding a concrete implementation of the s...

Citation Context

...ld programs and information-flow policies. §5 places our work in the context of other work on DIFC systems and program synthesis. §6 concludes. Some technical details are covered in the appendices of =-=[9]-=-. 2. OVERVIEW We now informally describe each step of the workflow of Swim, using the example from Fig. 1. We first give a brief overview of the Flume operating system. For a more complete description...