Person:

Waye, Lucas Reed

Last Name

Waye

First Name

Lucas Reed

Name

Waye, Lucas Reed

Search Results

  • Publication

    It’s My Privilege: Controlling Downgrading in DC-Labels

    (Springer Science + Business Media, 2015) Waye, Lucas Reed; Buiras, Pablo; King, Dan; Chong, Stephen; Russo, Alejandro

    Disjunction Category Labels (DC-labels) are an expressive label format used to classify the sensitivity of data in information-flow control systems. DC-labels use capability-like privileges to downgrade information. Inappropriate use of privileges can compromise security, but DC-labels provide no mechanism to ensure appropriate use. We extend DC-labels with the novel notions of bounded privileges and robust privileges. Bounded privileges specify and enforce upper and lower bounds on the labels of data that may be downgraded. Bounded privileges are simple and intuitive, yet can express a rich set of desirable security policies. Robust privileges can be used only in downgrading operations that are robust, i.e., the code exercising privileges cannot be abused to release or certify more information than intended. Surprisingly, robust downgrades can be expressed in DC-labels as downgrading operations using a weakened privilege. We provide sound and complete run-time security checks to ensure downgrading operations are robust. We illustrate the applicability of bounded and robust privileges in a case study as well as by identifying a vulnerability in an existing DC-label-based application.

  • Publication

    Exploring and Enforcing Application Security Guarantees via Program Dependence Graphs

    (2014) Johnson, Andrew; Waye, Lucas Reed; Moore, Scott; Chong, Stephen

    We present Pidgin, a program analysis and understanding tool that allows developers to explore the information flows that exist in programs and specify and enforce security policies that restrict these information flows. Pidgin uses program-dependence graphs (PDGs) to precisely capture the information flows within a program. PDGs can be queried using a custom query language to explore and describe information flows in programs. A developer can specify strong information security policies by asserting that specific queries return no results (i.e., asserting the absence of certain information flows in the program). To check whether a program satisfies a security policy, a developer can simply evaluate the query against a program’s dependence graph. The query language is expressive, supporting a large class of precise, application-specific security guarantees. Pidgin can be used to explore information security guarantees in legacy programs, or to support the specification, enforcement, and modification of information security requirements during program development. We describe the design and implementation of Pidgin and report on using Pidgin both to explore security guarantees in existing open-source applications, and to specify and enforce security guarantees during application development.

  • Publication

    Exploring and Enforcing Application Security Guarantees via Program Dependence

    (2014) Johnson, Andrew; Waye, Lucas Reed; Moore, Scott David; Chong, Stephen

    We present Pidgin, a program analysis and understanding tool that allows developers to explore the information flows that exist in programs and specify and enforce security policies that restrict these information flows. Pidgin uses program-dependence graphs (PDGs) to precisely capture the information flows within a program. PDGs can be queried using a custom query language to explore and describe information flows in programs. A developer can specify strong information security policies by asserting that specific queries return no results (i.e., asserting the absence of certain information flows in the program). To check whether a program satisfies a security policy, a developer can simply evaluate the query against a program’s dependence graph. The query language is expressive, supporting a large class of precise, application-specific security guarantees. Pidgin can be used to explore information security guarantees in legacy programs, or to support the specification, enforcement, and modification of information security requirements during program development. We describe the design and implementation of Pidgin and report on using Pidgin both to explore security guarantees in existing open-source applications, and to specify and enforce security guarantees during application development.

  • Publication

    Higher-order Behavioral Contracts for Distributed Components

    (2015) Waye, Lucas Reed; Dimoulas, Christos; Chong, Stephen

    Inspired by the Design by Contract paradigm, we introduce CONSUL, a contract system for distributed components. CONSUL monitors distributed components at run time with higher-order behavioral contracts. Contract monitoring is local to a component, and the component is treated as a black box. Thus it does not disturb the highly decoupled nature of distributed components and allows heterogeneous implementation languages and platforms without modifications to a component’s code. We describe the design, semantics and properties of CONSUL (adapter transparency and correct blame), and show that its contracts can capture and enforce precise and useful properties of a variety of off-the-shelf components.