DOI: 10.1145/502034.502036
Article

Untrusted hosts and confidentiality: secure program partitioning

Published: 21 October 2001

Abstract

This paper presents secure program partitioning, a language-based technique for protecting confidential data during computation in distributed systems containing mutually untrusted hosts. Confidentiality and integrity policies can be expressed by annotating programs with security types that constrain information flow; these programs can then be partitioned automatically to run securely on heterogeneously trusted hosts. The resulting communicating subprograms collectively implement the original program, yet the system as a whole satisfies the security requirements of participating principals without requiring a universally trusted host machine. The experience in applying this methodology and the performance of the resulting distributed code suggest that this is a promising way to obtain secure distributed computation.
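As an added illustration (not code from the paper or from the Jif/split implementation it describes): a toy Python model of the placement constraint the abstract describes, in which a statement may only be assigned to a host that every affected principal trusts for confidentiality and integrity. The principals alice and bob, the hosts A, B and T, and the three-statement program are constructed for this example.

```python
# Added illustration, not the paper's code: a toy version of the host-selection
# constraint behind secure program partitioning. A statement is labelled by the
# principals whose confidentiality and integrity policies cover the data it touches;
# a host is labelled by the principals that trust it. Principal and host names
# are constructed for this example.
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    conf_trust: frozenset  # principals who trust this host with their secrets
    int_trust: frozenset   # principals who trust this host not to corrupt their data

@dataclass(frozen=True)
class Stmt:
    name: str
    conf_owners: frozenset  # owners of confidentiality policies on the data it reads
    int_owners: frozenset   # principals whose integrity policies its result must meet

def allowed_hosts(stmt, hosts):
    """A host may run a statement only if every owner of a confidential input
    trusts it with confidentiality and every integrity owner trusts its integrity."""
    return [h.name for h in hosts
            if stmt.conf_owners <= h.conf_trust and stmt.int_owners <= h.int_trust]

def partition(stmts, hosts):
    """Assign each statement to an acceptable host (first match, a toy choice);
    raise ValueError when no host in the system is trusted enough for it."""
    assignment = {}
    for s in stmts:
        candidates = allowed_hosts(s, hosts)
        if not candidates:
            raise ValueError(f"no host trusted enough to run {s.name}")
        assignment[s.name] = candidates[0]
    return assignment

# Constructed scenario: Alice and Bob each run their own host; T is trusted by both.
A = Host("A", frozenset({"alice"}), frozenset({"alice"}))
B = Host("B", frozenset({"bob"}), frozenset({"bob"}))
T = Host("T", frozenset({"alice", "bob"}), frozenset({"alice", "bob"}))
PROGRAM = [
    Stmt("read_alice_secret", frozenset({"alice"}), frozenset({"alice"})),
    Stmt("read_bob_secret", frozenset({"bob"}), frozenset({"bob"})),
    # the joint step reads both secrets, so only a host both owners trust may run it
    Stmt("compare_secrets", frozenset({"alice", "bob"}), frozenset({"alice", "bob"})),
]

if __name__ == "__main__":
    print(partition(PROGRAM, [A, B, T]))  # {'read_alice_secret': 'A', 'read_bob_secret': 'B', 'compare_secrets': 'T'}
```

Removing T from the host list makes the joint step unplaceable, which is the situation the abstract's "without requiring a universally trusted host" claim is about: only the statements that genuinely combine both parties' data need a host both of them trust.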




Published In

SOSP '01: Proceedings of the eighteenth ACM symposium on Operating systems principles
October 2001, 254 pages
ISBN: 1581133898
DOI: 10.1145/502034
Publisher

Association for Computing Machinery

New York, NY, United States


Conference

SOSP01: 18th Symposium on Operating System Principles
October 21 - 24, 2001
Banff, Alberta, Canada

Acceptance Rates

SOSP '01 Paper Acceptance Rate 17 of 85 submissions, 20%;
Overall Acceptance Rate 174 of 961 submissions, 18%


Article Metrics

  • Downloads (last 12 months): 19
  • Downloads (last 6 weeks): 1
Reflects downloads up to 21 Dec 2024


Cited By

  • (2021) Enclave-Based Secure Programming with JE. 2021 IEEE Secure Development Conference (SecDev), pp. 71-78. DOI 10.1109/SecDev51306.2021.00026. Published online Oct 2021.
  • (2021) Language Support for Secure Software Development with Enclaves. 2021 IEEE 34th Computer Security Foundations Symposium (CSF), pp. 1-16. DOI 10.1109/CSF51468.2021.00037. Published online Jun 2021.
  • (2020) Civet. Proceedings of the 29th USENIX Conference on Security Symposium, pp. 505-522. DOI 10.5555/3489212.3489241. Published online 12 Aug 2020.
  • (2019) Secured routines. Proceedings of the 2019 USENIX Annual Technical Conference, pp. 571-585. DOI 10.5555/3358807.3358855. Published online 10 Jul 2019.
  • (2019) Riverbed. Proceedings of the 16th USENIX Conference on Networked Systems Design and Implementation, pp. 615-629. DOI 10.5555/3323234.3323285. Published online 26 Feb 2019.
  • (2019) Language-integrated privacy-aware distributed queries. Proceedings of the ACM on Programming Languages 3(OOPSLA), pp. 1-30. DOI 10.1145/3360593. Published online 10 Oct 2019.
  • (2019) ShortCut. Proceedings of the 27th ACM Symposium on Operating Systems Principles, pp. 570-585. DOI 10.1145/3341301.3359659. Published online 27 Oct 2019.
  • (2017) Hails: Protecting data privacy in untrusted web applications. Journal of Computer Security 25(4-5), pp. 427-461. DOI 10.3233/JCS-15801. Published online 10 Jul 2017.
  • (2016) Strong Non-Interference and Type-Directed Higher-Order Masking. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 116-129. DOI 10.1145/2976749.2978427. Published online 24 Oct 2016.
  • (2016) JCrypt. Proceedings of the 13th International Conference on Principles and Practices of Programming on the Java Platform: Virtual Machines, Languages, and Tools, pp. 1-12. DOI 10.1145/2972206.2972209. Published online 29 Aug 2016.
