Containment and Integrity for Mobile Code

Principal Investigators:

Fred B. Schneider
Computer Science Department
Upson Hall
Cornell University
Ithaca, New York
Tel. (607) 255-9221
FAX (607) 255-4428
fbs@cs.cornell.edu

Andrew Myers
Computer Science Department
Upson Hall
Cornell University
Ithaca, New York
Tel. (607) 255-8597
FAX (607) 255-4428
andru@cs.cornell.edu

Project Overview:

Increasingly, networked information systems are built that use extensible components and span hosts having different levels of trust in each other. Enforcing security policies in this setting is crucial, as our nation's critical infrastructures come to depend on such systems. Key elements of any solution will include flexible support and efficient implementations of fine-grained access control, application-level security policies that take into account the source as well as the contents of information being used in authorization decisions, and combinations of fault-tolerance and security properties. Addressing these new needs is the objective of this research project.

Language Based Security. A new family of security policy-enforcement techniques is emerging. These new techniques are made possible by advances in the general area of programming languages:

Inlined Reference Monitors allow enforcement of rich and flexible access control policies at any interface of a system by merging policy enforcement code into each application prior to execution. The approach promises an efficient technology for enforcing the Principle of Least Privilege, which is essential for implementing security in extensible systems and in systems involving mobile code.
Static program analysis allows trust assumptions and privacy policies, attached as annotations to system components, to be validated. Flows of private information can thus be controlled, even in systems that contain mutually distrustful principals and that span hosts in large-scale networks. The annotations permit programs to be rewritten automatically so that they can remain secure, even as the distributed system on which they run evolves.

Composing Fault-Tolerance and Security. Replication enhances fault-tolerance but, unless done carefully, can lead to systems with greater vulnerability to attack. In particular, once servers are replicated, it must not be possible for an attacker compromise the secrecy or integrity of the service.

The NAP approach for mobile code fault-tolerance instantiates the primary-backup approach for a setting where the identity of neither primary nor backup remains static. Orchestrating fail-overs and configuration management is particularly challenging in this setting.
Proactive secret sharing allows a service to employ a secret key — for secrecy or signatures to certify integrity — even if some fraction of the servers comprising the service have been compromised by attackers. Previous work requires strong assumptions about network synchrony; new protocols for asynchronous systems, coupled with Byzantine Quorum systems, promise to support services that employ replication and offer both fault-tolerance and security.

Inlined Reference Monitors for Enforcing Security Policies:

Schneider, F.B. Enforceable security policies. ACM Transactions on Information and System Security 3, 1 (February 2000), 30–50. [TR 99-1759]
Erlingsson, U., and F.B. Schneider. SASI enforcement of security policies: A retrospective. Proceedings of the New Security Paradigms Workshop (Caledon Hills, Ontario, Canada, September 1999), Association for Computing Machinery, 87–95.
Erlingsson, U., and F.B. Schneider. IRM enforcement of Java stack inspection. Proceedings 2000 IEEE Symposium on Security and Privacy (Oakland, California, May 2000), IEEE Computer Society, Los Alamitos, California, 246–255. With Ulfar Erlingsson. [TR 2000-1786]
Schneider, F.B., Greg Morrisett, and Robert Harper.A language-based approach to security. Informatics: 10 Years Back, 10 Years Ahead (Saarbrucken, Germany, August 2000), Lecture Notes in Computer Science, Volume 2000 (Reihnard Wilhelm, ed.), Springer-Verlag, Heidelberg, 2000, 86-101.
Schneider, F.B. Least Privilege and More. Computer Systems: Papers for Roger Needham. Andrew Herbert and Karen Sparck Jones, eds., 209--213. Revised version invited for IEEE Security and Privacy.

Static Analysis for Controlling Information Flow:

Myers, A.C., and Liskov, B. Complete, Safe Information Flow with Decentralized Labels. Proceedings of the 1998 IEEE Symposium on Security and Privacy (Oakland, California, May 1998), 186–197.
Myers, A.C. JFlow: Practical Mostly-Static Information Flow Control. Proceedings of the 26th ACM Symposium on Principles of Programming Languages (San Antonio, Texas, January 1999), 228–241.
Myers, A.C, and Liskov, B. Protecting Privacy using the Decentralized Label Model. ACM Transactions on Software Engineering and Methodology 9, 4 (October 2000), 410–442.
Zdancewic, S., and Myers, A.C. Secure Information Flow and CPS. Proceedings of the 10^th European Symposium on Programming (Genova, Italy, April 2001), Lecture Notes in Computer Science vol. 2028, 46-61.
Zdancewic, S., and Myers, A.C. Robust Declassification. Proceedings of the 14^th IEEE Computer Security Foundations Workshop (Cape Breton, Nova Scotia, Canada, June 2001), 15-23.
Zdancewic, S., Zheng, L., Nystrom, N., and Myers, A.C. Untrusted Hosts and Confidentiality: Secure Program Partitioning. Proceedings of the 18^thACM Symposium on Operating Systems Principles (Banff, Canada, October 2001), 1–14. Award paper.
Zdancewic, S., and Myers, A.C. Secure Information Flow and Linear Continuations. Higher Order and Symbolic Computation 15, 2–3 (September 2002), 209–234.
Zdancewic, S., Zheng, L., Nystrom, N., and Myers, A.C. Secure Program Partitioning. ACM Transactions on Computer Systems 20, 2 (August 2002), 283–328.
Zheng, L., Chong, S., Myers, A.C., Zdancewic, S. Using Replication and Partitioning to Build Secure Distributed Systems. Proceedings of the 2003 IEEE Symposium on Security and Privacy (Oakland, California, May 2003), 236–250.
Zdancewic, S., Myers, A.C. Observational Determinism for Concurrent Program Security. Proceedings of the 16^th IEEE Computer Security Foundations Workshop (Pacific Grove, California, June 2003), to appear.

Distributed Trust:

Zhou, Lidong, F.B. Schneider, and R. van Renesse. COCA: A secure distributed on-line certification authority. ACM Transactions on Computer Systems 20, 4 (November 2002), 329--368.Earlier version: Technical Report TR 2000-1828, December 7, 2000.
Zhou, Lidong, F.B. Schneider, and R. van Renesse. APSS: Proactive Secret Sharing in Asynchronous Systems. Submitted to ACM Transactions on Information and System Security.

Fault-tolerant and Secure Mobile Code:

Johansen, D., K. Marzullo, F. B. Schneider, K. Jacobsen, and D. Zagorodnov. NAP: Practical Fault-tolerance for Itinerant Computations. Proc. 19th IEEE International Conference on Distributed Computing Systems (Austin, Texas, June 1999), IEEE, 180–189.
Johansen, D., K. Lauvset, R. van Renesse, F.B. Schneider, N. Sudmann, and K. Jacobsen. A Tacoma Retrospective. Software–Practice and Experience 32, 605–619.

Other Publications:

Schneider, F.B., S.M. Bellovin, and A. Inouye. Building trustworthy systems: Lessons from the PTN and Internet. IEEE Internet Computing 3, 5 (November-December 1999), 64–72.
Schneider, F.B., Open source in security: Visiting the bizarre. Proceedings 2000 IEEE Symposium on Security and Privacy (Oakland, California, May 2000), IEEE Computer Society, Los Alamitos, California, 126–127.
Minsky, Y., and F. B. Schneider. Tolerating Malicious Gossip. Distributed Computing 16, 1 (February 2003), 49--68.
Schneider, F.B. Secure Systems Conundrum. Invited "Inside Risks'' column. Communications of the ACM 45, 10 (October 2002), 160.
Johansen, D., R. van Renesse, F.B. Schneider. WAIF: Web of Asynchronous Filters. Future Directions in Distributed Computing, Lecture Notes in Computer Science, Volume 2584, Springer-Verlag, Heidelberg, 2003, 81--86.
Nystrom, N., Clarkson, M.R., Myers, A.C. Polyglot: An Extensible Compiler Framework for Java.
Proceedings of the 12^th International Conference on Compiler Construction (Warsaw, Poland, April 2003), Lecture Notes in Computer Science 2622, pages 138–152.