Containment and Integrity for Mobile Code
Principal Investigators:

Fred B. Schneider
Computer Science Department
Upson Hall
Cornell University
Ithaca, New York
Tel. (607) 255-9221
FAX (607) 255-4428
fbs@cs.cornell.edu

Andrew Myers
Computer Science Department
Upson Hall
Cornell University
Ithaca, New York
Tel. (607) 255-8597
FAX (607) 255-4428
andru@cs.cornell.edu
Project Overview:
Increasingly, networked information systems are built that use extensible
components and span hosts having different levels of trust in each other.
Enforcing security policies in this setting is crucial, as our nation's
critical infrastructures come to depend on such systems. Key elements of
any solution will include flexible support and efficient implementations
of fine-grained access control, application-level security policies that
take into account the source as well as the contents of information being
used in authorization decisions, and combinations of fault-tolerance and
security properties. Addressing these new needs is the objective of this
research project.
Language-Based Security. A new family of security policy-enforcement
techniques is emerging. These new techniques are made possible by advances
in the general area of programming languages:
- Inlined Reference Monitors allow enforcement of rich and flexible access
  control policies at any interface of a system by merging policy enforcement
  code into each application prior to execution. The approach promises an
  efficient technology for enforcing the Principle of Least Privilege, which
  is essential for implementing security in extensible systems and in systems
  involving mobile code.
- Static program analysis allows trust assumptions and privacy policies,
  attached as annotations to system components, to be validated. Flows of
  private information can thus be controlled, even in systems that contain
  mutually distrustful principals and that span hosts in large-scale networks.
  The annotations permit programs to be rewritten automatically so that they
  can remain secure, even as the distributed system on which they run evolves.
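The inlined-reference-monitor idea above, as an added illustration that is not code from the project: a security automaton encodes the policy ("no network send once data under /secret/ has been read"), and a rewriting step replaces each security-relevant method of an untrusted component with a guarded version that consults the automaton before the original runs. The component, the in-memory file table, and the traces are all constructed for the example; the policy and names are assumptions, not the SASI or IRM toolkit's own.

```python
from typing import Dict, List, Tuple

# Constructed in-memory "file system" standing in for real I/O.
FILES = {"/public/readme": "hello", "/secret/key": "k3y"}


class PolicyViolation(Exception):
    """Raised by the inlined monitor when the automaton rejects an event."""


class SecurityAutomaton:
    """Policy (assumed for the example): a component may not send on the
    network once it has read anything under /secret/.
    States: 'clean' --read /secret/*--> 'tainted'; a 'send' event in
    'tainted' has no transition and is therefore rejected."""

    def __init__(self) -> None:
        self.state = "clean"

    def step(self, event: str, arg: str) -> None:
        if event == "read" and arg.startswith("/secret/"):
            self.state = "tainted"
        elif event == "send" and self.state == "tainted":
            raise PolicyViolation(f"send to {arg!r} after reading secret data")


class UntrustedComponent:
    """Stand-in for mobile code; it is unaware that a monitor exists."""

    def read_file(self, path: str) -> str:
        return FILES[path]

    def send(self, host: str) -> str:
        return f"sent to {host}"


# Which methods are security-relevant, and which automaton event each raises.
MONITORED: Dict[str, str] = {"read_file": "read", "send": "send"}


def inline_monitor(component, automaton: SecurityAutomaton,
                   monitored: Dict[str, str] = MONITORED):
    """The 'rewriting' step: replace each monitored method with a guard
    that consults the automaton, then calls the original only if allowed."""
    for name, event in monitored.items():
        original = getattr(component, name)

        def guarded(arg, _orig=original, _event=event):
            automaton.step(_event, arg)   # raises PolicyViolation on a bad step
            return _orig(arg)

        setattr(component, name, guarded)
    return component


def run(trace: List[Tuple[str, str]]) -> Tuple[str, int]:
    """Execute a constructed trace of (method, argument) pairs against a
    freshly monitored component. Returns ('ok', steps_run) or
    ('violation', index_of_rejected_step)."""
    app = inline_monitor(UntrustedComponent(), SecurityAutomaton())
    for i, (op, arg) in enumerate(trace):
        try:
            getattr(app, op)(arg)
        except PolicyViolation:
            return ("violation", i)
    return ("ok", len(trace))


if __name__ == "__main__":
    print(run([("read_file", "/public/readme"), ("send", "mirror.example")]))
    print(run([("read_file", "/secret/key"), ("send", "mirror.example")]))
```

Because the check is merged into the component's own call path rather than placed at a system-call boundary, the policy can refer to application-level events (here, which path was read) that a kernel-level monitor would not see; that is the flexibility the paragraph above refers to.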
Composing Fault-Tolerance and Security. Replication
enhances fault-tolerance but, unless done carefully, can lead to systems
with greater vulnerability to attack. In particular, once servers are replicated,
it must not be possible for an attacker to compromise the secrecy or integrity
of the service.
- The NAP approach for mobile code fault-tolerance instantiates the primary-backup
  approach for a setting where the identity of neither primary nor backup
  remains static. Orchestrating fail-overs and configuration management is
  particularly challenging in this setting.
- Proactive secret sharing allows a service to employ a secret key (for
  secrecy, or for signatures that certify integrity) even if some fraction of
  the servers comprising the service have been compromised by attackers.
  Previous work requires strong assumptions about network synchrony; new
  protocols for asynchronous systems, coupled with Byzantine Quorum systems,
  promise to support services that employ replication and offer both fault-tolerance
  and security.
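The proactive secret sharing idea above, as an added example that is not the project's APSS protocol: a (t, n) Shamir sharing of a key over a prime field, plus a refresh round in which every server contributes a random polynomial with zero constant term so that each server's share changes while the shared secret does not. Shares captured before a refresh are useless in combination with shares captured after it, which is what limits an attacker who compromises servers gradually. The field modulus, the constructed secret, and the synchronous, honest-participant setting are assumptions for the example; APSS itself handles asynchrony and Byzantine servers, which this code does not.

```python
import secrets
from typing import Dict, List

# Field modulus (a constructed choice; any prime larger than the secret works).
P = 2**127 - 1


def _eval(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial with the given coefficients at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share(secret: int, n: int, t: int) -> Dict[int, int]:
    """Shamir (t, n) sharing: server i holds f(i) for a random polynomial f
    of degree t-1 with f(0) = secret. Any t shares reconstruct; fewer
    reveal nothing about the secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {i: _eval(coeffs, i) for i in range(1, n + 1)}


def reconstruct(shares: Dict[int, int]) -> int:
    """Lagrange interpolation at x = 0 over the supplied shares."""
    total = 0
    for i, yi in shares.items():
        num = den = 1
        for j in shares:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def refresh(shares: Dict[int, int], t: int) -> Dict[int, int]:
    """One proactive refresh round. Each server k picks a random polynomial
    g_k of degree t-1 with g_k(0) = 0 and sends g_k(i) to server i; server i
    adds every sub-share it receives to its own share. The new shares lie on
    f + sum(g_k), whose value at 0 is still the secret, but which is otherwise
    unrelated to f, so old and new shares cannot be combined."""
    new = dict(shares)
    for _k in shares:
        g = [0] + [secrets.randbelow(P) for _ in range(t - 1)]
        for i in new:
            new[i] = (new[i] + _eval(g, i)) % P
    return new


def mixed_shares_recover_secret(old: Dict[int, int], new: Dict[int, int],
                                t: int, secret: int) -> bool:
    """Attacker's-eye check: t shares drawn from two different epochs."""
    ids = sorted(old)
    mixed = {i: old[i] for i in ids[: t // 2]}
    mixed.update({i: new[i] for i in ids[t // 2: t]})
    return reconstruct(mixed) == secret


if __name__ == "__main__":
    key = 0xC0FFEE  # constructed secret
    epoch0 = share(key, n=5, t=3)
    epoch1 = refresh(epoch0, t=3)
    print(reconstruct({i: epoch1[i] for i in (1, 3, 5)}) == key)        # True
    print(mixed_shares_recover_secret(epoch0, epoch1, 3, key))           # False
```

The refresh never reconstructs the secret anywhere, which is the point: the key exists only as shares, and a compromise of fewer than t servers within any one epoch yields nothing, even if the attacker eventually visits every server across several epochs.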
Inlined Reference Monitors for Enforcing Security Policies:
- Schneider, F.B. Enforceable security policies.
  ACM Transactions on Information and System Security
  3, 1 (February 2000), 30–50. [TR 99-1759]
- Erlingsson, U., and F.B. Schneider.
  SASI enforcement of security policies: A retrospective. Proceedings of
  the New Security Paradigms Workshop (Caledon Hills, Ontario, Canada,
  September 1999), Association for Computing Machinery, 87–95.
- Erlingsson, U., and F.B. Schneider. IRM
  enforcement of Java stack inspection. Proceedings 2000 IEEE Symposium
  on Security and Privacy (Oakland, California, May 2000), IEEE Computer
  Society, Los Alamitos, California, 246–255. With Ulfar Erlingsson. [TR 2000-1786]
- Schneider, F.B., Greg Morrisett, and Robert Harper. A
  language-based approach to security. Informatics: 10 Years Back,
  10 Years Ahead (Saarbrucken, Germany, August 2000), Lecture Notes in
  Computer Science, Volume 2000 (Reinhard Wilhelm, ed.), Springer-Verlag,
  Heidelberg, 2000, 86–101.
- Schneider, F.B. Least Privilege and More. Computer Systems: Papers for
  Roger Needham. Andrew Herbert and Karen Sparck Jones, eds., 209–213. Revised
  version invited for IEEE Security and Privacy.
Static Analysis for Controlling Information Flow:
- Myers, A.C., and Liskov, B. Complete,
  Safe Information Flow with Decentralized Labels. Proceedings of
  the 1998 IEEE Symposium on Security and Privacy (Oakland, California,
  May 1998), 186–197.
- Myers, A.C. JFlow: Practical Mostly-Static Information Flow Control.
  Proceedings of the 26th ACM Symposium on Principles of Programming
  Languages (San Antonio, Texas, January 1999), 228–241.
- Myers, A.C., and Liskov, B. Protecting Privacy using
  the Decentralized Label Model.
  ACM Transactions on Software Engineering and Methodology 9, 4 (October 2000), 410–442.
- Zdancewic, S., and Myers, A.C. Secure Information Flow and CPS.
  Proceedings of the 10th European Symposium on Programming
  (Genova, Italy, April 2001), Lecture Notes in Computer Science vol. 2028,
  46–61.
- Zdancewic, S., and Myers, A.C. Robust Declassification.
  Proceedings of the 14th IEEE Computer Security
  Foundations Workshop (Cape Breton, Nova Scotia, Canada, June 2001),
  15–23.
- Zdancewic, S., Zheng, L., Nystrom, N., and Myers, A.C.
  Untrusted Hosts and Confidentiality: Secure Program Partitioning.
  Proceedings of the 18th ACM Symposium on Operating Systems
  Principles (Banff, Canada, October 2001), 1–14. Award paper.
- Zdancewic, S., and Myers, A.C.
  Secure Information Flow and Linear Continuations.
  Higher Order and Symbolic Computation 15, 2–3 (September 2002),
  209–234.
- Zdancewic, S., Zheng, L., Nystrom, N., and Myers, A.C.
  Secure Program Partitioning.
  ACM Transactions on Computer Systems 20, 2 (August 2002), 283–328.
- Zheng, L., Chong, S., Myers, A.C., and Zdancewic, S. Using
  Replication and Partitioning to Build Secure Distributed Systems. Proceedings
  of the 2003 IEEE Symposium on Security and Privacy (Oakland, California,
  May 2003), 236–250.
- Zdancewic, S., and Myers, A.C. Observational
  Determinism for Concurrent Program Security. Proceedings
  of the 16th IEEE Computer Security Foundations Workshop (Pacific
  Grove, California, June 2003), to appear.
Distributed Trust:
- Zhou, Lidong, F.B. Schneider, and R. van Renesse. COCA:
  A secure distributed on-line certification authority. ACM
  Transactions on Computer Systems 20, 4 (November 2002),
  329–368. Earlier version: Technical Report TR 2000-1828, December 7, 2000.
- Zhou, Lidong, F.B. Schneider, and R. van Renesse. APSS: Proactive
  Secret Sharing in Asynchronous Systems. Submitted to ACM
  Transactions on Information and System Security.
Fault-tolerant and Secure Mobile Code:
- Johansen, D., K. Marzullo, F. B. Schneider, K. Jacobsen, and D. Zagorodnov.
  NAP: Practical Fault-tolerance
  for Itinerant Computations. Proc. 19th IEEE International Conference
  on Distributed Computing Systems (Austin, Texas, June 1999), IEEE,
  180–189.
- Johansen, D., K. Lauvset, R. van Renesse, F.B. Schneider, N. Sudmann, and
  K. Jacobsen. A Tacoma Retrospective. Software–Practice and
  Experience 32, 605–619.
Other Publications:
- Schneider, F.B., S.M. Bellovin, and A. Inouye. Building
  trustworthy systems: Lessons from the PTN and Internet.
  IEEE Internet Computing 3, 5 (November-December 1999), 64–72.
- Schneider, F.B. Open
  source in security: Visiting the bizarre. Proceedings 2000 IEEE
  Symposium on Security and Privacy (Oakland, California, May 2000),
  IEEE Computer Society, Los Alamitos, California, 126–127.
- Minsky, Y., and F. B. Schneider. Tolerating Malicious Gossip. Distributed Computing
  16, 1 (February 2003), 49–68.
- Schneider, F.B. Secure Systems Conundrum.
  Invited "Inside Risks" column. Communications of the ACM
  45, 10 (October 2002), 160.
- Johansen, D., R. van Renesse, and F.B. Schneider. WAIF: Web of Asynchronous Filters.
  Future Directions in Distributed Computing, Lecture Notes in
  Computer Science, Volume 2584, Springer-Verlag, Heidelberg, 2003, 81–86.
- Nystrom, N., Clarkson, M.R., and Myers, A.C. Polyglot:
  An Extensible Compiler Framework for Java.
  Proceedings of the 12th International Conference on Compiler
  Construction (Warsaw, Poland, April 2003), Lecture Notes in Computer Science
  2622, pages 138–152.