Protecting Sensitive Information from Untrusted Code

Indrajit Roy, University of Texas at Austin, Department of Computer Science, University Station, Austin, United S
Monday, 21 Dec 2009 (all day)
A-212 (STCS Seminar Room)
As computer systems support more aspects of modern life, from finance to health care, security becomes increasingly important. Computer systems have to safeguard data from unauthorized users, malicious code, buggy code, and other threats.

Recently, decentralized information flow control (DIFC) has emerged as a promising model to write programs with powerful, end-to-end security guarantees. The DIFC model provides security by allowing users to associate secrecy and integrity labels with data and restricting the flow of information according to these labels.

Current DIFC systems that run on commodity hardware can be broadly categorized into two types: language-level and operating-system-level DIFC. Language-level solutions provide no guarantees against security violations on system resources, such as files and sockets. Operating-system solutions can mediate accesses to system resources, but are inefficient at monitoring the flow of information through fine-grained program data structures.

In the talk I will primarily describe Laminar, the first system to implement decentralized information flow control using a single set of abstractions for OS resources and heap-allocated objects. Programmers express security policies by labeling data with secrecy and integrity labels, and then access the labeled data in lexically scoped security regions. Laminar is implemented using a modified Java virtual machine and a new Linux security module.
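The label model sketched in the two paragraphs above (secrecy and integrity labels on data, reads and writes checked against the label of a lexically scoped region, and declassification by a tag's owner) can be made concrete with a small simulation. The following is an added illustration written for this page; it is not Laminar's code or API, it is in Python rather than Laminar's Java/JVM setting, and it implements the standard DIFC lattice rule (secrecy tags may only accumulate, integrity tags may only erode) rather than Laminar's specific semantics. The tag names, the `Labeled`, `Sink` and `region` classes, and the sample data are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """DIFC label: a set of secrecy tags and a set of integrity tags."""
    secrecy: frozenset = frozenset()
    integrity: frozenset = frozenset()

    def can_flow_to(self, dst: "Label") -> bool:
        # Secrecy accumulates: every secrecy tag on the source must also be
        # on the destination. Integrity erodes: the destination may claim at
        # most the integrity tags the source already carries.
        return self.secrecy <= dst.secrecy and dst.integrity <= self.integrity


class FlowViolation(Exception):
    """Raised when a read or write would move information against its label."""


@dataclass
class Labeled:
    """A heap object carrying its own label (constructed stand-in)."""
    value: object
    label: Label


class Sink:
    """Stands in for an OS resource such as a file or socket with a label."""
    def __init__(self, name: str, label: Label):
        self.name, self.label, self.written = name, label, []


# Stack of region labels; the outermost context is public and unvouched.
_region_stack = [Label()]


class region:
    """Lexically scoped security region: code inside runs at a fixed label."""
    def __init__(self, label: Label):
        self.label = label

    def __enter__(self):
        _region_stack.append(self.label)
        return self

    def __exit__(self, *exc):
        _region_stack.pop()
        return False


def read(obj: Labeled):
    """Reading is allowed only if the object's label flows to the region's."""
    cur = _region_stack[-1]
    if not obj.label.can_flow_to(cur):
        raise FlowViolation(f"read of {obj.label} inside region {cur}")
    return obj.value


def write(sink: Sink, value) -> None:
    """Writing is allowed only if the region's label flows to the sink's."""
    cur = _region_stack[-1]
    if not cur.can_flow_to(sink.label):
        raise FlowViolation(f"write from region {cur} to {sink.name}")
    sink.written.append(value)


def declassify(obj: Labeled, tag: str, capabilities: set) -> Labeled:
    """Only a principal holding the capability for a tag may strip it."""
    if tag not in capabilities:
        raise PermissionError(f"no capability to declassify {tag!r}")
    return Labeled(obj.value, Label(obj.label.secrecy - {tag}, obj.label.integrity))


def demo() -> dict:
    """Walk through allowed and refused flows; returns the outcomes."""
    alice = "alice_secret"   # secrecy tag owned by Alice (constructed)
    bank = "bank_signed"     # integrity tag owned by the bank (constructed)
    record = Labeled("diagnosis: ok", Label(secrecy=frozenset({alice})))
    untrusted = Labeled("rate=0.0", Label())  # no integrity tags: untrusted input
    alice_file = Sink("alice.txt", Label(secrecy=frozenset({alice})))
    public_net = Sink("socket:0", Label())
    ledger = Sink("ledger.db", Label(integrity=frozenset({bank})))
    out = {}

    # 1. A region carrying Alice's tag may read her record and write it to
    #    her own file, but may not write it to a public socket.
    with region(Label(secrecy=frozenset({alice}))):
        write(alice_file, read(record))
        try:
            write(public_net, read(record))
            out["leak_to_public"] = "allowed"
        except FlowViolation:
            out["leak_to_public"] = "refused"

    # 2. The public region cannot even read the record.
    try:
        read(record)
        out["public_read"] = "allowed"
    except FlowViolation:
        out["public_read"] = "refused"

    # 3. After Alice declassifies, the data may leave.
    released = declassify(record, alice, capabilities={alice})
    write(public_net, read(released))
    out["after_declassify"] = public_net.written[-1]

    # 4. Integrity: a bank-vouched region may write the ledger but may not
    #    consume untrusted input; an unvouched region may not write the ledger.
    with region(Label(integrity=frozenset({bank}))):
        write(ledger, "deposit 10")
        try:
            read(untrusted)
            out["taint_into_trusted"] = "allowed"
        except FlowViolation:
            out["taint_into_trusted"] = "refused"
    try:
        write(ledger, "deposit 1000000")
        out["untrusted_ledger_write"] = "allowed"
    except FlowViolation:
        out["untrusted_ledger_write"] = "refused"
    out["ledger"] = list(ledger.written)
    return out


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Two points the simulation makes visible. First, the same `can_flow_to` check guards both the heap object (`Labeled`) and the OS resource (`Sink`), which is the "single set of abstractions" idea: a leak through a socket and a leak through a field are refused by the same rule. Second, declassification is the only way a secrecy tag is removed, and it is gated on a capability, so the place where information is deliberately released is explicit in the code rather than implicit in a missing check.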

I will also give a brief overview of another system that I am developing, called Airavat. Airavat is a MapReduce-based system that provides strong security and privacy guarantees for distributed computations on sensitive data.