SlideShare a Scribd company logo

Precise Dynamic Information Flow Database Apps

Download as PPTX, PDF
J
jxyz

This document summarizes a research paper on a programming model and runtime called Jacqueline that makes it easier to write secure web applications that prevent information leaks. Jacqueline allows programmers to specify information flow policies separately from application logic. An enhanced runtime then enforces these policies across the application and database to prevent sensitive data from being leaked. The runtime supports common database operations like queries while tracking information flow. Case studies show Jacqueline reduces policy code and has reasonable performance overhead.

Software
1 of 38
Precise, Dynamic Information Flow for Database- Backed Applications Jean Yang, Travis Hance, Thomas H. Austin, Armando Solar-Lezama, Cormac Flanagan, and Stephen Chong PLDI 2016 JeanYang/PLDI2016
An oil skimming operation works in a heavy oil slick after the spill on April 1, 1989. (Photo from Huffington Post) JeanYang/PLDI2016
JeanYang/PLDI2016 Oil-covered otter. (Photo from the Human Impact Project)
The Relationship Between Design and Accidents JeanYang/PLDI2016 Crude oil Single hull Crude oil Double hull Required by the Oil Pollution Act of 1990.
JeanYang/PLDI2016 But what about information leaks?
Wanted: Double Hull for Information Security JeanYang/PLDI2016 Sensitive data Single hull Sensitive data Double hull Research in language-based security looks at designs for double hulls [Sabelfeld and Myers, JSAC 2003]. Our goal: make double hulls that are as easy to construct as possible!
This Talk: Making It Easier to Secure Web Programs 1. Why it’s hard to prevent information leaks. 2. A programming model that makes writing secure web programs easier. 3. How we support that programming model in database-backed applications. JeanYang/PLDI2016
Social Calendar Example JeanYang/Jeeves Let’s say Arjun and I want to throw a surprise paper discussion party for Emery.
Challenge: Different Viewers Should See Different Events JeanYang/PLDI2016 Guests Emery Strangers Surprise discussion for Emery at Chuck E. Cheese. Pizza with Arjun/Jean. Private event at Chuck E. Cheese.
Policies May Depend on Sensitive Values JeanYang/PLDI2016 Guest List Finalized list Must be on guest list. Must be member of list and the list must be finalized. Leaky enforcement: when the programmer neglects dependencies of policies on sensitive values. Policy for event depends on policy for guest list!
A Story of Leaky Enforcement JeanYang/PLDI2016 Guest List Finalized list We add Armando to non-final guest list. 1 We run out of space and remove Armando. 3 Armando figures out he was uninvited. 4 There was a party on my calendar… Guest List Finalized list Armando sees the event on his calendar. 2
A Story of Leaky Enforcement JeanYang/PLDI2016 Guest List Finalized list We add Armando to non-final guest list. 1 We run out of space and remove Armando. 3 Armando figures out he was uninvited. 4 There was a party on my calendar… Guest List Finalized list Armando sees the event on his calendar. 2 Problem: implementation for event policy neglected to take into account guest list policy. This arises whenever we trust programmers to get policy checks right!
Need to Track Policies and Viewers Across the Code JeanYang/PLDI2016 “What is the most popular location among friends 7pm Tuesday?” Update to all calendar users Need to track how information flows through derived values and where derived values flow!
“Policy Spaghetti” in HotCRP JeanYang/PLDI2016 Conditional permissions checks everywhere!
Jacqueline Web Framework to the Rescue! JeanYang/PLDI2016 Enhanced runtime encompasses applications and databases, preventing leaks between the two. Runtime prevents information leaks according to policy annotations. Sensitive data Policy annotations Database Programmer specifies information flow policies separately from other functionality. 1 2 3
Contributions • Policy-agnostic programming model for database-backed web applications. • Semantics and proofs for policy- agnostic programming that encompasses SQL databases. • Demonstration of practical feasibility with Python implementation and application case studies. JeanYang/PLDI2016
Enhanced runtime Jacqueline Web Framework JeanYang/PLDI2016 Policies Framework attaches policies based on annotations. Framework shows appropriate values based on viewer and policies. Object-relational mapping propagates policies and sensitive values through computations.
@jacqueline def has_host(self, host): return EventHost.objects.get( event=self, host=host) != None @jacqueline def has_guest(self, guest): return EventGuest.objects.get( event=self, host=host) != None JeanYang/PLDI2016 Base schema Policy helper functions class Event(JacquelineModel): name = CharField(max_length=256) location = CharField(max_length=512) time = DateTimeField() description = CharField(max_length)=1024) @staticmethod @label_for(‘location’) def restrict_event(event, ctxt): return event.has_host(ctxt) or event.has_guest(ctxt) @staticmethod def jacqueline_get_private_location(event): return “Undisclosed location” Public value for location field Information flow policy for location field Coding in Jacqueline
Centralized Policies in Jacqueline JeanYang/PLDI2016 Model View Controller Centralized policies! No checks or declassifications needed anywhere else!
20 JeanYang/Jeeves if == : userCount += 1 return userCount userCount = 0 print { } print { } 1 0 Closer Look at the Policy- Agnostic Runtime Runtime propagates values and policies. Runtime solves for values to show based on policies and viewer. 21 Jeeves [Yang et al 2012, Austin et al 2013] uses facets [Austin et al 2012] to simulate simultaneous multiple executions.
Labels Track Sensitive Values to Prevent Leaks JeanYang/Jeeves 21 if == : c += 1 true falseif : c += 1 c = cold+1 cold Labels follow values through all computations, including conditionals and assignments. Emery can’t see secret party information or results of computations on those values! guest guest guest
JeanYang/PLDI2016
JeanYang/PLDI2016
The Dangers of Interacting with Vanilla Databases Database queries can leak information! JeanYang/PLDI2016 Application Queries select * from Users where location = Database Application All data Database select * from Users Impractical and potentially slow! Challenge: Support faceted execution when interacting with an unmodified SQL database. Need faceted queries!
save( ) Semantics of a Faceted Database JeanYang/PLDI2016 SQL Database select * from Users where location = Too expensive! Too difficult to extend the formal semantics! Primary key Location 1 Conceptual row Store facets as strings? New database for each label?
Solution: Use ORM to Map Facets onto Database Rows Jeeves key Location Labels 1 {𝑎} 1 {¬𝑎} JeanYang/PLDI2016 select * from Users where location = ORM refacets Jeeves key Location Labels 1 {𝑎} Jeeves key Location 1 NULL Primary key Location 1 a Conceptual row a
Supporting Queries in Jacqueline Jacqueline Supports SQL Implements ORM Implements get select refaceting all select refaceting filter select refaceting sort order by refaceting foreign keys join - save delete, insert turning a faceted value into multiple rows delete delete keeping track of which facets to delete JeanYang/PLDI2016 Can use SQL implementations for many queries!
JeanYang/PLDI2016
Early Pruning Optimization JeanYang/PLDI2016 Observation: Framework can often (but not always) track viewer. Enhanced runtime Policies Optimization: Can often explore fewer possible paths!
JeanYang/PLDI2016
Review: Traditional Non- Interference JeanYang/Jeeves if == : userCount += 1 print { } 0 0 1 if == : userCount += 1 Challenge: Compute labels from program—may have dependencies on secret values! Secret values should not affect public output. guest guest guest
JeanYang/Jeeves if == : userCount += 1 print { } 0 0 1 if == : userCount += 1 Theorem: All executions where guest must be public produce equivalent outputs. Can’t tell apart secret values that require guest to be public. Policy-Agnostic Non- Interference guest guest guest
JeanYang/PLDI2016
Application Case Studies JeanYang/PLDI2016 Course manager Health record manager Conference management system (deployed!) Jacqueline reduces the number of lines of policy code and has reasonable overheads!
Demo JeanYang/PLDI2016
Conference Management System Running Times JeanYang/PLDI2016 Tests from Amazon AWS machine via HTTP requests from another machine. 0 0.05 0.1 0.15 0.2 0 500 1000 Timetoshowpage(s) Papers in database Single paper Jacqueline Django 0 2 4 6 8 10 12 14 16 0 500 1000 Timetoshowallpapers(s) Papers in database All Papers* Jacqueline Django *Different from numbers in paper.
Summary: Policy-Agnostic Web Programming with Jacqueline JeanYang/PLDI2016 Enhanced runtime encompasses applications and databases, preventing leaks between the two. Runtime prevents information leaks according to policy annotations. Sensitive data Policy annotations Database Programmer specifies information flow policies separately from other functionality. 1 2 3 We have strong formal guarantees and evidence that this can be practical!
JeanYang/PLDI2016 http://jeeveslang.org http://github.com/jeanqasaur/jeeves You can factor out information flow policies from other code to avoid policy spaghetti! You can enforce policies across the application and database by using a carefully-crafted ORM! You can build realistic systems using this approach!

Recommended

【モブセキュリティ#5】EdDSAってなんだ?
【モブセキュリティ#5】EdDSAってなんだ?【モブセキュリティ#5】EdDSAってなんだ?
【モブセキュリティ#5】EdDSAってなんだ?竹田 大将
 
Programming Languages for Biological Modeling
Programming Languages for Biological ModelingProgramming Languages for Biological Modeling
Programming Languages for Biological Modelingjxyz
 
ISMM certificate
ISMM certificateISMM certificate
ISMM certificateIan Moyse ☁
 
2.1 Bryan Tookey – Ask Jeeves
2.1 Bryan Tookey – Ask Jeeves2.1 Bryan Tookey – Ask Jeeves
2.1 Bryan Tookey – Ask Jeeves118Tracker Ltd
 
8. Lauri Kangaslahti Fonecta
8. Lauri Kangaslahti Fonecta8. Lauri Kangaslahti Fonecta
8. Lauri Kangaslahti Fonecta118Tracker Ltd
 
Preventing Information Flow with Jeeves - Singapore Data Privacy Workshop
Preventing Information Flow with Jeeves - Singapore Data Privacy WorkshopPreventing Information Flow with Jeeves - Singapore Data Privacy Workshop
Preventing Information Flow with Jeeves - Singapore Data Privacy Workshopjxyz
 
コンピュータアーキテクチャ研究の最新動向〜ISCA2015参加報告〜 @FPGAエクストリーム・コンピューティング 第7回 (#fpgax #7)
コンピュータアーキテクチャ研究の最新動向〜ISCA2015参加報告〜 @FPGAエクストリーム・コンピューティング 第7回 (#fpgax #7)コンピュータアーキテクチャ研究の最新動向〜ISCA2015参加報告〜 @FPGAエクストリーム・コンピューティング 第7回 (#fpgax #7)
コンピュータアーキテクチャ研究の最新動向〜ISCA2015参加報告〜 @FPGAエクストリーム・コンピューティング 第7回 (#fpgax #7)Shinya Takamaeda-Y
 
GigaOM Structure 10 for 2013 Short Talk
GigaOM Structure 10 for 2013 Short TalkGigaOM Structure 10 for 2013 Short Talk
GigaOM Structure 10 for 2013 Short Talkjxyz
 

Recommended

【モブセキュリティ#5】EdDSAってなんだ?
【モブセキュリティ#5】EdDSAってなんだ?【モブセキュリティ#5】EdDSAってなんだ?
【モブセキュリティ#5】EdDSAってなんだ?竹田 大将
 
Programming Languages for Biological Modeling
Programming Languages for Biological ModelingProgramming Languages for Biological Modeling
Programming Languages for Biological Modelingjxyz
 
ISMM certificate
ISMM certificateISMM certificate
ISMM certificateIan Moyse ☁
 
2.1 Bryan Tookey – Ask Jeeves
2.1 Bryan Tookey – Ask Jeeves2.1 Bryan Tookey – Ask Jeeves
2.1 Bryan Tookey – Ask Jeeves118Tracker Ltd
 
8. Lauri Kangaslahti Fonecta
8. Lauri Kangaslahti Fonecta8. Lauri Kangaslahti Fonecta
8. Lauri Kangaslahti Fonecta118Tracker Ltd
 
Preventing Information Flow with Jeeves - Singapore Data Privacy Workshop
Preventing Information Flow with Jeeves - Singapore Data Privacy WorkshopPreventing Information Flow with Jeeves - Singapore Data Privacy Workshop
Preventing Information Flow with Jeeves - Singapore Data Privacy Workshopjxyz
 
コンピュータアーキテクチャ研究の最新動向〜ISCA2015参加報告〜 @FPGAエクストリーム・コンピューティング 第7回 (#fpgax #7)
コンピュータアーキテクチャ研究の最新動向〜ISCA2015参加報告〜 @FPGAエクストリーム・コンピューティング 第7回 (#fpgax #7)コンピュータアーキテクチャ研究の最新動向〜ISCA2015参加報告〜 @FPGAエクストリーム・コンピューティング 第7回 (#fpgax #7)
コンピュータアーキテクチャ研究の最新動向〜ISCA2015参加報告〜 @FPGAエクストリーム・コンピューティング 第7回 (#fpgax #7)Shinya Takamaeda-Y
 
GigaOM Structure 10 for 2013 Short Talk
GigaOM Structure 10 for 2013 Short TalkGigaOM Structure 10 for 2013 Short Talk
GigaOM Structure 10 for 2013 Short Talkjxyz
 
Business analysis presentation final
Business analysis presentation finalBusiness analysis presentation final
Business analysis presentation finalmdchristenson
 
Cybersecurity: How to Use What We Already Know
Cybersecurity: How to Use What We Already KnowCybersecurity: How to Use What We Already Know
Cybersecurity: How to Use What We Already Knowjxyz
 
Plc ppt
Plc pptPlc ppt
Plc pptShehda Seifan
 
Introduction to Business Analysis
Introduction to Business AnalysisIntroduction to Business Analysis
Introduction to Business AnalysisAMJAD SHAIKH
 
Business analyst interview questions and answers
Business analyst interview questions and answersBusiness analyst interview questions and answers
Business analyst interview questions and answersRobin G
 
Business analyst ppt
Business analyst pptBusiness analyst ppt
Business analyst pptYaswanth Babu Gummadivelli
 
Business Analyst Interview Questions with Answers
Business Analyst Interview Questions with AnswersBusiness Analyst Interview Questions with Answers
Business Analyst Interview Questions with AnswersMaria FutureThoughts
 
Business Analyst Training
Business Analyst TrainingBusiness Analyst Training
Business Analyst TrainingCraig Brown
 
85 business analyst interview questions and answers
85 business analyst interview questions and answers85 business analyst interview questions and answers
85 business analyst interview questions and answersBusinessAnalyst247
 
Business Analysis Techniques
Business Analysis TechniquesBusiness Analysis Techniques
Business Analysis TechniquesIIBA UK Chapter
 
Business Analysis Fundamentals
Business Analysis FundamentalsBusiness Analysis Fundamentals
Business Analysis Fundamentalswaelsaid75
 
How to Improve Data Labels and Feedback Loops Through High-Frequency Sensor A...
How to Improve Data Labels and Feedback Loops Through High-Frequency Sensor A...How to Improve Data Labels and Feedback Loops Through High-Frequency Sensor A...
How to Improve Data Labels and Feedback Loops Through High-Frequency Sensor A...InfluxData
 
FIWARE Wednesday Webinars - Machine Learning with Cosmos and Spark
FIWARE Wednesday Webinars - Machine Learning with Cosmos and SparkFIWARE Wednesday Webinars - Machine Learning with Cosmos and Spark
FIWARE Wednesday Webinars - Machine Learning with Cosmos and SparkFIWARE
 
DrupalGovCon 2016: Consuming Third-party APIs in Drupal - Lessons from USGS.gov
DrupalGovCon 2016: Consuming Third-party APIs in Drupal - Lessons from USGS.govDrupalGovCon 2016: Consuming Third-party APIs in Drupal - Lessons from USGS.gov
DrupalGovCon 2016: Consuming Third-party APIs in Drupal - Lessons from USGS.govClinton Herget
 
Data Engineering for Data Scientists
Data Engineering for Data Scientists Data Engineering for Data Scientists
Data Engineering for Data Scientists jlacefie
 
Javaland 2014 / GWT architectures and lessons learned
Javaland 2014 / GWT architectures and lessons learnedJavaland 2014 / GWT architectures and lessons learned
Javaland 2014 / GWT architectures and lessons learnedpgt technology scouting GmbH
 
PinTrace Advanced AWS meetup
PinTrace Advanced AWS meetup PinTrace Advanced AWS meetup
PinTrace Advanced AWS meetup Suman Karumuri
 
Data in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathonData in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathonCisco DevNet
 
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16AppDynamics
 
Deployment Design Patterns - Deploying Machine Learning and Deep Learning Mod...
Deployment Design Patterns - Deploying Machine Learning and Deep Learning Mod...Deployment Design Patterns - Deploying Machine Learning and Deep Learning Mod...
Deployment Design Patterns - Deploying Machine Learning and Deep Learning Mod...All Things Open
 
AllThingsOpen 2018 - Deployment Design Patterns (Dan Zaratsian)
AllThingsOpen 2018 - Deployment Design Patterns (Dan Zaratsian)AllThingsOpen 2018 - Deployment Design Patterns (Dan Zaratsian)
AllThingsOpen 2018 - Deployment Design Patterns (Dan Zaratsian)dtz001
 
Introduction to Greenplum
Introduction to GreenplumIntroduction to Greenplum
Introduction to GreenplumDave Cramer
 

More Related Content

Viewers also liked

Business analysis presentation final
Business analysis presentation finalBusiness analysis presentation final
Business analysis presentation finalmdchristenson
 
Cybersecurity: How to Use What We Already Know
Cybersecurity: How to Use What We Already KnowCybersecurity: How to Use What We Already Know
Cybersecurity: How to Use What We Already Knowjxyz
 
Introduction to Business Analysis
Introduction to Business AnalysisIntroduction to Business Analysis
Introduction to Business AnalysisAMJAD SHAIKH
 
Business analyst interview questions and answers
Business analyst interview questions and answersBusiness analyst interview questions and answers
Business analyst interview questions and answersRobin G
 
Business Analyst Interview Questions with Answers
Business Analyst Interview Questions with AnswersBusiness Analyst Interview Questions with Answers
Business Analyst Interview Questions with AnswersMaria FutureThoughts
 
Business Analyst Training
Business Analyst TrainingBusiness Analyst Training
Business Analyst TrainingCraig Brown
 
85 business analyst interview questions and answers
85 business analyst interview questions and answers85 business analyst interview questions and answers
85 business analyst interview questions and answersBusinessAnalyst247
 
Business Analysis Techniques
Business Analysis TechniquesBusiness Analysis Techniques
Business Analysis TechniquesIIBA UK Chapter
 
Business Analysis Fundamentals
Business Analysis FundamentalsBusiness Analysis Fundamentals
Business Analysis Fundamentalswaelsaid75
 

Viewers also liked (11)

Business analysis presentation final
Business analysis presentation finalBusiness analysis presentation final
Business analysis presentation final
 
Cybersecurity: How to Use What We Already Know
Cybersecurity: How to Use What We Already KnowCybersecurity: How to Use What We Already Know
Cybersecurity: How to Use What We Already Know
 
Plc ppt
Plc pptPlc ppt
Plc ppt
 
Introduction to Business Analysis
Introduction to Business AnalysisIntroduction to Business Analysis
Introduction to Business Analysis
 
Business analyst interview questions and answers
Business analyst interview questions and answersBusiness analyst interview questions and answers
Business analyst interview questions and answers
 
Business analyst ppt
Business analyst pptBusiness analyst ppt
Business analyst ppt
 
Business Analyst Interview Questions with Answers
Business Analyst Interview Questions with AnswersBusiness Analyst Interview Questions with Answers
Business Analyst Interview Questions with Answers
 
Business Analyst Training
Business Analyst TrainingBusiness Analyst Training
Business Analyst Training
 
85 business analyst interview questions and answers
85 business analyst interview questions and answers85 business analyst interview questions and answers
85 business analyst interview questions and answers
 
Business Analysis Techniques
Business Analysis TechniquesBusiness Analysis Techniques
Business Analysis Techniques
 
Business Analysis Fundamentals
Business Analysis FundamentalsBusiness Analysis Fundamentals
Business Analysis Fundamentals
 

Similar to Precise Dynamic Information Flow Database Apps

How to Improve Data Labels and Feedback Loops Through High-Frequency Sensor A...
How to Improve Data Labels and Feedback Loops Through High-Frequency Sensor A...How to Improve Data Labels and Feedback Loops Through High-Frequency Sensor A...
How to Improve Data Labels and Feedback Loops Through High-Frequency Sensor A...InfluxData
 
FIWARE Wednesday Webinars - Machine Learning with Cosmos and Spark
FIWARE Wednesday Webinars - Machine Learning with Cosmos and SparkFIWARE Wednesday Webinars - Machine Learning with Cosmos and Spark
FIWARE Wednesday Webinars - Machine Learning with Cosmos and SparkFIWARE
 
DrupalGovCon 2016: Consuming Third-party APIs in Drupal - Lessons from USGS.gov
DrupalGovCon 2016: Consuming Third-party APIs in Drupal - Lessons from USGS.govDrupalGovCon 2016: Consuming Third-party APIs in Drupal - Lessons from USGS.gov
DrupalGovCon 2016: Consuming Third-party APIs in Drupal - Lessons from USGS.govClinton Herget
 
Data Engineering for Data Scientists
Data Engineering for Data Scientists Data Engineering for Data Scientists
Data Engineering for Data Scientists jlacefie
 
Javaland 2014 / GWT architectures and lessons learned
Javaland 2014 / GWT architectures and lessons learnedJavaland 2014 / GWT architectures and lessons learned
Javaland 2014 / GWT architectures and lessons learnedpgt technology scouting GmbH
 
PinTrace Advanced AWS meetup
PinTrace Advanced AWS meetup PinTrace Advanced AWS meetup
PinTrace Advanced AWS meetup Suman Karumuri
 
Data in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathonData in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathonCisco DevNet
 
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16AppDynamics
 
Deployment Design Patterns - Deploying Machine Learning and Deep Learning Mod...
Deployment Design Patterns - Deploying Machine Learning and Deep Learning Mod...Deployment Design Patterns - Deploying Machine Learning and Deep Learning Mod...
Deployment Design Patterns - Deploying Machine Learning and Deep Learning Mod...All Things Open
 
AllThingsOpen 2018 - Deployment Design Patterns (Dan Zaratsian)
AllThingsOpen 2018 - Deployment Design Patterns (Dan Zaratsian)AllThingsOpen 2018 - Deployment Design Patterns (Dan Zaratsian)
AllThingsOpen 2018 - Deployment Design Patterns (Dan Zaratsian)dtz001
 
Introduction to Greenplum
Introduction to GreenplumIntroduction to Greenplum
Introduction to GreenplumDave Cramer
 
Jeff Simpson - Cyber Maneuver Warfare and Active Cyber Defense - from ICCWS 16
Jeff Simpson - Cyber Maneuver Warfare and Active Cyber Defense - from ICCWS 16 Jeff Simpson - Cyber Maneuver Warfare and Active Cyber Defense - from ICCWS 16
Jeff Simpson - Cyber Maneuver Warfare and Active Cyber Defense - from ICCWS 16 Jeff Simpson
 
Metadata Matters! What it is and How to Manage it
Metadata Matters! What it is and How to Manage itMetadata Matters! What it is and How to Manage it
Metadata Matters! What it is and How to Manage itSafe Software
 
SC1 - Hangout 2: The Open PHACTS pilot
SC1 - Hangout 2: The Open PHACTS pilotSC1 - Hangout 2: The Open PHACTS pilot
SC1 - Hangout 2: The Open PHACTS pilotBigData_Europe
 
Crossing the Analytics Chasm and Getting the Models You Developed Deployed
Crossing the Analytics Chasm and Getting the Models You Developed DeployedCrossing the Analytics Chasm and Getting the Models You Developed Deployed
Crossing the Analytics Chasm and Getting the Models You Developed DeployedRobert Grossman
 
FIWARE Wednesday Webinars - Performing Big Data Analysis Using Cosmos With Sp...
FIWARE Wednesday Webinars - Performing Big Data Analysis Using Cosmos With Sp...FIWARE Wednesday Webinars - Performing Big Data Analysis Using Cosmos With Sp...
FIWARE Wednesday Webinars - Performing Big Data Analysis Using Cosmos With Sp...FIWARE
 
Brand Niemann11242010
Brand Niemann11242010Brand Niemann11242010
Brand Niemann11242010Brand Niemann
 
Stored-Procedures-Presentation
Stored-Procedures-PresentationStored-Procedures-Presentation
Stored-Procedures-PresentationChuck Walker
 
Spark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod NarasimhaSpark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod NarasimhaSpark Summit
 

Similar to Precise Dynamic Information Flow Database Apps (20)

How to Improve Data Labels and Feedback Loops Through High-Frequency Sensor A...
How to Improve Data Labels and Feedback Loops Through High-Frequency Sensor A...How to Improve Data Labels and Feedback Loops Through High-Frequency Sensor A...
How to Improve Data Labels and Feedback Loops Through High-Frequency Sensor A...
 
FIWARE Wednesday Webinars - Machine Learning with Cosmos and Spark
FIWARE Wednesday Webinars - Machine Learning with Cosmos and SparkFIWARE Wednesday Webinars - Machine Learning with Cosmos and Spark
FIWARE Wednesday Webinars - Machine Learning with Cosmos and Spark
 
DrupalGovCon 2016: Consuming Third-party APIs in Drupal - Lessons from USGS.gov
DrupalGovCon 2016: Consuming Third-party APIs in Drupal - Lessons from USGS.govDrupalGovCon 2016: Consuming Third-party APIs in Drupal - Lessons from USGS.gov
DrupalGovCon 2016: Consuming Third-party APIs in Drupal - Lessons from USGS.gov
 
Data Engineering for Data Scientists
Data Engineering for Data Scientists Data Engineering for Data Scientists
Data Engineering for Data Scientists
 
Javaland 2014 / GWT architectures and lessons learned
Javaland 2014 / GWT architectures and lessons learnedJavaland 2014 / GWT architectures and lessons learned
Javaland 2014 / GWT architectures and lessons learned
 
PinTrace Advanced AWS meetup
PinTrace Advanced AWS meetup PinTrace Advanced AWS meetup
PinTrace Advanced AWS meetup
 
Data in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathonData in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathon
 
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
 
Deployment Design Patterns - Deploying Machine Learning and Deep Learning Mod...
Deployment Design Patterns - Deploying Machine Learning and Deep Learning Mod...Deployment Design Patterns - Deploying Machine Learning and Deep Learning Mod...
Deployment Design Patterns - Deploying Machine Learning and Deep Learning Mod...
 
AllThingsOpen 2018 - Deployment Design Patterns (Dan Zaratsian)
AllThingsOpen 2018 - Deployment Design Patterns (Dan Zaratsian)AllThingsOpen 2018 - Deployment Design Patterns (Dan Zaratsian)
AllThingsOpen 2018 - Deployment Design Patterns (Dan Zaratsian)
 
Introduction to Greenplum
Introduction to GreenplumIntroduction to Greenplum
Introduction to Greenplum
 
Jeff Simpson - Cyber Maneuver Warfare and Active Cyber Defense - from ICCWS 16
Jeff Simpson - Cyber Maneuver Warfare and Active Cyber Defense - from ICCWS 16 Jeff Simpson - Cyber Maneuver Warfare and Active Cyber Defense - from ICCWS 16
Jeff Simpson - Cyber Maneuver Warfare and Active Cyber Defense - from ICCWS 16
 
Metadata Matters! What it is and How to Manage it
Metadata Matters! What it is and How to Manage itMetadata Matters! What it is and How to Manage it
Metadata Matters! What it is and How to Manage it
 
SC1 - Hangout 2: The Open PHACTS pilot
SC1 - Hangout 2: The Open PHACTS pilotSC1 - Hangout 2: The Open PHACTS pilot
SC1 - Hangout 2: The Open PHACTS pilot
 
Crossing the Analytics Chasm and Getting the Models You Developed Deployed
Crossing the Analytics Chasm and Getting the Models You Developed DeployedCrossing the Analytics Chasm and Getting the Models You Developed Deployed
Crossing the Analytics Chasm and Getting the Models You Developed Deployed
 
FIWARE Wednesday Webinars - Performing Big Data Analysis Using Cosmos With Sp...
FIWARE Wednesday Webinars - Performing Big Data Analysis Using Cosmos With Sp...FIWARE Wednesday Webinars - Performing Big Data Analysis Using Cosmos With Sp...
FIWARE Wednesday Webinars - Performing Big Data Analysis Using Cosmos With Sp...
 
Brand Niemann11242010
Brand Niemann11242010Brand Niemann11242010
Brand Niemann11242010
 
Big Data and OSS at IBM
Big Data and OSS at IBMBig Data and OSS at IBM
Big Data and OSS at IBM
 
Stored-Procedures-Presentation
Stored-Procedures-PresentationStored-Procedures-Presentation
Stored-Procedures-Presentation
 
Spark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod NarasimhaSpark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod Narasimha
 

Recently uploaded

Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....ShaimaaMohamedGalal
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 

Recently uploaded (20)

Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 

Precise Dynamic Information Flow Database Apps

  • 1. Precise, Dynamic Information Flow for Database- Backed Applications Jean Yang, Travis Hance, Thomas H. Austin, Armando Solar-Lezama, Cormac Flanagan, and Stephen Chong PLDI 2016 JeanYang/PLDI2016
  • 2. An oil skimming operation works in a heavy oil slick after the spill on April 1, 1989. (Photo from Huffington Post) JeanYang/PLDI2016
  • 3. JeanYang/PLDI2016 Oil-covered otter. (Photo from the Human Impact Project)
  • 4. The Relationship Between Design and Accidents JeanYang/PLDI2016 Crude oil Single hull Crude oil Double hull Required by the Oil Pollution Act of 1990.
  • 6. Wanted: Double Hull for Information Security JeanYang/PLDI2016 Sensitive data Single hull Sensitive data Double hull Research in language-based security looks at designs for double hulls [Sabelfeld and Myers, JSAC 2003]. Our goal: make double hulls that are as easy to construct as possible!
  • 7. This Talk: Making It Easier to Secure Web Programs 1. Why it’s hard to prevent information leaks. 2. A programming model that makes writing secure web programs easier. 3. How we support that programming model in database-backed applications. JeanYang/PLDI2016
  • 8. Social Calendar Example JeanYang/Jeeves Let’s say Arjun and I want to throw a surprise paper discussion party for Emery.
  • 9. Challenge: Different Viewers Should See Different Events JeanYang/PLDI2016 Guests Emery Strangers Surprise discussion for Emery at Chuck E. Cheese. Pizza with Arjun/Jean. Private event at Chuck E. Cheese.
  • 10. Policies May Depend on Sensitive Values JeanYang/PLDI2016 Guest List Finalized list Must be on guest list. Must be member of list and the list must be finalized. Leaky enforcement: when the programmer neglects dependencies of policies on sensitive values. Policy for event depends on policy for guest list!
  • 11. A Story of Leaky Enforcement JeanYang/PLDI2016 Guest List Finalized list We add Armando to non-final guest list. 1 We run out of space and remove Armando. 3 Armando figures out he was uninvited. 4 There was a party on my calendar… Guest List Finalized list Armando sees the event on his calendar. 2
  • 12. A Story of Leaky Enforcement JeanYang/PLDI2016 Guest List Finalized list We add Armando to non-final guest list. 1 We run out of space and remove Armando. 3 Armando figures out he was uninvited. 4 There was a party on my calendar… Guest List Finalized list Armando sees the event on his calendar. 2 Problem: implementation for event policy neglected to take into account guest list policy. This arises whenever we trust programmers to get policy checks right!
  • 13. Need to Track Policies and Viewers Across the Code JeanYang/PLDI2016 “What is the most popular location among friends 7pm Tuesday?” Update to all calendar users Need to track how information flows through derived values and where derived values flow!
  • 14. “Policy Spaghetti” in HotCRP JeanYang/PLDI2016 Conditional permissions checks everywhere!
  • 15. Jacqueline Web Framework to the Rescue! JeanYang/PLDI2016 Enhanced runtime encompasses applications and databases, preventing leaks between the two. Runtime prevents information leaks according to policy annotations. Sensitive data Policy annotations Database Programmer specifies information flow policies separately from other functionality. 1 2 3
  • 16. Contributions • Policy-agnostic programming model for database-backed web applications. • Semantics and proofs for policy- agnostic programming that encompasses SQL databases. • Demonstration of practical feasibility with Python implementation and application case studies. JeanYang/PLDI2016
  • 17. Enhanced runtime Jacqueline Web Framework JeanYang/PLDI2016 Policies Framework attaches policies based on annotations. Framework shows appropriate values based on viewer and policies. Object-relational mapping propagates policies and sensitive values through computations.
  • 18. @jacqueline def has_host(self, host): return EventHost.objects.get( event=self, host=host) != None @jacqueline def has_guest(self, guest): return EventGuest.objects.get( event=self, host=host) != None JeanYang/PLDI2016 Base schema Policy helper functions class Event(JacquelineModel): name = CharField(max_length=256) location = CharField(max_length=512) time = DateTimeField() description = CharField(max_length)=1024) @staticmethod @label_for(‘location’) def restrict_event(event, ctxt): return event.has_host(ctxt) or event.has_guest(ctxt) @staticmethod def jacqueline_get_private_location(event): return “Undisclosed location” Public value for location field Information flow policy for location field Coding in Jacqueline
  • 19. Centralized Policies in Jacqueline JeanYang/PLDI2016 Model View Controller Centralized policies! No checks or declassifications needed anywhere else!
  • 20. 20 JeanYang/Jeeves if == : userCount += 1 return userCount userCount = 0 print { } print { } 1 0 Closer Look at the Policy- Agnostic Runtime Runtime propagates values and policies. Runtime solves for values to show based on policies and viewer. 21 Jeeves [Yang et al 2012, Austin et al 2013] uses facets [Austin et al 2012] to simulate simultaneous multiple executions.
  • 21. Labels Track Sensitive Values to Prevent Leaks JeanYang/Jeeves 21 if == : c += 1 true falseif : c += 1 c = cold+1 cold Labels follow values through all computations, including conditionals and assignments. Emery can’t see secret party information or results of computations on those values! guest guest guest
  • 24. The Dangers of Interacting with Vanilla Databases Database queries can leak information! JeanYang/PLDI2016 Application Queries select * from Users where location = Database Application All data Database select * from Users Impractical and potentially slow! Challenge: Support faceted execution when interacting with an unmodified SQL database. Need faceted queries!
  • 25. save( ) Semantics of a Faceted Database JeanYang/PLDI2016 SQL Database select * from Users where location = Too expensive! Too difficult to extend the formal semantics! Primary key Location 1 Conceptual row Store facets as strings? New database for each label?
  • 26. Solution: Use ORM to Map Facets onto Database Rows Jeeves key Location Labels 1 {𝑎} 1 {¬𝑎} JeanYang/PLDI2016 select * from Users where location = ORM refacets Jeeves key Location Labels 1 {𝑎} Jeeves key Location 1 NULL Primary key Location 1 a Conceptual row a
  • 27. Supporting Queries in Jacqueline Jacqueline Supports SQL Implements ORM Implements get select refaceting all select refaceting filter select refaceting sort order by refaceting foreign keys join - save delete, insert turning a faceted value into multiple rows delete delete keeping track of which facets to delete JeanYang/PLDI2016 Can use SQL implementations for many queries!
  • 29. Early Pruning Optimization JeanYang/PLDI2016 Observation: Framework can often (but not always) track viewer. Enhanced runtime Policies Optimization: Can often explore fewer possible paths!
  • 31. Review: Traditional Non- Interference JeanYang/Jeeves if == : userCount += 1 print { } 0 0 1 if == : userCount += 1 Challenge: Compute labels from program—may have dependencies on secret values! Secret values should not affect public output. guest guest guest
  • 32. JeanYang/Jeeves if == : userCount += 1 print { } 0 0 1 if == : userCount += 1 Theorem: All executions where guest must be public produce equivalent outputs. Can’t tell apart secret values that require guest to be public. Policy-Agnostic Non- Interference guest guest guest
  • 36. Conference Management System Running Times JeanYang/PLDI2016 Tests from Amazon AWS machine via HTTP requests from another machine. 0 0.05 0.1 0.15 0.2 0 500 1000 Timetoshowpage(s) Papers in database Single paper Jacqueline Django 0 2 4 6 8 10 12 14 16 0 500 1000 Timetoshowallpapers(s) Papers in database All Papers* Jacqueline Django *Different from numbers in paper.
  • 37. Summary: Policy-Agnostic Web Programming with Jacqueline JeanYang/PLDI2016 Enhanced runtime encompasses applications and databases, preventing leaks between the two. Runtime prevents information leaks according to policy annotations. Sensitive data Policy annotations Database Programmer specifies information flow policies separately from other functionality. 1 2 3 We have strong formal guarantees and evidence that this can be practical!
  • 38. JeanYang/PLDI2016 http://jeeveslang.org http://github.com/jeanqasaur/jeeves You can factor out information flow policies from other code to avoid policy spaghetti! You can enforce policies across the application and database by using a carefully-crafted ORM! You can build realistic systems using this approach!

Editor's Notes

  1. Hi everyone. Now we’re going to talk about how to prevent information leaks in database-backed applications. TRANSITION: To give some context, let’s talk about another kind of leak.
  2. Some of you might remember this photo from 1989. The Exxon Valdez tanker struck ground and spilled 30 million gallons of crude oil. TRANSITION: This was one of the biggest ecological disasters of the century.
  3. The otters became covered in oil. TRANSITION: A major factor was the fact that there was only one layer of steel between the sea and the crude oil the Valdez was carrying. 
  4. Afterward, new standards were released as part of the Oil Pollution Act of 1990 that required all tankers to have double hulls, a set of compartments to hold air or ballast water between the outer hull of a ship and the cargo-carrying tanks. Double hulls not only make it much harder for a ship to sink if the outer hull is breached, but they have prevented countless oil spills. The main takeaway is that accidents happen and we should account for them at the design stage. TRANSITION: Now you might be wondering: what does all this have to do with information leaks?
  5. TRANSITION: Information leaks are also becoming quite catastrophic, to the point where even the otters are sad.
  6. What we want is the double hull equivalent for information security. But information leaks are more complicated: what it means to “strike ground” depends on the viewer and computation. TRANSITION: The good news is that it means we’re not out of a job.
  7. TRANSITION: Let’s start by going through an example.
  8. Suppose we have a social calendar like Google Calendar, but with more sharing and searching features. Let’s say Arjun and I want to throw a surprise paper discussion party for Emery to thank him for being program chair. As members of the PC, we learned that he likes discussing papers quite a bit. TRANSITION: Now I’ll explain how even seemingly simple policies have subtle interactions that the programmer can easily get wrong.
  9. Different users of the social calendar should see different versions of the event information. Guests should see that there is a surprise paper discussion for Emery and that it happens to be at Chuck E. Cheese’s. For those of you who are unfamiliar, Chuck E. Cheese’s is a popular party location for children that has games and also serves pizza for birthday parties. Clearly Arjun and I don’t know the Santa Barbara area very well. Emery should see simply that he has pizza plans with Arjun and me. Everybody else, including the otters who are celebrating not being covered in oil, should see that there is a private event at Chuck E. Cheese. The venue is, after all, public—and the otters should be informed they shouldn’t try going there are the time. Let’s suppose the social calendar supports an additional policy on guest lists, that they may be visible only to hosts until they are finalized. Since the policy for who can see party details depends on the guest list, that policy now depends on another policy! TRANSITION: Let’s take a closer look at how these policies interact.
  10. If you’ve shared a calendar with friends or colleagues or an organization, you’ve probably had the experience of events showing up on your calendar. What we’d like is for the surprise paper discussion party to show up only on the calendars of people who are allowed to see. But now I’ll describe why this isn’t as easy as one might first think. The event has a policy that you be on the guest list to see the event information. The guest list has its own policy that you must be a member of the list and the list must be finalized. Potential guests shouldn’t be able to see event information until the event is finalized. An easy mistake, however, is to neglect the connection between the two policies. I call this “leaky enforcement,” because it allows the system to show event information to potential guests who don’t end up being invited. TRANSITION: To better illustrate the point, here is a story of what happens when the programmer doesn’t take this dependency into account.
  11. First, we add my PhD advisor Armando to the guest list. Armando sees the event on his calendar. Since he does a lot of meeting scheduling by allowing people to sign up on his calendar, he plans to go to the event. We then somehow run out of space and we have to remove Armando from the finalized list. Armando looks on his calendar and figures out that he might have been uninvited, as the party no longer shows up on his calendar. Something even more awkward that could happen is that Armando shows up to the party anyway, and we have to tell him he was uninvited. TRANSITION: What happened here?
  12. First, we add my PhD advisor Armando to the guest list. Armando sees the event on his calendar. Since he does a lot of meeting scheduling by allowing people to sign up on his calendar, he plans to go to the event. We then somehow run out of space and we have to remove Armando from the finalized list. Armando looks on his calendar and figures out that he might have been uninvited, as the party no longer shows up on his calendar. Something even more awkward that could happen is that Armando shows up to the party anyway, and we have to tell him he was uninvited. TRANSITION: What happened here?
  13. Sensitive values aren’t just being shown directly, but also through various searching and aggregation features. The social calendar might, for instance, support a search like “What is the most popular location among my friends 7pm Tuesday?” Only those with the appropriate permissions should be able to see that the real answer is Chuck E. Cheese. Things get even more complicated as data is being broadcast to lots of different users, each with their own permissions, rather than being shown to one user at a time. Now the programmer needs to track not just how information needs to flow through derived values, but also where these derived values are flowing. TRANSITION: Bugs often occur because of the policy spaghetti that arises.
  14. Here are a couple of screen shots of code from the HotCRP conference management system, a system people often cite not only because it’s one of the few open source software projects many academics are familiar with, but also because it’s full of complex policy interactions. I don’t expect you to read the code, but what I do want to show are the highlighted conditional permissions checks all over the code. What I’ve highlighted are if and else statements that affect what is displayed, what functions are called, and even what SQL queries are issued based on properties of the viewer and the current situation. TRANSITION: Before this talk, you might have thought leaks were a developer education problem.
  15. In this talk, I describe the Jacqueline web framework, the double hull for database-backed web applications. In Jacqueline, programmers provide policy annotations separately from the rest of the program. This is what we call a policy-agnostic programming model because the policies are factored out. The runtime prevents information leaks according to policy annotations. And the enhanced runtime encompasses both the application and the database, preventing leaks between the two. I’ll describe later in the talk why it’s especially important to enforce policies across these multiple runtimes. TRANSITION: With this paper, we make the following contributions.
  16. TRANSITION: Let’s start by looking a the programming model for the Jacqueline web framework.
  17. The design of Jacqueline is based on a standard model-view-controller web framework where the model describes the data layout, the view describes the frontend, and the controller describes everything in between. In these frameworks, there is an object-relational mapping that provides a uniform representation of the data, allowing the controller to manipulate database items as runtime objects. In Jacqueline, the programmer additionally provide annotations alongside the model about information flow policies. The controller runs in an enhanced runtime. The framework is responsible for attaching policies based on annotations, propagating policies across application code and database queries, and defaceting based on the viewer. The framework relies on the object-relational mapping and the enhanced runtime to ensure policy enforcement across the application and database. TRANSITION: Here is what it looks like to program using Jacqueline.
  18. We’ve implemented Jacqueline as an extension to the Django Python web framework and we’ve made programming in Jacqueline look as much like programming in Django as possible. In both Jacqueline and Django, the programmer describes data schemas corresponding to how to lay out the data. On top I show the data schema for describing Jacqueline fields. We define the name, location, time, and description fields for an event, as well as the “visibility” field where the user can specify whether an event is visible to everyone or only guests. The fields of the event are the secret values by default. The programmer can designate a field as sensitive by providing an alternate, public value. Here we show the public value for any “location” field is “undisclosed location.” Functions to compute the public value take the current row as an arugment. To specify when the actual location is to be shown versus this public value, the programmer can declare a policy. The policy takes as arguments the current row and an output context. Here, our policy says that if the event visibility is “guests only,” then the secret location field can be shown if the viewer is a host or a guest. Whether the viewer is a host or guest is computed using regular database queries. The system enforces the policies throughout these queries so the programmer can be sure that they do not leak information! TRANSITION: These annotations are all the programmer needs to provide in order to implement information flow policies.
  19. Here are some screen shots of the implementation of the calendar example in Jacqueline. Again, I don’t expect you to read the code, but what I want to show you is that there are centralized policies, the rest of the program may be agnostic to the policies, and the runtime is responsible for differentiating program behavior. TRANSITION: To understand how Jacqueline works, let’s look at what is going on in the enhanced runtime.
  20. Jacqueline uses for its application runtime the policy-agnostic Jeeves language. Jeeves has an execution model that simulates simultaneous multiple executions on different facets of sensitive values. In Jeeves, sensitive values are faceted and can take on multiple values depending on the viewer and policies. The runtime propagates values and policies and solves for values to show based on the policies and the viewer. I picked this snippet of code to illustrate implicit flows. Here we are setting a variable x to zero and incrementing it if the sensitive location value is equal to Chuck E Cheese. Even if the location doesn’t leak directly, the programmer can infer its value by examining x. TRANSITION: The runtime tracks values through all computations, preventing implicit flows.
  21. The runtime uses labels to map sensitive values to policies. All values computed from sensitive values are associated with their labels. All assignments occurring under conditional branches are associated with the labels corresponding to assumptions that were made to enter that branch. More subtly, labels also help account for when policies depend on sensitive values, even the values that they themselves are protecting. With labels to do the bookkeeping, all values computed from sensitive values are shown only according to the policies. TRANSITION: This is all great, but in order to be able to use this for practical web applications we need to solve the database problem.
  22. Web applications often leak information by revealing the results of arbitrary database queries, for instance through a search interface. It doesn’t matter how much policies are enforced in the application if a single query can subvert our guarantees. Thus we don’t want to just use a vanilla SQL database directly. One way to take advantage of language-based solutions like Jeeves is to load all the data into the application and use the enforcement there. This is what you’d typically have to do with a language-based approach, as they often assume a single runtime. The issue is that doing all the work in the application is slow and we often can’t load the database into memory. The challenge is to support this faceted execution model when interacting with unmodified SQL databases. What we want is faceted queries! TRANSITION: Here are the semantics we want for faceted queries.
  23. What we want is to be able to save faceted values to the database and then run faceted queries on these values the same way we compute using faceted values in the Jeeves runtime. Some naïve approaches to encoding facets using SQL databases involve storing facets opaquely as strings and storing different databases for each label. But these approaches are expensive for different reasons and also make it difficult to extend the formal guarantees of faceted execution that we worked so hard to develop. TRANSITION: It turns out that we can encode facets in a way that both allows us to leverage SQL implementations and the existing formal machinery.
  24. TODO: Insert slide about conceptually storing faceted rows What we do is we use the object-relational mapping to map facets onto multiple database rows. Object-relational mappings typically support a uniform data representation between the application and database and mediate a set of queries. We have developed a faceted object-relational mapping that supports a uniform facet representation and mediates policy-agnostic queries. We do this by augmenting SQL tables with metadata to do facet bookkeeping to store multiple rows for a single faceted value. Let’s say we have a faceted location value guarded by a label a. We can store this as two rows in our database, connected to each other by a uniform Jeeves key, with the additional bookkeeping information that one of the rows corresponds to the positive a facet and the other one correspond to the not-a facet. What’s great about this encoding is that it allows us to take advantage of existing SQL implementations for queries such as select. When we select all columns from Users where the location is Chuck E Cheese’s, the database will only return the rows that match, but then the ORM will create facets so that these rows are only visible to permitted viewers. TRANSITION: It turns out that this encoding of facets allows us to use existing SQL implementations for many standard queries.
  25. Jacqueline supports getting records from the database, filtering records, sorting records, foreign key references into other tables, saving, and deleting. The remarkable thing is that we can implement all of this database functionality simply by using the SQL implementations and then using the ORM to perform refaceting afterward. Save and delete require some more bookkeeping to turn faceted rows into multiple rows and to keep track of which facets to delete, respectively. Note that we currently have to perform aggregation in the Jeeves runtime, since using the database implementations alone doesn’t allow us to preserve faceted execution. TRANSITION: You might wondering about why it’s not too expensive to do faceted execution for a web program.
  26. There’s a key insight about web programs that makes this possible. The high level of the insight is this: in web programs, the framework can often keep track of the viewer. This allows us to implement an optimization we call “Early Pruning” that allows us to throw away the irrelevant paths once we know the viewer. Note that we can only do this for read-only parts of the code, but for web applications these are often the computationally intensive ones. TRANSITION: In the paper we also have a formalization of the interaction between faceted execution and the database, as well as this optimization.
  27. TRANSITION: I won’t go into the details here, but I will describe at a high level our security guarantee.
  28. First, let’s do a quick review of traditional non-interference. Non-interference is the property that secret values should not affect public output. Traditional non-interference says that if the viewer can’t see the secret component of the location, then it shouldn’t matter if it’s Pizza Hut or Dominoes—the resulting output should be the same. For policy-agnostic programming, the challenge is characterizing what non-interference means when the labels determining whether something is secret or public may themselves depend on sensitive values. TRANSITION: We have developed non-interference and policy compliance theorems to capture the dependency.
  29. Our policy compliance theorem says that all executions where a must be public produce equivalent outputs. The insight is that the viewer shouldn’t be able to tell apart the secret values that require a label to be public. If the viewer can’t see the guest list because they’re not on it, they shouldn’t be able to tell the secret guest list from any other guest list they’re not on. We’ve proven that this property holds across the application code and database queries. TRANSITION: To make sure that our claims hold for realistic applications, we built the following application case studies.
  30. We’ve implemented the following small applications: a course manager, a health record manager, and a conference management system that we’ve used to run a workshop. Our results suggest that Jacqueline reduces the number of lines of policy code and has reasonable overheads. TRANSITION: Let’s see how it looks to change a policy in the conference management system.
  31. TRANSITION: It turns out that the system runs pretty well when we have more records too.
  32. We compared some running times for our Jacqueline conference management system to a conference management system written in Django, with hand-implemented policies. We ran these tests on an Amazon AWS machine by sending multiple HTTP requests from another machine and averaging over them. Along the x axis we have increasing number of papers in the database and along the y access to have the time it takes to show pages. First we compare the time it takes to show all the information for a single paper. The times for Jacqueline are better because the Django implementation requires multiple passes over some query results to apply policy checks. We then compare the time it takes to show all papers. In this case, both implementations are resolving policy checks with database queries for each data item being shown. There is a 1.5x slowdown with Jacqueline, which is pretty reasonable. TRANSITION: In summary, here’s why you should consider using the policy-agnostic approach.
  33. In this talk, I describe the Jacqueline web framework, the double hull for database-backed web applications. In Jacqueline, programmers provide policy annotations separately from the rest of the program. This is what we call a policy-agnostic programming model because the policies are factored out. The runtime prevents information leaks according to policy annotations. And the enhanced runtime encompasses both the application and the database, preventing leaks between the two. I’ll describe later in the talk why it’s especially important to enforce policies across these multiple runtimes. TRANSITION: With this paper, we make the following contributions.
  34. They want you to know that you can factor out information flow policies from other code to avoid policy spaghetto. Finally, I’d like to say that it’s incredibly exciting that so many people are programming and that the concerns programmers have are far more varied than the ones people had when they first developed the languages we’re using. This, combined with advances in programming tools, means that now is a great time to rethink our programming models. I’m excited to see what we come up with.