A Framework for Automatically

Enforcing Privacy PoliciesJean Yang

MSRC / October 15, 2013

Privacy matters.People get it wrong.

Many possible points of failure.

getLocation(user)

findAllUsers(location)

findTopLocations()

Only friends can see GPS

location.

Desired Policy

Policy

Implementation

Policy

Policy

Increasingly complex policies.

Only friends can see GPS

location.

Desired Policy

who are localwithin next five hours

Jean Yang / Jeeves 5

Easier if we separate policies from other functionality.

getLocation(user)

findAllUsers(location)

findTopLocations()

Only friends can see GPS

location.

Policy Implementation Other Implementation

Jean Yang / Jeeves 7

| findAllUsers(MSRC)

The Jeeves Language

k

You have no friends in this location.

Jean Yang / Jeeves 8

Associated withpolicies.

val loc = gpsCoords | country(gpsCoords)a

label a

Core Functionalityval msg = “Jean’s location is ” + asStr(loc)

Contextual Enforcementprint {andrey} msg “Jean’s location is N 52.19, W 0.13.”print {rishabh} msg “Jean’s location is in the United Kingdom.”

Policiesrestrict a: loc.(isNear(oc, jean))

{ low, high }

9

Sensitive Values

Jean Yang / Jeeves

Label.

Label.

Output channel. Predicate.

High value. Low value.

Jean Yang / Jeeves 10

Jeeves Execution

=

3

Faceted execution

3 | 0 a

true | false a

Storing policies

Policies

label arestrict a: loc.true

Constraintsprint {…} …true a = low

a loc.true

false

Jean Yang / Jeeves 11

restrict a: loc.isNear(oc,me)

Policies may refer to sensitive values.

Jeeves Policies

loc.addConstraint( isNear(oc, me) a == low)

Constraints always take this form.

Notes• There is always a consistent assignment.

• Notion of maximal functionality: if a label is allowed to be high, we try to set it to high.

Jean Yang / Jeeves 12

Jean Yang / Jeeves 13

Classical SecurityLevel 3:

top secret.

Level 2:highly classified.

Level 1:privileged information.

Lattice of access levels.

Jean Yang / Jeeves 14

Classical Security

Viewers must have access for the highest level.

+Level 3

Level 3

Level 0

Jean Yang / Jeeves 15

| Jeeves Security

p+

Jean Yang / Jeeves 16

Jeeves Non-InterferenceGuarantee

H | L a

Given a sensitive value

all executions where a must be low produce equivalent outputs no matter the value of H.

Takes into account when label depends on sensitive values!

Jean Yang / Jeeves 17

Non-Interferencein Jeeves

restrict a: loc.(distance(oc, location) < 25)

protected location

viewer

Viewer within radius:a is allowed to be high.

Jean Yang / Jeeves 18

Non-Interferencein Jeeves

restrict a: loc.(distance(oc, location) < 25)

protected location

Viewer outside radius:a must be low.Viewer should not be able to distinguish actual location from any other of these points.

viewer

Jean Yang / Jeeves 19

Jean Yang / Jeeves 20

ImplementationOverload operators for faceted evaluation.

Policy environment

Use an SMT solver as a model finder.

print

mkLabelrestrict

=

33 | 42 a

Store policies in runtime environment

true | false a

false

Jean Yang / Jeeves 21

Case study: JConfJConf

policiesJConf

functionality

Reviewer Author

Jean Yang / Jeeves 22

UserRole

PaperTitleAuthorReviewsTags…

Policy

Policy

Policy

ReviewReviewerContent

Policy

Policy

ContextUserStage

Polic

y

Policy

Core Program•Search papers.•Display papers.•Add and remove tags.•Assign and submit reviews.Fu

nctio

nalit

yJconf Architecture

Jean Yang / Jeeves 23

Functionality vs. PolicyFile Total LOC Policy LOCConfUser.scala 212 21PaperRecord.scala 304 75PaperReview.scala 116 32ConfContext.scala 6 0Backend + Squeryl 800 0

Frontend (Scalatra) 629 0

Frontend (SSP) 798 0

Total 2865 128< 5%

Jean Yang / Jeeves 24

SQL(Squeryl)Embedded

DSL

Scalatra frontend

PostGreSQLEmbedded

DSL

Django frontend

Jeeves Frameworks

Python-Jeeves

source transform

Jean Yang / Jeeves 25

What about inputs?

Reviewer A

Reviews

New review

Reviewer B

New review

---

Author

Jean Yang / Jeeves 26

Reviewer A

Reviews

New review

Reviewer B

New review

Old review

Author

Storing multiple versions?

Jean Yang / Jeeves 27

Scores

New score

New score

Old score

UserUser

User

---

User

When viewers specify trust…

Need to additionally track who is writing…

Jean Yang / Jeeves 28

Low-level mechanism

Mutable State

424242

p1

p2

p2

Associate references with policies

wrestrict lin.lout. ((in == alice) && isFriends (out, alice))

wrestrict lin.lout.(isFriends(in, alice))

Jean Yang / Jeeves 29

Execution with writer’s inputs

Execution without writer’s inputs

New score

Guarantees

Jean Yang / Jeeves 30

Write Policy Case Studies

Authentication Battleship game

Conference management

Notes• Support policies for confidentiality and integrity.

• Policy-agnosticism good for encoding other policies, for instance game rules.

Jean Yang / Jeeves 31

|

select * from paperswhere author = “Jean Yang”

authorhigh authorlow policies

p

Interfacing with the DB

32

FINALLY.. I CAN FOCUS ON FUNCTIONALITY!

Jean Yang / Jeeves 33

Jeeves Team

Armando Solar-

LezamaThomas Austin

Cormac Flanagan

TravisHance

BenjaminShaibu

| Program

The Jeeves Framework

k

Jean Yang / Jeeves 34

Customized page

Customized page

jeeveslang.org