Upload
sian
View
40
Download
0
Tags:
Embed Size (px)
DESCRIPTION
A Framework for Automatically Enforcing Privacy Policies. Jean Yang MSRC / October 15, 2013. Privacy matters. People get it wrong. Many possible points of failure. Desired Policy. Implementation. Policy. Only friends can see GPS location. getLocation (user). Policy. - PowerPoint PPT Presentation
Citation preview
A Framework for Automatically
Enforcing Privacy PoliciesJean Yang
MSRC / October 15, 2013
Privacy matters.People get it wrong.
Many possible points of failure.
getLocation(user)
findAllUsers(location)
findTopLocations()
Only friends can see GPS
location.
Desired Policy
Policy
Implementation
Policy
Policy
Increasingly complex policies.
Only friends can see GPS
location.
Desired Policy
who are localwithin next five hours
Jean Yang / Jeeves 5
Easier if we separate policies from other functionality.
getLocation(user)
findAllUsers(location)
findTopLocations()
Only friends can see GPS
location.
Policy Implementation Other Implementation
Jean Yang / Jeeves 7
| findAllUsers(MSRC)
The Jeeves Language
k
You have no friends in this location.
Jean Yang / Jeeves 8
Associated withpolicies.
val loc = gpsCoords | country(gpsCoords)a
label a
Core Functionalityval msg = “Jean’s location is ” + asStr(loc)
Contextual Enforcementprint {andrey} msg “Jean’s location is N 52.19, W 0.13.”print {rishabh} msg “Jean’s location is in the United Kingdom.”
Policiesrestrict a: loc.(isNear(oc, jean))
{ low, high }
9
Sensitive Values
Jean Yang / Jeeves
Label.
Label.
Output channel. Predicate.
High value. Low value.
Jean Yang / Jeeves 10
Jeeves Execution
=
3
Faceted execution
3 | 0 a
true | false a
Storing policies
Policies
label arestrict a: loc.true
Constraintsprint {…} …true a = low
a loc.true
false
Jean Yang / Jeeves 11
restrict a: loc.isNear(oc,me)
Policies may refer to sensitive values.
Jeeves Policies
loc.addConstraint( isNear(oc, me) a == low)
Constraints always take this form.
Notes• There is always a consistent assignment.
• Notion of maximal functionality: if a label is allowed to be high, we try to set it to high.
Jean Yang / Jeeves 12
Jean Yang / Jeeves 13
Classical SecurityLevel 3:
top secret.
Level 2:highly classified.
Level 1:privileged information.
Lattice of access levels.
Jean Yang / Jeeves 14
Classical Security
Viewers must have access for the highest level.
+Level 3
Level 3
Level 0
Jean Yang / Jeeves 15
| Jeeves Security
p+
Jean Yang / Jeeves 16
Jeeves Non-InterferenceGuarantee
H | L a
Given a sensitive value
all executions where a must be low produce equivalent outputs no matter the value of H.
Takes into account when label depends on sensitive values!
Jean Yang / Jeeves 17
Non-Interferencein Jeeves
restrict a: loc.(distance(oc, location) < 25)
protected location
viewer
Viewer within radius:a is allowed to be high.
Jean Yang / Jeeves 18
Non-Interferencein Jeeves
restrict a: loc.(distance(oc, location) < 25)
protected location
Viewer outside radius:a must be low.Viewer should not be able to distinguish actual location from any other of these points.
viewer
Jean Yang / Jeeves 19
Jean Yang / Jeeves 20
ImplementationOverload operators for faceted evaluation.
Policy environment
Use an SMT solver as a model finder.
mkLabelrestrict
=
33 | 42 a
Store policies in runtime environment
true | false a
false
Jean Yang / Jeeves 21
Case study: JConfJConf
policiesJConf
functionality
Reviewer Author
Jean Yang / Jeeves 22
UserRole
PaperTitleAuthorReviewsTags…
Policy
Policy
Policy
ReviewReviewerContent
Policy
Policy
ContextUserStage
Polic
y
Policy
Core Program•Search papers.•Display papers.•Add and remove tags.•Assign and submit reviews.Fu
nctio
nalit
yJconf Architecture
Jean Yang / Jeeves 23
Functionality vs. PolicyFile Total LOC Policy LOCConfUser.scala 212 21PaperRecord.scala 304 75PaperReview.scala 116 32ConfContext.scala 6 0Backend + Squeryl 800 0
Frontend (Scalatra) 629 0
Frontend (SSP) 798 0
Total 2865 128< 5%
Jean Yang / Jeeves 24
SQL(Squeryl)Embedded
DSL
Scalatra frontend
PostGreSQLEmbedded
DSL
Django frontend
Jeeves Frameworks
Python-Jeeves
source transform
Jean Yang / Jeeves 25
What about inputs?
Reviewer A
Reviews
New review
Reviewer B
New review
---
Author
Jean Yang / Jeeves 26
Reviewer A
Reviews
New review
Reviewer B
New review
Old review
Author
Storing multiple versions?
Jean Yang / Jeeves 27
Scores
New score
New score
Old score
UserUser
User
---
User
When viewers specify trust…
Need to additionally track who is writing…
Jean Yang / Jeeves 28
Low-level mechanism
Mutable State
424242
p1
p2
p2
Associate references with policies
wrestrict lin.lout. ((in == alice) && isFriends (out, alice))
wrestrict lin.lout.(isFriends(in, alice))
Jean Yang / Jeeves 29
Execution with writer’s inputs
Execution without writer’s inputs
New score
Guarantees
Jean Yang / Jeeves 30
Write Policy Case Studies
Authentication Battleship game
Conference management
Notes• Support policies for confidentiality and integrity.
• Policy-agnosticism good for encoding other policies, for instance game rules.
Jean Yang / Jeeves 31
|
select * from paperswhere author = “Jean Yang”
authorhigh authorlow policies
p
Interfacing with the DB
32
FINALLY.. I CAN FOCUS ON FUNCTIONALITY!
Jean Yang / Jeeves 33
Jeeves Team
Armando Solar-
LezamaThomas Austin
Cormac Flanagan
TravisHance
BenjaminShaibu
| Program
The Jeeves Framework
k
Jean Yang / Jeeves 34
Customized page
Customized page
jeeveslang.org