Tracking Dependencies for Security and Privacy

Doctoral thesis, 2013

Information Flow Control is a well established field of research, providing a suite of theoretical and practical results. However, adoption to real world systems has yet to catch up. This thesis seeks to expand the boundaries of this field, in particular with the aim of making Information Flow Control more applicable to real world scenarios. To this end, it studies several areas for improvement. These range from fundamental notions of policies for specifying limitations on data dependencies induced by programs, to mechanisms for enforcing such policies both statically and dynamically. We aim to push the current state of the art by identifying and addressing areas where current policy definitions and enforcement mechanisms fall short in terms of providing information confidentiality and integrity. On the policy side, we examine existing, incomparable notions of integrity. We present a generalized integrity framework that features a range of integrity facets including correctness to data dependency. We demonstrate how all the facets at once can be enforced by a single execution monitor. We also consider information leaked in multiple runs, which traditional non-interference policies address poorly. Employing a knowledge-based policy, we show that only minor adjustments are needed to standard type systems to cover the multi-run case. We apply data-dependency policies and tracking to provide a flexible programming model on top of differentially private databases. On the enforcement side, we demonstrate how a language endowed with capabilities can directly enforce information flow control policies using such primitives, through a program transformation. The thesis then considers the permissiveness of dynamic monitors, and shows that it can be improved mechanically through the use of random testing and program rewriting. Following that, we explore the challenges, and their solutions, of implementing a dynamic monitor for the full language of JavaScript, including its built-in libraries and APIs. Finally, we develop a framework of integrity-protected capabilities that support attenuated delegation and contextual bindings. In particular, contextual bindings allow the capability to encode dependencies between the invokers context, the resource it refers to and the hosts context, that must be satisfied for proper authorization. We show that our construction applies well to cheap but powerful authentication protocols for distributed systems and cloud services.