Tracking Dependencies for Security and Privacy
Information Flow Control is a well established field of research, providing a
suite of theoretical and practical results. However, adoption in real-world
systems has yet to catch up. This thesis seeks to expand the boundaries of
this field, in particular with the aim of making Information Flow Control more
applicable to real world scenarios. To this end, it studies several areas for
improvement. These range from fundamental notions of policies for specifying
limitations on data dependencies induced by programs, to mechanisms for
enforcing such policies both statically and dynamically. We aim to push the
current state of the art by identifying and addressing areas where current
policy definitions and enforcement mechanisms fall short in terms of providing
information confidentiality and integrity.
On the policy side, we examine existing, incomparable notions of integrity. We
present a generalized integrity framework that features a range of integrity
facets, ranging from correctness to data dependency. We demonstrate how all the
facets at once can be enforced by a single execution monitor. We also consider
information leaked in multiple runs, which traditional non-interference
policies address poorly. Employing a knowledge-based policy, we show that only
minor adjustments are needed to standard type systems to cover the multi-run
case. We apply data-dependency policies and tracking to provide a flexible
programming model on top of differentially private databases.
On the enforcement side, we demonstrate how a language endowed with
capabilities can directly enforce information flow control policies using such
primitives, through a program transformation. The thesis then considers the
permissiveness of dynamic monitors, and shows that it can be improved
mechanically through the use of random testing and program rewriting.
Following that, we explore the challenges, and their solutions, of implementing
libraries and APIs.
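The execution monitor of the policy section and the dynamic monitors of the enforcement section both rely on the same machinery: every value carries a label, a pc label records the branch conditions an instruction runs under, and the no-sensitive-upgrade (NSU) rule stops a write that would let a variable's label encode a secret branch. The following is an added example, not code from the thesis: a monitor for a tiny imperative language whose labels track a confidentiality facet and an integrity facet at once, together with constructed programs showing an implicit leak, an untrusted value reaching a trusted sink, and the permissiveness problem the text mentions (a noninterferent program NSU rejects, and a semantically equal rewrite it accepts). The label lattice, sink bounds and program encoding are assumptions made for the example.

```python
import operator

# Labels are (conf, integ): conf 0 = public, 1 = secret; integ 0 = trusted,
# 1 = untrusted. A value may flow to any pointwise-greater label, and a sink
# accepts a value only if its label is pointwise <= the sink's bound.
BOTTOM = (0, 0)           # public, trusted
SECRET = (1, 0)           # secret, trusted
UNTRUSTED = (0, 1)        # public, untrusted
PUBLIC_CHANNEL = (0, 1)   # sink bound: must be public, integrity irrelevant
TRUSTED_SINK = (1, 0)     # sink bound: must be trusted, secrecy irrelevant
OPS = {"+": operator.add, "==": operator.eq}


def join(a, b):
    return (max(a[0], b[0]), max(a[1], b[1]))


def leq(a, b):
    return a[0] <= b[0] and a[1] <= b[1]


class FlowViolation(Exception):
    pass


class Monitor:
    """Interprets statements while tracking a (value, label) pair per variable
    and a pc label for the enclosing branch conditions (implicit flows)."""

    def __init__(self, env):
        self.env = dict(env)   # name -> (value, label)
        self.outputs = []      # (sink, value) pairs the monitor allowed

    def eval(self, e):
        if e[0] == "const":
            return e[1], BOTTOM
        if e[0] == "var":
            return self.env[e[1]]
        _, op, lhs, rhs = e
        v1, l1 = self.eval(lhs)
        v2, l2 = self.eval(rhs)
        return OPS[op](v1, v2), join(l1, l2)

    def run(self, stmts, pc=BOTTOM):
        for s in stmts:
            self.exec(s, pc)

    def exec(self, s, pc):
        if s[0] == "assign":
            _, name, e = s
            v, l = self.eval(e)
            # No-sensitive-upgrade: raising a variable's label under a higher
            # pc would let the label itself reveal which branch was taken.
            if name in self.env and not leq(pc, self.env[name][1]):
                raise FlowViolation(f"NSU: assignment to {name} under pc={pc}")
            self.env[name] = (v, join(l, pc))
        elif s[0] == "if":
            _, cond, then_b, else_b = s
            v, l = self.eval(cond)
            self.run(then_b if v else else_b, join(pc, l))
        elif s[0] == "output":
            _, sink, e = s
            v, l = self.eval(e)
            if not leq(join(l, pc), sink):
                raise FlowViolation(f"label {join(l, pc)} exceeds sink bound {sink}")
            self.outputs.append((sink, v))
        else:
            raise ValueError(f"unknown statement {s[0]!r}")


def run_program(stmts, env):
    """Run under the monitor; returns ("ok", outputs) or ("rejected", reason)."""
    m = Monitor(env)
    try:
        m.run(stmts)
    except FlowViolation as ex:
        return "rejected", str(ex)
    return "ok", m.outputs


# Constructed initial environment: a secret bit and an untrusted request string.
ENV = {"secret": (1, SECRET), "req": ("rm -rf /", UNTRUSTED)}

# Implicit flow: a public variable is written inside a branch on the secret.
LEAK = [("assign", "pub", ("const", 0)),
        ("if", ("var", "secret"), [("assign", "pub", ("const", 1))], []),
        ("output", PUBLIC_CHANNEL, ("var", "pub"))]

# Integrity facet: untrusted input reaching a trusted sink.
TAINT = [("output", TRUSTED_SINK, ("var", "req"))]

# Noninterferent (pub is 1 either way) but rejected by NSU: a false positive.
OVERCAUTIOUS = [("assign", "pub", ("const", 0)),
                ("if", ("var", "secret"),
                 [("assign", "pub", ("const", 1))],
                 [("assign", "pub", ("const", 1))]),
                ("output", PUBLIC_CHANNEL, ("var", "pub"))]

# Equivalent rewrite the monitor accepts: the common write is hoisted out.
REWRITTEN = [("assign", "pub", ("const", 1)),
             ("output", PUBLIC_CHANNEL, ("var", "pub"))]

if __name__ == "__main__":
    for name, prog in [("LEAK", LEAK), ("TAINT", TAINT),
                       ("OVERCAUTIOUS", OVERCAUTIOUS), ("REWRITTEN", REWRITTEN)]:
        print(name, run_program(prog, ENV))
```

OVERCAUTIOUS and REWRITTEN compute the same public output for every secret, yet only the second passes: this is the permissiveness gap that testing-guided rewriting targets, since a rewrite such as hoisting the common assignment changes nothing observable but removes the sensitive upgrade.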
Finally, we develop a framework of integrity-protected capabilities that
support attenuated delegation and contextual bindings. In particular,
contextual bindings allow the capability to encode dependencies between the
invoker's context, the resource it refers to and the host's context, that must be
satisfied for proper authorization. We show that our construction applies well
to cheap but powerful authentication protocols for distributed systems and
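To make the notions of integrity protection, attenuated delegation and contextual binding concrete, here is an added example that is not the thesis's construction: a capability is a resource name plus an ordered list of caveats, protected by a chained HMAC in which each delegation step keys a new MAC with the previous one. A holder can therefore only add restrictions, never remove them, and the host verifies the whole token with symmetric operations alone. The caveat kinds (action restriction, invoker identity, expiry against the host's clock, invoker-tenant equal to resource-tenant) and the root key, resource table and principals are assumptions constructed for the example.

```python
import hashlib
import hmac
import json


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _enc(caveat: dict) -> bytes:
    # Canonical encoding so both sides MAC exactly the same bytes.
    return json.dumps(caveat, sort_keys=True).encode()


class Capability:
    """A resource name, an ordered list of caveats and a chained MAC."""

    def __init__(self, resource: str, caveats: list, sig: bytes):
        self.resource, self.caveats, self.sig = resource, list(caveats), sig

    @classmethod
    def mint(cls, root_key: bytes, resource: str) -> "Capability":
        return cls(resource, [], _mac(root_key, resource.encode()))

    def attenuate(self, caveat: dict) -> "Capability":
        # The new MAC is keyed by the old one, so a holder can add
        # restrictions but cannot strip them or recover the root key.
        return Capability(self.resource, self.caveats + [caveat],
                          _mac(self.sig, _enc(caveat)))


class Host:
    """Checks the MAC chain, then every caveat against invoker, resource and host context."""

    def __init__(self, root_key: bytes, resources: dict, now: int):
        self.root_key, self.resources, self.now = root_key, resources, now

    def authorize(self, cap: Capability, invoker: dict, action: str):
        sig = _mac(self.root_key, cap.resource.encode())
        for c in cap.caveats:
            sig = _mac(sig, _enc(c))
        if not hmac.compare_digest(sig, cap.sig):
            return False, "integrity check failed"
        if cap.resource not in self.resources:
            return False, "unknown resource"
        ctx = {"invoker": invoker, "resource": self.resources[cap.resource],
               "host": {"now": self.now}, "action": action}
        for c in cap.caveats:
            if not self._holds(c, ctx):
                return False, f"caveat not satisfied: {c}"
        return True, "authorized"

    @staticmethod
    def _holds(c: dict, ctx: dict) -> bool:
        kind = c["kind"]
        if kind == "actions":       # attenuation: restrict permitted operations
            return ctx["action"] in c["allow"]
        if kind == "invoker":       # bind to the invoker's identity
            return ctx["invoker"].get("principal") == c["principal"]
        if kind == "expires":       # bind to the host's clock
            return ctx["host"]["now"] < c["at"]
        if kind == "same_tenant":   # bind invoker context to the resource's context
            return ctx["invoker"].get("tenant") == ctx["resource"].get("tenant")
        return False                # unknown caveat kinds fail closed


# Constructed setup: host-only root key, one resource, and a clock reading.
ROOT_KEY = b"constructed-host-secret-key"
RESOURCES = {"/files/report.pdf": {"tenant": "acme"}}
HOST = Host(ROOT_KEY, RESOURCES, now=1_000)

# The owner mints a full capability and delegates a read-only, time-limited,
# tenant-bound version; the delegate narrows it further to one principal.
FULL = Capability.mint(ROOT_KEY, "/files/report.pdf")
DELEGATED = (FULL.attenuate({"kind": "actions", "allow": ["read"]})
                 .attenuate({"kind": "expires", "at": 2_000})
                 .attenuate({"kind": "same_tenant"}))
ALICE_ONLY = DELEGATED.attenuate({"kind": "invoker", "principal": "alice"})

BOB = {"principal": "bob", "tenant": "acme"}
ALICE = {"principal": "alice", "tenant": "acme"}
MALLORY = {"principal": "mallory", "tenant": "evil"}
# Forgery attempt: keep the final MAC but drop the later caveats.
FORGED = Capability(DELEGATED.resource, DELEGATED.caveats[:1], DELEGATED.sig)

if __name__ == "__main__":
    print(HOST.authorize(DELEGATED, BOB, "read"))
    print(HOST.authorize(DELEGATED, MALLORY, "read"))
    print(HOST.authorize(FORGED, BOB, "read"))
```

The same_tenant caveat is the contextual binding: it is not a fixed value baked into the token but a relation between the invoker's context and the resource's context that the host evaluates at authorization time, alongside a relation to the host's own state (the clock).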
VV12, Sven Hultins gata 6, Chalmers.
Opponent: Prof. Michael Hicks, Department of Computer Science, University of Maryland, USA.