preventing information flow with jeeves - singapore data privacy workshop

Preventing Information Leaks

with Jeeves

Jean Yang, MITJuly 21, 2015

Jean Yang / Jeeves 2

Wearable devices

Data, Data Everywhere

Social media

Electronic health records

Online courses


All Kinds of People Are Writing All Kinds of

CodeOpen source lines of code

Journalists

Medical researchers

Social scientists

Children


Even Trained Developers Leak

Information


Why Aren’t Existing Approaches Enough?

Exploit

Patch

But leaves system builders a step

behind.

Defensive protection

But people are still showing the data

wrong.

Encrypting Data


My Approach:Privacy by Construction

Factor out security and privacy to reduce opportunity for leaks.

• Programmer specifies high-level policies about how sensitive data can be used.

• Rest of program is policy-agnostic.• System manages policies automatically.


Social Calendar Example

Alice and Bob throw a surprise party for Carol.


Even Seemingly Simple Policies Have Subtleties

Guests Carol Strangers

Surprise party for Carol at

Chuck E. Cheese.

Pizza with Alice/Bob.

Private event at Chuck E.

Cheese.

Policy: Must be guest. Policies can depend on sensitive values and other policies.Policy: Only visible to

hosts until finalized.

Problem:


Enforcing Policies Can Leak Information!

Guests

Surprise party at

Chuck E. Cheese.

Policy: Only visible to hosts until finalized.

Policy: Must be guest.

Guest list finalized

Guests can’t see event

Guests can see event

• Subtle mistake: check for policy 1 neglects dependency on policy 2.

• Problem arises when programmers trusted to get dependencies right.

1

2


Policies Are Intertwined Across the Code

“What is the most popular location among friends 7pm Tuesday?”

Update to event

subscribers

• Track information flow through derived values.• Track where derived values flow.

Problem:


“Policy Spaghetti”in Real Systems

Code from HotCRP

conference management

system

Highlighted: conditional permissions checks everywhere.


Programming model provides mathematical

guarantees.

Implementation strategy is practically feasible.

Automatic Enforcement with Jeeves

The well-intentioned programmer writes same code no matter what

policies are.


Jeeves Factors Out Policies

• Centralized policies.• Policy-agnostic

program.• Runtime differentiates

behavior.

Model View Controller


Policy-Agnostic Programming in Jeeves

Application CodeSeparate from policies.

policiesSensitive values encapsulate multiple behaviors.

Policies describe rules for how values may flow to output contexts.


.guests [ ]

Jeeves Supports Expressive Policies

def isNotCarol(oc): return oc !=Output context can be of arbitrary type.

def isGuest(oc): return oc in .guests

A policy is an arbitrary function that takes the output context and returns a Boolean value.

Policies can depend on sensitive values.


==

true false

print { } print { }

true false

Jeeves Programming Model

Programmer writes policy-agnostic programs.

Runtime propagates values and policies.

Runtime produces differentiated output based on the viewer.

Programmer specifies policies and facets.

1 2

4

3


The Jeeves Programming Model

• Well-defined runtime semantics for policy-agnostic programming with information flow policies.

• Can be implemented standalone or embedded as a library.

• Has been adapted across runtimes in web frameworks.

19

FINALLY.. I CAN FOCUS ON FUNCTIONALITY!


if == :

x += 1return x

x = 0

print { } print { }

1 0

Jeeves Execution Model

Runtime propagates values and policies.

Runtime solves for values to show based on policies and viewer.

21

Runtime simulates simultaneous multiple executions.


Using Policies to Produce Outputs

print { }

0

( != ) ? 1 : 0policy( )

Jeeves uses policies to defacet appropriately.

1 0

def isNotCarol(oc): return oc !=


print { }

( == ) ? : policy( )

def isMaybeCarol(oc): return oc ==

But What About Dependencies?

Possible solutions:

( == ) ? :

( == ) ? :

Jeeves runtime will pick the secret value if allowed.

Need to find a fixed point!


Using Constraints to Handle Dependencies

Label Policy

a def isGuest(oc): return oc in .guests

in .guestspolicy( )

𝑎∈ {𝑠𝑒𝑐𝑟𝑒𝑡 ,𝑝𝑢𝑏𝑙𝑖𝑐 }print { }

𝑎=𝑠𝑒𝑐𝑟𝑒𝑡⇒ 𝑓𝑎𝑙𝑠𝑒¬(𝑎=𝑠𝑒𝑐𝑟𝑒𝑡 )

⊢⊢

0

1 0

a

• Constraints contain only Boolean variables.

• Always a consistent assignment.

Evaluated with respect to state at time of output.


Tracking Policies Through Execution

if == :a

x += 1

true false

aif :

x += 1

x = xold+1 xold

a

Labels follow values through all computations, including conditionals and assignments.

Policy compliance guaranteed


Web server code

Target Domain: Database-Backed Web

Applications

Application Queries Database


Facets in the Application and Database

ApplicationQueries

select * from Userswhere location =

SQL Database

Application All data SQL Databaseselect * from Users

Database queries can leak information!

Impractical and potentially slow!

Solution: Use object-relational mapping to facet the database. Map facets onto non-faceted relational database.


Jeeves runtime

Jacqueline Web Framework

Application

Frontend Database

@jeevesViewer

Propagate

policies.

Attach policies.

Defac

et

valu

es b

ased

on p

olici

es

and

viewer

.

Programmer is responsible

Framework is responsible


Django-like data schema for describing fields.

Policy for ‘location’ field.

Helper functions for policy include queries.

Public value for ‘location’ field.


Compare to Django

DEPLOYED

FOR PLOOC

2014!Conference

management systemCourse manager Health record

manager(based on

representative HIPAA fragment)

Implemented in Jacqueline


Web Frameworks: Django vs. Jacqueline


Demo


CMS Running Times

Tests from Amazon AWS machine via HTTP requests from another machine.

0 200 400 600 800 10000

0.05

0.1

0.15

0.2

Single paper

Jacqueline Django

Papers in database

Tim

e t

o s

ho

w p

ag

e (

s)

0 200 400 600 800 10000

2

4

6

8

10

12

All Papers

Jacqueline Django

Papers in databaseT

ime

to

sh

ow

pa

ge

(s)


Policy-Agnostic Programming in Jeeves

Design of a policy-agnostic programming

language[POPL ‘12]

Semantics and guarantees[PLAS ’13]

Web framework, and case studies[in submission]

==

Other functionality

PoliciesSensitive

values


Python/DBCore team

Language evaluation and case studies

Semantics

Jeeves Team

Armando Solar-Lezama

Thomas AustinCormac Flanagan

TravisHance

BenjaminShaibu

Pat Long &Jesse Klimov

Lena Abdalla

Amadu Durham

Ariel Jacobs

Scala

Kuat Yessenov

Jean Yang


Applying Policy-Agnostic Ideas at Home1. Associate policies with data.

2. Make rest of program aware of data’s policies.

It pays to think about policy enforcement systematically: can get end-to-end guarantees—often with negligible overheads!Works not just for security and privacy, but also for other customization!


Parting Thoughts

By reducing opportunity for

programmer error, we can

eliminate whole classes of

information leaks.

http://jeeveslang.org

preventing information flow with jeeves - singapore data privacy workshop

Technology