Protecting Sensitive Information from Untrusted Code

As computer systems support more aspects of modern life, from finance to health care, security becomes increasingly important. Computer systems have to safeguard data from unauthorized users, malicious code, code with programmer bugs and other threats.

Recently, decentralized information flow control (DIFC) has emerged as a promising model to write programs with powerful, end-to-end security guarantees. The DIFC model provides security by allowing users to associate secrecy and integrity labels with data and restricting the flow of information according to these labels.

Current DIFC systems that run on commodity hardware can be broadly categorized into two types: language-level and operating system-level DIFC. Language level solutions provide no guarantees against security violations on system resources, like files and sockets. Operating system solutions can mediate accesses to system resources, but are inefficient at monitoring the flow of information through fine-grained program data structures. 

In the talk I will primarily describe "Laminar", the first system to implement decentralized information flow control using a single set of abstractions for OS resources and heap-allocated objects. Programmers express security policies by labeling data with secrecy and integrity labels, and then access the labeled data in lexically scoped security regions. Laminar is implemented using a modified Java virtual machine and a new Linux security module.

I will also give a brief overview of another system that I am developing, called "Airavat". Airavat is a MapReduce-based system that provides strong security and privacy guarantees for distributed computations on sensitive data.