Laminar: practical fine-grained decentralized information flow control

Research article. Published: 15 June 2009. DOI: 10.1145/1542476.1542484

Abstract

Decentralized information flow control (DIFC) is a promising model for writing programs with powerful, end-to-end security guarantees. Current DIFC systems that run on commodity hardware can be broadly categorized into two types: language-level and operating-system-level DIFC. Language-level solutions provide no guarantees against security violations on system resources, such as files and sockets. Operating-system solutions can mediate accesses to system resources, but are inefficient at monitoring the flow of information through fine-grained program data structures.
This paper describes Laminar, the first system to implement decentralized information flow control using a single set of abstractions for OS resources and heap-allocated objects. Programmers express security policies by labeling data with secrecy and integrity labels, and then access the labeled data in lexically scoped security regions. Laminar enforces the security policies specified by the labels at runtime. Laminar is implemented using a modified Java virtual machine and a new Linux security module. This paper shows that security regions ease incremental deployment and limit dynamic security checks, allowing us to retrofit DIFC policies on four application case studies. Replacing the applications' ad hoc security policies changes less than 10% of the code and incurs performance overheads from 1% to 56%. Whereas prior DIFC systems only support limited types of multithreaded programs, Laminar supports a more general class of multithreaded DIFC programs that can access heterogeneously labeled data.
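The abstract describes the DIFC model only in outline: data carries secrecy and integrity labels, and it may be touched only inside lexically scoped security regions where the checks happen at runtime. The following Python sketch is an added example, not Laminar's code and not the paper's API. It models a label as a pair of tag sets with the usual lattice rule (secrecy tags may only be gained, integrity tags may only be lost), a security region as a context manager that checks every read and write against its own label, and declassification as an operation gated by a capability for the tag being removed. It also goes slightly beyond the abstract by showing the integrity direction and the join of two labels. All identifiers, the tags "alice" and "vendor_signed", and the sample card number are constructed for this example.

```python
import threading
from dataclasses import dataclass
from typing import Any, FrozenSet, Iterable, Tuple

Tag = str  # opaque marker owned by a principal, e.g. "alice" (constructed names)


@dataclass(frozen=True)
class Label:
    secrecy: FrozenSet[Tag] = frozenset()    # who may learn the data
    integrity: FrozenSet[Tag] = frozenset()  # who vouches for the data

    def can_flow_to(self, dst: "Label") -> bool:
        # Allowed only to a label at least as secret and at most as trusted.
        return self.secrecy <= dst.secrecy and dst.integrity <= self.integrity

    def join(self, other: "Label") -> "Label":
        # Least upper bound: the label of data derived from both inputs.
        return Label(self.secrecy | other.secrecy, self.integrity & other.integrity)


class IFCViolation(Exception):
    """Raised when a runtime label check fails."""


class Labeled:
    """Heap object carrying a label; touched only through a SecurityRegion."""
    def __init__(self, value: Any, label: Label) -> None:
        self._value = value
        self.label = label


_state = threading.local()  # per-thread region stack: threads keep distinct labels


class SecurityRegion:
    """Scoped block running with an explicit label plus a capability set.
    Capability (tag, "-") permits removing tag from a label (declassification)."""

    def __init__(self, label: Label, capabilities: Iterable[Tuple[Tag, str]] = ()) -> None:
        self.label = label
        self.capabilities = set(capabilities)

    def __enter__(self) -> "SecurityRegion":
        if not hasattr(_state, "stack"):
            _state.stack = []
        _state.stack.append(self)
        return self

    def __exit__(self, *exc: Any) -> None:
        _state.stack.pop()

    @staticmethod
    def current() -> "SecurityRegion":
        stack = getattr(_state, "stack", [])
        if not stack:
            raise IFCViolation("labeled data touched outside any security region")
        return stack[-1]

    def read(self, obj: Labeled) -> Any:
        if not obj.label.can_flow_to(self.label):
            raise IFCViolation(f"read denied: {obj.label} -> {self.label}")
        return obj._value

    def write(self, obj: Labeled, value: Any) -> None:
        if not self.label.can_flow_to(obj.label):
            raise IFCViolation(f"write denied: {self.label} -> {obj.label}")
        obj._value = value

    def declassify(self, obj: Labeled, tag: Tag) -> Labeled:
        # The only sanctioned way for a secret to leave: needs the "-" capability.
        if (tag, "-") not in self.capabilities:
            raise IFCViolation(f"no capability to declassify {tag}")
        return Labeled(self.read(obj), Label(obj.label.secrecy - {tag}, obj.label.integrity))


def _attempt(action) -> str:
    try:
        action()
        return "allowed"
    except IFCViolation:
        return "denied"


def demo() -> dict:
    """Exercise each check on constructed sample data; returns the outcomes."""
    secret, public = Label(secrecy=frozenset({"alice"})), Label()
    trusted = Label(integrity=frozenset({"vendor_signed"}))
    card = Labeled("4111-1111-1111-1234", secret)   # constructed sample value
    log, config = Labeled("", public), Labeled("default", trusted)
    out = {"outside": _attempt(SecurityRegion.current)}
    with SecurityRegion(public) as r:
        out["low_reads_high"] = _attempt(lambda: r.read(card))
        out["untrusted_writes_trusted"] = _attempt(lambda: r.write(config, "x"))
    with SecurityRegion(secret) as r:
        out["high_reads_high"] = r.read(card)
        out["high_writes_low"] = _attempt(lambda: r.write(log, r.read(card)))
    with SecurityRegion(secret, capabilities={("alice", "-")}) as r:
        masked = Labeled("****" + r.read(card)[-4:], secret)
        released = r.declassify(masked, "alice")
    with SecurityRegion(public) as r:
        out["released"] = (released.label == public, r.read(released))
    out["join"] = secret.join(trusted) == Label(frozenset({"alice"}), frozenset())
    return out
```

Running demo() shows the points the abstract makes: a region at the public label cannot read alice's data, a region raised to alice's label can read it but cannot copy it into the public log, an untrusted region cannot overwrite vendor-signed configuration, and only a region holding the declassification capability can release a masked value at the lower label. Real systems such as the one the paper describes also have to label OS resources and mediate the corresponding system calls; this toy models heap objects only.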



Published in

PLDI '09: Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2009, 492 pages. ISBN 9781605583921. DOI 10.1145/1542476.
Also in ACM SIGPLAN Notices, Volume 44, Issue 6 (PLDI '09), June 2009, 478 pages. ISSN 0362-1340, EISSN 1558-1160. DOI 10.1145/1543135.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. information flow control
  2. java virtual machine
  3. operating systems
  4. security region

Conference

PLDI '09. Overall acceptance rate: 406 of 2,067 submissions (20%).

Article Metrics

  • Downloads (last 12 months): 33
  • Downloads (last 6 weeks): 6
Reflects downloads up to 17 Feb 2025.

Cited By

  • Sesame: Practical End-to-End Privacy Compliance with Policy Containers and Privacy Regions. Proceedings of the ACM SIGOPS 30th Symposium on Operating Systems Principles, pages 709-725, 4 Nov 2024. DOI 10.1145/3694715.3695984.
  • Static-Dynamic Information Flow Control in Rust. Companion Proceedings of the 2024 ACM SIGPLAN International Conference on Systems, Programming, Languages, and Applications: Software for Humanity, pages 16-18, 20 Oct 2024. DOI 10.1145/3689491.3691820.
  • Cocoon: Static Information Flow Control in Rust. Proceedings of the ACM on Programming Languages 8(OOPSLA1):166-193, 29 Apr 2024. DOI 10.1145/3649817.
  • Formalization and Analysis of Aeolus-based File System from Process Algebra Perspective. Mobile Networks and Applications 29(1):273-285, 13 Sep 2024. DOI 10.1007/s11036-024-02332-w.
  • Information Flow Tracking for Heterogeneous Compartmentalized Software. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, pages 564-579, 16 Oct 2023. DOI 10.1145/3607199.3607235.
  • General Data Protection Runtime: Enforcing Transparent GDPR Compliance for Existing Applications. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pages 3343-3357, 15 Nov 2023. DOI 10.1145/3576915.3616604.
  • DeMAndApp: Detecting Malicious Android App. Applied Computing for Software and Smart Systems, pages 199-219, 27 Dec 2023. DOI 10.1007/978-981-99-7783-3_13.
  • Enabling Lightweight Privilege Separation in Applications with MicroGuards. Applied Cryptography and Network Security Workshops, pages 571-598, 4 Oct 2023. DOI 10.1007/978-3-031-41181-6_31.
  • Immutability and Encapsulation for Sound OO Information Flow Control. ACM Transactions on Programming Languages and Systems 45(1):1-35, 2 Dec 2022. DOI 10.1145/3573270.
  • Analysis of the Expressive Power of DIFC Model Based on Temporal Logic. 2022 7th International Conference on Signal and Image Processing (ICSIP), pages 792-798, 20 Jul 2022. DOI 10.1109/ICSIP55141.2022.9886686.
