a framework for automatically enforcing privacy...
TRANSCRIPT
A Framework for
Automatically
Enforcing Privacy
Policies
Jean Yang MSRC / October 15, 2013
Privacy matters.
People get it wrong.
Many possible points of failure.
getLocation(user)
findAllUsers(location)
findTopLocations()
Only friends
can see GPS
location.
Desired Policy
Policy
Implementation
Policy
Policy
Increasingly complex policies.
Only friends
can see GPS
location.
Desired Policy
who are
local
within next five
hours
Jean Yang / Jeeves 5
Easier if we separate policies
from other functionality.
getLocation(user)
findAllUsers(location)
findTopLocations()
Only friends
can see GPS
location.
Involves integrating with the
language semantics.
Policy Implementation Other Implementation
Jean Yang / Jeeves 7
| findAllUsers(MSRC)
The Jeeves Language
k
You have no friends in
this location.
Jean Yang / Jeeves 8
Associated with
policies.
val loc = < gpsCoords | country(gpsCoords) >a
label a
Core Functionality
val msg: String = “Jean’s location is ” + asStr(loc)
Contextual Enforcement
print {andrey} msg “Jean’s location is N 52.19, W 0.13.”
print {rishabh} msg “Jean’s location is in the United Kingdom.”
Policies
restrict a: loc.(isNear(oc, jean))
{ low, high }
9
Sensitive Values
Jean Yang / Jeeves
Label.
Label.
Output channel.
Policies are evaluated in the
environment at time of output.
Jean Yang / Jeeves 10
restrict a: loc.isNear(oc,me)
Policies may refer to
sensitive values.
Default values yield
guarantees of maximal
functionality.
Jeeves Policies
loc.addConstraint( isNear(oc, me) a == low)
Constraints
imply low.
Always a
consistent
assignment.
Jeeves Execution
=
3
Faceted execution
11 Jean Yang / Jeeves
3 | 0 a
true | false a
Policy manipulation
Policies
label a
restrict a: loc.true
Constraints print {…} …
true a = low
a loc.true
false
Jean Yang / Jeeves 12
Jean Yang / Jeeves 13
Classical Security
Level 3:
top secret.
Level 2:
highly classified.
Level 1:
privileged information.
Lattice of
access levels.
Jean Yang / Jeeves 14
Classical Security
Viewers must have access for
the highest level.
+ Level 3
Level 3
Level 0
|
Jean Yang / Jeeves 15
Jeeves Security
p +
Jeeves Non-Interference
Guarantee
L | H a
Given a sensitive value
all executions where a must be low
produce equivalent outputs no matter the
value of H.
16 Jean Yang / Jeeves
Takes into account when
label depends on
sensitive values!
Non-Interference
in Jeeves
17 Jean Yang / Jeeves
val location = < default | actual >a
restrict a: loc.(distance(oc, location) < 25)
protected
location
viewer
Viewer within radius:
a is allowed to be high.
Non-Interference
in Jeeves
18 Jean Yang / Jeeves
val location = < default | actual >a
restrict a: loc.(distance(oc, location) < 25)
protected
location
Viewer outside radius:
a must be low.
Viewer should not be
able to distinguish
actual location from any
other of these points.
viewer
Implementation Overload operators for
faceted evaluation.
Policy
environment
Use an SMT
solver as a
model
finder.
mkLabel
restrict
19 Jean Yang / Jeeves
=
3 3 | 42 a
Store policies in
runtime environment
true | false a
false
Jean Yang / Jeeves 20
SQL
(Squeryl) Embedded
DSL
Scalatra
frontend
PostGre
SQL Embedded
DSL
Django
frontend
Jeeves Frameworks
Python-Jeeves
source transform
Case study: JConf
Jean Yang / Jeeves 21
JConf
policies
JConf
functionality
Reviewer Author
User Role
Paper Title
Author
Reviews
Tags
…
Policy
Policy
Policy
Review Reviewer
Content
Policy
Policy
Context User
Stage
Po
licy
Policy
Core Program •Search papers.
•Display papers.
•Add and remove tags.
•Assign and submit reviews.
Fu
ncti
on
ali
ty
22 Jean Yang / Jeeves
Jconf Architecture
Functionality vs. Policy File Total LOC Policy LOC
ConfUser.scala 212 21
PaperRecord.scala 304 75
PaperReview.scala 116 32
ConfContext.scala 6 0
Backend + Squeryl 800 0
Frontend (Scalatra) 629 0
Frontend (SSP) 798 0
Total 2865 128
23 Jean Yang / Jeeves
< 5%
Current Directions.
Jeeves
runtime Database
Jean Yang / Jeeves 25
What about inputs?
Reviewer A
Reviews
New
review
Reviewer B
New
review
---
Author
Jean Yang / Jeeves 26
Reviewer A
Reviews
New
review
Reviewer B
New
review
Old
review
Author
Storing multiple
versions?
Jean Yang / Jeeves 27
Scores
New
score New
score
Old
score
User User
User
---
User
When viewers specify
trust… Need to
additionally track
who is writing…
Low-level mechanism
Jean Yang / Jeeves 28
Mutable State
42
42
42
p1
p2
p2
Associate
references
with policies
wrestrict lin.lout.
((in == alice) && isFriends (out, alice))
wrestrict lin.lout.(isFriends(in, alice))
Jean Yang / Jeeves 29
Execution with
writer’s inputs
Execution without
writer’s inputs
New
score
Guarantees
Write Policy Case
Studies
Jean Yang / Jeeves 30
Authentication Battleship
game
Conference
management
Notes • Support policies for confidentiality and integrity.
• Policy-agnosticism good for encoding other policies,
for instance game rules.
| Jean Yang / Jeeves 31
select * from papers
where author = “Jean Yang”
authorhigh authorlow policies
p
Interfacing with the dB
32
FINALLY.. I CAN FOCUS ON FUNCTIONALITY!
jeeveslang.org
Jeeves Team
Jean Yang / Jeeves 33
Armando
Solar-
Lezama Thomas
Austin Cormac
Flanagan Travis
Hance
Benjamin
Shaibu
|
Program
The Jeeves Framework
k
Jean Yang / Jeeves 34
Database
Customized
page
Customized
page