Information flow control for standard OS abstractions

Krohn, Maxwell; Yip, Alexander; Brodsky, Micah; Cliffer, Natan; Kaashoek, M. Frans; Kohler, Eddie; Morris, Robert

doi:10.1145/1323293.1294293

Cited by 154 publications

(182 citation statements)

References 23 publications

Supporting

Mentioning

177

Contrasting

Unclassified

Order By: Relevance

“…A foundation for distinguishing important exposure of information from acceptable use in aggregates is "differential privacy" [48]. c) Particular platforms: Adding tags to data items can track how information flows through a program, a database, a web application or an operating system [49], [50], [51], [52]. Tracking and visualising large volumes of provenance as information flows among cloud-hosted applications has been studied [53], [54], [55].…”

Section: The Challenge: Users Control Of Data Flowmentioning

confidence: 99%

Managing information for personal goals (vision)

Fekete

Kay

Franklin

et al. 2015

2015 31st IEEE International Conference on Data Engineering Workshops

View full text Add to dashboard Cite

show abstract

Section: The Challenge: Users Control Of Data Flowmentioning

confidence: 99%

Managing information for personal goals (vision)

Fekete

Kay

Franklin

et al. 2015

2015 31st IEEE International Conference on Data Engineering Workshops

View full text Add to dashboard Cite

show abstract

“…DIFC follows traditional IFC and add decentralized privilege. Some [6] are finegrained language-level DIFC systems while the others [7] are OS-level DIFC systems to protect the the system resources. To meet the security requirements of SaaS users, we choose to provide the controlling granularity of process.…”

Section: A Main Ideamentioning

confidence: 99%

A Decentralized Information Flow Model for SaaS Applications Security

Liu¹,

Zhao²

2013

2013 Third International Conference on Intelligent System Design and Engineering Applications

View full text Add to dashboard Cite

Software as a Service(SaaS) is a popular cloud service, but the SaaS providers have no security garantee for users. The SaaS providers may insert some malicious code in their applications with the primary goal of lifting user data. In order to address this problem, we introduce the security approach of Decentralized Information Flow Control (DIFC) and present a DIFC model that applies at the granularity of operating system processes for SaaS application security. The model allows untrusted software to compute with private data while trusted code controls the dissemination of that data. The trusted code is small which can be monitored easily. In addition, the model can be used in existing applications and allows safe interaction between conventional and DIFC-aware processes. Finally, we prove that the new model can enforce the security requirements of SaaS users.

show abstract

“…Implementations of MLS models try to precisely observe data manipulations in order to prevent illegal information flows. Flume [8], and Histar [15] are modern implementations of information flow control. Flume is an implementation of distributed information flow control (DIFC) for Linux, acting at the OS level, and using standard OS abstractions (processes, pipes, .…”

Section: Background and Related Workmentioning

confidence: 99%

Information Flow Control for Intrusion Detection Derived from MAC Policy

Geller

Hauser

Tronel

et al. 2011

2011 IEEE International Conference on Communications (ICC)

View full text Add to dashboard Cite

Most of today's MAC implementations can be turned into permissive mode, where no enforcement is performed but alerts are raised instead. This behavior is very close to an anomaly IDS except that the system is configured through a MAC policy. MAC implementations such as SELinux and AppArmor come with a default policy including real life and practical rules ready to be used as is or as a basis for a custom policy. In this paper, we first propose an extension of an IDS based on information flow control. We address issues concerning programs execution and improve its expressiveness in terms of security policy. This extended model can be configured to reach a wide variety of different security goals. Particularly, it allows for information flow checking based on users and/or programs dependent policy rules. Furthermore, suspicious modification of binary programs can be detected to avoid malware execution. We also propose an algorithm for deriving an AppArmor MAC policy into an information flow policy, and thus get the advantage of having a ready to use policy offering good security. We finally show a practical example of deriving such a policy in order to configure our IDS.

show abstract

Information flow control for standard OS abstractions

Cited by 154 publications

References 23 publications

Managing information for personal goals (vision)

Managing information for personal goals (vision)

A Decentralized Information Flow Model for SaaS Applications Security

Information Flow Control for Intrusion Detection Derived from MAC Policy

Contact Info

Product

Resources

About