Add to collection(s) Add to saved
  1. Arts & Humanities
  2. Communications

A Language for Automatically Enforcing Privacy Jean Yang

advertisement 
A Language for
Automatically
Enforcing Privacy
Jean Yang
with Kuat Yessenov
and Armando Solar-Lezama
Displaying User Locations
to Other Users
getLocation
Jean Yang @ POPL
?
2
No Privacy Concerns
Whatever!
A
Secret
club
A
getLocation
Secret
club
Alice
def getLocation (user: User): Location = user.location
Jean Yang @ POPL
3
Simple policy
Only my
friends can
see my
location.
getLocation
A
Owner
Secret
club
Alice
Viewer
A
getLocation
Jean Yang @ POPL
Secret
club
4
Finer-Grained Policies
Only my
friends can
see my
location.
A
Secret
club
Alice
Only
members
know this
exists.
Policy
interaction?
A
getLocation
Diner
Owner
Locations
Viewer
Which policies
apply where?
Jean Yang @ POPL
Not a
member!
5
Programmer Burden
def getLocation (user: User) (viewer: User) Output
: Location = {
Context
if (isFriends user viewer) { Policies
if (canSee user.location viewer) {
user.location;
} else { scrub(user.location, “Diner”); }
} else { undisclosedLocation; }
}
Views of sensitive values
Jean Yang @ POPL
6
Our Mission
Make it easier for the
programmer to preserve
confidentiality of user data.
Jean Yang @ POPL
7
What’s Hard?
Data
Function
Programmer check/filter
Functionality
and policy are
intertwined.
Scrubbed data
Function
Programmer check/filter
Scrubbed data
Jean Yang @ POPL
8
Our Solution
Policy
Automatic
enforcement
Separation of policies
from functionality
Data
Function
Programmer check/filter
Tagged data
Scrubbed
data
Function
Programmer check/filter
Scrubbed data
Jean Yang @ POPL
9
Jeeves
State of the Art
Jeeves Goal
def getLocation (user: User) (viewer: User)
: Location = {
if (isFriends user viewer) {
if (canSee user.location viewer) {
user.location;
} else { scrub(user.location, “Work”); }
} else { undisclosedLocation; }
}
def getLocation (user: User): Location =
user.location
Jean Yang @ POPL
10
Talk Outline
Jeeves
language
How it
works
Jean Yang @ POPL
Coding in
Jeeves
11
Jeeves Language
Policy
3 Automatic
contextual
enforcement
Data
1 Sensitive values
2 Policies
Function
Tagged data
Function
Scrubbed data
Jean Yang @ POPL
12
Jeeves for Locations
 | 
Diner
Low confidentiality
Secret
club
High confidentiality
A
A
Secret
club
Diner
Jean Yang @ POPL
13
Using Jeeves
Sensitive Values
level a in { low, high }
val location: String = <“school” | “MIT”>a Level variable
Low component High component
Policies
policy a: context != alice  low
Core Functionality
val msg: String = “Alice is at ” + location
Contextual Enforcement
print {alice} msg /* “Alice is at MIT” */
print {bob} msg /* “Alice is at school” */
Jean Yang @ POPL
14
Talk Outline
Jeeves
language
How it
works
Jean Yang @ POPL
Coding in
Jeeves
15
How Jeeves Works
Constraints
Symbolic
evaluation
Symbolic values
Function
Symbolic
expressions
Function
Implicit
parameter
SMT solving
Concrete value
Jean Yang @ POPL
16
Representing Sensitive
Values in Jeeves
Without Jeeves
Name
Alice
Bob
Claire
Location
MIT
POPL
POPL
Jeeves
Name
Alice
Bob
Claire
Jean Yang @ POPL
Location
 ?|MITa
POPL
 ?|POPLb
Policy
Policy
17
Symbolic Evaluation for
Information Flow
Name
Alice
Bob
Claire
Location
 |a
POPL
 |b
Runtime Environment
context != alice  a = low
…
 b = low
How many people
are at POPL?
Outputs computed from
sensitive values are symbolic
1 + ((x1 = POPL) ? 1 : 0) & concretized under the policy
environment.
+ ((x2 = POPL) ? 1 : 0)
Jean Yang @ POPL
18
Jeeves Non-Interference
Guarantee
Consider the sensitive value
 L | H a
Level variable
Low component High component
Given a fixed L, all executions where a must be
low produce equivalent outputs no matter the
value of H.
Jean Yang @ POPL
19
Standard
Non-Interference
L
H1
H2
Hn-1
a = low
Program
Output
Hn
Does not depend
on the H-value
Does not
depend on the
H-value
Jean Yang @ POPL
20
Jeeves
Non-Interference
L
H1
H2
Hn-1
a = low
Program
Output
Hn
Depends on the
H-value
Cannot distinguish
between H-values that
imply a = low
Jean Yang @ POPL
21
Jeeves
Non-Interference
L
H
a = low
Program
Programs
to outputs?
Output
Program does not leak
information about H.
Jean Yang @ POPL
22
Language Restrictions
Constraints
Symbolic
Arithmetic and
Boolean
evaluation
constraints
with conditionals &
implications.
No functions,
quantifiers, or
theory of lists.
Symbolic values
Primitives and objects.
No functions.
Function
Symbolic
expressions
Function
SMT solving
Concrete value
Jean Yang @ POPL
23
Static Checks
Constraints
Symbolic
evaluation
Symbolic values flow
only where expected.
Evaluation does not
introduce
nontermination.
Symbolic values
Function
Symbolic
expressions
Function
Contexts are
well-formed.
SMT solving
Concrete value
Jean Yang @ POPL
Outputs are concrete.
24
Stateful Policies
Only people
near me can
see my
location.
A
policy a:
(distance context alice
> radius )  low
Secret
club
But Alice’s location is
changing…
Alice
Jeeves: Delay policy evaluation until output.
Jean Yang @ POPL
25
Jeeves System
Policies
Jeeves
runtime
Data
Function
Well-formed values.
Evaluation
produces wellformed values.
Symbolic
expressions
Function
Policies evaluated.
Output
Concrete value
Jean Yang @ POPL
Guarantee: outputs shown
according to policies.
26
Scala Implementation
Overload operators to
create symbolic expressions.
+
v
3
=
v
SMT Solver
print
policy
2
Use an SMT
solver as a
model finder.
Runtime
Environment
Delay
evaluation of
policies until
output.
Propagate policies.
Jean Yang @ POPL
27
Talk Outline
Jeeves
language
How it
works
Jean Yang @ POPL
Coding in
Jeeves
28
JConf Architecture
Functionality
Policy
Paper
Title
Author
Reviews
Tags
…
Review
Policy
Policy
Reviewer
Content
Policy
Policy
Policy
Policy
User
Context
Viewer: User
CStage: Stage
Role
Core Program
Does not
•Search papers.
need to
•Display papers.
know about
•Add and remove tags.
•Assign and submit reviews. policies.
Jean Yang @ POPL
Submission,
review, rebuttal,
decision, public
29
Functionality vs. Policy
File
ConfUser.scala
PaperRecord.scala
PaperReview.scala
ConfContext.scala
Total LOC
59
103
21
6
Policy LOC
17
48
11
0
Backend
123
0
Frontend (Scalatra) 161
0
Total
76
473
Jean Yang @ POPL
30
Conclusions
The Jeeves language:
pushing responsibility
of privacy to the
runtime.
How we designed a
language with constraints
using symbolic evaluation
to provide execution
guarantees.
Evaluation of Jeeves
in practice:
conference
management
example.
Website:
sites.google.com/site/jeevesprogramming
Google Code: code.google.com/p/scalasmt
Contact:
jeanyang@mit.edu
Jean Yang @ POPL
31
Related documents
New Employee Announcement Template
New Employee Announcement Template
Pertemuan 4 Types of Questions Matakuliah : G0942/Listening 1
Pertemuan 4 Types of Questions Matakuliah : G0942/Listening 1
Getting Started in PL Design Research Stephanie Weirich University of Pennsylvania
Getting Started in PL Design Research Stephanie Weirich University of Pennsylvania
Download
advertisement