Generalized Policy-Based Noninterference for Efficient Confidentiality-Preservation
Authors: 
Shamiek Mangipudi, Pavel Chuprikov, 
Patrick Eugster, Malte Viering, 
Savvas SavvidesAuthors Info & Claims
Shamiek Mangipudi, Pavel Chuprikov, Patrick Eugster, Malte Viering, Savvas SavvidesAuthors Info & ClaimsArticle No.: 117, Pages 267 - 291
Abstract
As more organizations are leveraging third-party cloud and edge data centers to process data efficiently, the issue of preserving data confidentiality becomes increasingly important. In response, numerous security mechanisms have been introduced and promoted in recent years including software-based ones such as homomorphic encryption, as well as hardware-based ones such as Intel SGX and AMD SEV. However these mechanisms vary in their security properties, performance characteristics, availability, and application modalities, making it hard for programmers to judiciously choose and correctly employ the right one for a given data query.
This paper presents a mechanism-independent approach to distributed confidentiality-preserving data analytics. Our approach hinges on a core programming language which abstracts the intricacies of individual security mechanisms. Data is labeled using custom confidentiality levels arranged along a lattice in order to capture its exact confidentiality constraints. High-level mappings between available mechanisms and these labels are captured through a novel expressive form of security policy. Confidentiality is guaranteed through a type system based on a novel formulation of noninterference, generalized to support our security policy definition. Queries written in a largely security-agnostic subset of our language are transformed to the full language to automatically use mechanisms in an efficient, possibly combined manner, while provably preserving confidentiality in data queries end-to-end. We prototype our approach as an extension to the popular Apache Spark analytics engine, demonstrating the significant versatility and performance benefits of our approach over single hardwired mechanisms --- including in existing systems --- without compromising on confidentiality.
References
[1]
Cosku Acay, Rolph Recto, Joshua Gancher, Andrew C. Myers, and Elaine Shi. 2021. Viaduct: an Extensible, Optimizing Compiler for Secure Distributed Programs. In ACM International Conference on Programming Language Design and Implementation (PLDI ’21). https://doi.org/10.1145/3453483.3454074
[2]
Arvind Arasu, Spyros Blanas, Ken Eguro, Raghav Kaushik, Donald Kossmann, Ravishankar Ramamurthy, and Ramarathnam Venkatesan. 2013. Orthogonal Security with Cipherbase. In Conference on Innovative DataSystems Research (CIDR ’13).
[3]
Michael Armbrust, Reynold S. Xin, Cheng Lian, Yin Huai, Davies Liu, Joseph K. Bradley, Xiangrui Meng, Tomer Kaftan, Michael J. Franklin, Ali Ghodsi, and Matei Zaharia. 2015. Spark SQL: Relational Data Processing in Spark. In ACM International Conference on Management of Data (SIGMOD ’15). https://doi.org/10.1145/2723372.2742797
[4]
Sergei Arnautov, Bohdan Trach, Franz Gregor, Thomas Knauth, Andre Martin, Christian Priebe, Joshua Lind, Divya Muthukumaran, Dan O’Keeffe, Mark L. Stillwell, David Goltzsche, Dave Eyers, Rüdiger Kapitza, Peter R. Pietzuch, and Christof Fetzer. 2016. SCONE: Secure Linux Containers with Intel SGX. In USENIX Symposium on Operating Systems Design and Implementation (OSDI ’16).
[5]
Musard Balliu, Benjamin Liebe, Daniel Schoepe, and Andrei Sabelfeld. 2016. JSLINQ: Building Secure Applications across Tiers. In ACM Conference on Data and Application Security and Privacy, (CODASPY ’16).
[6]
Andrew Baumann, Marcus Peinado, and Galen C. Hunt. 2014. Shielding Applications from an Untrusted Cloud with Haven. In USENIX Symposium on Operating Systems Design and Implementation (OSDI ’14).
[7]
Ethan Cecchetti, Andrew C. Myers, and Owen Arden. 2017. Nonmalleable Information Flow Control. In ACM Conference on Computer and Communications Security (CCS ’17). https://doi.org/10.1145/3133956.3134054
[8]
Dorothy E. Denning. 1976. A Lattice Model of Secure Information Flow. Commun. ACM, https://doi.org/10.1145/360051.360056
[9]
Dorothy E. Denning and Peter J. Denning. 1977. Certification of Programs for Secure Information Flow. Commun. ACM, https://doi.org/10.1145/359636.359712
[10]
Yao Dong, Ana Milanova, and Julian Dolby. 2016. JCrypt: Towards Computation over Encrypted Data. Conference on Principles and Practices of Programming on the Java Platform: Virtual Machines, Languages, and Tools (PPPJ ’16), https://doi.org/10.1145/2972206.2972209
[11]
Yao Dong, Ana Milanova, and Julian Dolby. 2018. SecureMR: secure mapreduce computation using homomorphic encryption and program partitioning. In Symposium and Bootcamp on Hot Topics in the Science of Security, HoTSoS 2018. https://doi.org/10.1145/3190619.3190638
[12]
Nir Drucker and Shay Gueron. 2017. Combining Homomorphic Encryption with Trusted Execution Environment: A Demonstration with Paillier Encryption and SGX. In Workshop on Managing Insider Security Threats (MIST ’17). https://doi.org/10.1145/3139923.3139933
[13]
Cynthia Dwork and Aaron Roth. 2014. The Algorithmic Foundations of Differential Privacy. Found. Trends Theor. Comput. Sci., https://doi.org/10.1561/0400000042
[14]
T. ElGamal. 1985. A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. Trans. on Information Theory, https://doi.org/10.1109/TIT.1985.1057074
[15]
Ariel J. Feldman, William P. Zeller, Michael J. Freedman, and Edward W. Felten. 2010. SPORC: Group Collaboration using Untrusted Cloud Resources. In USENIX Symposium on Operating Systems Design and Implementation (OSDI ’10).
[16]
Andrew Ferraiuolo, Andrew Baumann, Chris Hawblitzel, and Bryan Parno. 2017. Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software. In Symposium on Operating Systems Principles (SOSP ’17). https://doi.org/10.1145/3132747.3132782
[17]
Craig Gentry. 2009. Fully Homomorphic Encryption Using Ideal Lattices. In ACM Symposium on Theory of Computing (STOC ’09). https://doi.org/10.1145/1536414.1536440
[18]
Joseph A. Goguen and José Meseguer. 1982. Security Policies and Security Models. In IEEE Symposium on Security and Privacy (S&P ’82). https://doi.org/10.1109/SP.1982.10014
[19]
Oded Goldreich. 1987. Towards a Theory of Software Protection and Simulation by Oblivious RAMs. In ACM Symposium on Theory of Computing (STOC ’87). https://doi.org/10.1145/28395.28416
[20]
Anitha Gollamudi and Stephen Chong. 2016. Automatic Enforcement of Expressive Security Policies Using Enclaves. In International Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA ’16). https://doi.org/10.1145/2983990.2984002
[21]
Anitha Gollamudi, Stephen Chong, and Owen Arden. 2019. Information Flow Control for Distributed Trusted Execution Environments. In IEEE Computer Security Foundations Symposium (CSF ’19). https://doi.org/10.1109/CSF.2019.00028
[22]
Roberto Gorrieri and Matteo Vernali. 2011. On Intransitive Non-interference in Some Models of Concurrency. In Foundations of Security Analysis and Design VI - FOSAD Tutorial Lectures, Alessandro Aldini and Roberto Gorrieri (Eds.). https://doi.org/10.1007/978-3-642-23082-0_5
[23]
Chris Hawblitzel, Jon Howell, Jacob R. Lorch, Arjun Narayan, Bryan Parno, Danfeng Zhang, and Brian Zill. 2014. Ironclad Apps: End-to-End Security via Automated Full-System Verification. In USENIX Symposium on Operating Systems Design and Implementation (OSDI ’14).
[24]
Andrew K. Hirsch and Ethan Cecchetti. 2021. Giving semantics to program-counter labels via secure effects. Proc. ACM Program. Lang., https://doi.org/10.1145/3434316
[25]
INTEL. 2016. INTEL SGX SDK. https://01.org/intel-software-guard-extensions
[26]
Noah M. Johnson, Joseph P. Near, and Dawn Song. 2018. Towards Practical Differential Privacy for SQL Queries. Int. Conf. on Very Large Data Bases (VLDB), https://doi.org/10.1145/3187009.3177733
[27]
Shuvendu K. Lahiri, Chris Hawblitzel, Ming Kawaguchi, and Henrique Rebêlo. 2012. SYMDIFF: A Language-Agnostic Semantic Diff Tool for Imperative Programs. In International Conference on Computer Aided Verification (CAV ’12). https://doi.org/10.1007/978-3-642-31424-7_54
[28]
L. Lamport, R. Shostak, and M. Pease. 1982. The Byzantine Generals Problem. ACM Transactions on Programming Languages and Systems, https://doi.org/10.1145/357172.357176
[29]
Do Le Quoc, Franz Gregor, Jatinder Singh, and Christof Fetzer. 2019. SGX-PySpark: Secure Distributed Data Analytics. In 26th International Conference on World Wide Web (WWW ’19). https://doi.org/10.1145/3308558.3314129
[30]
Jinyuan Li, Maxwell Krohn, David Mazières, and Dennis Shasha. 2004. Secure Untrusted Data Repository (SUNDR). In Operating Systems Design & Implementation (OSDI’04).
[31]
Joshua Lind, Christian Priebe, Divya Muthukumaran, Dan O’Keeffe, Pierre-Louis Aublin, Florian Kelbert, Tobias Reiher, David Goltzsche, David M. Eyers, Rüdiger Kapitza, Christof Fetzer, and Peter R. Pietzuch. 2017. Glamdring: Automatic Application Partitioning for Intel SGX. In USENIX Annual Technical Conference (ATC ’17).
[32]
Jed Liu, Michael D. George, K. Vikram, Xin Qi, Lucas Waye, and Andrew C. Myers. 2009. Fabric: a platform for secure distributed computation and storage. In ACM Symposium on Operating Systems Principles, SOSP 2009.
[33]
Vadim Lyubashevsky, Chris Peikert, and Oded Regev. 2013. On Ideal Lattices and Learning with Errors over Rings. J. ACM, https://doi.org/10.1145/2535925
[34]
Prince Mahajan, Srinath T. V. Setty, Sangmin Lee, Allen Clement, Lorenzo Alvisi, Michael Dahlin, and Michael Walfish. 2011. Depot: Cloud Storage with Minimal Trust. ACM Transactions on Computer Systems, https://doi.org/10.1145/2063509.2063512
[35]
Shamiek Mangipudi, Pavel Chuprikov, Patrick Eugster, Malte Viering, and Savvas Savvides. 2023. Generalized policy-based noninterference for efficient confidentiality-preservation (Supplementary Material). https://swystems.usi.ch/files/hydra_supplementary.pdf
[36]
Andrew C. Myers, Andrei Sabelfeld, and Steve Zdancewic. 2004. Enforcing Robust Declassification. In IEEE Computer Security Foundations Workshop (CSFW ’04). https://doi.org/10.1109/CSFW.2004.9
[37]
Aditya Oak, Amir M. Ahmadian, Musard Balliu, and Guido Salvaneschi. 2021. Language Support for Secure Software Development with Enclaves. In IEEE Computer Security Foundations Symposium (CSF ’21). https://doi.org/10.1109/CSF51468.2021.00037
[38]
Pascal Paillier. 1999. Public-key Cryptosystems Based on Composite Degree Residuosity Classes. In Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT ’99). https://doi.org/10.1007/3-540-48910-X_16
[39]
Antonis Papadimitriou, Ranjita Bhagwan, Nishanth Chandran, Ramachandran Ramjee, Andreas Haeberlen, Harmeet Singh, Abhishek Modi, and Saikrishna Badrinarayanan. 2016. Big Data Analytics over Encrypted Datasets with Seabed. In USENIX Symposium on Operating Systems Design and Implementation (OSDI ’16).
[40]
James Parker, Niki Vazou, and Michael Hicks. 2019. LWeb: information flow security for multi-tier web applications. Symp. on Principles of Prog. Lang. (POPL), https://doi.org/10.1145/3290388
[41]
Gordon D. Plotkin. 2004. A Structural Approach to Operational Semantics. Journal of Logic and Algebraic Methods Programming.
[42]
Raluca Ada Popa, Catherine M. S. Redfield, Nickolai Zeldovich, and Hari Balakrishnan. 2012. CryptDB: Processing Queries on an Encrypted Database. Commun. ACM, https://doi.org/10.1145/2330667.2330691
[43]
François Pottier and Vincent Simonet. 2002. Information Flow Inference for ML. In Symposium on Principles of Programming Languages (POPL ’02). https://doi.org/10.1145/503272.503302
[44]
Kyle Pullicino. 2014. Jif: Language-based Information-flow Security in Java. CoRR, abs/1412.8639 (2014), arXiv:1412.8639. arxiv:1412.8639
[45]
A. W. Roscoe and M. H. Goldsmith. 1999. What Is Intransitive Noninterference? In Proceedings of the 12th IEEE Computer Security Foundations Workshop, CSFW. https://doi.org/10.1109/CSFW.1999.779776
[46]
Edo Roth, Daniel Noble, Brett Hemenway Falk, and Andreas Haeberlen. 2019. Honeycrisp: Large-scale Differentially Private Aggregation Without a Trusted Core. In ACM Symposium on Operating Systems Principles (SOSP ’19). https://doi.org/10.1145/3341301.3359660
[47]
Edo Roth, Hengchu Zhang, Andreas Haeberlen, and Benjamin C. Pierce. 2020. Orchard: Differentially Private Analytics at Scale. In USENIX Symposium on Operating Systems Design and Implementation, (OSDI ’20).
[48]
Subhajit Roy, Justin Hsu, and Aws Albarghouthi. 2021. Learning Differentially Private Mechanisms. In IEEE Symposium on Security and Privacy, SP 2021. https://doi.org/10.1109/SP40001.2021.00060
[49]
Ravi S. Sandhu. 1993. Lattice-based Access Control Models. IEEE Computer, https://doi.org/10.1109/2.241422
[50]
Savvas Savvides, Darshika Khandelwal, and Patrick Eugster. 2020. Efficient Confidentiality-Preserving Data Analytics over Symmetrically Encrypted Datasets. Proc. VLDB Endow., https://doi.org/10.14778/3389133.3389144
[51]
Savvas Savvides, Julian James Stephen, Masoud Saeida Ardekani, Vinaitheerthan Sundaram, and Patrick Eugster. 2017. Secure Data Types: A Simple Abstraction for Confidentiality-preserving Data Analytics. In ACM Symposium on Cloud Computing (SoCC ’17). https://doi.org/10.1145/3127479.3129256
[52]
Daniel Schoepe, Daniel Hedin, and Andrei Sabelfeld. 2014. SeLINQ: Tracking Information across Application-Database Boundaries. In ACM International Conference on Functional Programming (ICFP ’14). https://doi.org/10.1145/2628136.2628151
[53]
Felix Schuster, Manuel Costa, Cédric Fournet, Christos Gkantsidis, Marcus Peinado, Gloria Mainar-Ruiz, and Mark Russinovich. 2015. VC3: Trustworthy Data Analytics in the Cloud using SGX. In IEEE Symposium on Security and Privacy (S&P ’15). https://doi.org/10.1109/SP.2015.10
[54]
Open Enclave SDK. 2016. Open Enclave SDK. https://openenclave.io/sdk/
[55]
Youren Shen, Hongliang Tian, Yu Chen, Kang Chen, Runji Wang, Yi Xu, Yubin Xia, and Shoumeng Yan. 2020. Occlum: Secure and Efficient Multitasking Inside a Single Enclave of Intel SGX. In Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS ’20). https://doi.org/10.1145/3373376.3378469
[56]
Shweta Shinde, Dat Le Tien, Shruti Tople, and Prateek Saxena. 2017. Panoply: Low-TCB Linux Applications With SGX Enclaves. In Network and Distributed System Security Symposium, (NDSS ’17).
[57]
Helgi Sigurbjarnarson, Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang. 2018. Nickel: A Framework for Design and Verification of Information Flow Control Systems. In USENIX Symposium on Operating Systems Design and Implementation (OSDI ’18).
[58]
Rodolfo Silva, Pedro Barbosa, and Andrey Brito. 2017. DynSGX: A Privacy Preserving Toolset for Dinamically Loading Functions into Intel(R) SGX Enclaves. In IEEE International Conference on Cloud Computing Technology and Science (CloudCom ’17). https://doi.org/10.1109/CloudCom.2017.42
[59]
Rohit Sinha, Sriram Rajamani, Sanjit Seshia, and Kapil Vaswani. 2015. Moat: Verifying Confidentiality of Enclave Programs. In ACM Conference on Computer and Communications Security (CCS ’15). https://doi.org/10.1145/2810103.2813608
[60]
Julian James Stephen, Savvas Savvides, Russell Seidel, and Patrick Eugster. 2014. Practical Confidentiality Preserving Big Data Analysis. In USENIX Workshop on Hot Topics in Cloud Computing (HotCloud ’14).
[61]
Julian James Stephen, Savvas Savvides, Russell Seidel, and Patrick Th. Eugster. 2014. Program Analysis for Secure Big Data Processing. In 2014 International Conference on Automated Software Engineering (ASE ’14). https://doi.org/10.1145/2642937.2643006
[62]
Sai Deep Tetali, Mohsen Lesani, Rupak Majumdar, and Todd D. Millstein. 2013. MrCrypt: Static Analysis for Secure Cloud Computations. In ACM Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA ’13). https://doi.org/10.1145/2509136.2509554
[63]
Hongliang Tian, Yong Zhang, Chunxiao Xing, and Shoumeng Yan. 2017. SGXKernel: A Library Operating System Optimized for Intel SGX. In Conference on Computing Frontiers (CF’17). https://doi.org/10.1145/3075564.3075572
[64]
Shruti Tople, Shweta Shinde, Zhaofeng Chen, and Prateek Saxena. 2013. AUTOCRYPT: Enabling Homomorphic Computation on Servers to Protect Sensitive Web Content. In ACM Conference on Computer and Communications Security (CCS’13). https://doi.org/10.1145/2508859.2516666
[65]
TPC. 1988. TPC-H benchmark. http://www.tpc.org/tpch/
[66]
Chia-che Tsai, Donald E. Porter, and Mona Vij. 2017. Graphene-SGX: A Practical Library OS for Unmodified Applications on SGX. In USENIX Annual Technical Conference (ATC ’17).
[67]
Stephen Tu, M. Frans Kaashoek, Samuel Madden, and Nickolai Zeldovich. 2013. Processing Analytical Queries over Encrypted Data. Proc. VLDB Endow., https://doi.org/10.14778/2535573.2488336
[68]
UC Berkley RISE Lab. 2021. MC2. https://mc2-project.github.io/opaque-sql-docs/src/benchmarking/benchmarking.html
[69]
Matei Zaharia, Mosharaf Chowdhury, Tathagata Das, Ankur Dave, Justin Ma, Murphy McCauly, Michael J. Franklin, Scott Shenker, and Ion Stoica. 2012. Resilient Distributed Datasets: A Fault-Tolerant Abstraction for In-Memory Cluster Computing. In USENIX Symposium on Networked Systems Design and Implementation (NSDI ’12).
[70]
Lantian Zheng, Stephen Chong, Andrew C. Myers, and Steve Zdancewic. 2003. Using Replication and Partitioning to Build Secure Distributed Systems. In IEEE Symposium on Security and Privacy (S&P 2003). https://doi.org/10.1109/SECPRI.2003.1199340
[71]
Wenting Zheng, Ankur Dave, Jethro G. Beekman, Raluca Ada Popa, Joseph E. Gonzalez, and Ion Stoica. 2017. Opaque: An Oblivious and Encrypted Distributed Analytics Platform. In USENIX Symposium on Networked Systems Design and Implementation (NSDI ’17).
Index Terms
- Generalized Policy-Based Noninterference for Efficient Confidentiality-Preservation
Recommendations
The specification and compilation of obligation policies for program monitoring
ASIACCS '12: Proceedings of the 7th ACM Symposium on Information, Computer and Communications SecurityAn extensible software system must protect its resources from being abused by untrusted software extensions. The access control policies of such systems are traditionally enforced by reference monitors. Recent study of access control policies advocates ...
Noninterference via symbolic execution
FMOODS'12/FORTE'12: Proceedings of the 14th joint IFIP WG 6.1 international conference and Proceedings of the 32nd IFIP WG 6.1 international conference on Formal Techniques for Distributed SystemsNoninterference is a high-level security property that guarantees the absence of illicit information flow at runtime. Noninterference can be enforced statically using information flow type systems; however, these are criticized for being overly ...
Extending the Noninterference Version of MLS for SAT
Special issue on computer security and privacyA noninterference formulation of MLS applicable to the Secure Ada® Target (SAT) Abstract Model is developed. An analogous formulation is developed to handle the SAT type enforcement policy. Unwinding theorems are presented for both MLS and Multidomain ...
Comments
Information & Contributors
Information
Published In
Copyright © 2023 Owner/Author.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 06 June 2023
Published in PACMPL Volume 7, Issue PLDI
Check for updates
Author Tags
Qualifiers
- Research-article
Funding Sources
- Cisco Research University Funding
- Hasler Foundation
- Meta Security Research
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 479Total Downloads
- Downloads (Last 12 months)301
- Downloads (Last 6 weeks)45
Reflects downloads up to 25 Dec 2024
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in