article

Secure program partitioning

Authors:

Steve Zdancewic,

Nathaniel Nystrom, and

Andrew C. MyersAuthors Info & Claims

ACM Transactions on Computer Systems (TOCS), Volume 20, Issue 3

Pages 283 - 328

https://doi.org/10.1145/566340.566343

Published: 01 August 2002 Publication History

Abstract

This paper presents secure program partitioning, a language-based technique for protecting confidential data during computation in distributed systems containing mutually untrusted hosts. Confidentiality and integrity policies can be expressed by annotating programs with security types that constrain information flow; these programs can then be partitioned automatically to run securely on heterogeneously trusted hosts. The resulting communicating subprograms collectively implement the original program, yet the system as a whole satisfies the security requirements of participating principals without requiring a universally trusted host machine. The experience in applying this methodology and the performance of the resulting distributed code suggest that this is a promising way to obtain secure distributed computation.

References

[1]

Abadi, M., Banerjee, A., Heintze, N., and Riecke, J. 1999. A core calculus of dependency. In Proceedings of the 26th ACM Symposium on Principles of Programming Languages (POPL, San Antonio, TX, Jan. 1999). ACM Press, New York, NY, 147--160.]]

[2]

Agat, J. 2000. Transforming out timing leaks. In Proceedings of the 27th ACM Symposium on Principles of Programming Languages (POPL, Boston, MA, Jan. 2000). ACM Press, New York, NY, 40--53.]]

[3]

Bell, D. E. and LaPadula, L. J. 1975. Secure computer system: Unified exposition and Multics interpretation. Technical report ESD-TR-75-306, MITRE Corp. MTR-2997, Bedford, MA. Defense Technical Information Center document NTIS AD-A023 588, available on the Web at http://csrc.nist.gov/publications/history.]]

[4]

Biba, K. J. 1977. Integrity considerations for secure computer systems. Technical report ESD-TR-76-372, USAF Electronic Systems Division, Bedford, MA.]]

[5]

Cryptix. n.d. http://www.cryptix.org/products/cryptix31/.]]

[6]

Damgård, I., Kilian, J., and Salvail, L. 1999. On the (im)possibility of basing oblivious transfer and bit commitment on weakened security assumptions. In Jacques Stern, Ed., Advances in Cryptology---Proceedings of EUROCRYPT 99 (Lecture Notes in Computer Science 1592). Springer, Berlin, Germany, 56--73.]]

[7]

Denning, D. E. 1976. A lattice model of secure information flow. Comm. ACM, 19, 5, 236--243.]]

[8]

Denning, D. E. and Denning, P. J. 1977. Certification of programs for secure information flow. Comm. ACM, 20, 7 (July), 504--513.]]

[9]

Department of Defense. 1985. Department of Defense Trusted Computer System Evaluation Criteria. Technical report DOD 5200.28-STD (The Orange Book). Department of Defence, Washington, DC.]]

[10]

Douglis, F., Ousterhout, J. K., Kaashoek, M. F., and Tanenbaum, A. S. 1991. A comparison of two distributed systems: Amoeba and Sprite. ACM Trans. Comput. Syst. 4, 4 (Fall), 353--384.]]

[11]

Even, S., Goldreich, O., and Lempel, A. 1983. A randomized protocol for signing contracts. In R. L. Rivest, A. Sherman, and D. Chaum, Eds., Advances in Cryptology: Proceedings of CRYPTO 82. Plenum Press, New York, NY, 205--210.]]

[12]

Feiertag, R. J. 1980. A technique for proving specifications are multilevel secure. Technical report CSL-109, SRI International Computer Science Lab, Menlo Park, CA.]]

[13]

Fenton, J. S. 1974. Memoryless subsystems. Computing J. 17, 2 (May), 143--147.]]

[14]

Fink, G. and Levitt, K. 1994. Property-based testing of privileged programs. In Proceedings of the 10th Annual Computer Security Applications Conference. IEEE Computer Society Press, Orlando, FL, 154--163.]]

[15]

Goguen, J. A. and Meseguer, J. 1984. Unwinding and inference control. In Proceedings of the IEEE Symposium on Security and Privacy. April 1984. IEEE Computer Society Press, Los Alamitos, CA, 75--86.]]

[16]

Gray, J. W., III and Syverson, P. F. 1992. A logical approach to multilevel security of probabilistic systems. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos, CA, 164--176.]]

[17]

Heintze, N., and Riecke, J. G. 1998. The SLam calculus: Programming with secrecy and integrity. In Proceedings of the 25th ACM Symposium on Principles of Programming Languages0 (POPL, San Diego, CA. Jan. 1998). ACM Press, New York, NY, 365--377.]]

[18]

jsse. n.d. Java secure socket extension. http://java.sun.com/products/jsse/.]]

[19]

Jul, E., Levy, H., Hutchinson, N. and Black, A. 1988. Fine-grained mobility in the Emerald system. ACM Trans. Comput. Syst. 6, 1 (Feb.), 109--133.]]

[20]

Lindholm, T. and Yellin, F. 1996. The Java Virtual Machine. Addison-Wesley, Englewood Cliffs, NJ.]]

[21]

Lyle, J. R., Wallace, D. R., Graham, J. R., Gallagher, K. B., Poole, J. P., and Binkley, D. W. 1995. Unravel: A CASE tool to assist evaluation of high integrity software. Technical report IR 5691. NIST, Washington, DC.]]

[22]

Mantel, H. and Sabelfeld, A. 2001. A generic approach to the security of multi-threaded programs. In Proceedings of the 14th IEEE Computer Security Foundations Workshop (June). IEEE Computer Society Press, Los Alamitos, CA, 200--214.]]

[23]

McIlroy, M. D. and Reeds, J. A. 1992. Multilevel security in the UNIX tradition. Software---Practice and Experience 22, 8 (Aug.), 673--694.]]

[24]

Millen, J. K. 1976. Security kernel validation in practice. Comm. ACM 19, 5 (May), 243--250.]]

[25]

Millen, J. K. 1981. Information flow analysis of formal specifications. In Proceedings of the IEEE Symposium on Security and Privacy (April). IEEE Computer Society Press, Los Alamitos, CA, 3--8.]]

[26]

Morrisett, G., Walker, D., Crary, K., and Glew, N. 1999. From System F to typed assembly language. ACM Trans. Program. Lang. Syst., 21, 3 (May), 528--569.]]

[27]

Myers, A. C. 1999. JFlow: Practical mostly-static information flow control. In Proceedings of the 26th ACM Symposium on Principles of Programming Languages (POPL, San Antonio, TX, Jan. 1999). ACM Press, New York, NY, 228--241.]]

[28]

Myers, A. C. and Liskov, B. 2000. Protecting privacy using the decentralized label model. ACM Trans. Soft. Eng. Method. 9, 4 (Oct.), 410--442.]]

[29]

Myers, A. C., Nystrom, N., Zheng, L., and Zdancewic, S. 2001. Jif: Java information flow. Software release. Located at http://www.cs.cornell.edu/jif.]]

[30]

Necula, G. C. 1997. Proof-carrying code. In Proceedings of the 24th ACM Symposium on Principles of Programming Languages (POPL, Jan. 1997). ACM Press, New York, NY, 106--119.]]

[31]

omg. 1991. The Common Object Request Broker: Architecture and Specification. Object Management Group TC Document Number 91.12.1, Revision 1.1. Available on the Web at http://www.omg.org.]]

[32]

p3p n.d. Platform for privacy preferences. http://www.w3.org/p3p.]]

[33]

Palsberg, J., and Ørbaek, P. 1995. Trust in the λ-calculus. In Proceedings of the 2nd International Symposium on Static Analysis (Lecture Notes in Computer Science 983). Springer, Berlin, Germany, 314--329.]]

[34]

Pinsky, S. 1995. Absorbing covers and intransitive non-interference. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos, CA, 102--113.]]

[35]

Pottier, F. and Conchon, S. 2000. Information flow inference for free. In Proceedigns of the 5th ACM SIGPLAN International Conference on Functional Programming (ICFP). ACM Press, New York, NY, 46--57.]]

[36]

Rabin, M. 1981. How to exchange secrets by oblivious transfer. Technical report TR-81, Harvard Aiken Computation Laboratory, Cambridge, MA.]]

[37]

rmi. n.d. Java remote method interface. http://java.sun.com/products/jdk/rmi/.]]

[38]

Rushby, J. 1992. Noninterference, transitivity and channel-control security policies. Technical report, SRI, Menlo Park, CA.]]

[39]

Sabelfeld, A. and Sands, D. 2000. Probabilistic noninterference for multi-threaded programs. In Proceedings of the 13th IEEE Computer Security Foundations Workshop July 2000. IEEE Computer Society Press, Los Alamitos, CA, 200--214.]]

[40]

Schneider, F. B. 2001. Enforceable security policies. ACM Trans. Inform. and Syst. Sec. 3, 1, 30--50. Also available as Technical report TR 99-1759, Computer Science Department, Cornell University, Ithaca, N.Y.]]

[41]

Sirer, E., Barr, R., Kim, T. W. D., and Fung, I. Y. Y. 2001. Automatic code placement alternatives for ad hoc and sensor networks. Technical report 2001-1853, Cornell University, Ithaca, NY.]]

[42]

Sirer, E., Gregory, A. J., and Bershad, B. N. 1999. A practical approach for improving startup latency in Java applications. In Workshop on Compiler Support for Systems Software (WCSSS-99, Atlanta, GA, May 1999). 47--55.]]

[43]

Smith, G. 2001. A new type system for secure information flow. In CSFW14. IEEE Computer Society Press, Los Alamitos, CA, 115--125.]]

[44]

Smith, G. and Volpano, D. 1998. Secure information flow in a multi-threaded imperative language. In Proceedings of the 25th ACM Symposium on Principles of Programming Languages (POPL, San Diego, CA, Jan. 1998). ACM Press, New York, NY, 355--364.]]

[45]

Steiner, J. G., Neuman, C., and Schiller, J. I. 1988. Kerberos: An authentication service for open network systems. Technical report, Project Athena, Massachusetts Institute of Technology, Cambridge, MA.]]

[46]

Tip, F. 1995. A survey of program slicing techniques. J. Program. Lang. 3, 121--189.]]

[47]

Volpano, D. 2000. Verifying secrets and relative secrecy. In Proceedings of the 27th ACM Symposium on Principles of Programming Languages (POPL, Boston, MA, Jan. 2000). ACM Press, New York, NY, 268--276.]]

[48]

Volpano, D., Smith, G., and Irvine, C. 1996. A sound type system for secure flow analysis. J. Comput. Sec. 4, 3, 167--187.]]

[49]

Wallach, D. S. and Felten, E. W. 1998. Understanding Java stack inspection. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland, CA, May 1998). IEEE Computer Society Press, Los Alamitos, CA, 52--63.]]

[50]

Wittbold, J. T. and Johnson, D. M. 1990. Information flow in nondeterministic systems. In Proceedings of the IEEE Symposium on Security and Privacy (May 1990). IEEE Computer Society Press, Los Alamitos, CA, 144--161.]]

[51]

Ylonen, T. 1996. SSH---secure login connections over the Internet. In The Sixth USENIX Security Symposium Proceedings (San Jose, CA). 37--42.]]

[52]

Zdancewic, S. and Myers, A. C. 2001a. Robust declassification. In Proceedings of the 14th IEEE Computer Security Foundations Workshop (Cape Breton, N.S., Canada, June 2001). IEEE Computer Society Press, Los Alamitos, CA, 15--23.]]

[53]

Zdancewic, S. and Myers, A. C. 2001b. Secure information flow and CPS. In Proceedings of the 10th European Symposium on Programming (Lecture Notes in Computer Science 2028). Springer, Berlin, Germany, 46--61.]]

[54]

Zdancewic, S., Zheng, L., Nystrom, N., and Myers, A. C. 2001. Untrusted hosts and confidentiality: Secure program partitioning. In Proceedings of the 18th ACM Symposium on Operating System Principles (SOSP, Banff, Canada, Oct. 2001), 1--14.]]

Cited By

Kafle KJagtap KAhmed-Rengers MJaeger TNadkarni AKim YKim JKoushanfar FRasmussen K(2024)Practical Integrity Validation in the Smart Home with HomeEndorserProceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks10.1145/3643833.3656116(207-218)Online publication date: 27-May-2024
https://dl.acm.org/doi/10.1145/3643833.3656116
Lesani M(2024)Vulnerability Flow Type Systems2024 IEEE Security and Privacy Workshops (SPW)10.1109/SPW63631.2024.00020(157-168)Online publication date: 23-May-2024
https://doi.org/10.1109/SPW63631.2024.00020
Salvaneschi GWeisenburger P(2024)Bridging Between Active Objects: Multitier Programming for Distributed, Concurrent SystemsActive Object Languages: Current Research Trends10.1007/978-3-031-51060-1_4(92-122)Online publication date: 29-Jan-2024
https://doi.org/10.1007/978-3-031-51060-1_4
Show More Cited By

Index Terms

Secure program partitioning
1. Security and privacy
  1. Systems security
    1. Information flow control
    2. Operating systems security
2. Software and its engineering
  1. Software notations and tools
    1. Compilers
      1. Runtime environments
    2. General programming languages
      1. Language features
  2. Software organization and properties
    1. Software system structures
      1. Distributed systems organizing principles

Recommendations

Security policies for downgrading
CCS '04: Proceedings of the 11th ACM conference on Computer and communications security

A long-standing problem in information security is how to specify and enforce expressive security policies that control information flow while also permitting information release (i.e., declassification) where appropriate. This paper presents security ...
Read More
Enforcing robust declassification and qualified robustness
Special issue on CSFW17

Noninterference requires that there is no information flow from sensitive to public data in a given system. However, many systems release sensitive information as part of their intended function and therefore violate noninterference. To control ...
Read More
A Strategic Approach to IoT Security by Working Towards a Secure IoT Future

The internet of things' (IoT) fast-growing development and adoption are undeniable. Although the IoT development is moving at a fast rate, the security of these technologies is not keeping up. Lack of security infrastructure on the internet of things ...
Read More

Comments

Information & Contributors

Information

Published In

cover image ACM Transactions on Computer Systems

ACM Transactions on Computer Systems Volume 20, Issue 3

August 2002

138 pages

ISSN:0734-2071

EISSN:1557-7333

DOI:10.1145/566340

Issue’s Table of Contents

Copyright © 2002 ACM.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 August 2002

Published in TOCS Volume 20, Issue 3

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

116
Total Citations
View Citations
1,565
Total Downloads

Downloads (Last 12 months)30
Downloads (Last 6 weeks)3

Other Metrics

View Author Metrics

Citations

Cited By

Kafle KJagtap KAhmed-Rengers MJaeger TNadkarni AKim YKim JKoushanfar FRasmussen K(2024)Practical Integrity Validation in the Smart Home with HomeEndorserProceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks10.1145/3643833.3656116(207-218)Online publication date: 27-May-2024
https://dl.acm.org/doi/10.1145/3643833.3656116
Lesani M(2024)Vulnerability Flow Type Systems2024 IEEE Security and Privacy Workshops (SPW)10.1109/SPW63631.2024.00020(157-168)Online publication date: 23-May-2024
https://doi.org/10.1109/SPW63631.2024.00020
Salvaneschi GWeisenburger P(2024)Bridging Between Active Objects: Multitier Programming for Distributed, Concurrent SystemsActive Object Languages: Current Research Trends10.1007/978-3-031-51060-1_4(92-122)Online publication date: 29-Jan-2024
https://doi.org/10.1007/978-3-031-51060-1_4
Ahad AWang GKim CJana SLin ZKwon YAamodt TSwift MJerger N(2023)FreePart: Hardening Data Processing Software via Framework-based Partitioning and IsolationProceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 410.1145/3623278.3624760(169-188)Online publication date: 25-Mar-2023
https://dl.acm.org/doi/10.1145/3623278.3624760
Zakhour GWeisenburger PSalvaneschi G(2023)Type-Safe Dynamic Placement with First-Class Placed ValuesProceedings of the ACM on Programming Languages10.1145/36228737:OOPSLA2(2142-2170)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3622873
Sheff IWang XBabel KNi Hvan Renesse RMyers A(2023)Charlotte: Reformulating Blockchains into a Web of Composable Attested Data Structures for Cross-Domain ApplicationsACM Transactions on Computer Systems10.1145/360753441:1-4(1-52)Online publication date: 22-Jul-2023
https://dl.acm.org/doi/10.1145/3607534
Lubbers MKoopman PRamsingh ASinger JTrinder P(2023)Could Tierless Languages Reduce IoT Development Grief?ACM Transactions on Internet of Things10.1145/35729014:1(1-35)Online publication date: 23-Feb-2023
https://dl.acm.org/doi/10.1145/3572901
Liang KTan JZeng DHuang YHuang XTan G(2023)ABSLearn: a GNN-based framework for aliasing and buffer-size information retrievalPattern Analysis & Applications10.1007/s10044-023-01142-226:3(1171-1189)Online publication date: 1-Aug-2023
https://dl.acm.org/doi/10.1007/s10044-023-01142-2
Qiang WLuo H(2022)AutoSlicer: Automatic Program Partitioning for Securing Sensitive Data Based-on Data Dependency Analysis and Code Refactoring2022 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)10.1109/TrustCom56396.2022.00042(239-247)Online publication date: Dec-2022
https://doi.org/10.1109/TrustCom56396.2022.00042
Li XHoushmand FLesani M(2022)HAMRAZ: Resilient Partitioning and Replication2022 IEEE Symposium on Security and Privacy (SP)10.1109/SP46214.2022.9833661(2267-2284)Online publication date: May-2022
https://doi.org/10.1109/SP46214.2022.9833661
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Issue’s Table of Contents