research-article

Automatic enforcement of expressive security policies using enclaves

Authors:

Anitha Gollamudi,

Stephen ChongAuthors Info & Claims

OOPSLA 2016: Proceedings of the 2016 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications

Pages 494 - 513

https://doi.org/10.1145/2983990.2984002

Published: 19 October 2016 Publication History

Abstract

Hardware-based enclave protection mechanisms, such as Intel's SGX, ARM's TrustZone, and Apple's Secure Enclave, can protect code and data from powerful low-level attackers. In this work, we use enclaves to enforce strong application-specific information security policies.

We present IMP_E, a novel calculus that captures the essence of SGX-like enclave mechanisms, and show that a security-type system for IMP_E can enforce expressive confidentiality policies (including erasure policies and delimited release policies) against powerful low-level attackers, including attackers that can arbitrarily corrupt non-enclave code, and, under some circumstances, corrupt enclave code. We present a translation from an expressive security-typed calculus (that is not aware of enclaves) to IMP_E. The translation automatically places code and data into enclaves to enforce the security policies of the source program.

References

[1]

G. Aggarwal, E. Bursztein, C. Jackson, and D. Boneh. An analysis of private browsing modes in modern browsers. In Proceedings of the 19th USENIX Conference on Security, 2010.

Digital Library

[2]

Apple. iOS security. https://www.apple.com/business/ docs/iOS_Security_Guide.pdf, Sept. 2015.

[3]

O. Arden, M. D. George, J. Liu, K. Vikram, A. Askarov, and A. C. Myers. Sharing mobile code securely with information flow control. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, pages 191–205, 2012.

Digital Library

[4]

ARM. ARM security technology — building a secure system using TrustZone technology. http: //infocenter.arm.com/help/topic/com.arm. doc.prd29-genc-009492c/PRD29-GENC-009492C_ trustzone_security_whitepaper.pdf, 2009.

[5]

A. Askarov and A. Sabelfeld. Tight enforcement of information-release policies for dynamic languages. In Proceedings of the 2009 22nd IEEE Computer Security Foundations Symposium, pages 43–59, 2009.

Digital Library

[6]

A. Askarov, S. Hunt, A. Sabelfeld, and D. Sands. Terminationinsensitive noninterference leaks more than just a bit. In Proceedings of the 13th European Symposium on Research in Computer Security, Oct. 2008.

Digital Library

[7]

A. Askarov, S. Moore, C. Dimoulas, and S. Chong. Cryptographic enforcement of language-based erasure. In Proceedings of the 28th IEEE Computer Security Foundations Symposium, July 2015.

Digital Library

[8]

E. Boros and P. L. Hammer. Pseudo-boolean optimization. Discrete Applied Mathematics, 123(1-3):155–225, Nov. 2002.

Digital Library

[9]

S. Chong and A. C. Myers. Language-based information erasure. In Proceedings of the 18th IEEE Workshop on Computer Security Foundations, pages 241–254, 2005.

Digital Library

[10]

S. Chong and A. C. Myers. End-to-end enforcement of erasure and declassification. In Proceedings of the 21st IEEE Computer Security Foundations Symposium, pages 98–111, June 2008.

Digital Library

[11]

J. Chow, B. Pfaff, T. Garfinkel, and M. Rosenblum. Shredding your garbage: Reducing data lifetime through secure deallocation. In USENIX Security, 2005.

Digital Library

[12]

E. S. Cohen. Information transmission in computational systems. ACM SIGOPS Operating Systems Review, 11(5):133– 139, 1977.

Digital Library

[13]

R. DeLine and K. R. M. Leino. BoogiePL: A typed procedural language for checking object-oriented programs. Technical Report MSR-TR-2005-70, Microsoft Research, Mar. 2005.

[14]

D. E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236–243, 1976.

Digital Library

[15]

A. M. Dunn, M. Z. Lee, S. Jana, S. Kim, M. Silberstein, Y. Xu, V. Shmatikov, and E. Witchel. Eternal sunshine of the spotless machine: Protecting privacy with ephemeral channels. In Proceedings of the 10th USENIX Conference on Operating Systems Design and Implementation, pages 61–75, 2012.

Digital Library

[16]

C. Fournet and J. Planul. Compiling information-flow security to minimal trusted computing bases. In Proceedings of the 20th European Conference on Programming Languages and Systems, pages 216–235, 2011.

Digital Library

[17]

GlobalPlatform. Trusted user interface API specification v1.0. http://www.globalplatform.org/ specificationsdevice.asp, 2013.

[18]

J. A. Goguen and J. Meseguer. Security policies and security models. In Proceedings of the IEEE Symposium on Security and Privacy, pages 11–20, Apr. 1982.

[19]

A. Gollamudi. Impslator. https://github.com/anithag/ impslator, June 2016.

[20]

A. Gollamudi and S. Chong. Automatic enforcement of expressive security policies using enclaves. Technical Report TR-2-2016, Harvard University, Aug. 2016.

[21]

P. Gutmann. Data remanence in semiconductor devices. In The Tenth USENIX Security Symposium Proceedings, pages 39–54, 2001.

Digital Library

[22]

J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum, and E. W. Felten. Lest we remember: Cold boot attacks on encryption keys. In Proceedings of the 17th USENIX Security Symposium, July 2008.

Digital Library

[23]

C. Hawblitzel, J. Howell, J. R. Lorch, A. Narayan, B. Parno, D. Zhang, and B. Zill. Ironclad apps: End-to-end security via automated full-system verification. In USENIX Symposium on Operating Systems Design and Implementation, Oct. 2014.

Digital Library

[24]

S. Hunt and D. Sands. Just forget it—the semantics and enforcement of information erasure. In Proceedings of the 17th European Symposium on Programming, pages 239–253, 2008.

Digital Library

[25]

Intel. Intel software guard extensions (Intel SGX) programming reference. https://software.intel.com/sites/ default/files/managed/48/88/329298-002.pdf, 2014.

[26]

A. C. Myers, A. Sabelfeld, and S. Zdancewic. Enforcing robust declassification. In Proceedings of the 17th IEEE Computer Security Foundations Workshop, June 2004.

Digital Library

[27]

M. Patrignani, P. Agten, R. Strackx, B. Jacobs, D. Clarke, and F. Piessens. Secure compilation to protected module architectures. ACM Transactions on Programming Languages and Systems, 37(2):6, 2015.

Digital Library

[28]

R. Perlman. File System Design with Assured Delete. In Proceedings of the Third IEEE International Security in Storage Workshop, pages 83–88, 2005.

Digital Library

[29]

A. Sabelfeld and A. C. Myers. Language-based informationflow security. IEEE Journal on Selected Areas in Communications, 21(1):5–19, Jan. 2003.

Digital Library

[30]

A. Sabelfeld and A. C. Myers. A model for delimited release. In Proceedings of the 2003 International Symposium on Software Security, number 3233 in Lecture Notes in Computer Science, pages 174–191, 2004.

[31]

A. Sabelfeld and D. Sands. Dimensions and principles of declassification. In Proceedings of the 18th IEEE Computer Security Foundations Workshop, pages 255–269, June 2005.

Digital Library

[32]

N. Santos, H. Raj, S. Saroiu, and A. Wolman. Using ARM Trustzone to build a trusted language runtime for mobile applications. In Proceedings of the 19th International Conference on Architectural Support for Programming Languages and Operating Systems, pages 67–80, 2014.

Digital Library

[33]

K. Satvat, M. Forshaw, F. Hao, and E. Toreini. On the privacy of private browsing - a forensic approach. Journal of Information Security and Applications, 19(1), Feb. 2014.

Digital Library

[34]

F. Schuster, M. Costa, C. Fournet, C. Gkantsidis, M. Peinado, G. Mainar-Ruiz, and M. Russinovich. VC3: Trustworthy data analytics in the cloud using SGX. In Proceedings of the 2015 IEEE Symposium on Security and Privacy, pages 38–54, 2015.

Digital Library

[35]

M.-W. Shih, M. Kumar, T. Kim, and A. Gavrilovska. S-NFV: Securing NFV states by using SGX. In Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, pages 45–48, 2016.

Digital Library

[36]

R. Sinha, S. Rajamani, S. Seshia, and K. Vaswani. Moat: Verifying confidentiality of enclave programs. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 1169–1184, 2015.

Digital Library

[37]

R. Sinha, M. Costa, A. Lal, N. P. Lopes, S. Rajamani, S. A. Seshia, and K. Vaswani. A design and verification methodology for secure isolated regions. In Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 665–681, 2016.

Digital Library

[38]

D. Volpano, C. Irvine, and G. Smith. A sound type system for secure flow analysis. Journal of Computer Security, 4(2-3): 167–187, Jan. 1996.

Digital Library

Cited By

Zha CXu ZXing JYin H(2024)Loft: An Architecture for Lifetime Management of Privacy Data in Service CooperationUbiquitous Security10.1007/978-981-97-1274-8_17(255-273)Online publication date: 13-Mar-2024
https://doi.org/10.1007/978-981-97-1274-8_17
Tarkhani ZMadhavapeddy A(2023)Information Flow Tracking for Heterogeneous Compartmentalized SoftwareProceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3607199.3607235(564-579)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3607199.3607235
Mangipudi SChuprikov PEugster PViering MSavvides S(2023)Generalized Policy-Based Noninterference for Efficient Confidentiality-PreservationProceedings of the ACM on Programming Languages10.1145/35912317:PLDI(267-291)Online publication date: 6-Jun-2023
https://dl.acm.org/doi/10.1145/3591231
Show More Cited By

Index Terms

Automatic enforcement of expressive security policies using enclaves
1. Security and privacy
  1. Systems security
    1. Operating systems security
2. Software and its engineering
  1. Software notations and tools
    1. General programming languages
      1. Language features

Recommendations

Automatic enforcement of expressive security policies using enclaves
OOPSLA '16

Hardware-based enclave protection mechanisms, such as Intel's SGX, ARM's TrustZone, and Apple's Secure Enclave, can protect code and data from powerful low-level attackers. In this work, we use enclaves to enforce strong application-specific information ...
Expressive Declassification Policies and Modular Static Enforcement
SP '08: Proceedings of the 2008 IEEE Symposium on Security and Privacy

This paper provides a way to specify expressive declassification policies, in particular, when, what, and where policies that include conditions under which downgrading is allowed. Secondly, an end-to-end semantic property is introduced, based on a ...
Trusted declassification:: high-level policy for a security-typed language
PLAS '06: Proceedings of the 2006 workshop on Programming languages and analysis for security

Security-typed languages promise to be a powerful tool with which provably secure software applications may be developed. Programs written in these languages enforce a strong, global policy of noninterferencewhich ensures that high-security data will ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

OOPSLA 2016: Proceedings of the 2016 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications

October 2016

915 pages

ISBN:9781450344449

DOI:10.1145/2983990

General Chair:
Eelco Visser
Delft University of Technology, Netherlands
,
Program Chair:
Yannis Smaragdakis
University of Athens, Greece

ACM SIGPLAN Notices Volume 51, Issue 10
OOPSLA '16
October 2016
915 pages
ISSN:0362-1340
EISSN:1558-1160
DOI:10.1145/3022671
Editor:
Matthew Fluet
Issue’s Table of Contents

Copyright © 2016 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGPLAN: ACM Special Interest Group on Programming Languages

In-Cooperation

SIGAda: ACM Special Interest Group on Ada Programming Language

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 19 October 2016

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

SPLASH '16

Sponsor:

SIGPLAN

SPLASH '16: Conference on Systems, Programming, Languages, and Applications: Software for Humanity

November 2 - 4, 2016

Amsterdam, Netherlands

Acceptance Rates

Overall Acceptance Rate 268 of 1,244 submissions, 22%

Upcoming Conference

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

17
Total Citations
View Citations
393
Total Downloads

Downloads (Last 12 months)43
Downloads (Last 6 weeks)6

Reflects downloads up to 22 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

Zha CXu ZXing JYin H(2024)Loft: An Architecture for Lifetime Management of Privacy Data in Service CooperationUbiquitous Security10.1007/978-981-97-1274-8_17(255-273)Online publication date: 13-Mar-2024
https://doi.org/10.1007/978-981-97-1274-8_17
Tarkhani ZMadhavapeddy A(2023)Information Flow Tracking for Heterogeneous Compartmentalized SoftwareProceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3607199.3607235(564-579)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3607199.3607235
Mangipudi SChuprikov PEugster PViering MSavvides S(2023)Generalized Policy-Based Noninterference for Efficient Confidentiality-PreservationProceedings of the ACM on Programming Languages10.1145/35912317:PLDI(267-291)Online publication date: 6-Jun-2023
https://dl.acm.org/doi/10.1145/3591231
Li PZhang D(2022)Towards a General-Purpose Dynamic Information Flow Policy2022 IEEE 35th Computer Security Foundations Symposium (CSF)10.1109/CSF54842.2022.9919639(260-275)Online publication date: Aug-2022
https://doi.org/10.1109/CSF54842.2022.9919639
Singh JCobbe JQuoc DTarkhani Z(2021)Enclaves in the cloudsCommunications of the ACM10.1145/344754364:5(42-51)Online publication date: 26-Apr-2021
https://dl.acm.org/doi/10.1145/3447543
Oak AAhmadian ABalliu MSalvaneschi G(2021) Enclave-Based Secure Programming with J E 2021 IEEE Secure Development Conference (SecDev)10.1109/SecDev51306.2021.00026(71-78)Online publication date: Oct-2021
https://doi.org/10.1109/SecDev51306.2021.00026
Oak AAhmadian ABalliu MSalvaneschi G(2021)Language Support for Secure Software Development with Enclaves2021 IEEE 34th Computer Security Foundations Symposium (CSF)10.1109/CSF51468.2021.00037(1-16)Online publication date: Jun-2021
https://doi.org/10.1109/CSF51468.2021.00037
Gollamudi AChong SArden O(2019)Information Flow Control for Distributed Trusted Execution Environments2019 IEEE 32nd Computer Security Foundations Symposium (CSF)10.1109/CSF.2019.00028(304-30414)Online publication date: Jun-2019
https://doi.org/10.1109/CSF.2019.00028
Almohri HEvans DZhao ZAhn GKrishnan RGhinita G(2018)Fidelius CharmProceedings of the Eighth ACM Conference on Data and Application Security and Privacy10.1145/3176258.3176330(248-255)Online publication date: 13-Mar-2018
https://dl.acm.org/doi/10.1145/3176258.3176330
Völp MDecouchant JLambert CFernandes MEsteves-Verissimo P(2017)Enclave-Based Privacy-Preserving Alignment of Raw Genomic InformationProceedings of the 2nd Workshop on System Software for Trusted Execution10.1145/3152701.3152707(1-6)Online publication date: 28-Oct-2017
https://dl.acm.org/doi/10.1145/3152701.3152707
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents