swMATH ID: 23077
Software Authors: Roy I, Porter DE, Bond MD, McKinley KS, Witchel E
Description: Laminar: practical fine-grained decentralized information flow control. Decentralized information flow control (DIFC) is a promising model for writing programs with powerful, end-to-end security guarantees. Current DIFC systems that run on commodity hardware can be broadly categorized into two types: language-level and operating system-level DIFC. Language level solutions provide no guarantees against security violations on system resources, like files and sockets. Operating system solutions can mediate accesses to system resources, but are inefficient at monitoring the flow of information through fine-grained program data structures. This paper describes Laminar, the first system to implement decentralized information flow control using a single set of abstractions for OS resources and heap-allocated objects. Programmers express security policies by labeling data with secrecy and integrity labels, and then access the labeled data in lexically scoped security regions. Laminar enforces the security policies specified by the labels at runtime. Laminar is implemented using a modified Java virtual machine and a new Linux security module. This paper shows that security regions ease incremental deployment and limit dynamic security checks, allowing us to retrofit DIFC policies on four application case studies. Replacing the applications’ ad-hoc security policies changes less than 10
Homepage: https://dl.acm.org/citation.cfm?id=1542484
Related Software: JFlow; JRIF; Jif; Paragon; Merlin; SGX; Privtrans; F*; Fable; Moat; EROS; VC3; LLVM; Aglet; Haskell
Cited in: 4 Documents

Citations by Year