jeeves talk spring 2012
Post on 28-May-2015
TRANSCRIPT
Jeeves: A Language for Enforcing Privacy
Jean Yang with Kuat Yessenov and Armando Solar-Lezama
My Biggest Fear
Jean Yang / Jeeves 2
Spotify “Private Session” tells everyone what I really listen to.
More May Be at Stake… a leaked location also tells the world “I’m not home!”
Choose Your Adventure
We want applications to adhere to privacy settings. Two paths:
Verify the applications: maintain control; spend time and $.
Make it easier to write the applications: introduce abstraction; spend less time and $.
What’s Hard? getLocation ?
Displaying User Locations to Other Users
No Privacy Concerns
Alice is at “A Secret club”. If nobody cares who sees it (“Whatever!”), every viewer gets the real location and getLocation is one line:
def getLocation (user: User): Location = user.location
Simple Policy
Owner (Alice): “Only my friends can see my location.” Viewer: sees “A Secret club” if a friend; a non-friend must not see it.
Finer-Grained Policies
Alice: “Only my friends can see my location.” The Secret club: “Only members know this exists.” A viewer who is a friend of Alice but not a member (“Not a member!”) should see her at “A Diner”, not at “A Secret club”.
Which policies apply where? Policy interaction?
Jeeves Mission
Make it easier for the programmer to preserve confidentiality of user data.
What’s Hard?
Today, each function that touches user data is preceded by a programmer-written check/filter that turns the data into scrubbed data. Functionality and policy are intertwined.
Our Solution
Data is tagged once; functions operate on the tagged data, and automatic enforcement applies the policy at output to produce the scrubbed data. Separation of policies from functionality.
Policy-Agnostic Programs
State of the Art: the policy logic is written into the function that needs the data:
def getLocation (user: User) (viewer: User): Location = {
  if (isFriends user viewer) {
    if (canSee user.location viewer) {
      user.location;
    } else { scrub(user.location, "Work"); }
  } else { undisclosedLocation; }
}
Jeeves: the same function stays policy-agnostic:
def getLocation (user: User): Location = user.location
Talk Outline: Jeeves language; How it works; Coding in Jeeves
Jeeves Language
(1) Sensitive values: data is tagged with a level. (2) Policies, stated separately from the functions. (3) Automatic contextual enforcement: functions run on tagged data and the output is scrubbed according to the policies.
Jeeves for Locations
Alice’s location is the sensitive value <“A Diner” | “A Secret club”>: low-confidentiality component “A Diner”, high-confidentiality component “A Secret club”.
Using Jeeves
Sensitive values (low component | high component, tagged with a level variable a ranging over { low, high }):
level a in
val location: String = <“school” | “MIT”>a
Core functionality:
val msg: String = “Alice is at ” + location
Policies:
policy a: context != alice low
Contextual enforcement:
print {alice} msg /* “Alice is at MIT” */
print {bob} msg /* “Alice is at school” */
Like a Butler…
“[Jeeves] lets a programmer delegate privacy responsibilities and concentrate on the actual function of their code, much like a party host might entrust their butler with ensuring the needs of each guest are met so they can spend more time socialising.”
The programmer is free to focus on core functionality; Jeeves handles the policy.
Talk Outline: Jeeves language; How it works; Coding in Jeeves
How Jeeves Works
Sensitive values enter functions as symbolic values; symbolic evaluation turns each function into symbolic expressions. Policies become constraints, the output context is passed as an implicit parameter, and a solver reduces the expression to a concrete value.
Representing Sensitive Values in Jeeves
Without Jeeves: Alice MIT; Bob Facebook; Claire Google.
With Jeeves: Alice ?|MIT a; Bob Facebook; Claire ?|Google b, with a policy attached to each level variable a and b.
Symbolic Evaluation for Information Flow
How many people are at Facebook? With Alice’s location symbolic under a and Claire’s under b, the answer is the symbolic expression 1 + ((x1 = Facebook) ? 1 : 0) + ((x2 = Facebook) ? 1 : 0), concretized in the runtime environment { context != alice, a = low, …, b = low }. Outputs computed from sensitive values are symbolic & concretized under the policy environment.
Jeeves Non-Interference Guarantee
Consider the sensitive value <L | H>a with low component L, high component H and level variable a. Given a fixed L, all executions where a must be low produce equivalent outputs no matter the value of H.
More subtle design decisions help with writing real-world programs.
Static Checks
Before symbolic evaluation and SMT solving, static checks ensure that symbolic values flow only where expected; evaluation does not introduce nontermination; contexts are well-formed; outputs are concrete.
Stateful Policies
Alice: “Only people near me can see my location.”
policy a: ((distance context.loc alice.loc) > radius ) low
But Alice’s location is changing… Design Decision: Delay policy evaluation until output.
Circular Dependencies
alice.loc = <Unknown location | GPS coordinates>a
policy a: ((distance context.loc alice.loc) > radius ) low
print {alice} alice.loc
The policy on a mentions alice.loc, whose value depends on a: circular dependency! Two consistent solutions exist: location unknown, distance unknown, a is low; or location is GPS coords, distance is 0, a is high. The policies permit both solutions!
Design Decision: the Jeeves execution model chooses the outcome that yields maximal functionality. Use default logic to implement this…
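The sensitive values, policies and contextual enforcement of slide 16, the symbolic count of slide 22, and the self-referential “only people near me” policy of slides 27-30, as one added executable sketch in Python. It is not JeevesLib (the Scala DSL the talk describes) and not its API; the names Runtime, Sym, mk_sensitive, policy, concretize, the viewer names and the coordinates are assumptions made here. A brute-force search over level assignments stands in for the SMT solver, and “most levels HIGH” stands in for the default logic that picks maximal functionality.

```python
# Added toy model of the Jeeves execution model; not JeevesLib or its API.
import itertools
import math

LOW, HIGH = "low", "high"

class Level:                     # level variable, assigned LOW/HIGH by the solver
    def __init__(self, name):
        self.name = name

class Sym:
    """Symbolic expression, evaluated only under a level assignment + context."""
    def __init__(self, fn):
        self.fn = fn
    @staticmethod
    def lift(x):
        return x if isinstance(x, Sym) else Sym(lambda env, ctx: x)
    def eval(self, env, ctx):
        return self.fn(env, ctx)
    def _bin(self, other, op):
        o = Sym.lift(other)
        return Sym(lambda env, ctx: op(self.eval(env, ctx), o.eval(env, ctx)))
    def __add__(self, other):    # overloaded operators build expressions, not values
        return self._bin(other, lambda x, y: x + y)
    def __radd__(self, other):   # plain value on the left: "Alice is at " + location
        return Sym.lift(other) + self
    def eq(self, other):         # symbolic equality (=== in the Scala DSL)
        return self._bin(other, lambda x, y: x == y)
    def ite(self, t, f):         # symbolic conditional
        t, f = Sym.lift(t), Sym.lift(f)
        return Sym(lambda env, ctx: (t if self.eval(env, ctx) else f).eval(env, ctx))

def mk_sensitive(level, high, low):
    """<low | high>_level: the high component iff the level is HIGH."""
    high, low = Sym.lift(high), Sym.lift(low)
    return Sym(lambda env, ctx: (high if env[level] == HIGH else low).eval(env, ctx))

class Runtime:
    def __init__(self):
        self.levels, self.policies = [], []
    def mk_level(self, name):
        lv = Level(name)
        self.levels.append(lv)
        return lv
    def policy(self, level, cond):   # policy level: cond -> low
        self.policies.append((level, Sym.lift(cond)))
    def concretize(self, expr, ctx):
        """Delayed enforcement: policies run here, under the output context and the
        same level assignment as the value shown, so a policy mentioning the value
        it guards stays well-defined; prefer the satisfying assignment with most HIGHs."""
        sat = []
        for choice in itertools.product([HIGH, LOW], repeat=len(self.levels)):
            env = dict(zip(self.levels, choice))
            if all(env[lv] == LOW or not c.eval(env, ctx) for lv, c in self.policies):
                sat.append(env)
        if not sat:
            raise RuntimeError("no level assignment satisfies the policies")
        best = max(sat, key=lambda e: sum(v == HIGH for v in e.values()))
        return Sym.lift(expr).eval(best, ctx)

def viewer_is_not(name):
    return Sym(lambda env, ctx: ctx["viewer"] != name)

# Slide 16: sensitive value + policy; the core functionality never mentions policy.
def alice_message(viewer):
    rt = Runtime()
    a = rt.mk_level("a")
    location = mk_sensitive(a, "MIT", "school")    # <"school" | "MIT">_a
    rt.policy(a, viewer_is_not("alice"))           # policy a: context != alice -> low
    msg = "Alice is at " + location                # core functionality
    return rt.concretize(msg, {"viewer": viewer})  # print {viewer} msg

# Slide 22: a count derived from sensitive values stays symbolic until output.
def count_at(place, viewer):
    rt = Runtime()
    a, b = rt.mk_level("a"), rt.mk_level("b")
    locations = [mk_sensitive(a, "MIT", "?"), "Facebook", mk_sensitive(b, "Google", "?")]
    rt.policy(a, viewer_is_not("alice"))
    rt.policy(b, viewer_is_not("claire"))
    total = 0                                      # 1 + (x1 = place ? 1 : 0) + ...
    for loc in locations:
        total = total + Sym.lift(loc).eq(place).ite(1, 0)
    return rt.concretize(total, {"viewer": viewer})

# Slides 27-30: stateful policy that refers to the very value it guards.
RADIUS, ALICE_GPS = 1.0, (42.36, -71.09)           # constructed sample data

def distance(p, q):                                # unknown location: infinitely far
    return math.inf if p is None or q is None else math.dist(p, q)

def alice_location_seen_from(viewer_loc):
    rt = Runtime()
    a = rt.mk_level("a")
    alice_loc = mk_sensitive(a, ALICE_GPS, None)   # <Unknown | GPS coordinates>_a
    # policy a: (distance context.loc alice.loc) > radius -> low (circular)
    rt.policy(a, Sym(lambda env, ctx: distance(ctx["loc"], alice_loc.eval(env, ctx)) > RADIUS))
    return rt.concretize(alice_loc, {"loc": viewer_loc})
```

For a viewer standing at Alice’s own coordinates both assignments are consistent (a = low gives an unknown location and infinite distance; a = high gives distance 0) and the solver returns the GPS value; a viewer far away, or with no location in the context, forces a = low and sees nothing. count_at("MIT", "bob") returning 0 while count_at("MIT", "alice") returns 1 is the information-flow point of slide 22: the derived number is concretized under the policy environment rather than computed from the raw data.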
Jeeves System
Data and policies go to the Jeeves runtime, which evaluates functions on symbolic expressions and emits a concrete value as output. Well-formed values go in, and evaluation produces well-formed values. Guarantee: outputs shown according to policies.
FINALLY.. I CAN FOCUS ON FUNCTIONALITY!
Talk Outline: Jeeves language; How it works; Coding in Jeeves
Implementation
Overload operators to create symbolic expressions (the slide’s examples are v + 3 and v = 2, which build expression trees instead of computing values). Delay evaluation of policies until output, and propagate policies into the runtime environment. Use an SMT solver as a model finder.
JeevesLib in One Slide
val a = mkLevel () // Level variable
val aliceLoc = StringVal ("MIT")
val defaultLoc = StringVal ("school")
val location: Symbolic =
  mkSensitive( a // Level variable
  , aliceLoc // High-confidentiality value
  , defaultLoc ) // Low-confidentiality value
policy (a, !(CONTEXT === alice), LOW) // Policy
print_concrete (alice, location) // "MIT"
print_concrete (bob, location) // "school"
Conference Management System
Papers and Reviews, with labels Needs review, Reviewed, Accepted. The rest is just setting permissions…
Conf. Management Permissions
Stages: Submission, Review, Rebuttal, Public. Roles: Authors, Reviewers, Program committee.
JConf Backend
User: Role. Paper: Title, Author, Reviews, Tags, … (each field guarded by a policy). Review: Reviewer, Content (each guarded by a policy).
Policy Context: Viewer: User; CStage: Stage (ex. Submission).
Core Program (Functionality): search papers; display papers; add and remove tags; assign and submit reviews. Does not need to know about policies.
Architecture: SQL (Squeryl) -> Jeeves backend -> Scalatra frontend.
Page as rendered for paper reviewer: authors not visible to reviewer. Page as rendered for paper author: reviewer not visible to authors; only author can edit.
Functionality vs. Policy
File                  Total LOC   Policy LOC
ConfUser.scala              212           21
PaperRecord.scala           304           75
PaperReview.scala           116           32
ConfContext.scala             6            0
Backend + Squeryl           800            0
Frontend (Scalatra)         629            0
Frontend (SSP)              798            0
Total                      2865          128
Policy code is < 5% of the total (128 of 2865 lines).
Future Directions
Language: integrity/robustness; policy expression.
Compiler: push more work to the compiler.
Runtime: scaling: reduce the role of the solver; optimize the runtime for anticipated use cases.
Jeeves Team
Armando Solar-Lezama, Jean Yang, Kuat Yessenov; Patrick Long and Jesse Klimov (MIT PRIMES Program).
Conclusions
The Jeeves language: separating functionality from privacy policies. Language and runtime to automatically enforce privacy policies. Implementation as an embedded DSL in Scala. Early experience using Jeeves: a conference management system.
Website: sites.google.com/site/jeevesprogramming
Google Code: code.google.com/p/scalasmt
Contact: jeanyang@mit.edu
Backup Slides
Language Restrictions
Constraints: arithmetic and Boolean constraints with conditionals & implications; no functions, quantifiers, or theory of lists.
Symbolic values: primitives and objects; no functions.
Standard Non-Interference
A program takes a low input L and high inputs H1, H2, …, Hn-1, Hn. Its output does not depend on the H-value.
Jeeves Non-Interference
The same program also takes a level variable a, and whether a = low may itself depend on the H-value. The guarantee is that when a = low the output cannot distinguish between H-values that imply a = low: the program does not leak information about H.