A Framework for

Automatically

Enforcing Privacy

Policies

Jean Yang MSRC / October 15, 2013

Privacy matters.

People get it wrong.

Many possible points of failure.

getLocation(user)

findAllUsers(location)

findTopLocations()

Only friends

can see GPS

location.

Desired Policy

Policy

Implementation

Policy

Policy

Increasingly complex policies.

Only friends

can see GPS

location.

Desired Policy

who are

local

within next five

hours

Jean Yang / Jeeves 5

Easier if we separate policies

from other functionality.

getLocation(user)

findAllUsers(location)

findTopLocations()

Only friends

can see GPS

location.

Involves integrating with the

language semantics.

Policy Implementation Other Implementation

Jean Yang / Jeeves 7

| findAllUsers(MSRC)

The Jeeves Language

k

You have no friends in

this location.

Jean Yang / Jeeves 8

Associated with

policies.

val loc = < gpsCoords | country(gpsCoords) >a

label a

Core Functionality

val msg: String = “Jean’s location is ” + asStr(loc)

Contextual Enforcement

print {andrey} msg “Jean’s location is N 52.19, W 0.13.”

print {rishabh} msg “Jean’s location is in the United Kingdom.”

Policies

restrict a: loc.(isNear(oc, jean))

{ low, high }

9

Sensitive Values

Jean Yang / Jeeves

Label.

Label.

Output channel.

Policies are evaluated in the

environment at time of output.

Jean Yang / Jeeves 10

restrict a: loc.isNear(oc,me)

Policies may refer to

sensitive values.

Default values yield

guarantees of maximal

functionality.

Jeeves Policies

loc.addConstraint( isNear(oc, me) a == low)

Constraints

imply low.

Always a

consistent

assignment.

Jeeves Execution

=

3

Faceted execution

11 Jean Yang / Jeeves

3 | 0 a

true | false a

Policy manipulation

Policies

label a

restrict a: loc.true

Constraints print {…} …

true a = low

a loc.true

false

Jean Yang / Jeeves 12

Jean Yang / Jeeves 13

Classical Security

Level 3:

top secret.

Level 2:

highly classified.

Level 1:

privileged information.

Lattice of

access levels.

Jean Yang / Jeeves 14

Classical Security

Viewers must have access for

the highest level.

+ Level 3

Level 3

Level 0

|

Jean Yang / Jeeves 15

Jeeves Security

p +

Jeeves Non-Interference

Guarantee

L | H a

Given a sensitive value

all executions where a must be low

produce equivalent outputs no matter the

value of H.

16 Jean Yang / Jeeves

Takes into account when

label depends on

sensitive values!

Non-Interference

in Jeeves

17 Jean Yang / Jeeves

val location = < default | actual >a

restrict a: loc.(distance(oc, location) < 25)

protected

location

viewer

Viewer within radius:

a is allowed to be high.

Non-Interference

in Jeeves

18 Jean Yang / Jeeves

val location = < default | actual >a

restrict a: loc.(distance(oc, location) < 25)

protected

location

Viewer outside radius:

a must be low.

Viewer should not be

able to distinguish

actual location from any

other of these points.

viewer

Implementation Overload operators for

faceted evaluation.

Policy

environment

Use an SMT

solver as a

model

finder.

print

mkLabel

restrict

19 Jean Yang / Jeeves

=

3 3 | 42 a

Store policies in

runtime environment

true | false a

false

Jean Yang / Jeeves 20

SQL

(Squeryl) Embedded

DSL

Scalatra

frontend

PostGre

SQL Embedded

DSL

Django

frontend

Jeeves Frameworks

Python-Jeeves

source transform

Case study: JConf

Jean Yang / Jeeves 21

JConf

policies

JConf

functionality

Reviewer Author

User Role

Paper Title

Author

Reviews

Tags

…

Policy

Policy

Policy

Review Reviewer

Content

Policy

Policy

Context User

Stage

Po

licy

Policy

Core Program •Search papers.

•Display papers.

•Add and remove tags.

•Assign and submit reviews.

Fu

ncti

on

ali

ty

22 Jean Yang / Jeeves

Jconf Architecture

Functionality vs. Policy File Total LOC Policy LOC

ConfUser.scala 212 21

PaperRecord.scala 304 75

PaperReview.scala 116 32

ConfContext.scala 6 0

Backend + Squeryl 800 0

Frontend (Scalatra) 629 0

Frontend (SSP) 798 0

Total 2865 128

23 Jean Yang / Jeeves

< 5%

Current Directions.

Jeeves

runtime Database

Jean Yang / Jeeves 25

What about inputs?

Reviewer A

Reviews

New

review

Reviewer B

New

review

---

Author

Jean Yang / Jeeves 26

Reviewer A

Reviews

New

review

Reviewer B

New

review

Old

review

Author

Storing multiple

versions?

Jean Yang / Jeeves 27

Scores

New

score New

score

Old

score

User User

User

---

User

When viewers specify

trust… Need to

additionally track

who is writing…

Low-level mechanism

Jean Yang / Jeeves 28

Mutable State

42

42

42

p1

p2

p2

Associate

references

with policies

wrestrict lin.lout.

((in == alice) && isFriends (out, alice))

wrestrict lin.lout.(isFriends(in, alice))

Jean Yang / Jeeves 29

Execution with

writer’s inputs

Execution without

writer’s inputs

New

score

Guarantees

Write Policy Case

Studies

Jean Yang / Jeeves 30

Authentication Battleship

game

Conference

management

Notes • Support policies for confidentiality and integrity.

• Policy-agnosticism good for encoding other policies,

for instance game rules.

| Jean Yang / Jeeves 31

select * from papers

where author = “Jean Yang”

authorhigh authorlow policies

p

Interfacing with the dB

32

FINALLY.. I CAN FOCUS ON FUNCTIONALITY!

jeeveslang.org

Jeeves Team

Jean Yang / Jeeves 33

Armando

Solar-

Lezama Thomas

Austin Cormac

Flanagan Travis

Hance

Benjamin

Shaibu

|

Program

The Jeeves Framework

k

Jean Yang / Jeeves 34

Database

Customized

page

Customized

page