a language for automatically enforcing privacy
DESCRIPTION
A Language for Automatically Enforcing Privacy. Jean Yang with Kuat Yessenov and Armando Solar- Lezama. Displaying User Locations to Other Users. ?. getLocation. No Privacy C oncerns. Whatever!. A. A. getLocation. Secret club. Alice. Secret club. - PowerPoint PPT PresentationTRANSCRIPT
A Language for
Automatically Enforcing PrivacyJean Yangwith Kuat Yessenov
and Armando Solar-Lezama
Jean Yang @ POPL 2
getLocation ?Displaying User
Locations to Other Users
Jean Yang @ POPL 3
getLocation
No Privacy Concerns
Alice
A
Secret club
Whatever!
A
Secret club
def getLocation (user: User): Location = user.location
Jean Yang @ POPL 4
getLocation
getLocation
Alice
Owner Viewer
Simple policyOnly my friends can see
my location. A
Secret club A
Secret club
Jean Yang @ POPL 5
getLocation
Owner Viewer
Which policies apply where?
Policy interaction?
Finer-Grained Policies
Alice
Only my friends can see
my location. A
Only members know
this exists.
Secret club
A
Diner
Not a membe
r!
Locations
Jean Yang @ POPL 6
Programmer Burdendef getLocation (user: User) (viewer: User) : Location = { if (isFriends user viewer) {
if (canSee user.location viewer) { user.location;} else { scrub(user.location, “Diner”); }
} else { undisclosedLocation; }}
Policies
Views of sensitive values
Output Context
Jean Yang @ POPL 7
Our Mission
Make it easier for theprogrammer to preserve confidentiality of user
data.
Jean Yang @ POPL 8
What’s Hard?
Function
Function
Scrubbed data
Data
Programmer check/filter
Programmer check/filter
Scrubbed data
Functionality and policy
are intertwined.
Jean Yang @ POPL 9
Scrubbed data
Our Solution
Function
Function
Scrubbed data
DataAutomatic enforcement
Policy Separation of policies from functionality
Programmer check/filter
Programmer check/filter
Tagged data
Jean Yang @ POPL 10
Jeeves Goaldef getLocation (user: User) (viewer: User) : Location = { if (isFriends user viewer) {
if (canSee user.location viewer) { user.location;} else { scrub(user.location, “Work”); }
} else { undisclosedLocation; }}
def getLocation (user: User): Location = user.location
Stat
e of
the
Ar
tJe
eve
s
Policy +
Functionality
Jean Yang @ POPL 11
Talk Outline
Jeeves languag
e
How it works
Coding in Jeeves
Jean Yang @ POPL 12
Jeeves Language
Function
Function
Tagged data
Scrubbed data
DataSensitive values
1Policy Policies2Automatic contextual enforcement
3
Jean Yang @ POPL 13
| Secret club
A
Low confidentiality High confidentiality
Diner
A
Diner Secret club
Jeeves for Locations
Jean Yang @ POPL 14
val location: String = <“school” | “MIT”>a
level a in
Core Functionalityval msg: String = “Alice is at ” + locationContextual Enforcementprint {alice} msg /* “Alice is at MIT” */print {bob} msg /* “Alice is at school” */
Low componentHigh componentPolicies
policy a: context != alice low
Using Jeeves
Level variable
{ low, high }
Sensitive Values
Jean Yang @ POPL 15
Jeeves languag
e
How it works
Coding in Jeeves
Talk Outline
Jean Yang @ POPL 16
How Jeeves Works
Function
Function
Symbolic expressions
Concrete value
Symbolic valuesConstraints
Symbolic evaluation
Implicitparameter
SMT solving
Jean Yang @ POPL 17
Name LocationAlice MITBob POPLClaire POPL
Representing Sensitive Values in
JeevesName LocationAlice ?|MITaBob POPLClaire ?|POPLb
Policy
Policy
Without Jeeves
Jeeves
Jean Yang @ POPL 18
Runtime Environmentcontext != alice a = low
… b = low
1 + ((x1 = POPL) ? 1 : 0)
+ ((x2 = POPL) ? 1 : 0)
Symbolic Evaluation for Information Flow
Name LocationAlice |aBob POPLClaire |b
How many people are at
POPL?Outputs computed from
sensitive values are symbolic & concretized
under the policy environment.
Jean Yang @ POPL 19
Jeeves Non-InterferenceGuarantee
L | H a
Consider the sensitive value
Low component
High component
Level variable
Given a fixed L, all executions where a must be low produce equivalent outputs no matter the value of H.
Jean Yang @ POPL 20
Program
L
a
StandardNon-Interference
H1
H2Hn-1
Hn
Does not depend on the H-value
OutputDoes not depend on the H-value
= low
Jean Yang @ POPL 21
Program
L
a
JeevesNon-Interference
H1
H2
Hn-1
Hn
= low
OutputCannot distinguish between H-values that imply a = low
a = high
a = low
Depends on the H-value
Jean Yang @ POPL 22
Program
L
a
JeevesNon-Interference
= low
OutputProgram does not leak information about H.
Programs to outputs?
H
Jean Yang @ POPL 23
Language Restrictions
Function
Function
Symbolic expressions
Concrete value
Symbolic valuesConstraints
Symbolic evaluation
SMT solving
Constraints Symbolic values
Arithmetic and Boolean
constraints with conditionals &
implications.
Primitives and objects. No functions.
No functions, quantifiers, or theory of lists.
Jean Yang @ POPL 24
Static Checks
Function
Function
Symbolic expressions
Concrete value
Symbolic valuesConstraints
Symbolic evaluation
SMT solving
Symbolic values flow only where expected.Evaluation does not introduce nontermination.
Contexts are well-formed.
Outputs are concrete.
Symbolic expressions
Function
Function
Concrete value
Jean Yang @ POPL 25
A
Stateful Policies
Alice
Only people
near me can see
my location.
policy a: (distance context alice > radius ) low
But Alice’s location is changing…
Jeeves: Delay policy evaluation until output.
Secret club
Jean Yang @ POPL 26
Jeeves System
Function
Function
Symbolic expressions
Concrete value
DataPolicies
Jeeves runtime
Output
Well-formed values.Evaluation produces well-formed values.
Policies evaluated.
Guarantee: outputs shown according to policies.
Jean Yang @ POPL 27
Scala Implementation+
v 3
Overload operators to create symbolic expressions.
=
v 2Runtime
Environment
SMT Solver
Use an SMT solver as a model finder.
Propagate policies.
Delay evaluation of policies until output.
policy
Jean Yang @ POPL 28
Jeeves languag
e
How it works
Talk Outline
Coding in Jeeves
Jean Yang @ POPL 29
JConf Architecture
UserRole
PaperTitleAuthorReviewsTags…
Policy
Policy
Policy
ReviewReviewerContent
Policy
PolicyContextViewer: UserCStage: Stage
Polic
y
Policy
Submission, review,
rebuttal, decision,
public
Core Program•Search papers.•Display papers.•Add and remove tags.•Assign and submit reviews.Func
tion
alit
y
Does not need to
know about
policies.
Jean Yang @ POPL 30
Functionality vs. PolicyFile Total
LOCPolicy LOC
ConfUser.scala 59 17PaperRecord.scala
103 48
PaperReview.scala
21 11
ConfContext.scala
6 0
Backend 123 0Frontend (Scalatra)
161 0
Total 473 76
Jean Yang @ POPL 31
Conclusions
Website: sites.google.com/site/jeevesprogrammingGoogle Code: code.google.com/p/scalasmtContact: [email protected]
The Jeeves language: pushing
responsibility of privacy to the
runtime.
How we designed a language with
constraints using symbolic evaluation to provide execution
guarantees.
Evaluation of Jeeves in practice:
conference management
example.