Secure information flow control in systems

MPI-SWS/Saarland University


Summer 2016

Instructor: Deepak Garg

Teaching assistant: Aastha Mehta

Language: English

Overview

Information flow control (IFC) is a cornerstone of computer security. Existing literature on IFC has examined both theoretical techniques to enforce IFC and systems that implement IFC. This course will focus on the latter. We will study papers that describe implementations of IFC in operating systems, relational databases and programming languages. The course is intended to be self-contained. At the beginning of the course, we will cover the basics of IFC.

Logistics

Location: E1.5 Room 029
Time: Thursdays, 16:00-17:30

Reading list and schedule (Tentative)

| Date | Paper | Discussion lead |
|---|---|---|
| 12 May 2016 | Protecting Privacy using the Decentralized Label Model. A. Myers, B. Liskov (TOSEM, Oct 2000) | Aastha/Deepak |
| 19 May 2016 | Information Flow Control for Standard OS abstractions. M. Krohn, A. Yip, M. Brodsky, N. Cliffer, M. Kaashoek, E. Kohler, R. Morris (SOSP'07) | Gebrehiwet |
| 26 May 2016 | No class (Corpus Christi) | |
| 2 June 2016 | Hardware Enforcement of Application Security Policies Using Tagged Memory. N. Zeldovich, H. Kannan, M. Dalton, C. Kozyrakis (OSDI'08) | Darshit |
| 9 June 2016 | An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications. D. Jang, R. Jhala, S. Lerner, H. Shacham (CCS'10) | Samer |
| 16 June 2016 | TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. W. Enck, P. Gilbert, B. Chun, L. Cox, J. Jung, P. McDaniel, A. Sheth (OSDI'10) | Nataniel |
| 23 June 2016 | JFlow: practical mostly-static information flow control. A. Myers (POPL'99) | Arpan |
| 30 June 2016 | SIF: Enforcing Confidentiality and Integrity in Web Applications. S. Chong, K. Vikram, A. Myers (Security'07) | Ezekiel |
| 7 July 2016 | Improving Application Security with Data Flow Assertions. A. Yip, X. Wang, N. Zeldovich, M. Kaashoek (SOSP'09) | Juan |
| 14 July 2016 | Hails: Protecting Data Privacy in Untrusted Web Applications. D. Griffin, A. Levy, D. Stefan, D. Terei, D. Mazières, J. Mitchell, A. Russo (OSDI'12) | Subhashini |
| 21 July 2016 | IFDB: Decentralized Information Flow Control for Databases. D. Schultz, B. Liskov (EuroSys'13) | Nicolas |
| 28 July 2016 | Protecting Users by Confining JavaScript with COWL. Deian Stefan, Edward Z. Yang, Petr Marchenko, Alejandro Russo, Dave Herman, Brad Karp, David Mazières (OSDI'14) | Gebrehiwet |
| 4 Aug 2016 | Bootstrapping Privacy Compliance in big data systems. S. Sen, S. Guha, A. Datta, S. Rajamani, J. Tsai, J. Wing (Oakland'14); Capsicum: practical capabilities for UNIX. Robert N. M. Watson, Jonathan Anderson, Ben Laurie, Kris Kennaway (Usenix Sec'10) | Jonas; Dhiman |

Course structure and grading

The course is structured as a standard seminar. Every week, one or two students will present one or more papers on a single topic, which we will then discuss. Before each session, all students are expected to read the papers carefully, prepare a list of discussion questions and write a short critical review of the papers. Grading will be based on presentations, reviews, criticality of discussion questions and general in-class participation.

You can also attend the seminar without taking university credits.

Registration and pre-requisites

The course is intended for Master's and Ph.D. students in Computer Science, but there are no formal pre-requisites beyond a basic knowledge of how computer systems (operating systems, databases, language compilers and interpreters) work internally. So, enterprising Bachelor's students are welcome to participate. You must send an email to the instructor to register, explaining why you wish to take the seminar and what your background in computer security and systems is. Places in the seminar are limited. If you wish to take the seminar without credit, just say so in your email. Non-credit participation is not subject to any cap.