1 / 31

A Language for Automatically Enforcing Privacy

A Language for Automatically Enforcing Privacy. Jean Yang with Kuat Yessenov and Armando Solar- Lezama. Displaying User Locations to Other Users. ?. getLocation. No Privacy C oncerns. Whatever!. A. A. getLocation. Secret club. Alice. Secret club.

cheung
Download Presentation

A Language for Automatically Enforcing Privacy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Language for Automatically Enforcing Privacy Jean Yang with KuatYessenov and Armando Solar-Lezama

  2. Displaying User Locations to Other Users ? getLocation Jean Yang @ POPL

  3. No Privacy Concerns Whatever! A A getLocation Secret club Alice Secret club defgetLocation (user: User): Location = user.location Jean Yang @ POPL

  4. Simple policy getLocation Only my friends can see my location. A A Owner Viewer Secret club Alice getLocation Secret club Jean Yang @ POPL

  5. Finer-Grained Policies Only members know this exists. Only my friends can see my location. Policy interaction? A A getLocation Secret club Alice Diner Owner Viewer Locations Which policies apply where? Not a member! Jean Yang @ POPL

  6. Programmer Burden Output Context defgetLocation(user: User) (viewer: User) : Location = { if (isFriends user viewer) { if (canSeeuser.location viewer) { user.location; } else { scrub(user.location, “Diner”); } } else { undisclosedLocation; } } Policies Views of sensitive values Jean Yang @ POPL

  7. Our Mission Make it easier for the programmer to preserve confidentiality of user data. Jean Yang @ POPL

  8. What’s Hard? Data Function Programmer check/filter Functionality and policy are intertwined. Scrubbed data Function Programmer check/filter Scrubbed data Jean Yang @ POPL

  9. Our Solution Separation of policies from functionality Policy Data Automatic enforcement Function Programmer check/filter Taggeddata Scrubbed data Function Programmer check/filter Scrubbed data Jean Yang @ POPL

  10. Jeeves Goal defgetLocation(user: User) (viewer: User) : Location = { if (isFriends user viewer) { if (canSeeuser.location viewer) { user.location; } else { scrub(user.location, “Work”); } } else { undisclosedLocation; } } Policy + Functionality State of the Art defgetLocation (user: User): Location = user.location Jeeves Jean Yang @ POPL

  11. Talk Outline Jeeves language How it works Coding in Jeeves Jean Yang @ POPL

  12. Jeeves Language Sensitive values 1 Policy Data Policies 2 Automatic contextual enforcement 3 Function Taggeddata Function Scrubbed data Jean Yang @ POPL

  13. Jeeves for Locations  |  Diner Secret club A A Low confidentiality High confidentiality Diner Secret club Jean Yang @ POPL

  14. Using Jeeves Sensitive Values levela in { low, high } val location: String = <“school” | “MIT”>a Level variable High component Low component Policies policy a: context != alicelow Core Functionality valmsg: String = “Alice is at ” + location Contextual Enforcement print {alice} msg/* “Alice is at MIT” */ print {bob} msg/* “Alice is at school” */ Jean Yang @ POPL

  15. Talk Outline Jeeves language How it works Coding in Jeeves Jean Yang @ POPL

  16. How Jeeves Works Constraints Symbolic values Symbolic evaluation Function Symbolic expressions Implicit parameter Function SMT solving Concrete value Jean Yang @ POPL

  17. Representing Sensitive Values in Jeeves Without Jeeves Jeeves Policy Policy Jean Yang @ POPL

  18. Symbolic Evaluation for Information Flow Runtime Environment context!= alicea = low … b = low How many people are at POPL? Outputs computed from sensitive values are symbolic & concretized under the policy environment. 1 + ((x1 = POPL) ? 1 : 0) + ((x2= POPL) ? 1 : 0) Jean Yang @ POPL

  19. Jeeves Non-InterferenceGuarantee Consider the sensitive value  L |H a Level variable High component Low component Given a fixed L,all executions where amust be low produce equivalent outputs no matter the value of H. Jean Yang @ POPL

  20. StandardNon-Interference H2 Hn H1 Hn-1 L Program a = low Does not depend on the H-value Does not depend on the H-value Output Jean Yang @ POPL

  21. JeevesNon-Interference H2 a = high H1 a = low Hn L Hn-1 Program a = low Depends on the H-value Cannot distinguish between H-values that imply a = low Output Jean Yang @ POPL

  22. JeevesNon-Interference L H Program a = low Program does not leak information about H. Programs to outputs? Output Jean Yang @ POPL

  23. Language Restrictions Primitives and objects. No functions. Constraints Constraints Symbolic values Symbolic values Arithmetic and Boolean constraints with conditionals & implications. Symbolic evaluation Function Symbolic expressions No functions, quantifiers, or theory of lists. Function SMT solving Concrete value Jean Yang @ POPL

  24. Static Checks Constraints Symbolic values Symbolic evaluation Function Function Symbolic values flow only where expected. Symbolic expressions Symbolic expressions Contexts are well-formed. Evaluation does not introduce nontermination. Function Function SMT solving Outputs are concrete. Concrete value Concrete value Jean Yang @ POPL

  25. Stateful Policies Only people near me can see my location. policya: • (distance contextalice • > radius ) low A But Alice’s location is changing… Secret club Alice Jeeves: Delay policy evaluation until output. Jean Yang @ POPL

  26. Jeeves System Policies Data Well-formed values. Jeeves runtime Evaluation produces well-formed values. Function Symbolic expressions Function Output Policies evaluated. Guarantee: outputs shown according to policies. Concrete value Jean Yang @ POPL

  27. Scala Implementation Overload operators to create symbolic expressions. Use an SMT solver as a model finder. + SMT Solver v 3 print Runtime Environment Delay evaluation of policies until output. = policy v 2 Propagate policies. Jean Yang @ POPL

  28. Talk Outline Jeeves language How it works Coding in Jeeves Jean Yang @ POPL

  29. JConf Architecture Paper Title Author Reviews Tags … Review Reviewer Content Policy Policy Context Viewer: User CStage: Stage Policy Policy Policy Policy User Role Policy • Core Program • Search papers. • Display papers. • Add and remove tags. • Assign and submit reviews. Does not need to know about policies. Submission, review, rebuttal, decision, public Functionality Jean Yang @ POPL

  30. Functionality vs. Policy Jean Yang @ POPL

  31. Conclusions The Jeeves language: pushing responsibility of privacy to the runtime. How we designed a language with constraints using symbolic evaluation to provide execution guarantees. Evaluation of Jeeves in practice: conference management example. Website: sites.google.com/site/jeevesprogramming Google Code:code.google.com/p/scalasmt Contact: jeanyang@mit.edu Jean Yang @ POPL

More Related