Toward Secure Services from Untrusted Developers

Abstract

We present a secure service prototype built from untrusted, contributed code. The service manages private data for a variety of different users, and user programs frequently require access to other users' private data. However, aside from covert timing channels, no part of the service can corrupt private data or leak it between users or outside the system without permission from the data's owners. Instead, owners may choose to reveal their data in a controlled manner. This application model is demonstrated by Muenster, a job search website that protects both the integrity and secrecy of each user's data. In spite of running untrusted code, Muenster and other services can prevent overt leaks because the untrusted modules are constrained by the operating system to follow pre-specified security policies, which are nevertheless flexible enough for programmers to do useful work. We build Muenster atop Asbestos, a recently described operating system based on a form of decentralized information flow control [5].

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Aug 06, 2007
Accession Number
ADA477345

Entities

People

  • Alexander Yip
  • David Mazières
  • Eddie Kohier
  • Frans Kaashoek
  • Maxwell Krohn
  • Micah Brodsky
  • Petros Efstathopoulos
  • Robert Morris
  • Steve Vandebogart

Organizations

  • Massachusetts Institute of Technology

Tags

Communities of Interest

  • Cyber
  • Materials and Manufacturing Processes

DTIC Thesaurus Topics

  • Asbestos
  • Computer Programming
  • Computer Programs
  • Computer Science
  • Computers
  • Debugging
  • Flow
  • Hypervelocity Flow
  • Language
  • Models
  • Operating Systems
  • Programming Languages
  • Security
  • Servers (Computer Hardware)
  • Virtual Machines
  • Web Browsers
  • Web Service

Fields of Study

  • Computer science

Readers

  • Database Systems and Applications
  • Economics