Title: Securing the Web With Decentralized Information Flow Control
Abstract:
The recent successes of server-side applications (e.g. Google and Facebook
applications) hint that tomorrow's computing platform might not be the local
desktop but rather the extensible remote Web site. Unfortunately, these new
server-side platforms, built on conventional operating systems, are
committing the same security mistakes already ossified in today's insecure
desktops.
In this talk, I will discuss how to secure both today's Web sites and
tomorrow's Web computing platforms with a new OS technique called
Decentralized Information Flow Control (DIFC). A DIFC system tracks the flow
of secret data as it is copied from file to file and communicated from process
to process. In the end, the OS lets modules known as "declassifiers"
legislate policies for secret data exiting to the network. DIFC provides
better security than standard OSes because it allows developers to concentrate
security-critical code in small, audit-friendly declassifiers, which remain
small and contained even as the overall system balloons with new features.
This talk presents DIFC, an implementation of DIFC for Linux, and a case study
of a complex, popular open-source application (MoinMoin Wiki) secured with
DIFC. MoinMoin is a prototype for more ambitious and general work to come,
such as a novel Web-based application platform with encouraging security
guarantees.
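As an added illustration (not code from the talk or its Linux implementation), the following Python sketch simulates the secrecy-label discipline the abstract describes: a process that reads tagged data inherits the tag, the network carries an empty label so a tainted process cannot write to it, and only a small declassifier holding the capability to remove the tag can release data, after applying its policy. The tag name, endpoint names and the wiki page fields are constructed.

```python
# Constructed simulation of the DIFC secrecy-label model: readers inherit tags, and only
# a declassifier holding a tag's remove-capability may strip it before data hits the network.
from dataclasses import dataclass, field

class FlowDenied(Exception):
    """Data would flow to a destination whose label does not cover it."""

@dataclass
class Endpoint:
    name: str
    label: set = field(default_factory=set)       # secrecy tags currently carried
    can_remove: set = field(default_factory=set)  # tags this endpoint may declassify

NETWORK = Endpoint("network")  # fixed empty label: tagged data can never be written here

def read(proc, src, data):
    """Reading tagged data taints the reader; adding tags is always safe."""
    proc.label |= src.label
    return data

def write(proc, dst, data):
    # Allowed only if dst's label covers every tag proc carries; raises otherwise.
    if not proc.label <= dst.label:
        raise FlowDenied(f"{proc.name}{sorted(proc.label)} -> {dst.name}")

def declassify(proc, tag, data, policy):
    """Drop `tag` via a held capability, after the policy has reduced the data: the audited path."""
    if tag not in proc.can_remove:
        raise FlowDenied(f"{proc.name} may not remove {tag!r}")
    released = policy(data)
    proc.label.discard(tag)
    return released

def public_fields_only(page):
    # Constructed wiki policy: export title and body, never the ACL or author e-mail.
    return {k: v for k, v in page.items() if k in ("title", "body")}

def scenario():
    page = {"title": "Plans", "body": "text", "acl": "alice", "email": "a@example.org"}
    secret_file = Endpoint("wiki/page", label={"wiki_secret"})
    app = Endpoint("wiki_app")                                       # large, untrusted code
    exporter = Endpoint("declassifier", can_remove={"wiki_secret"})  # small, audited code
    try:
        write(app, NETWORK, read(app, secret_file, page))
        direct = "allowed"
    except FlowDenied:
        direct = "denied"  # the app is now tainted and cannot reach the network
    out = declassify(exporter, "wiki_secret", read(exporter, secret_file, page), public_fields_only)
    write(exporter, NETWORK, out)  # exporter's label is empty again, so this is allowed
    return {"app_direct": direct, "released": out, "app_label": set(app.label)}
```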
Joint work with: Micah Brodsky, Natan Cliffer, Petros Efstathopoulos, Cliff
Frey, Eddie Kohler, David Mazieres, Robert Morris, Frans Kaashoek, Steve
VanDeBogart, Mike Walfish, Alex Yip, David Ziegler
Biography:
Maxwell Krohn is a PhD candidate in Computer Science at MIT. He received
his BA from Harvard in 1999, and was a staff research scientist at NYU from
2002-2003. In between, he co-founded and co-built several community Web
sites, some vintage (TheSpark.com), others live and kicking (SparkNotes.com
and OkCupid.com). His research interests are in operating systems,
distributed systems and security.