Mark Thober

Dynamic Dependency Monitoring to Secure Information Flow

Although static systems for information flow security are well-studied, few works address run-time information flow monitoring. Run-time information flow control offers distinct advantages in precision and in the ability to support dynamically defined policies. To this end, we here develop a new run-time information flow system based on the runtime tracking of indirect dependencies between program points. Our system tracks both direct and indirect information flows, and noninterference results are proved.

Pagoda: a dynamic overlay network for routing, data management, and multicasting

The tremendous growth of public interest in peer-to-peer systems in recent years has initiated a lot of research work on how to design efficient and robust overlay networks for these systems. While a large collection of scalable peer-to-peer overlay networks has been proposed in recent years, many fundamental questions have remained open. Some of these are: Is it possible to design deterministic peer-to-peer overlay networks with properties comparable to randomized peer-to-peer systems? How can peers of non-uniform bandwidth be organized in an overlay network?We propose a dynamic overlay network called Pagoda that provides solutions to both of these problems. The Pagoda network has a constant degree, a logarithmic diameter, and a 1/logarithmic expansion, and therefore matches the properties of the best randomized overlay networks known so far. However, in contrast to these networks, the Pagoda is deterministic and therefore guarantees these properties. The Pagoda can be used to organize both nodes with uniform bandwidth and nodes with non-uniform bandwidth. For nodes with uniform bandwidth, any node insertion or deletion can be executed with logarithmic work, and for nodes with non-uniform bandwidth, any node insertion and deletion can be executed with polylogarithmic work. Moreover, the Pagoda overlay network can route arbitrary multicast problems with a congestion that is within a logarithmic factor of what a best possible overlay network of logarithmic degree for that particular multicast problem can achieve, even though the Pagoda is a constant degree network. This holds even for nodes of arbitrary non-uniform bandwidths. We also show that the Pagoda network can be used for efficient data management.

Improving usability of information flow security in java

This paper focuses on improving the usability of information flow type systems. We present a static information flow type inference system for Middleweight Java (MJ) which automatically infers information flow labels, thus avoiding the need for a multitude of program annotations. Additionally, policies need only be specified on IO channels, the critical flow boundary. Our type system includes a high degree of parametric polymorphism, necessary to allow classes to be used in multiple security contexts, and to properly distinguish the security policies of different IO channels. We prove a noninterference property for programs that interactively input and output data. We then describe a mechanism that allows users to define top-level policies, which automatically inserts the security policies at the proper points in the program. This provides the further benefit that whomever is defining the policy does not necessarily need intimate knowledge of the program source

Improving coherency of runtime integrity measurement

Recent work in software integrity verification provides techniques for measuring integrity at runtime, where a measurement agent observes the memory image of a running process and constructs some meaningful description of the processs current state. Unlike in static and load time measurement architectures, the target of a runtime measurement is running and hence able to change its state. In this setting, an accurate measurement must reflect a coherent state of the target. A coherent measurement must satisfy two properties: atomicity ensures that a measurement corresponds to the state of the target at a particular point in time and quiescence ensures that the target data is in a consistent state, i.e. not a critical section. We address the former property, showing that we can obtain an atomic measurement using a memory copy-on-write strategy, which we have implemented in the Xen hypervisor. We show that this approach achieves significant performance gains in the memory and time impact to the target, when compared with naive strategies for enforcing atomicity.

Securing information flow via dynamic capture of dependencies

Although static systems for information flow security are well studied, few works address runtime information flow monitoring. Runtime information flow control offers distinct advantages in precision and in the ability to support dynamically defined policies. To this end, we here develop a new runtime information flow system based on the runtime tracking of indirect dependencies between program points. Our system tracks both direct and indirect information flows, and noninterference results are proved.

JMF: Java measurement framework: language-supported runtime integrity measurement

Runtime integrity measurement systems provide the capability to observe the runtime state of a process and to determine whether or not it is acceptable. Existing software systems tend to forgo integrity checks altogether or to enlist static mechanisms (e.g., assertions) to detect unacceptable process states at runtime. A large and growing base of malicious software necessitates more sophisticated handling of threats to process integrity. In this paper, we describe an approach to runtime integrity measurement we call the Java Measurement Framework (JMF) that presents a new way to define and check runtime integrity policies. We define a policy language based on Java that provides an accessible way to write integrity policies and we describe a periodic, dynamic measurer that obtains snapshots of process state, which are evaluated with respect to a policy by an appraiser. With full process state available to the appraiser, policies can express rich relationships between multiple objects, thereby detecting abnormalities in an applications data structures. Our framework may be used to detect a powerful adversary who has the capability to modify both the runtime bytecode and data structures of Java applications. We show that our prototype implementation in Java has acceptable overhead and that it can be used to detect runtime integrity violations in several real Java programs.