Stephen Chong

Civitas: Toward a Secure Voting System

Civitas is the first electronic voting system that is coercion-resistant, universally and voter verifiable, and suitable for remote voting. This paper describes the design and implementation of Civitas. Assurance is established in the design through security proofs, and in the implementation through information-flow security analysis. Experimental results give a quantitative evaluation of the tradeoffs between time, cost, and security.

Secure web applications via automatic partitioning

Swift is a new, principled approach to building web applications that are secure by construction. In modern web applications, some application functionality is usually implemented as client-side code written in JavaScript. Moving code and data to the client can create security vulnerabilities, but currently there are no good methods for deciding when it is secure to do so. Swift automatically partitions application code while providing assurance that the resulting placement is secure and efficient. Application code is written as Java-like code annotated with information flow policies that specify the confidentiality and integrity of web application information. The compiler uses these policies to automatically partition the program into JavaScript code running in the browser, and Java code running on the server. To improve interactive performance, code and data are placed on the client side. However, security-critical code and data are always placed on the server. Code and data can also be replicated across the client and server, to obtain both security and performance. A max-flow algorithm is used to place code and data in a way that minimizes client-server communication.

Scalable extensibility via nested inheritance

Inheritance is a useful mechanism for factoring and reusing code. However, it has limitations for building extensible systems. We describe <i>nested inheritance</i>, a mechanism that addresses some of the limitations of ordinary inheritance and other code reuse mechanisms. Using our experience with an extensible compiler framework, we show how nested inheritance can be used to construct highly extensible software frameworks. The essential aspects of nested inheritance are formalized in a simple object-oriented language with an operational semantics and type system. The type system of this language is sound, so no run-time type checking is required to implement it and no run-time type errors can occur. We describe our implementation of nested inheritance as an unobtrusive extension of the Java language, called Jx. Our prototype implementation translates Jx code to ordinary Java code, without duplicating inherited code.

Security policies for downgrading

A long-standing problem in information security is how to specify and enforce expressive security policies that control information flow while also permitting information release (i.e., declassification) where appropriate. This paper presents security policies for downgrading and a security type system that incorporates them, allowing secure downgrading of information through an explicit declassification operation. Examples are given showing that the downgrading policy language captures useful aspects of designer intent. These policies are connected to a semantic security condition that generalizes noninterference, and the type system is shown to enforce this security condition.

Asynchronous functional reactive programming for GUIs

Graphical user interfaces (GUIs) mediate many of our interactions with computers. Functional Reactive Programming (FRP) is a promising approach to GUI design, providing high-level, declarative, compositional abstractions to describe user interactions and time-dependent computations. We present Elm, a practical FRP language focused on easy creation of responsive GUIs. Elm has two major features: simple declarative support for Asynchronous FRP; and purely functional graphical layout. Asynchronous FRP allows the programmer to specify when the global ordering of event processing can be violated, and thus enables efficient concurrent execution of FRP programs; long-running computation can be executed asynchronously and not adversely affect the responsiveness of the user interface. Layout in Elm is achieved using a purely functional declarative framework that makes it simple to create and combine text, images, and video into rich multimedia displays. Together, Elms two major features simplify the complicated task of creating responsive and usable GUIs.

Using replication and partitioning to build secure distributed systems

A challenging unsolved security problem is how to specify and enforce system-wide security policies; this problem is even more acute in distributed systems with mutual distrust. This paper describes a way to enforce policies for data confidentiality and integrity in such an environment. Programs annotated with security specifications are statically checked and then transformed by the compiler to run securely on a distributed system with untrusted hosts. The code and data of the computation are partitioned across the available hosts in accordance with the security specification. The key contribution is automatic replication of code and data to increase assurance of integrity, without harming confidentiality, and without placing undue trust in any host. The compiler automatically generates secure run-time protocols for communication among the replicated code partitions. Results are given from a prototype implementation applied to various distributed programs.

Provenance: a future history

Science, industry, and society are being revolutionized by radical new capabilities for information sharing, distributed computation, and collaboration offered by the World Wide Web. This revolution promises dramatic benefits but also poses serious risks due to the fluid nature of digital information. One important cross-cutting issue is managing and recording provenance, or metadata about the origin, context, or history of data. We posit that provenance will play a central role in emerging advanced digital infrastructures. In this paper, we outline the current state of provenance research and practice, identify hard open research problems involving provenance semantics, formal modeling, and security, and articulate a vision for the future of provenance.

Information-flow security for interactive programs

Interactive programs allow users to engage in input and output throughout execution. The ubiquity of such programs motivates the development of models for reasoning about their information-flow security, yet no such models seem to exist for imperative programming languages. Further, existing language-based security conditions founded on noninteractive models permit insecure information flows in interactive imperative programs. This paper formulates new strategy-based information-flow security conditions for a simple imperative programming language that includes input and output operators. The semantics of the language enables a fine-grained approach to the resolution of nondeterministic choices. The security conditions leverage this approach to prohibit refinement attacks while still permitting observable nondeterminism. Extending the language with probabilistic choice yields a corresponding definition of probabilistic noninterference. A soundness theorem demonstrates the feasibility of statically enforcing the security conditions via a simple type system. These results constitute a step toward understanding and enforcing information-flow security in real-world programming languages, which include similar input and output operators

Language-based information erasure

Real computing systems sometimes need to forget sensitive information. This paper explores the specification and semantics of information erasure policies, which impose a strong, end-to-end requirement that information be either erased or made less accessible. Simple lattice-based information flow policies, corresponding to a noninterference requirement, are augmented with the ability to express explicit erasure and declassification policies. Examples are given of applying this expressive policy language to real systems. The paper gives tools for reasoning about policy enforcement either statically or dynamically. Further, the significance of these policies to security is formally explained in terms of trace-based semantic security properties: generalizations of noninterference that accommodate erasure and declassification.

Decentralized robustness

Robustness links confidentiality and integrity properties of a computing system and has been identified as a useful property for characterizing and enforcing security. Previous characterizations of robustness have been with respect to a single idealized attacker; this paper shows how to define robustness for systems with mutual distrust. Further, we demonstrate that the decentralized label model (DLM) can be extended to support fine-grained reasoning about robustness in such systems. The DLM is a natural choice for capturing robustness requirements because decentralized labels are explicitly expressed in terms of principals that can be used to characterize the power of attackers across both the confidentiality and integrity axes. New rules are proposed for statically checking robustness and qualified robustness using an extended DLM; the resulting type system is shown to soundly enforce robustness. Finally, sound approximations are developed for checking programs with bounded but unknown label parameters, which is useful for security-typed languages. In sum, the paper shows how to use robustness to gain assurance about secure information flow and information release in systems with complex security requirements