Experience shows that most programmers can't write secure code. Few applications have the luxury of being written by security-conscious programmers, and thus the vast majority of all software is untrustworthy. At the same time, operating systems and networks have spectacularly failed to control the damage caused by subverted software.
However, one technique--information flow control--has proven capable of limiting damage by buggy and even malicious software. The military has long used this technique to protect sensitive data against Trojan horses, but retrofitting existing operating systems with information flow control is a lengthy and difficult process, often unable to keep pace with the evolution of commodity software.
We intend to develop a clean-slate infrastructure for distributed applications in which the lowest-level abstractions are specifically designed to control information flow. We will re-think the architecture of operating systems, networks, and even processors to realize an infrastructure that relies on a small, highly-secure, and, at least in part, mechanically checkable trusted computing base. On top of this base, we will implement interfaces that resemble the network programming APIs to which Unix programmers are accustomed.
Our infrastructure will aim to give programmers as much freedom as possible to structure their applications, subject only to information flow constraints. Our motivating application will be scalable Internet web sites replicated across multiple servers.
??Traditionally, much of computer system security centers aroundrestricting what operations can be performed in various contexts. Bycontrast, this project set out to build systems in which securitycenters around the data. For instance, a web site's policy might holdthat a user's private profile information should only be viewed by theuser herself or an administrator of the system. To enforce such apolicy, the system must provide information flow control (IFC)--i.e.,it must trace information propagating through the system and restrictits unauthorized dissemination. While IFC dates back to the 60s, it is traditionally retrofitted ontomore traditional access control frameworks. In this project were-thought our network protocols, operating systems, and hardware toprovide information flow control from the ground up at the lowestlevel. We showed that more traditional access control can beimplemented on top of an IFC substrate, in less security-criticalcode. The resulting systems provided a new and attractive datapoint,balancing relatively high assurance IFC (which depended on thecorrectness of only small amounts of code) with a high degree ofsource code compatibility with existing systems. More importantly,our systems let applications themselves leverage underlying IFCfunctions, allowing application security to rest directly on thesecurity properties guaranteed by the underlying operating system. The research led to a number of artifacts, all available underopen-source licenses. The HiStar operating system, which began theproject, demonstrated how a 20,000 line operating system kernel couldboth enforce IFC and provide low-level facilities sufficient toimplement a more traditional operating system interface in anuntrusted (and hence not security-critical) library. The Loki projectshowed that simple hardware support from the CPU could approximatelyhalve the amount of fully trusted code in the kernel. The DStarnetwork protocol demonstrated that it is possible to enforcedistributed IFC in a decentralized way, with no central root of trust.Cinder demonstrated the applicability of our ideas to a mobile phone. In addition, our research required us to develop several technologiesthat are of more general interest. Notably, tcpcrypt is a simple andbackwards-compatible extension to the ubiquitous TCP protocol thatallows opportunistic encryption everywhere and strong securitywherever there is application-level authentication. Trusted HTTPdemonstrated that, unlike the status quo, password authentication inthe browser can be used for strong mutual authentication of servers tobrowsers as well as browsers to servers.
