Abstract
Data containers enable users to control access to their data while untrusted applications compute on it. However, they require replicating an application inside each container, which compromises functionality, programmability, and performance. We propose DATS, a system for running web applications that retains application usability and efficiency through a mix of hardware-capability-enhanced containers and two new primitives modeled after the popular model-view-controller (MVC) pattern. (1) DATS introduces a templating language for creating views that compose data across data containers. (2) DATS uses authenticated storage and confinement so that an untrusted storage service, such as memcached or deduplication, can operate on plain-text data across containers. These two primitives act as robust declassifiers that allow DATS to enforce non-interference across containers, taking large applications out of the trusted computing base (TCB). We showcase eight different web applications, including Gitlab and a Slack-like chat, significantly improve the worst-case overheads caused by application replication, and demonstrate usable performance for common-case usage.
DATS - Data Containers for Web Applications. ASPLOS'18, March 24--28, 2018, Williamsburg, VA, USA.
Published in ASPLOS '18: Proceedings of the Twenty-Third International Conference on Architectural Support for Programming Languages and Operating Systems.