Building Distributed Systems With Information Flow Control

Computing technology has made recording and copying information cheap and convenient, resulting in numerous security problems: from accidental copying leading to confidentiality breaches to rapid proliferation of spam, worms and other malicious code. At the same time, distributed information systems provide value through efficient information dissemination. This thesis investigates techniques that address the challenge of building distributed systems while providing the assurance of security. This thesis first focuses on web information systems based on the clientserver communication paradigm. Servlet Information Flow (SIF) is a novel software framework for building high-assurance web applications. Security concerns are expressed as end-to-end confidentiality and integrity policies within the application code. Expressive policies allow users and application providers to protect information from one another. Together, the compiler and the runtime apply information flow analysis to prevent flow of confidential information to clients and flow of low-integrity information from clients, thereby moving the trust out of the application and into the framework. This increased assurance is obtained with modest enforcement overhead. Where SIF enables servers to quickly and securely disseminate data to numerous clients, Swift is a new approach for building web applications that allows moving code, in addition to data, to clients. Moving code to the client makes the applications more responsive for the clients, since not every user request needs a round trip to the server. While more efficient, this mechanism introduces security complications since the client can manipulate code running on it and influence, or gain illegal access to, sensitive server-side data. Swift allows the programmer to write the entire application code as a single sequential Java-like program with security policy annotations. The compiler automatically partitions the program between the client and server so as to respect all security policies while generating efficient client-server communication protocols. Finally, this thesis identifies a general problem for distributed systems: read channels, which leak information via the pattern of data fetch requests to an untrusted host. We first discuss a type systems approach based on attaching an access label to each reference to a remote object. We show how the type system can prevent read channels by statically discovering their presence in a distributed program. We also discuss the expressiveness limitations of the type system approach. To address these limitations, we present a program transformation technique based on abstract interpretation to automatically eliminate read channels in any given program. We evaluate the performance of this technique on some benchmark programs