Neon: system support for derived data management

Authors:
Qing Zhang;John McCullough;Justin Ma;Nabil Schear;Michael Vrable;Amin Vahdat;Alex C. Snoeren;Geoffrey M. Voelker;Stefan Savage
Affiliations:
UCSD, San Diego, CA, USA;UCSD, San Diego, CA, USA;UCSD, San Diego, CA, USA;UIUC, Champaign, IL, USA;UCSD, San Diego, CA, USA;UCSD, San Diego, CA, USA;UCSD, San Diego, CA, USA;UCSD, San Diego, CA, USA;UCSD, San Diego, CA, USA
Venue:
Proceedings of the 6th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
Year:
2010

Citing 31
Cited 8

A decentralized model for information flow control

Proceedings of the sixteenth ACM symposium on Operating systems principles
JFlow: practical mostly-static information flow control

Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Certification of programs for secure information flow

Communications of the ACM
A lattice model of secure information flow

Communications of the ACM
Secure Execution via Program Shepherding

Proceedings of the 11th USENIX Security Symposium
Xen and the art of virtualization

SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Secure program execution via dynamic information flow tracking

ASPLOS XI Proceedings of the 11th international conference on Architectural support for programming languages and operating systems
Minos: Control Data Attack Prevention Orthogonal to Memory Model

Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture
RIFLE: An Architectural Framework for User-Centric Information-Flow Security

Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture
SafeMem: Exploiting ECC-Memory for Detecting Memory Leaks and Memory Corruption During Production Runs

HPCA '05 Proceedings of the 11th International Symposium on High-Performance Computer Architecture
Defeating Memory Corruption Attacks via Pointer Taintedness Detection

DSN '05 Proceedings of the 2005 International Conference on Dependable Systems and Networks
Labels and event processes in the asbestos operating system

Proceedings of the twentieth ACM symposium on Operating systems principles
Vigilante: end-to-end containment of internet worms

Proceedings of the twentieth ACM symposium on Operating systems principles
TaintTrace: Efficient Flow Tracing with Dynamic Binary Rewriting

ISCC '06 Proceedings of the 11th IEEE Symposium on Computers and Communications
Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation

Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems 2006
Practical taint-based protection using demand emulation

Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems 2006
QEMU, a fast and portable dynamic translator

ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
Understanding data lifetime via whole system simulation

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Taking a Hard-Line Approach to Encryption

Computer
Making information flow explicit in HiStar

OSDI '06 Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation - Volume 7
Provenance-aware storage systems

ATEC '06 Proceedings of the annual conference on USENIX '06 Annual Technical Conference
Secure web applications via automatic partitioning

Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Information flow control for standard OS abstractions

Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Understanding and visualizing full systems with data flow tomography

Proceedings of the 13th international conference on Architectural support for programming languages and operating systems
A Virtual Machine Based Information Flow Control System for Policy Enforcement

Electronic Notes in Theoretical Computer Science (ENTCS)
Manageable fine-grained information flow

Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008
SIF: enforcing confidentiality and integrity in web applications

SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Securing distributed systems with information flow control

NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
Pointless tainting?: evaluating the practicality of pointer tainting

Proceedings of the 4th ACM European conference on Computer systems
Causality-based versioning

FAST '09 Proccedings of the 7th conference on File and storage technologies
Hardware enforcement of application security policies using tagged memory

OSDI'08 Proceedings of the 8th USENIX conference on Operating systems design and implementation

Small trusted primitives for dependable systems

ACM SIGOPS Operating Systems Review
Do you know where your data are?: secure data capsules for deployable data protection

HotOS'13 Proceedings of the 13th USENIX conference on Hot topics in operating systems
Taint-exchange: a generic system for cross-process and cross-host taint tracking

IWSEC'11 Proceedings of the 6th International conference on Advances in information and computer security
Tracking payment card data flow using virtual machine state introspection

Proceedings of the 27th Annual Computer Security Applications Conference
Path-exploration lifting: hi-fi tests for lo-fi emulators

ASPLOS XVII Proceedings of the seventeenth international conference on Architectural Support for Programming Languages and Operating Systems
Silverline: data and network isolation for cloud services

HotCloud'11 Proceedings of the 3rd USENIX conference on Hot topics in cloud computing
πBox: a platform for privacy-preserving apps

nsdi'13 Proceedings of the 10th USENIX conference on Networked Systems Design and Implementation
SilverLine: preventing data leaks from compromised web applications

Proceedings of the 29th Annual Computer Security Applications Conference

Quantified Score

Hi-index	0.00

Visualization

Abstract

Modern organizations face increasingly complex information management requirements. A combination of commercial needs, legal liability and regulatory imperatives has created a patchwork of mandated policies. Among these, personally identifying customer records must be carefully access-controlled, sensitive files must be encrypted on mobile computers to guard against physical theft, and intellectual property must be protected from both exposure and "poisoning." However, enforcing such policies can be quite difficult in practice since users routinely share data over networks and derive new files from these inputs--incidentally laundering any policy restrictions. In this paper, we describe a virtual machine monitor system called Neon that transparently labels derived data using byte-level "tints" and tracks these labels end to end across commodity applications, operating systems and networks. Our goal with Neon is to explore the viability and utility of transparent information flow tracking within conventional networked systems when used in the manner in which they were intended. We demonstrate that this mechanism allows the enforcement of a variety of data management policies, including data-dependent confinement, mandatory I/O encryption, and intellectual property management.