Multilevel security in the UNIX tradition
Software—Practice & Experience
Efficient software-based fault isolation
SOSP '93 Proceedings of the fourteenth ACM symposium on Operating systems principles
A lattice model of secure information flow
Communications of the ACM
Protecting privacy using the decentralized label model
ACM Transactions on Software Engineering and Methodology (TOSEM)
ACM Transactions on Computer Systems (TOCS)
Using Replication and Partitioning to Build Secure Distributed Systems
SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
LOMAC: Low Water-Mark Integrity Protection for COTS Environments
SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
Labels and event processes in the asbestos operating system
Proceedings of the twentieth ACM symposium on Operating systems principles
Proceedings of the 12th ACM conference on Computer and communications security
Improving host security with system call policies
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Evaluating SFI for a CISC architecture
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
A tool for constructing safe extensible C++ systems
COOTS'97 Proceedings of the 3rd conference on USENIX Conference on Object-Oriented Technologies (COOTS) - Volume 3
Information flow control for standard OS abstractions
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
XFI: software guards for system address spaces
OSDI '06 Proceedings of the 7th symposium on Operating systems design and implementation
Making information flow explicit in HiStar
OSDI '06 Proceedings of the 7th symposium on Operating systems design and implementation
Preventing Memory Error Exploits with WIT
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Vx32: lightweight user-level sandboxing on the x86
ATC'08 USENIX 2008 Annual Technical Conference on Annual Technical Conference
Native Client: A Sandbox for Portable, Untrusted x86 Native Code
SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Fast byte-granularity software fault isolation
Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles
Tightlip: keeping applications from spilling the beans
NSDI'07 Proceedings of the 4th USENIX conference on Networked systems design & implementation
Enforcing user-space privilege separation with declarative architectures
Proceedings of the seventh ACM workshop on Scalable trusted computing
| Hi-index | 0.00 |
The model of Decentralized Information Flow Control (DIFC) is effective at improving application security and can support rich confidentiality and integrity policies. We describe the design and implementation of duPro, an efficient user-space information flow control framework. duPro adopts Software-based Fault Isolation (SFI) to isolate protection domains within the same process. It controls the end-to-end information flow at the granularity of SFI domains. Being a user-space framework, duPro does not require any OS changes. Since SFI is more lightweight than hardware-based isolation (e.g., OS processes), the inter-domain communication and scheduling in duPro are more efficient than process-level DIFC systems. Finally, duPro supports a novel checkpointing-restoration mechanism for efficiently reusing protection domains. Experiments demonstrate applications can be ported to duPro with negligible overhead, enhanced security, and with tight control over information flow.