Abstract
Distributed, event-driven applications that process sensitive user data and involve multiple organisational domains must comply with complex security requirements. Ideally, developers want to express security policy for such applications in data-centric terms, controlling the flow of information throughout the system. Current middleware does not support the specification of such end-to-end security policy and lacks uniform mechanisms for enforcement.
We describe DEFCon-Policy, a middleware that enforces security policy in multi-domain, event-driven applications. Event flow policy is expressed in a high-level language that specifies permitted flows between distributed software components. The middleware limits the interaction of components based on the policy and the data that components have observed. It achieves this by labelling data and assigning privileges to components. We evaluate DEFCon-Policy in a realistic medical scenario and demonstrate that it can provide global security guarantees without burdening application developers.
Copyright information
© 2010 IFIP International Federation for Information Processing
About this paper
Cite this paper
Migliavacca, M., Papagiannis, I., Eyers, D.M., Shand, B., Bacon, J., Pietzuch, P. (2010). Distributed Middleware Enforcement of Event Flow Security Policy. In: Gupta, I., Mascolo, C. (eds) Middleware 2010. Middleware 2010. Lecture Notes in Computer Science, vol 6452. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16955-7_17
DOI: https://doi.org/10.1007/978-3-642-16955-7_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-16954-0
Online ISBN: 978-3-642-16955-7
eBook Packages: Computer Science (R0)