Securing untrustworthy software using information flow control

Dissertation (2008)

Abstract
This dissertation shows that trustworthy applications can be built out of largely untrustworthy code, by using information flow control to reason about the effects of code execution. Using this technique we construct a scalable distributed web server, in which most application code is untrusted and there are no fully-trusted machines or components.

Building secure applications from untrusted code requires safely executing arbitrary code on sensitive data, something for which no current operating system provides satisfactory mechanisms. To address this, we built a new operating system called HiStar that allows any user or application to specify precise data security policies. The HiStar kernel has a simple, narrow system call interface that enforces these policies by controlling information flow. HiStar provides a Unix-like environment with acceptable performance; it is implemented in an untrusted user-level library, uses the kernel to enforce security, and runs a wide variety of Unix applications. The system has no notion of superuser and no fully trusted code other than the kernel. HiStar's features permit several novel applications, including an entirely untrusted login process, separation of data between virtual private networks, and privacy-preserving, untrusted virus scanners.

In a distributed setting, controlling information flow between processes on mutually distrustful machines poses another technical challenge. We addressed this by developing DStar, a framework for controlling information flow in distributed systems. DStar describes the information flow restrictions associated with network messages, and allows multiple machines to enforce an overall information flow policy. DStar separates policy from trust by using self-certifying information flow restrictions, which include a public key in their name. HiStar applications can use DStar to safely run untrusted code across multiple HiStar machines. For example, a highly privilege-separated HiStar web server can take advantage of multiple HiStar machines for performance scalability by adding only a small amount of trusted DStar code. Even a fully-compromised machine can only subvert the security of users that use or have recently used that machine. Finally, DStar eases incremental deployment, by allowing legacy systems to securely execute just the least-trusted code on HiStar.
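The abstract describes policies enforced by controlling information flow, and the privacy-preserving untrusted virus scanner as one application. The following is an added illustration, not code from the dissertation, HiStar or DStar: a simplified label lattice in the style of HiStar's categories and levels, with a constructed scenario in which an untrusted scanner may read a user's files but cannot write them to the network, while a small trusted wrapper that owns the user's secrecy category can declassify a one-bit verdict. The level ordering (STAR below 0, 1, 2, 3), the default level of 1, and the category and object names are assumptions of this example; DStar's self-certifying category names, which embed a public key, are not modelled.

```python
"""Simplified DIFC label check in the style of HiStar labels.

Added illustration; not code from the dissertation, HiStar or DStar.
Assumed (simplified) model:
  * A label maps categories to levels; a category not listed takes the
    label's default level (1 unless stated).
  * Levels are ordered STAR < 0 < 1 < 2 < 3.  STAR in a thread's label marks
    a category the thread owns; ownership lets the thread bypass the
    restriction for that category (declassification).
  * Data may flow from label A to label B for a thread owning categories O
    iff for every category c not in O: A[c] <= B[c].
Categories are plain strings here; DStar's self-certifying names are not modelled.
"""
from dataclasses import dataclass, field

STAR = -1   # ownership marker; sorts below every numeric level


@dataclass
class Label:
    levels: dict = field(default_factory=dict)  # category -> level in {STAR,0,1,2,3}
    default: int = 1                            # level of every unlisted category

    def __getitem__(self, cat: str) -> int:
        return self.levels.get(cat, self.default)

    def owned(self) -> frozenset:
        """Categories this (thread) label owns, i.e. holds at level STAR."""
        return frozenset(c for c, lvl in self.levels.items() if lvl == STAR)


def can_flow(src: Label, dst: Label, owned=frozenset()) -> bool:
    """src may flow to dst, ignoring categories the caller owns.

    Every category named by either label is compared unless owned; the two
    default levels cover all categories that neither label names.
    """
    for cat in set(src.levels) | set(dst.levels):
        if cat in owned:
            continue
        if src[cat] > dst[cat]:
            return False
    return src.default <= dst.default


def thread_can_read(thread: Label, obj: Label) -> bool:
    """Reading moves data from the object into the thread."""
    return can_flow(obj, thread, thread.owned())


def thread_can_write(thread: Label, obj: Label) -> bool:
    """Writing moves data from the thread into the object."""
    return can_flow(thread, obj, thread.owned())


def virus_scanner_scenario() -> dict:
    """Constructed scenario: privacy-preserving untrusted scanner.

    u_secret    - the user's secrecy category (3 = most secret)
    sys_trusted - an integrity category; level 0 marks trusted system files
    """
    user_files = Label({"u_secret": 3})
    network = Label()                       # default label: unrestricted sink
    system_bin = Label({"sys_trusted": 0})  # high-integrity object
    scanner = Label({"u_secret": 3})        # untrusted scanner, tainted by user data
    wrapper = Label({"u_secret": STAR})     # small trusted wrapper owning u_secret
    scanner_output = Label({"u_secret": 3}) # scanner's result carries the taint
    return {
        "scanner reads user files": thread_can_read(scanner, user_files),
        "scanner leaks to network": thread_can_write(scanner, network),
        "untainted thread overwrites system binary": thread_can_write(Label(), system_bin),
        "wrapper reads scanner output": thread_can_read(wrapper, scanner_output),
        "wrapper reports verdict to network": thread_can_write(wrapper, network),
    }


if __name__ == "__main__":
    for check, allowed in virus_scanner_scenario().items():
        print(f"{check}: {'allowed' if allowed else 'blocked'}")
```

The scanner runs with the user's secrecy level raised in its own label, so reading the files is permitted, but every write to a less-secret object, including the network, is refused by the same comparison; only the wrapper, which owns the category, can pass the verdict out. The integrity case shows the dual direction: a thread at default level 1 cannot write to an object held at level 0.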
Keywords
DStar code, untrusted code, application code, arbitrary code, HiStar kernel, information flow control, code execution, HiStar web server, information flow, HiStar application, untrustworthy software, multiple HiStar machines