Jeeves Talk Spring 2012

Jeeves A Language for

Enforcing Privacy

Jean Yang with Kuat Yessenov

and Armando Solar-Lezama

My Biggest Fear

Jean Yang / Jeeves 2

Spotify “Private

Session” tells

everyone what I

really listen to.


More May Be at Stake…

I’m not home!


Want

applications to

adhere to

privacy settings.

Verify the

applications.

Choose Your Adventure

Maintain

control;

spend

time and $.

Make it easier

to write the

applications.

Introduce

abstraction;

spend less

time and $.

Want

applications to

adhere to

privacy settings. Make it easier

to write the

applications.

Introduce

abstraction;

spend less

time and $.

What’s hard?

getLocation ?

Displaying User Locations

to Other Users

5 Jean Yang / Jeeves

getLocation

No Privacy Concerns

Alice

A

Secret

club

Whatever!

A

Secret

club

6

def getLocation (user: User): Location = user.location

Jean Yang / Jeeves

getLocation

getLocation

Alice

Owner Viewer

Simple policy Only my

friends can

see my

location. A

Secret

club A

Secret

club


getLocation

Owner Viewer

Which policies

apply where?

Policy

interaction?

Finer-Grained Policies

Alice

Only my

friends can

see my

location. A

Only

members

know this

exists.

Secret

club

A

Diner

Not a

member!

Locations


Jeeves Mission

Make it easier for the

programmer to preserve

confidentiality of user data.


What’s Hard?

Function

Function

Scrubbed data

Data

Programmer check/filter


Scrubbed data

Functionality

and policy are

intertwined.


Scrubbed data

Our Solution

Function

Function

Scrubbed data

Data

Automatic

enforcement

Policy Separation of policies

from functionality

11



Tagged data

Jean Yang / Jeeves

Policy-Agnostic Programs def getLocation (user: User) (viewer: User)

: Location = {

if (isFriends user viewer) {

if (canSee user.location viewer) {

user.location;

} else { scrub(user.location, “Work”); }

} else { undisclosedLocation; }

}

12

def getLocation (user: User): Location =

user.location

Sta

te o

f th

e A

rt

Jeeves

Jean Yang / Jeeves

Talk Outline

Jeeves

language

How it

works

Coding in

Jeeves


Jeeves Language

Function

Function

Tagged data

Scrubbed data

Data Sensitive values 1

Policy Policies 2

Automatic

contextual

enforcement

3


| Secret

club

A

Low confidentiality High confidentiality

Diner

A

Diner Secret

club

Jeeves for Locations


val location: String = <“school” | “MIT”>a

level a in

Core Functionality

val msg: String = “Alice is at ” + location

Contextual Enforcement

print {alice} msg /* “Alice is at MIT” */

print {bob} msg /* “Alice is at school” */

Low component High component Policies

policy a: context != alice low

Using Jeeves

Level variable

{ low, high }

16

Sensitive Values

Jean Yang / Jeeves

Like a Butler…

“[Jeeves] lets a programmer delegate

privacy responsibilities and concentrate on

the actual function of their code,


much like a party host might entrust their

butler with ensuring the needs of each

guest are met so they can spend more

time socialising.”


Policy

Programmer is free to

focus on core functionality.

Jeeves

language

How it

works

Coding in

Jeeves

Talk Outline


How Jeeves Works

Function

Function

Symbolic

expressions

Concrete value

Symbolic values Constraints

Symbolic

evaluation

Implicit

parameter

Solver


Name Location

Alice MIT

Bob Facebook

Claire Google

Representing Sensitive

Values in Jeeves

Name Location

Alice ?|MITa

Bob Facebook

Claire ?|Googleb

Policy

Policy

Without Jeeves Jeeves


Runtime Environment

context != alice a = low … b = low

1 + ((x1 = Facebook) ? 1 : 0)

+ ((x2 = Facebook) ? 1 : 0)

Symbolic Evaluation for

Information Flow Name Location

Alice |a

Bob Facebook

Claire |b

How many people

are at Facebook? Outputs computed from

sensitive values are symbolic

& concretized under the policy

environment.


Jeeves Non-Interference

Guarantee

L | H a

Consider the sensitive value

Low component High component Level variable

Given a fixed L, all executions where a must be

low produce equivalent outputs no matter the

value of H.



More subtle design

decisions help with

writing real-world

programs.


Static Checks

Function

Function

Symbolic

expressions

Concrete value


Symbolic

evaluation

SMT solving

Symbolic values flow

only where expected.

Evaluation does not

introduce

nontermination.

Contexts are

well-formed.

Outputs are concrete.

Symbolic

expressions

Function

Function

Concrete value


A

Stateful Policies

Alice

Only people

near me can

see my

location.

policy a: ((distance context.loc alice.loc) > radius ) low

But Alice’s location is

changing…

Design Decision: Delay policy evaluation until output.

Secret

club



Circular Dependencies


| a GPS

coordinates

Unknown

location

alice.loc =

print {alice} alice.loc

alice.loc alice.loc

Circular dependency!




| a GPS

coordinates

Unknown

location

alice.loc =


Location unknown;

distance unknown;

a is low

Location is GPS coords;

distance is 0;

a is high

The policies permit

both solutions!




| a GPS

coordinates

Unknown

location

alice.loc =


Design Decision: Jeeves execution model

chooses outcome that

yields maximal

functionality.

Use default logic to

implement this…

Jeeves System

Function

Function

Symbolic

expressions

Concrete value

Data Policies

Jeeves

runtime

Output

Well-formed values.

Evaluation

produces well-

formed values.

Guarantee: outputs shown

according to policies. 31 Jean Yang / Jeeves


FINALLY.. I CAN FOCUS ON FUNCTIONALITY!

Jeeves

language

How it

works

Talk Outline

33

Coding in

Jeeves

Jean Yang / Jeeves

Implementation

+

v 3

Overload operators to

create symbolic expressions.

=

v 2

Runtime

Environment

SMT Solver

Use an SMT

solver as a

model finder.

print

Propagate policies.

Delay

evaluation of

policies until

output.

policy


JeevesLib in One Slide val aliceLoc = StringVal (“MIT")

val defaultLoc = StringVal (“school")}


print_concrete (alice, location) // “MIT” print_concrete (bob, location) // “school”

val location: Symbolic =

mkSensitive( a // Level variable

, aliceLoc // High-confidentiality value

, defaultLoc ) // Low-confidentiality value

val a = mkLevel () // Level variable

policy (a, !(CONTEXT === alice), LOW) // Policy

Conference

Management System


Papers Reviews Needs review

Reviewed

Accepted

Labels

The rest is just setting permissions…

Conf. Management

Permissions


Submission Review Rebuttal Public

Authors Reviewers Program

committee

JConf Backend

User Role

Paper Title

Author

Reviews

Tags

…

Policy

Policy

Policy

Review Reviewer

Content

Policy

Policy Context

Viewer: User

CStage: Stage Po

licy

Policy

ex. Submission

Core Program •Search papers.

•Display papers.

•Add and remove tags.

•Assign and submit reviews.

Fu

ncti

on

ality


Does not

need to

know about

policies.


Page as

rendered

for paper

reviewer

Page as

rendered

for paper

author

SQL

(Squeryl)

Jeeves

backend

Scalatra

frontend

Authors not

visible to

reviewer

Reviewer

not visible to

authors

Only author

can edit

Functionality vs. Policy File Total LOC Policy LOC

ConfUser.scala 212 21

PaperRecord.scala 304 75

PaperReview.scala 116 32

ConfContext.scala 6 0







Backend + Squeryl 800 0








Frontend (Scalatra) 629 0

Frontend (SSP) 798 0








Frontend (Scalatra) 629 0

Frontend (SSP) 798 0

Total 2865 128


< 5%

Future Directions


Integrity/robustness;

policy expression.

Language

Compiler

Push more work to compiler.

Runtime

Scaling: reduce role of solver;

optimize runtime for

anticipated use cases.

l

Jeeves Team


Armando

Solar-Lezama

Jean Yang Kuat Yessenov

Patrick Long,

Jesse Klimov

MIT PRIMES

Program

Conclusions

Website: sites.google.com/site/jeevesprogramming

Google Code: code.google.com/p/scalasmt

Contact: [email protected]

The Jeeves language:

separating

functionality from

privacy policies.

Language and runtime to

automatically enforce

privacy policies.

Implementation as

embedded DSL in Scala.

Early experience

using Jeeves:

conference

management system.


Backup Slides


Language Restrictions

Function

Function

Symbolic

expressions

Concrete value


Symbolic

evaluation

SMT solving

Constraints Symbolic values

Arithmetic and

Boolean constraints

with conditionals &

implications.

Primitives and objects.

No functions.


No functions,

quantifiers, or

theory of lists.


Program

L

a

Standard

Non-Interference

H1

H2

Hn-1

Hn

Does not depend

on the H-value

Output

Does not

depend on the

H-value

= low


Program

L

a

Jeeves

Non-Interference

H1

H2

Hn-1

Hn

= low

Output

Cannot distinguish

between H-values that

imply a = low

Depends on the

H-value


Program

L

a

Jeeves

Non-Interference

= low

Output

Program does not leak

information about H.

H

Technology

Jeeves Talk Spring 2012