TY - GEN
T1 - A software-hardware architecture for self-protecting data
AU - Chen, Yu Yuan
AU - Jamkhedkar, Pramod A.
AU - Lee, Ruby B.
PY - 2012
Y1 - 2012
N2 - We propose a software-hardware architecture, DataSafe, that realizes the concept of self-protecting data: data that is protected by a given policy whenever it is accessed by any application, including unvetted third-party applications. Our architecture provides dynamic instantiations of secure data compartments (SDCs), with hardware monitoring of the information flows from the compartment using hardware policy tags associated with the data at runtime. Unbypassable hardware output control prevents confidential information from being leaked out. Unlike previous hardware information flow tracking systems, the DataSafe software architecture bridges the semantic gap by supporting flexible, high-level software policies for the data, seamlessly translating these policies to efficient hardware tags at runtime. Applications need not be modified to interface to these software-hardware mechanisms. The DataSafe architecture is designed to prevent illegitimate secondary dissemination of protected plaintext data by authorized recipients, to track and protect data derived from sensitive data, and to provide lifetime enforcement of the confidentiality policies associated with the sensitive data.
KW - Architecture
KW - Information flow tracking
KW - Self-protecting data
UR - http://www.scopus.com/inward/record.url?scp=84869482676&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84869482676&partnerID=8YFLogxK
U2 - 10.1145/2382196.2382201
DO - 10.1145/2382196.2382201
M3 - Conference contribution
AN - SCOPUS:84869482676
SN - 9781450316507
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 14
EP - 27
BT - CCS'12 - Proceedings of the 2012 ACM Conference on Computer and Communications Security
T2 - 2012 ACM Conference on Computer and Communications Security, CCS 2012
Y2 - 16 October 2012 through 18 October 2012
ER -