CT-T: A Clean-Slate Infrastructure for Information Flow Control

CT-T：用于信息流控制的全新基础设施

• 批准号: 0716806
• 负责人: David Mazières
• 金额: --
• 依托单位: Stanford University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2007
• 资助国家: 美国
• 起止时间: 2007-09-01 至 2011-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0716806&HistoricalAwards=false
• 关键词: CT; Clean; Slate; Infrastructure; Information

Experience shows that most programmers can't write secure code. Few applications have the luxury of being written by security-conscious programmers, and thus the vast majority of all software is untrustworthy. At the same time, operating systems and networks have spectacularly failed to control the damage caused by subverted software.However, one technique--information flow control--has proven capable of limiting damage by buggy and even malicious software. The military has long used this technique to protect sensitive data against Trojan horses, but retrofitting existing operating systems with information flow control is a lengthy and difficult process, often unable to keep pace with the evolution of commodity software.We intend to develop a clean-slate infrastructure for distributed applications in which the lowest-level abstractions are specifically designed to control information flow. We will re-think the architecture of operating systems, networks, and even processors to realize an infrastructure that relies on a small, highly-secure, and, at least in part, mechanically checkable trusted computing base. On top of this base, we will implement interfaces that resemble the network programming APIs to which Unix programmers are accustomed.Our infrastructure will aim to give programmers as much freedom as possible to structure their applications, subject only to information flow constraints. Our motivating application will be scalable Internet web sites replicated across multiple servers.

经验表明，大多数程序员都写不出安全的代码。很少有应用程序是由具有安全意识的程序员编写的，因此绝大多数软件都是不值得信任的。与此同时，操作系统和网络在控制被颠覆的软件所造成的损害方面明显失败。然而，有一种技术——信息流控制——已被证明能够限制漏洞甚至恶意软件的损害。军方长期以来一直使用这种技术来保护敏感数据免受特洛伊木马的侵害，但用信息流控制改造现有的操作系统是一个漫长而困难的过程，通常无法跟上商用软件的发展步伐。我们打算为分布式应用程序开发一个全新的基础设施，在这个基础设施中，最低级别的抽象是专门设计用来控制信息流的。我们将重新考虑操作系统、网络甚至处理器的体系结构，以实现依赖于一个小型的、高度安全的、至少在一定程度上是机械上可检查的可信计算基础的基础结构。在此基础之上，我们将实现类似于Unix程序员所习惯的网络编程api的接口。我们的基础架构旨在给程序员尽可能多的自由来构建他们的应用程序，只受信息流约束。我们的激励应用程序将是跨多个服务器复制的可扩展Internet网站。