Toward Secure Services from Untrusted Developers

We present a secure service prototype built from untrusted, contributed code. The service manages private data for a variety of different users, and user programs frequently require access to other users’ private data. However, aside from covert timing channels, no part of the service can corrupt private data or leak it between users or outside the system without permission from the data’s owners. Instead, owners may choose to reveal their data in a controlled manner. This application model is demonstrated by Muenster, a job search website that protects both the integrity and secrecy of each user’s data. In spite of running untrusted code, Muenster and other services can prevent overt leaks because the untrusted modules are constrained by the operating system to follow pre-specified security policies, which are nevertheless flexible enough for programmers to do useful work. We build Muenster atop Asbestos, a recently described operating system based on a form of decentralized information flow control [5].