Aura: A Programming Language with Authorization and Audit

Duration: 1 hour 5 mins 24 secs

Share this media item:

Embed this media item:

<iframe width="_width_" height="_height_" src="https://sms.cam.ac.uk/media/746018/embed" frameborder="0" scrolling="no" allowfullscreen></iframe>

Choose size:

About this item

Available Formats

About this item

Description:	http://www.talks.cam.ac.uk/talk/index/22090


Created:	2010-03-12 11:39
Collection:	Computer Laboratory Wednesday Seminars
Publisher:	University of Cambridge
Copyright:	University of Cambridge
Language:	eng (English)
Distribution:	World (downloadable)
Explicit content:	No
Aspect Ratio:	4:3
Screencast:	No
Bumper:	/sms-ingest/static/new-4x3-bumper.dv
Trailer:	/sms-ingest/static/new-4x3-trailer.dv


Abstract:	Existing mechanisms for authorizing and auditing the flow of information in networked computer systems are insufficient to meet the security requirements of high-assurance software systems. Current best practices typically rely on operating-system provided file permissions for authorization and an ad-hoc combination of OS and network-level (e.g. firewall-level) logging to generate audit trails. This talk will describe work on a security-oriented programming language called Aura that attempts to address this problem of auditable information flows in a more principled way. Aura supports a built-in notion of principal and its type system incorporates ideas from authorization logic and information-flow constraints. These features, together with the Aura run-time system, enforce strong information-flow policies while generating good audit trails. These audit trails record access-control decisions (such as uses of downgrading or declassification) that influence how information flows through the system. Aura’s programming model is intended to smoothly integrate information-flow and access control constraints with the cryptographic enforcement mechanisms necessary in a distributed computing environment. This is joint work with Jeff Vaughan, Limin Jia, Karl Mazurak, Jianzhou Zhou, Joseph Schorr, and Luke Zarko.

Abstract:

Existing mechanisms for authorizing and auditing the flow of information in networked computer systems are insufficient to meet the security requirements of high-assurance software systems. Current best practices typically rely on operating-system provided file permissions for authorization and an ad-hoc combination of OS and network-level (e.g. firewall-level) logging to generate audit trails.

This talk will describe work on a security-oriented programming language called Aura that attempts to address this problem of auditable information flows in a more principled way. Aura supports a built-in notion of principal and its type system incorporates ideas from authorization logic and information-flow constraints. These features, together with the Aura run-time system, enforce strong information-flow policies while generating good audit trails. These audit trails record access-control decisions (such as uses of downgrading or declassification) that influence how information flows through the system. Aura’s programming model is intended to smoothly integrate information-flow and access control constraints with the cryptographic enforcement mechanisms necessary in a distributed computing environment.

This is joint work with Jeff Vaughan, Limin Jia, Karl Mazurak, Jianzhou Zhou, Joseph Schorr, and Luke Zarko.

Available Formats

Format	Quality	Bitrate	Size
MPEG-4 Video	480x360	1.84 Mbits/sec	904.33 MB	View	Download
WebM	480x360	375.08 kbits/sec	178.57 MB	View	Download
Flash Video	480x360	806.3 kbits/sec	386.81 MB	View	Download
Flash Video	320x240	437.02 kbits/sec	209.66 MB	View	Download
iPod Video	480x360	505.24 kbits/sec	242.38 MB	View	Download
iPod Video	320x240	472.62 kbits/sec	226.73 MB	View	Download
MP3	44100 Hz	125.0 kbits/sec	59.76 MB	Listen	Download
Auto *	(Allows browser to choose a format it supports)

Streaming Media Service Upload

Aura: A Programming Language with Authorization and Audit