Archive for May, 2010

Capsules: Designing Web Applications For Review

Sunday, May 2nd, 2010

I just came back from WWW 2010 where I presented a research project I’ve been working on for the majority of my undergraduate years. The project is about building web applications with high level security properties that can be verified in a code review. This post is about the project and why I think it’s really cool.

I’d like to start off by convincing you that we need web applications with verifiable high-level security properties. First, what is a high level security property? It’s an application-specific guarantee about the privacy and integrity of user data maintained by the application. For example, as a user of an online banking application, I’d like some assurance that I cannot lose money unless I have authorized a transaction. I’d also like some guarantee that only I can view my account balances and transaction histories. These are high-level properties regarding the integrity and privacy of my data. And these are the kinds of guarantees that we want with our web applications; it’s not enough to just defend an app from XSS and CSRF.

Since these properties can be violated by the application itself (as opposed to external attackers), we have to make sure that the application does not violate them. This requires a code review. Unfortunately, with state-of-the-art technologies, and with sophisticated, complex applications, these code reviews are incredibly challenging. I would argue that they are infeasible. Why? Because verifying that a high-level property is achieved involves an exhaustive review of the application. With current application architectures, every object has the privileges necessary to violate whatever security property we’re interested in. In order to guarantee that the application satisfies a property, we therefore have to make sure that the entire application does not violate it. Since applications are enormous, this is very challenging.

My project looked at making these code reviews easier by partitioning an application into components and granting only specific privileges to each component. Partitioning an application and exposing limited privileges facilitates a code review because now only parts of the application have the privileges needed to violate any particular security property. Auditors may not even have to look at certain application modules because they can guarantee a priori that those modules cannot violate the properties we are interested in.

All we’re doing here is bringing the idea of least privilege to web applications. We used an object capability approach to achieving least privilege in application components. Our goal was to confine each application component to a reduced-privilege context. We took a multi-faceted approach. First, we prevented application components from constructing additional privilege. We did this by requiring that applications are written in an object-capability language (in our case Joe-E). Second, we prevented the application from maintaining state outside of a semi-persistent session object (by semi-persistent, I mean that it lives in memory but is maintained across multiple HTTP requests). Combined, these two properties imply that all privileges to user data and resources must reside within the session object. Finally, we use wrapper objects to expose only a subset of the session object to each application component. This effectively confines each application component to a reduced-privilege context.

In terms of implementation, we built Capsules, a prototype framework that extends the Java Servlet Framework with these ideas. As mentioned, we require that applications are written in Joe-E, an object capability subset of Java. We use several Joe-E features to achieve the three aspects of our approach. First, Joe-E prevents objects from constructing privileges from scratch. Secondly, Joe-E allows us to declare application components (called Servlets) as immutable, which, in short, means that they cannot maintain state. Finally, Joe-E allows us to construct wrapper objects that actually encapsulate their internal state, so that Servlets must go through the interfaces exposed by the wrapper rather than using reflection to obtain a reference to the underlying session object. In this way, Joe-E helps us establish these reduced-privilege contexts.

We also conducted an evaluation of this framework by building a simple web mail application and verifying that the application maintains the privacy and integrity of user mailboxes. In this analysis, we discovered that there were several application components that we could completely ignore, simply because they had no way to violate the privacy and integrity properties. While our application was simple, we believe that this kind of analysis will also apply to more sophisticated applications, making it more practical to review these kinds of high-level properties.
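The three mechanisms described above (no privilege constructed from scratch, stateless servlets, and wrapper objects that expose only a slice of the session), together with the web mail evaluation, as an added example. This is constructed illustration code written in plain Java, not code from the Capsules framework or the paper; every class name in it (Session, InboxView, Sender, ShowInboxServlet, ComposeServlet, Dispatcher) is invented here. The rules that Joe-E would enforce at compile time are only stated in comments, since plain Java does not enforce them.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Constructed illustration of the Capsules idea in plain Java. In Joe-E the
// verifier would additionally reject mutable static fields, reflective access to
// private fields, and servlets that hold mutable state; here those rules are
// only documented in comments.

/** The session: the single place where every privilege over user data lives. */
final class Session {
    private final String user;                         // the authenticated user
    private final Map<String, List<String>> mailboxes; // owner -> messages

    Session(String user, Map<String, List<String>> mailboxes) {
        this.user = user;
        this.mailboxes = mailboxes;
    }

    String user() { return user; }

    /** Full authority: read any user's mailbox. Only the session and its wrappers see this. */
    List<String> readMailbox(String owner) {
        return mailboxes.getOrDefault(owner, Collections.emptyList());
    }

    /** Full authority: append a message to any user's mailbox. */
    void deliver(String owner, String message) {
        mailboxes.computeIfAbsent(owner, k -> new ArrayList<>()).add(message);
    }
}

/** Attenuating wrapper: read-only access to the logged-in user's own mailbox, nothing else. */
final class InboxView {
    private final Session session; // private, so a holder of the view cannot recover the Session
    InboxView(Session session) { this.session = session; }

    List<String> messages() {
        return Collections.unmodifiableList(session.readMailbox(session.user()));
    }
}

/** Attenuating wrapper: send mail as the logged-in user; cannot read any mailbox. */
final class Sender {
    private final Session session;
    Sender(Session session) { this.session = session; }

    void send(String recipient, String body) {
        session.deliver(recipient, "From " + session.user() + ": " + body);
    }
}

/** Component with no fields at all: it has nowhere to keep state across requests. */
final class ShowInboxServlet {
    String render(InboxView inbox) {
        return String.join("\n", inbox.messages());
    }
}

/** Handed only a Sender, so an audit of the mailbox-privacy property can skip this component. */
final class ComposeServlet {
    String handle(Sender sender, String to, String body) {
        sender.send(to, body);
        return "sent";
    }
}

/** Trusted dispatcher: the only code that touches the whole Session; it hands each servlet its slice. */
final class Dispatcher {
    static String route(Session session, String path, Map<String, String> params) {
        switch (path) {
            case "/inbox":   return new ShowInboxServlet().render(new InboxView(session));
            case "/compose": return new ComposeServlet().handle(new Sender(session),
                                     params.get("to"), params.get("body"));
            default:         return "404";
        }
    }

    public static void main(String[] args) {
        Map<String, List<String>> store = new HashMap<>();           // constructed sample data
        store.put("alice", new ArrayList<>(List.of("hello alice")));
        Session alice = new Session("alice", store);

        Map<String, String> form = new HashMap<>();
        form.put("to", "bob");
        form.put("body", "lunch?");
        System.out.println(Dispatcher.route(alice, "/compose", form)); // sent
        System.out.println(Dispatcher.route(alice, "/inbox", form));   // hello alice
        System.out.println(new Session("bob", store).readMailbox("bob")); // [From alice: lunch?]
    }
}
```

The review argument works by looking at what each servlet is handed rather than at its body: ComposeServlet receives only a Sender, which has no read method, so it cannot leak mailbox contents; ShowInboxServlet receives only an InboxView, which is tied to the session owner and returns an unmodifiable list, so it can neither read another user's mail nor change anyone's. Only Dispatcher and the wrappers need a close audit. In plain Java this reasoning has two holes that the post attributes to Joe-E's restrictions: reflection could pull the private session field out of a wrapper, and a servlet could stash a Session in a static field to use on a later request. Removing those escapes is what makes the wrapper the only path to the underlying privilege.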

So that’s an overview of the Capsules project. I’ve omitted most of the technical details so that I could concisely convey the main points. If you are interested, I encourage you to read our paper or see the slides for my talk (although I don’t think the slides will be very helpful apart from the pretty pictures). Finally, please feel free to contact me if you have questions or are interested in talking to me about the project.

Grad School Stuff V: Choosing a School

Saturday, May 1st, 2010

Now that you’ve visited all of the schools you’ve been admitted to, it’s time to make a decision. For some people, this is a really easy process, for others (like me) this is incredibly difficult. A lot of people that I talked to made their decisions for various factors that didn’t really apply to me (i.e. family, girlfriend, etc.). If these “external” factors apply, then you’ll probably look at things like research and prestige.

Note: This article will be predominantly about my personal experience. I don’t really have any experience to talk about anything else. However, I think there may be some takeaways that are more generally applicable.

Disclaimer: A lot of this article is about my perception of graduate schools based on very short visits. At this point, I have no way of confirming these perceptions and I encourage you to make your own observations and come up with your own perceptions. I also do not intend to offend anyone at any of the schools I write about.

For me, the decision was ultimately between Carnegie Mellon University and MIT. While I visited both Princeton and the University of Washington, and both are excellent schools, I decided not to consider them for various reasons. I felt that I would not be happy at Princeton because there isn’t really much around except for the school and I felt that the students lived almost like undergrads, which I definitely didn’t want. At UW, there was only one professor who I was interested in working with and I felt it was kind of a risk to go to a school where there was only one potential advisor.

I really enjoyed my visit to CMU. First of all, my brother is a grad student there, so I got to hang out with him and meet a lot of his friends. I think part of the reason that I liked it so much was that his friends and the other students made me feel really welcome. Of course, I got to meet with several faculty members that I am interested in working with and I felt that I connected with some of them as well. It seemed like a much more friendly place and consequently, I left with a really warm feeling about the place.

I also enjoyed my visit to MIT but definitely less than the CMU one. The visit was less organized, which led me to believe that they didn’t care as much about their admits (and consequently their students). Further, I didn’t get to interact with nearly as many grad students as I did at other schools, and this led me to believe that the students were not as social as at other schools. At the same time, I met with a couple of professors that I was excited about working with, and of course, people are doing amazing research there. Ultimately, the social stuff doesn’t matter as much as the quality of research that I’ll be doing and I felt that by going to MIT I would have the opportunity to do really interesting stuff.

As I mentioned, I had a really hard time deciding between CMU and MIT. This was mostly because my intuition was telling me to choose CMU, but almost everyone else I talked to pushed me towards MIT. Usually, what other people think doesn’t really concern me, but for some reason this time it really made me doubt my gut; I think part of this was that my roommates were relentless in convincing me to choose MIT.

Ultimately, I decided on CMU for several reasons. For one, after reading several computational biology papers, I started to feel that I was more interested in the methods side of the field and less interested in the data side. The research going on at MIT is definitely more data-driven, whereas at CMU there are people interested in biological results as well as methods. In terms of methods, I’m interested in machine learning approaches and CMU is basically the place to be for machine learning research.

Additionally, I mentioned that I felt more welcome at CMU and along with this, I felt that I would fit in better socially there. I don’t think this should be discounted, because I’m going to be a grad student for several years; if I’m unhappy, I’m very likely to quit or leave with a masters, which is not my goal. Obviously, it’s hard to determine where you will be happy from just a visit weekend, but it’s still something you should think about. Anyway, when making a decision between similar programs (in terms of research), you may want to think about your expected happiness.

One reason that a lot of my friends pushed me towards MIT was this prestige issue. Certainly, MIT has a better reputation than CMU in the eyes of the general public. However, in the CS community, both schools are pretty equivalent and in the machine learning community, I would argue that CMU is a little more prestigious. I think a lot of people are inclined to think about this because attending a prestigious institution will open doors for you later on in life. For most degrees, I agree; however, for PhD programs, I’m not sure how true this is, especially when considering schools like MIT and CMU. Once you finish your doctorate, doors are going to open for you depending on the quality of your publications; your graduate institution will only help you insofar as it will influence your research.

One thing that helped me out a lot was talking to a bunch of people all over the place. I talked to my brother and a friend of his at CMU, friends at Berkeley, and people I knew at MIT. I also sent emails and had phone conversations with professors and other researchers at both CMU and MIT to get a better feel for what the environments were like at both places. Don’t hesitate to do this, but be aware that no one is going to make the decision for you. Most people you talk to will say something like, “Well you’re in a good place because you can’t go wrong.” While this is reassuring, it also doesn’t really help you in making a decision.

Finally, go with your intuition. That book “Blink” would recommend the same thing (I think). When you’re faced with a decision like I was, you really can’t go wrong and there are obviously some reasons why you’re tending to a particular place. Just go with it, I’m sure you’ll be happy.

———

I guess that’s the end of my series of posts on graduate school. I’d be really happy to hear whether people are finding this useful or not. Also if you have any comments or disagreeing opinions, please let me know.