Title:
Practical Data-Leak Prevention for Legacy Applications in Enterprise Networks
Practical Data-Leak Prevention for Legacy Applications in Enterprise Networks
Author(s)
Mundada, Yogesh
Ramachandran, Anirudh
Tariq, Mukarram Bin
Feamster, Nick
Ramachandran, Anirudh
Tariq, Mukarram Bin
Feamster, Nick
Advisor(s)
Editor(s)
Collections
Supplementary to
Permanent Link
Abstract
Organizations must control where private information
spreads; this problem is referred to in the industry as
data leak prevention. Commercial solutions for DLP
are based on scanning content; these impose high overhead
and are easily evaded. Research solutions for this
problem, information flow control, require rewriting applications
or running a custom operating system, which
makes these approaches difficult to deploy. They also
typically enforce information flow control on a single
host, not across a network, making it difficult to implement
an information flow control policy for a network of
machines. This paper presents Pedigree, which enforces
information flow control across a network for legacy
applications. Pedigree allows enterprise administrators
and users to associate a label with each file and process;
a small, trusted module on the host uses these labels to
determine whether two processes on the same host can
communicate. When a process attempts to communicate
across the network, Pedigree tracks these information
flows and enforces information flow control either
at end-hosts or at a network switch. Pedigree allows
users and operators to specify network-wide information
flow policies rather than having to specify and implement
policies for each host. Enforcing information
flow policies in the network allows Pedigree to operate
in networks with heterogeneous devices and operating
systems. We present the design and implementation of
Pedigree, show that it can prevent data leaks, and investigate
its feasibility and usability in common environments.
Sponsor
Date Issued
2011
Extent
Resource Type
Text
Resource Subtype
Technical Report