Project Laminar


Laminar is the first system to implement the decentralized information flow control (DIFC) model using a single set of abstractions for OS resources and heap-allocated objects. Programmers express security policies by labeling data with secrecy and integrity labels, and then access the labeled data in lexically scoped security regions. Laminar enforces the security policies specified by the labels at runtime. Laminar is implemented using a modified Java virtual machine and a new Linux security module. Security regions ease incremental deployment and limit dynamic security checks. In our case studies, we found that Laminar lets us retrofit DIFC policies onto applications while changing less than 10% of the code. These modified applications incur performance overheads from 1% to 56%.
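The labeling and region model described above can be sketched as a small runtime check. This is an added illustration in Python, not Laminar's Java API or code from the project: `Label`, `Labeled`, `security_region`, and `can_flow` are hypothetical names, and the flow rule is the standard DIFC subset check. Assumptions: a single thread, and no mechanism for changing labels.

```python
from contextlib import contextmanager
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    secrecy: frozenset = frozenset()
    integrity: frozenset = frozenset()

def can_flow(src, dst):
    # DIFC rule: a flow may add secrecy tags and drop integrity tags, never the reverse.
    return src.secrecy <= dst.secrecy and dst.integrity <= src.integrity

_regions = [Label()]  # bottom entry: unlabeled code outside any region

@contextmanager
def security_region(secrecy=(), integrity=()):
    _regions.append(Label(frozenset(secrecy), frozenset(integrity)))
    try:
        yield  # the labels hold only inside the `with` body
    finally:
        _regions.pop()

class Labeled:
    def __init__(self, value, secrecy=(), integrity=()):
        self.label = Label(frozenset(secrecy), frozenset(integrity))
        self._value = value
    def read(self):  # flow: object -> current region
        if not can_flow(self.label, _regions[-1]):
            raise PermissionError("read would leak labeled data")
        return self._value
    def write(self, value):  # flow: current region -> object
        if not can_flow(_regions[-1], self.label):
            raise PermissionError("write would violate the object's label")
        self._value = value

def demo():
    salary, log = Labeled(90000, secrecy={"hr"}), Labeled("")  # constructed data
    out = []
    with security_region(secrecy={"hr"}):
        out.append(salary.read())        # region carries the hr tag: allowed
        try:
            log.write("saw salary")      # hr-tainted region -> public object
        except PermissionError:
            out.append("write blocked")
    try:
        salary.read()                    # unlabeled code outside the region
    except PermissionError:
        out.append("read blocked")
    return out
```

Because every check runs against the innermost region's labels, code outside a region never triggers a grant, which is the property that lets checks be confined to the regions.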