Abstract
In this talk, I will present HiStar, a new operating system designed to enforce the security of user data in untrusted or malicious applications. For example, numerous web sites have had massive data compromises due to poorly written application code. HiStar can ensure that even malicious application code in a web server cannot disclose sensitive user data.
The key idea is to specify application security in terms of information flow, or what can happen to the data, and enforce it at a narrow kernel interface that makes all information flow explicit. HiStar shows that this is practical, by implementing a Unix environment in an untrusted user library whose security policies are enforced by HiStar's small kernel.
HiStar's information flow control allows small amounts of trusted application code to enforce security of complex, untrusted applications in a Unix-like environment. I will present HiStar's web server, where the only fully-trusted component is the kernel, and even if most components were malicious, they could not compromise user data. Time permitting, I will also describe how we scale this web server to multiple machines so that no machine is fully trusted.
Nickolai Zeldovich is a postdoctoral scholar at Stanford University in the Secure Computer Systems group. His research interests focus on security, operating systems, and distributed systems. He is currently working on HiStar, an operating system designed to enforce the security of user data in untrusted or malicious applications. In the past, he has worked on the Collective, a virtual machine-based computing infrastructure providing security, ease of management, and mobility.
This seminar is sponsored by the CS and ECE Departments.
Seminar Organizers: Jennifer Chen (ECE) and Susanne Wetzel (CS).