DOI: 10.1145/2465106.2465121 (ACM Conference Proceedings, research article)

Faceted execution of policy-agnostic programs

Published: 20 June 2013

Abstract

It is important for applications to protect sensitive data. Even for simple confidentiality and integrity policies, it is often difficult for programmers to reason about how the policies should interact and how to enforce policies across the program. A promising approach is policy-agnostic programming, a model that allows the programmer to implement policies separately from core functionality. Yang et al. describe Jeeves, a programming language that supports information flow policies describing how to reveal sensitive values in different output channels. Jeeves uses symbolic evaluation and constraint-solving to produce outputs adhering to the policies. This strategy provides strong confidentiality guarantees but limits expressiveness and implementation feasibility.
We extend Jeeves with faceted values, which exploit the structure of sensitive values to yield both greater expressiveness and easier reasoning about runtime behavior. We present a faceted semantics for Jeeves and describe a model for propagating multiple views of sensitive information through a program. We provide a proof of termination-insensitive non-interference and describe how the semantics facilitate reasoning about program behavior.
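To make the abstract's model concrete, the following is an added Python sketch of faceted evaluation; it is not code from the paper or from the Jeeves implementation. A sensitive value carries a high and a low facet, operations and branches propagate both views, and the policy is consulted only when a value is revealed on an output channel. The payroll domain, `POLICIES` and the `facet`/`fapply`/`fif`/`reveal` names are my own constructions.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict

@dataclass(frozen=True)
class Faceted:
    """<label ? high : low>: viewers allowed by label's policy see `high`, others `low`."""
    label: str
    high: Any
    low: Any

def facet(label: str, high: Any, low: Any) -> Any:
    """Build a facet; nested facets on the same label collapse to the consistent branch."""
    if isinstance(high, Faceted) and high.label == label:
        high = high.high
    if isinstance(low, Faceted) and low.label == label:
        low = low.low
    return high if high == low else Faceted(label, high, low)

def fapply(f: Callable[..., Any], *args: Any) -> Any:
    """Apply a pure function to possibly faceted arguments, once per facet."""
    for i, a in enumerate(args):
        if isinstance(a, Faceted):
            hi = fapply(f, *args[:i], a.high, *args[i + 1:])
            lo = fapply(f, *args[:i], a.low, *args[i + 1:])
            return facet(a.label, hi, lo)
    return f(*args)

def fif(cond: Any, then_fn: Callable[[], Any], else_fn: Callable[[], Any]) -> Any:
    """Branch on a faceted condition: both branches run, results join under the label."""
    return fapply(lambda c: then_fn() if c else else_fn(), cond)

def reveal(v: Any, policies: Dict[str, Callable[[Any], bool]], viewer: Any) -> Any:
    """Output channel: each label's policy picks the high or low facet for this viewer."""
    while isinstance(v, Faceted):
        v = v.high if policies[v.label](viewer) else v.low
    return v
# Constructed policy (hypothetical): only viewers with the HR role may see a salary.
POLICIES = {"salary": lambda viewer: viewer.get("role") == "hr"}

def payroll_report(true_salary: int) -> Dict[str, Any]:
    """Core logic written policy-agnostically: it never mentions who may see what."""
    salary = facet("salary", true_salary, 0)        # low facet: the public default
    senior = fapply(lambda s: s > 100_000, salary)
    bracket = fif(senior, lambda: "senior", lambda: "standard")
    bonus = fapply(lambda s, b: s // 10 if b == "senior" else s // 20, salary, bracket)
    return {"bracket": bracket, "bonus": bonus}

def render(true_salary: int, viewer: Dict[str, str]) -> Dict[str, Any]:
    """Disclosure point: policies are applied only here, not in the core logic."""
    return {k: reveal(v, POLICIES, viewer) for k, v in payroll_report(true_salary).items()}
```

Because both facets are carried through every operation and branch, a viewer the policy rejects sees the same output whatever the true salary, which is the non-interference property the paper proves for the full semantics.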

References

[1] Scalatra: A tiny Sinatra-like web framework for Scala. http://www.scalatra.org/.
[2] G. Antoniou. A tutorial on default logics. ACM Computing Surveys (CSUR), 31(4), 1999.
[3] A. Askarov and A. Myers. A semantic framework for declassification and endorsement. In European Symposium on Programming (ESOP), 2010.
[4] A. Askarov and A. Sabelfeld. Tight enforcement of information-release policies for dynamic languages. In IEEE Computer Security Foundations Symposium. IEEE Computer Society, 2009.
[5] A. Askarov, S. Hunt, A. Sabelfeld, and D. Sands. Termination-insensitive noninterference leaks more than just a bit. In ESORICS '08. Springer-Verlag, 2008.
[6] T. H. Austin and C. Flanagan. Multiple facets for dynamic information flow. In Symposium on Principles of Programming Languages (POPL), 2012.
[7] C. Barrett, A. Stump, and C. Tinelli. The SMT-LIB standard: Version 2.0. In SMT Workshop, 2010.
[8] A. Birgisson, A. Russo, and A. Sabelfeld. Capabilities for information flow. In Workshop on Programming Languages and Analysis for Security (PLAS), 2011.
[9] N. Broberg and D. Sands. Flow locks: Towards a core calculus for dynamic flow policies. In European Symposium on Programming (ESOP), 2006.
[10] R. Capizzi, A. Longo, V. Venkatakrishnan, and A. Sistla. Preventing information leaks through shadow executions. In Annual Computer Security Applications Conference (ACSAC), December 2008.
[11] M. Carbin, D. Kim, S. Misailovic, and M. Rinard. Proving acceptability properties of relaxed nondeterministic approximate programs. In Conference on Programming Language Design and Implementation (PLDI), 2012.
[12] J. Chen, R. Chugh, and N. Swamy. Type-preserving compilation of end-to-end verification of security enforcement. In Conference on Programming Language Design and Implementation (PLDI), 2010.
[13] A. Chlipala. Static checking of dynamically-varying security policies in database-backed applications. In USENIX Conference on Operating Systems Design and Implementation (OSDI), 2012.
[14] S. Chong and A. C. Myers. Security policies for downgrading. In Conference on Computer and Communications Security (CCS), 2004.
[15] D. E. Denning. A lattice model of secure information flow. Commun. ACM, 19(5), 1976.
[16] D. E. Denning and P. J. Denning. Certification of programs for secure information flow. Commun. ACM, 20(7):504--513, 1977.
[17] D. Devriese and F. Piessens. Noninterference through secure multi-execution. In IEEE Symposium on Security and Privacy, 2010.
[18] J. Fischer, R. Majumdar, and S. Esmaeilsabzali. Engage: a deployment management system. In Conference on Programming Language Design and Implementation (PLDI), 2012.
[19] N. Foster, R. Harrison, M. J. Freedman, C. Monsanto, J. Rexford, A. Story, and D. Walker. Frenetic: a network programming language. In International Conference on Functional Programming (ICFP), 2011.
[20] G. L. Guernic, A. Banerjee, T. P. Jensen, and D. A. Schmidt. Automata-based confidentiality monitoring. In ASIAN, 2006.
[21] M. Hanus, H. Kuchen, J. J. Moreno-Navarro, R. Aachen, and I. Ii. Curry: A truly functional logic language, 1995.
[22] N. Heintze and J. G. Riecke. The SLam calculus: Programming with secrecy and integrity. In Symposium on Principles of Programming Languages (POPL), 1998.
[23] S. Hunt and D. Sands. On flow-sensitive security types. In Symposium on Principles of Programming Languages (POPL), 2006.
[24] V. Kashyap, B. Wiedermann, and B. Hardekopf. Timing- and termination-sensitive secure information flow: Exploring a new approach. In IEEE Symposium on Security and Privacy, 2011.
[25] G. Kiczales, J. Lamping, A. Mendhekar, C. Maeda, C. V. Lopes, J.-M. Loingtier, and J. Irwin. Aspect-Oriented Programming. In ECOOP, 1997.
[26] A. Köksal, V. Kuncak, and P. Suter. Constraints as control. In Symposium on Principles of Programming Languages (POPL), 2012.
[27] C. Kolbitsch, B. Livshits, B. Zorn, and C. Seifert. Rozzle: De-cloaking internet malware. Technical Report MSR-TR-2011-94, Microsoft Research, 2011.
[28] J. Liu, M. D. George, K. Vikram, X. Qi, L. Waye, and A. C. Myers. Fabric: a platform for secure distributed computation and storage. In Symposium on Operating System Principles (SOSP), 2009.
[29] J. W. Lloyd. Programming in an integrated functional and logic language. Journal of Functional and Logic Programming, 3, 1999.
[30] F. McSherry. Privacy integrated queries: an extensible platform for privacy-preserving data analysis. In International Conference on Management of Data (SIGMOD), 2009.
[31] A. Milicevic, D. Rayside, K. Yessenov, and D. Jackson. Unifying execution of imperative and declarative code. In International Conference on Software Engineering (ICSE), 2011.
[32] S. Moore, A. Askarov, and S. Chong. Precise enforcement of progress-sensitive security. In ACM Conference on Computer and Communications Security, pages 881--893, 2012.
[33] L. D. Moura and N. Björner. Z3: An efficient SMT solver. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS), 2008.
[34] A. C. Myers. JFlow: Practical mostly-static information flow control. 1999.
[35] P. Naldurg and R. K. R. Seal: a logic programming framework for specifying and verifying access control models. In ACM Symposium on Access Control Models and Technologies, pages 83--92, 2011.
[36] A. Nanevski, A. Banerjee, and D. Garg. Verification of information flow and access control policies with dependent types. In IEEE Symposium on Security and Privacy, 2011.
[37] M. Odersky, P. Altherr, V. Cremet, B. Emir, S. Maneth, S. Micheloud, N. Mihaylov, M. Schinz, E. Stenman, and M. Zenger. An overview of the Scala programming language. Technical report, Citeseer, 2004.
[38] F. Pottier and V. Simonet. Information flow inference for ML. ACM Transactions on Programming Languages and Systems (TOPLAS), 25(1), 2003.
[39] W. Rafnsson and A. Sabelfeld. Limiting information leakage in event-based communication. In Workshop on Programming Languages and Analysis for Security (PLAS). ACM, 2011.
[40] A. Russo and A. Sabelfeld. Dynamic vs. static flow-sensitive security analysis. In IEEE Computer Security Foundations Symposium. IEEE Computer Society, 2010.
[41] A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 21(1), 2003.
[42] P. Shroff, S. F. Smith, and M. Thober. Dynamic dependency monitoring to secure information flow. In CSF, 2007.
[43] G. Smith. Principles of secure information flow analysis. In M. Christodorescu, S. Jha, D. Maughan, D. Song, and C. Wang, editors, Malware Detection, volume 27 of Advances in Information Security, pages 291--307. Springer, 2007. ISBN 978-0-387-32720-4.
[44] Z. Somogyi, F. J. Henderson, and T. C. Conway. Mercury, an efficient purely declarative logic programming language. In Australian Computer Science Conference, 1995.
[45] N. Swamy, J. Chen, C. Fournet, P.-Y. Strub, K. Bhargavan, and J. Yang. Secure distributed programming with value-dependent types. In International Conference on Functional Programming (ICFP), 2011.
[46] J. Vaughan and S. Chong. Inference of expressive declassification policies. In IEEE Symposium on Security and Privacy, 2011.
[47] D. Volpano, C. Irvine, and G. Smith. A sound type system for secure flow analysis. Journal of Computer Security, 4(2-3), 1996.
[48] J. Yang, K. Yessenov, and A. Solar-Lezama. A language for automatically enforcing privacy policies. In Symposium on Principles of Programming Languages (POPL), 2012.
[49] A. Yip, X. Wang, N. Zeldovich, and M. F. Kaashoek. Improving application security with data flow assertions. In Symposium on Operating System Principles (SOSP), 2009.
[50] S. Zdancewic. A type system for robust declassification. In 19th Mathematical Foundations of Programming Semantics Conference, 2003.
[51] D. Zhang, A. Askarov, and A. C. Myers. Predictive mitigation of timing channels in interactive systems. In Conference on Computer and Communications Security (CCS), 2011.

Published In

PLAS '13: Proceedings of the Eighth ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, June 2013, 96 pages. ISBN 9781450321440. DOI: 10.1145/2465106.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. language design
  2. privacy
  3. run-time system
  4. security

Qualifiers

  • Research-article

Conference

PLDI '13

Acceptance Rates

PLAS '13 paper acceptance rate: 8 of 14 submissions (57%).
Overall acceptance rate: 43 of 77 submissions (56%).
