ABSTRACT
Protecting the confidentiality of data has become increasingly important for computing systems. Information-flow techniques have been developed over the years to achieve that purpose, leading to special-purpose languages that guarantee information-flow security in programs. However, rather than producing a new language from scratch, information-flow security can also be provided as a library. This has been done previously in Haskell using the arrow framework. In this paper, we show that arrows are not necessary to design such libraries and that a less general notion, namely monads, is sufficient to achieve the same goals. We present a monadic library that provides information-flow security for Haskell programs. The library introduces mechanisms to protect the confidentiality of data in pure computations, which we then easily and modularly extend to deal with side effects. We also present combinators to dynamically enforce different declassification policies when information must be released in a controlled manner. It is possible to enforce policies governing what information is released, by whom, and when, or a combination of these. The well-known concept of monads, together with the light-weight character of our approach, makes the library suitable for building applications where the confidentiality of data is an issue.
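As an added illustration of the monadic design the abstract describes (this is a sketch written for this page, not the library's own code, whose API differs): a `Sec` monad whose constructor stays inside a trusted module, a type-level lattice `L <= H` so that data can only flow upwards, and one declassification combinator implementing a "what" policy. The types, level names and the `declassifyLength` hatch are all assumptions of this sketch.

```haskell
{-# LANGUAGE MultiParamTypeClasses, FlexibleInstances #-}
-- Added example, not the paper's SecLib. The constructor MkSec is deliberately
-- not exported: untrusted code can only use the operations listed here.
module SecSketch (Sec, open, up, L(..), H(..), Less, declassifyLength, demo) where

-- Security levels as types; their value constructors act as the "key" for open.
data L = L   -- low (public)
data H = H   -- high (secret)

-- A value of type `Sec s a` is an `a` that may be observed only at level s.
newtype Sec s a = MkSec a

instance Functor (Sec s) where fmap f (MkSec a) = MkSec (f a)
instance Applicative (Sec s) where
  pure = MkSec
  MkSec f <*> MkSec a = MkSec (f a)
instance Monad (Sec s) where
  MkSec a >>= f = f a             -- bind never changes the level s

-- Opening a value requires a witness of its exact level, which trusted code controls.
open :: Sec s a -> s -> a
open (MkSec a) _ = a

-- The lattice L <= H, encoded as a class with exactly these instances.
class Less sl sh
instance Less L L
instance Less L H
instance Less H H

-- Information may only flow upwards (L -> H); there is no instance Less H L.
up :: Less sl sh => Sec sl a -> Sec sh a
up (MkSec a) = MkSec a

-- A "what" declassification policy: only the length of a secret string is released.
-- Untrusted code may call this hatch but cannot build its own, lacking MkSec.
declassifyLength :: Sec H String -> Sec L Int
declassifyLength (MkSec s) = MkSec (length s)

-- Combining secret and public data stays secret; only the hatch reaches level L.
demo :: Int
demo = open (declassifyLength combined) L   -- evaluates to 9
  where
    secret   = MkSec "hunter2" :: Sec H String   -- constructed sample secret
    public   = MkSec "!!"      :: Sec L String   -- constructed public input
    combined = do s <- secret; p <- up public; return (s ++ p)  -- :: Sec H String
    -- open combined L   -- rejected by the type checker: combined has level H
```

The commented-out `open combined L` is the point of the design: a leak of high data to a low observer is a type error rather than a runtime check, while `declassifyLength` is the single, auditable place where release happens.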
A library for light-weight information-flow security in Haskell (Haskell '08)