Abstract
It is becoming increasingly important for applications to protect sensitive data. With current techniques, the programmer bears the burden of ensuring that the application's behavior adheres to policies about where sensitive values may flow. Unfortunately, privacy policies are difficult to manage because their global nature requires coordinated reasoning and enforcement. To address this problem, we describe a programming model that makes the system responsible for ensuring adherence to privacy policies. The programming model has two components: 1) core programs describing functionality independent of privacy concerns and 2) declarative, decentralized policies controlling how sensitive values are disclosed. Each sensitive value encapsulates multiple views; policies describe which views are allowed based on the output context. The system is responsible for automatically ensuring that outputs are consistent with the policies. We have implemented this programming model in a new functional constraint language named Jeeves. In Jeeves, sensitive values are introduced as symbolic variables and policies correspond to constraints that are resolved at output channels. We have implemented Jeeves as a Scala library using an SMT solver as a model finder. In this paper we describe the dynamic and static semantics of Jeeves and the properties about policy enforcement that the semantics guarantees. We also describe our experience implementing a conference management system and a social network.
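As an added illustration (not the paper's code and not the Jeeves API), a small Python model of the programming model the abstract describes: sensitive values that carry a high and a low view, policies attached as predicates on the output context, computation that stays symbolic, and resolution at the output channel. The conference-management scenario, the names `Sensitive`, `restrict`, `smap`, `concretize`, `make_paper` and `render`, and the context fields are assumptions.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Constructed, simplified model of the programming model in the abstract, not the
# Jeeves library's own API. A sensitive value carries a high view (the real data),
# a low view (shown when disclosure is not allowed) and declarative policies, each
# a predicate on the output context. Jeeves keeps values symbolic and resolves them
# with an SMT solver at output; here the resolution is a direct policy check.

Context = Dict[str, Any]

@dataclass
class Sensitive:
    high: Any
    low: Any
    policies: List[Callable[[Context], bool]] = field(default_factory=list)

def restrict(value: Sensitive, policy: Callable[[Context], bool]) -> Sensitive:
    """Attach a policy where the data is created (decentralized): the high view may
    be disclosed only when every attached policy holds for the output context."""
    value.policies.append(policy)
    return value

def smap(f: Callable[[Any], Any], value: Any) -> Any:
    """Core-program computation over a sensitive value: no view is chosen, the
    result stays sensitive and inherits the policies of its input."""
    if not isinstance(value, Sensitive):
        return f(value)
    return Sensitive(f(value.high), f(value.low), list(value.policies))

def concretize(ctx: Context, value: Any) -> Any:
    """Resolve a value at an output channel for the given output context."""
    if not isinstance(value, Sensitive):
        return value
    return value.high if all(p(ctx) for p in value.policies) else value.low

# Conference-management scenario (constructed): a paper's author list is visible to
# the authors themselves and to the PC chair, and shown as "anonymous" to reviewers.
def make_paper(title: str, authors: List[str]) -> Dict[str, Any]:
    author_view = restrict(
        Sensitive(high=authors, low=["anonymous"]),
        lambda ctx: ctx.get("viewer") in authors or ctx.get("role") == "chair",
    )
    return {"title": title, "authors": author_view}

def render(ctx: Context, paper: Dict[str, Any]) -> str:
    """Output channel: the core code never branches on the viewer; concretize does."""
    return f"{paper['title']} by {', '.join(concretize(ctx, paper['authors']))}"
```

Note that `smap(len, ...)` yields a sensitive count whose resolution depends on the same policy as the author list, which is the point of keeping values symbolic until output.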
A language for automatically enforcing privacy policies
POPL '12: Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages