Abstract
We present Lifty, a domain-specific language for data-centric applications that manipulate sensitive data. A Lifty programmer annotates the sources of sensitive data with declarative security policies, and the language statically and automatically verifies that the application handles the data according to those policies. Moreover, if verification fails, Lifty suggests a provably correct repair, thereby easing the programmer's burden of implementing policy-enforcing code throughout the application.
The main insight behind Lifty is to encode information flow control using liquid types, an expressive yet decidable type system. Liquid types enable fully automatic checking of complex, data-dependent policies, and power our repair mechanism via type-driven error localization and patch synthesis. Our experience using Lifty to implement three case studies from the literature shows that (1) the Lifty policy language is sufficiently expressive to specify many real-world policies, (2) the Lifty type checker is able to verify secure programs and find leaks in insecure programs quickly, and (3) even if the programmer leaves out all policy-enforcing code, the Lifty repair engine is able to patch all leaks automatically within a reasonable time.
Index Terms
Liquid information flow control