
Liquid information flow control

Published: 03 August 2020

Abstract

We present Lifty, a domain-specific language for data-centric applications that manipulate sensitive data. A Lifty programmer annotates the sources of sensitive data with declarative security policies, and the language statically and automatically verifies that the application handles the data according to those policies. Moreover, if verification fails, Lifty suggests a provably correct repair, thereby easing the programmer's burden of implementing policy-enforcing code throughout the application.

The main insight behind Lifty is to encode information flow control using liquid types, an expressive yet decidable type system. Liquid types enable fully automatic checking of complex, data-dependent policies, and they power our repair mechanism via type-driven error localization and patch synthesis. Our experience using Lifty to implement three case studies from the literature shows that (1) the Lifty policy language is sufficiently expressive to specify many real-world policies, (2) the Lifty type checker is able to verify secure programs and find leaks in insecure programs quickly, and (3) even if the programmer leaves out all policy-enforcing code, the Lifty repair engine is able to patch all leaks automatically within a reasonable time.
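As an added illustration of the workflow the abstract describes (annotate the sources, check every flow to a viewer, patch the leaks), here is a small Python model written for this page; it is not Lifty's own code or syntax. The policies, the paper records and the reviewer/chair roles are constructed, and where Lifty verifies statically over all possible data, this model simply enumerates a fixed set of records.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

# Toy model of the Lifty workflow in the abstract (added here; not Lifty's code):
# a sensitive field carries a policy, a predicate over viewer and record, so a
# policy may depend on the data itself (here: on the paper's review phase).
Policy = Callable[[str, dict], bool]
# Constructed policies for an assumed conference-paper domain.
POLICIES: Dict[str, Policy] = {
    "title": lambda viewer, paper: True,
    "authors": lambda viewer, paper: viewer == paper["chair"] or paper["phase"] == "decided",
    "score": lambda viewer, paper: viewer == paper["chair"],
}

@dataclass(frozen=True)
class Field:      # a read of a sensitive source in the program
    name: str
@dataclass(frozen=True)
class Guard:      # the patch the repair step wraps around a leaking read
    inner: Field
    default: str = "<redacted>"

Expr = Union[Field, Guard]
def leaks(program: List[Expr], viewer: str, papers: List[dict]) -> List[Field]:
    # A raw Field leaks if its policy fails for this viewer on any record checked
    # (Lifty reasons symbolically; this model enumerates). Guards never leak.
    return [e for e in program if isinstance(e, Field)
            and any(not POLICIES[e.name](viewer, p) for p in papers)]

def repair(program: List[Expr], viewer: str, papers: List[dict]) -> List[Expr]:
    # Wrap each leaking read in a Guard; reads that pass the check are untouched.
    bad = set(leaks(program, viewer, papers))
    return [Guard(e) if e in bad else e for e in program]

def evaluate(program: List[Expr], viewer: str, paper: dict) -> List[str]:
    # Run the (possibly repaired) program for one viewer on one record; a Guard
    # re-checks the policy and releases the default instead of the secret.
    out = []
    for e in program:
        if isinstance(e, Guard):
            allowed = POLICIES[e.inner.name](viewer, paper)
            out.append(str(paper[e.inner.name]) if allowed else e.default)
        else:
            out.append(str(paper[e.name]))
    return out

# Constructed records: one paper still under review, one already decided.
PAPERS = [
    {"title": "P1", "authors": "Alice", "score": 4, "chair": "chair", "phase": "review"},
    {"title": "P2", "authors": "Bob", "score": 2, "chair": "chair", "phase": "decided"},
]
PROGRAM = [Field("title"), Field("authors"), Field("score")]  # page shown to all viewers
```

Running `repair(PROGRAM, "reviewer", PAPERS)` leaves the title read alone and guards the author and score reads; the repaired program then passes `leaks` for a reviewer while still showing the chair everything.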


Supplemental Material

Presentation at ICFP '20

