Enforcing Information Flow Policies with Type-Targeted Program Synthesis

We present a technique for static enforcement of high-level, declarative information flow policies. Given a program that manipulates sensitive data and a set of declarative policies on the data, our technique automatically inserts policy-enforcing code throughout the program to make it provably secure with respect to the policies. We achieve this through a new approach we call type-targeted program synthesis, which enables the application of traditional synthesis techniques in the context of global policy enforcement. The key insight is that, given an appropriate encoding of policy compliance in a type system, we can use type inference to decompose a global policy enforcement problem into a series of small, local program synthesis problems that can be solved independently. We implement this approach in Lifty, a core DSL for data-centric applications. Our experience using the DSL to implement three case studies shows that (1) Lifty's centralized, declarative policy definitions make it easier to write secure data-centric applications, and (2) the Lifty compiler is able to efficiently synthesize all necessary policy-enforcing code, including the code required to prevent several reported real-world information leaks.

[1]  Ranjit Jhala,et al.  Refinement types for Haskell , 2014, ICFP.

[2]  Somesh Jha,et al.  Retrofitting legacy code for authorization policy enforcement , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[3]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[4]  Koen Claessen,et al.  A library for light-weight information-flow security in haskell , 2008, Haskell '08.

[5]  Deian Stefan,et al.  Building secure systems with LIO (demo) , 2014, Haskell '14.

[6]  Xi Wang,et al.  Improving application security with data flow assertions , 2009, SOSP '09.

[7]  Borzoo Bonakdarpour,et al.  Runtime Verification of k-Safety Hyperproperties in HyperLTL , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[8]  William R. Harris,et al.  DIFC programs by automatic instrumentation , 2010, CCS '10.

[9]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[10]  Ranjit Jhala,et al.  Local refinement typing , 2017, Proc. ACM Program. Lang..

[11]  Armando Solar-Lezama,et al.  Faceted execution of policy-agnostic programs , 2013, PLAS '13.

[12]  Armando Solar-Lezama,et al.  A language for automatically enforcing privacy policies , 2012, POPL '12.

[13]  Limin Jia,et al.  Encoding information flow in Aura , 2009, PLAS '09.

[14]  Adam Chlipala,et al.  Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications , 2010, OSDI.

[15]  Sumit Gulwani,et al.  FlashRelate: extracting relational data from semi-structured spreadsheets using examples , 2015, PLDI.

[16]  Sumit Gulwani,et al.  Automating string processing in spreadsheets using input-output examples , 2011, POPL '11.

[17]  Juan Chen,et al.  Type-preserving compilation of end-to-end verification of security enforcement , 2010, PLDI '10.

[18]  Juan Chen,et al.  Enforcing Stateful Authorization and Information Flow Policies in Fine , 2010, ESOP.

[19]  Isil Dillig,et al.  Component-based synthesis of table consolidation and transformation tasks from examples , 2016, PLDI.

[20]  Isil Dillig,et al.  Explain: A Tool for Performing Abductive Inference , 2013, CAV.

[21]  Deian Stefan,et al.  Hails: Protecting Data Privacy in Untrusted Web Applications , 2012, OSDI.

[22]  Kamalika Chaudhuri,et al.  Learning to Blame: Localizing Novice Type Errors with Data-Driven Diagnosis , 2017 .

[23]  Arjun Radhakrishna,et al.  Scaling Enumerative Program Synthesis via Divide and Conquer , 2017, TACAS.

[24]  François Pottier,et al.  Information flow inference for ML , 2003, TOPL.

[25]  Somesh Jha,et al.  Efficient Runtime Policy Enforcement Using Counterexample-Guided Abstraction Refinement , 2012, CAV.

[26]  Ruzica Piskac,et al.  Complete functional synthesis , 2010, PLDI '10.