Fable: A Language for Enforcing User-defined Security Policies

This paper presents FABLE, a core formalism for a programming language in which programmers may specify security policies and reason that these policies are properly enforced. In FABLE, security policies can be expressed by associating security labels with the data or actions they protect. Programmers define the semantics of labels in a separate part of the program called the enforcement policy. FABLE prevents a policy from being circumvented by allowing labeled terms to be manipulated only within the enforcement policy; application code must treat labeled values abstractly. Together, these features facilitate straightforward proofs that programs implementing a particular policy achieve their high-level security goals. FABLE is flexible enough to implement a wide variety of security policies, including access control, information flow, provenance, and security automata. We have implemented FABLE as part of the LINKS web programming language; we call the resulting language SELlNKS. We report on our experience using SELlNKS to build two substantial applications, a wiki and an on-line store, equipped with a combination of access control and provenance policies. To our knowledge, no existing framework enables the enforcement of such a wide variety of security policies with an equally high level of assurance.

[1]  Yves Bertot,et al.  Interactive Theorem Proving and Program Development: Coq'Art The Calculus of Inductive Constructions , 2010 .

[2]  Shane Markstrum,et al.  A framework for implementing pluggable type systems , 2006, OOPSLA '06.

[3]  David Aspinall,et al.  Advanced Topics in Types and Programming Languages , 2004 .

[4]  Michael Hicks,et al.  Verified Enforcement of Automaton-based Information Release Policies , 2008 .

[5]  David Brumley,et al.  Remote timing attacks are practical , 2003, Comput. Networks.

[6]  Robert E. Strom,et al.  Typestate: A programming language concept for enhancing software reliability , 1986, IEEE Transactions on Software Engineering.

[7]  James Cheney,et al.  Provenance as Dependency Analysis , 2007, DBPL.

[8]  John C. Mitchell,et al.  Foundations for programming languages , 1996, Foundation of computing series.

[9]  Andrew C. Myers,et al.  SIF: Enforcing Confidentiality and Integrity in Web Applications , 2007, USENIX Security Symposium.

[10]  Benjamin C. Pierce,et al.  Advanced Topics In Types And Programming Languages , 2004 .

[11]  Michael Hicks,et al.  Dynamic rebinding for marshalling and update, via redex-time and destruct-time reduction , 2007, Journal of Functional Programming.

[12]  Fritz Henglein,et al.  Type inference and semi-unification , 1988, LISP and Functional Programming.

[13]  Gregor Kiczales,et al.  Aspect-oriented programming , 2001, ESEC/FSE-9.

[14]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[15]  David A. Wagner,et al.  This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. Detecting Format String Vulnerabilities with Type Qualifiers , 2001 .

[16]  Cristina V. Lopes,et al.  Aspect-oriented programming , 1999, ECOOP Workshops.

[17]  J. Y. Girard,et al.  Interpretation fonctionelle et elimination des coupures dans l'aritmetique d'ordre superieur , 1972 .

[18]  Lennart Augustsson,et al.  Cayenne—a language with dependent types , 1998, ICFP '98.

[19]  Pierre Castéran,et al.  Interactive Theorem Proving and Program Development , 2004, Texts in Theoretical Computer Science An EATCS Series.

[20]  Alexander Aiken,et al.  Flow-sensitive type qualifiers , 2002, PLDI '02.

[21]  Simon L. Peyton Jones,et al.  The Implementation of Functional Programming Languages , 1987 .

[22]  Daniel F. Sterne,et al.  A Domain and Type Enforcement UNIX Prototype , 1995, Comput. Syst..

[23]  Trent Jaeger,et al.  Using CQUAL for Static Analysis of Authorization Hook Placement , 2002, USENIX Security Symposium.

[24]  David Walker,et al.  A type system for expressive security policies , 2000, POPL '00.

[25]  Xin Zheng,et al.  Secure web applications via automatic partitioning , 2007, SOSP.

[26]  Hongwei Xi,et al.  Applied Type System: Extended Abstract , 2003, TYPES.

[27]  Steve Zdancewic,et al.  Run-time principals in information-flow type systems , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[28]  Frank Pfenning,et al.  Dependent types in practical programming , 1999, POPL '99.

[29]  Andrew C. Myers,et al.  Dynamic Security Labels and Noninterference , 2004 .

[30]  Timothy Fraser,et al.  LOMAC: Low Water-Mark integrity protection for COTS environments , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[31]  Michael Hicks,et al.  Managing policy updates in security-typed languages , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[32]  Stephen Smalley,et al.  Integrating Flexible Support for Security Policies into the Linux Operating System , 2001, USENIX Annual Technical Conference, FREENIX Track.

[33]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[34]  Siva Sai Yerubandi,et al.  Differential Power Analysis , 2002 .

[35]  Peng Li,et al.  Downgrading policies and relaxed noninterference , 2005, POPL '05.

[36]  Boniface Hicks,et al.  Trusted declassification:: high-level policy for a security-typed language , 2006, PLAS '06.

[37]  William A. Arbaugh,et al.  Applying flow-sensitive CQUAL to verify MINIX authorization check placement , 2006, PLAS '06.

[38]  James Cheney,et al.  Provenance management in curated databases , 2006, SIGMOD Conference.

[39]  Andrew C. Myers,et al.  Jif: java information flow , 1999 .

[40]  Todd Millstein,et al.  Mechanized Metatheory for User-Defined Type Extensions ∗ , 2006 .

[41]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[42]  Robert Harper,et al.  Compiling polymorphism using intensional type analysis , 1995, POPL '95.

[43]  Zhendong Su,et al.  The essence of command injection attacks in web applications , 2006, POPL '06.

[44]  Cédric Fournet,et al.  Stack inspection: Theory and variants , 2003, TOPL.

[45]  David Sands,et al.  Dimensions and principles of declassification , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[46]  Andrew C. Myers,et al.  Protecting privacy using the decentralized label model , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[47]  Ninghui Li,et al.  Design of a role-based trust-management framework , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[48]  Dan Grossman,et al.  Syntactic type abstraction , 2000, TOPL.

[49]  François Pottier,et al.  Information flow inference for ML , 2003, TOPL.

[50]  Trent Jaeger,et al.  From Trusted to Secure: Building and Executing Applications That Enforce System Security , 2007, USENIX Annual Technical Conference.

[51]  Shane Markstrum,et al.  Semantic type qualifiers , 2005, PLDI '05.

[52]  Carl E. Landwehr The Best Available Technologies for Computer Security , 1983, Computer.

[53]  Matt Bishop,et al.  Computer Security: Art and Science , 2002 .

[54]  K J Biba,et al.  Integrity Considerations for Secure Computer Systems , 1977 .

[55]  Li Gong,et al.  Inside Java 2 Platform Security: Architecture, API Design, and Implementation , 1999 .

[56]  Philip Wadler,et al.  Links: Web Programming Without Tiers , 2006, FMCO.

[57]  Peng Li,et al.  Encoding information flow in Haskell , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).