Flexible Manipulation of Labeled Values for Information-Flow Control Libraries

The programming language Haskell plays a unique, privileged role in Information-Flow Control (IFC) research: it can enforce information security purely via libraries, without changes to the compiler or runtime. Many state-of-the-art libraries (e.g., LIO, HLIO, and MAC) allow computations to manipulate data with different security labels by introducing the notion of labeled values, which protect values with explicit labels by means of an abstract data type. While computations in such libraries have an underlying algebraic structure (i.e., they are monads), there is no research on algebraic structures for labeled values and their impact on the programming model. In this paper, we add the functor structure to labeled values, which allows programmers to conveniently and securely perform side-effect-free computations on such values, and an applicative operator, which extends this feature to multiple labeled values combined by a multi-parameter function. This functionality simplifies code, as it no longer forces programmers to spawn threads in order to manipulate sensitive data with side-effect-free operations. Additionally, we present a relabel primitive which securely modifies the label of a labeled value. This operation also simplifies code when aggregating data with heterogeneous labels, as it does not require spawning threads to do so. We provide mechanized proofs of the soundness of our contributions for the security library MAC, although we remark that our ideas apply to LIO and HLIO as well.
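The following sketch illustrates the programming model the abstract describes: labeled values as an abstract data type, a functor instance for side-effect-free computation on one labeled value, an applicative operator for combining several, and an upward-only relabel. It is an added example written for this page, not the MAC library's own code; the names (CanFlow, MAC, Labeled, label, unlabel, relabel, the two-point lattice L/H) and the decision to give Labeled a full Applicative instance including pure are assumptions chosen for illustration, and the MAC monad here is a pure wrapper rather than the IO wrapper a real library uses.

```haskell
{-# LANGUAGE MultiParamTypeClasses #-}
-- Added example (not MAC's own code): a minimal two-point-lattice IFC library
-- sketch showing functor, applicative and relabel on labeled values.
module LabeledSketch where

-- Two-point security lattice: L (public) and H (secret). Assumed names.
data L = L
data H = H

-- The flows-to relation, encoded as a method-less type class. The only
-- instances are L ⊑ L, L ⊑ H and H ⊑ H; there is deliberately no H ⊑ L.
class CanFlow l l'
instance CanFlow L L
instance CanFlow L H
instance CanFlow H H

-- A labeled value. In a real library the constructor is not exported, so the
-- only ways to build or inspect one are the operations below.
newtype Labeled l a = MkLabeled a

-- A computation running at security level l. Here it is a pure wrapper so the
-- example runs stand-alone; a real library wraps IO and hides runMAC.
newtype MAC l a = MAC { runMAC :: a }

instance Functor (MAC l) where
  fmap f (MAC a) = MAC (f a)

instance Applicative (MAC l) where
  pure = MAC
  MAC f <*> MAC a = MAC (f a)

instance Monad (MAC l) where
  MAC a >>= k = k a

-- Creating a labeled value at level l' from a computation at level l is
-- allowed only when l ⊑ l' (no write-down).
label :: CanFlow l l' => a -> MAC l (Labeled l' a)
label = pure . MkLabeled

-- Reading a value labeled l' inside a computation at level l is allowed only
-- when l' ⊑ l (no read-up).
unlabel :: CanFlow l' l => Labeled l' a -> MAC l a
unlabel (MkLabeled a) = pure a

-- Functor structure: a side-effect-free function is applied under the label,
-- and the result keeps exactly the same label. No thread at level l is needed.
instance Functor (Labeled l) where
  fmap f (MkLabeled a) = MkLabeled (f a)

-- Applicative structure: several labeled values with the same label are
-- combined by a multi-parameter function, again without changing the label.
instance Applicative (Labeled l) where
  pure = MkLabeled
  MkLabeled f <*> MkLabeled a = MkLabeled (f a)

-- relabel: change the label of a labeled value, but only upwards in the
-- lattice; the CanFlow constraint makes a downgrade a type error.
relabel :: CanFlow l l' => Labeled l a -> Labeled l' a
relabel (MkLabeled a) = MkLabeled a

-- Aggregating data with heterogeneous labels: the public value is relabeled
-- to H so it can be combined with the secret one via the applicative
-- operator. Without relabel and <*>, a computation at level H (in MAC, a
-- spawned thread) would be required just to add two numbers.
aggregate :: Labeled L Int -> Labeled H Int -> Labeled H Int
aggregate pub sec = (+) <$> relabel pub <*> sec

-- Only a computation at level H (or above) may observe the aggregate.
-- Swapping MAC H for MAC L below does not compile: there is no CanFlow H L.
readAggregate :: Labeled L Int -> Labeled H Int -> MAC H Int
readAggregate pub sec = unlabel (aggregate pub sec)

main :: IO ()
main = print (runMAC (readAggregate pub sec))
  where
    -- Constructed sample inputs; a real library would create these via label.
    pub = MkLabeled 1  :: Labeled L Int
    sec = MkLabeled 41 :: Labeled H Int
```

The security argument is visible in the types: fmap and <*> never change a label, and relabel only produces a label the source label flows to, so a value labeled H can never be turned into something a MAC L computation can unlabel. Trying to write `unlabel sec :: MAC L Int` or `relabel sec :: Labeled L Int` fails at compile time because no `CanFlow H L` instance exists.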

[1]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[2]  Deepak Garg,et al.  Progress-Sensitive Security for SPARK , 2016, ESSoS.

[3]  Alejandro Russo,et al.  Secure Multi-execution in Haskell , 2011, Ershov Memorial Conference.

[4]  Eugenio Moggi,et al.  Notions of Computation and Monads , 1991, Inf. Comput..

[5]  Alejandro Russo,et al.  Functional pearl: two can keep a secret, if one of them uses Haskell , 2015, ICFP.

[6]  D. Elliott Bell,et al.  Secure Computer System: Unified Exposition and Multics Interpretation , 1976 .

[7]  Eddie Kohler,et al.  Making information flow explicit in HiStar , 2006, OSDI '06.

[8]  Peng Li,et al.  Encoding information flow in Haskell , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[9]  Dominique Devriese,et al.  Information flow enforcement in monadic libraries , 2011, TLDI '11.

[10]  John Hughes,et al.  Why Functional Programming Matters , 1989, Comput. J..

[11]  Yuan Tian,et al.  Run-time Monitoring and Formal Analysis of Information Flows in Chromium , 2015, NDSS.

[12]  Andrew C. Myers,et al.  Jif: Java information flow , 1999 .

[13]  Lujo Bauer,et al.  Run-Time Enforcement of Information-Flow Properties on Android - (Extended Abstract) , 2013, ESORICS.

[14]  Kenneth Knowles,et al.  Faceted Dynamic Information Flow via Control and Data Monads , 2016, POST.

[15]  Donald E. Porter,et al.  Laminar: practical fine-grained decentralized information flow control , 2009, PLDI '09.

[16]  Arnar Birgisson,et al.  JSFlow: tracking information flow in JavaScript and its APIs , 2014, SAC.

[17]  Roland Wismüller,et al.  APEFS: An Infrastructure for Permission-Based Filtering of Android Apps , 2012, MobiSec.

[18]  François Pottier  A simple view of type-secure information flow in the π-calculus , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[19]  Benjamin C. Pierce,et al.  All Your IFCException Are Belong to Us , 2013, 2013 IEEE Symposium on Security and Privacy.

[20]  David Sands,et al.  Termination-Insensitive Noninterference Leaks More Than Just a Bit , 2008, ESORICS.

[21]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[22]  Koen Claessen,et al.  A library for light-weight information-flow security in Haskell , 2008, Haskell '08.

[23]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[24]  David Sands,et al.  Paragon for Practical Programming with Information-Flow Control , 2013, APLAS.

[25]  Nobuko Yoshida,et al.  Secure Information Flow as Typed Process Behaviour , 2000, ESOP.

[26]  Vincent Simonet The Flow Caml system , 2003 .

[27]  Geoffrey Smith,et al.  Secure information flow in a multi-threaded imperative language , 1998, POPL '98.

[28]  Ahmad-Reza Sadeghi,et al.  Flexible and Fine-grained Mandatory Access Control on Android for Diverse Security and Privacy Policies , 2013, USENIX Security Symposium.

[29]  Peter J. Denning,et al.  Certification of programs for secure information flow , 1977, CACM.

[30]  Deian Stefan,et al.  Flexible dynamic information flow control in Haskell , 2012, Haskell '11.

[31]  Alejandro Russo,et al.  A Library for Secure Multi-threaded Information Flow in Haskell , 2007, 20th IEEE Computer Security Foundations Symposium (CSF'07).

[32]  Timothy Bourke,et al.  seL4: From General Purpose to a Proof of Information Flow Enforcement , 2013, 2013 IEEE Symposium on Security and Privacy.

[33]  Conor McBride,et al.  Applicative programming with effects , 2008, J. Funct. Program..

[34]  Deian Stefan,et al.  Addressing covert termination and timing channels in concurrent information flow systems , 2012, ICFP '12.

[35]  Alejandro Russo,et al.  HLIO: mixing static and dynamic typing for information-flow control in Haskell , 2015, ICFP.

[36]  François Pottier,et al.  Information flow inference for ML , 2003, TOPL.

[37]  Deian Stefan,et al.  Protecting Users by Confining JavaScript with COWL , 2014, OSDI.

[38]  Peng Li,et al.  Arrows for secure information flow , 2010, Theor. Comput. Sci..

[39]  Eddie Kohler,et al.  Information flow control for standard OS abstractions , 2007, SOSP.