A language for automatically enforcing privacy policies

It is becoming increasingly important for applications to protect sensitive data. With current techniques, the programmer bears the burden of ensuring that the application's behavior adheres to policies about where sensitive values may flow. Unfortunately, privacy policies are difficult to manage because their global nature requires coordinated reasoning and enforcement. To address this problem, we describe a programming model that makes the system responsible for ensuring adherence to privacy policies. The programming model has two components: 1) core programs describing functionality independent of privacy concerns and 2) declarative, decentralized policies controlling how sensitive values are disclosed. Each sensitive value encapsulates multiple views; policies describe which views are allowed based on the output context. The system is responsible for automatically ensuring that outputs are consistent with the policies. We have implemented this programming model in a new functional constraint language named Jeeves. In Jeeves, sensitive values are introduced as symbolic variables and policies correspond to constraints that are resolved at output channels. We have implemented Jeeves as a Scala library using an SMT solver as a model finder. In this paper we describe the dynamic and static semantics of Jeeves and the properties about policy enforcement that the semantics guarantees. We also describe our experience implementing a conference management system and a social network.
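A toy model of the programming model the abstract describes, added here as an illustration (it is not the Jeeves Scala library or its API): sensitive values carry a high and a low view, policies are constraints on label variables evaluated against the output context, and a brute-force model finder standing in for the SMT solver resolves the labels at the output channel. The conference-management scenario, names and policies below are constructed.

```python
from dataclasses import dataclass, field
from itertools import product

HIGH, LOW = True, False

@dataclass(eq=False)  # eq=False keeps identity hashing so labels can key the assignment dict
class Label:
    name: str
    policies: list = field(default_factory=list)  # each: resolved output context -> bool

@dataclass
class Sensitive:  # one value, two views; the resolved label decides which view an output sees
    label: Label
    high: object
    low: object

class Jeeves:
    def __init__(self):
        self.labels = []  # labels with at least one policy; unrestricted labels default HIGH
    def restrict(self, label, policy):
        if label not in self.labels:
            self.labels.append(label)
        label.policies.append(policy)  # constraint: label may resolve HIGH only if policy(ctx) holds
    def eval_under(self, value, asg):
        # Resolve (possibly nested) sensitive values under a candidate label assignment.
        if isinstance(value, Sensitive):
            view = value.high if asg.get(value.label, HIGH) else value.low
            return self.eval_under(view, asg)
        if isinstance(value, dict):
            return {k: self.eval_under(v, asg) for k, v in value.items()}
        return value
    def concretize(self, context, value):
        # Output channel: a brute-force model finder stands in for the SMT solver. Assignments
        # with the most HIGH labels are tried first; all-LOW always satisfies, so this returns.
        for bits in sorted(product([HIGH, LOW], repeat=len(self.labels)), key=lambda b: -sum(b)):
            asg = dict(zip(self.labels, bits))
            ctx = self.eval_under(context, asg)  # the context itself may hold sensitive values
            if all(not asg[l] or all(p(ctx) for p in l.policies) for l in self.labels):
                return self.eval_under(value, asg)

def conference_demo(viewer, role, notified=False):
    # Constructed conference-management scenario: the decision is hidden until notification
    # (except from chairs); the author's name is shown to the author herself or once the paper
    # is accepted. That policy reads the sensitive decision, so both labels resolve together.
    j = Jeeves()
    accepted = Sensitive(Label("decision"), True, False)
    j.restrict(accepted.label, lambda ctx: ctx["role"] == "chair" or ctx["notified"])
    author = Sensitive(Label("author"), "Alice", "Anonymous")
    j.restrict(author.label, lambda ctx: ctx["viewer"] == "Alice" or ctx["accepted"])
    context = {"viewer": viewer, "role": role, "notified": notified, "accepted": accepted}
    return j.concretize(context, {"title": "Jeeves", "author": author, "accepted": accepted})
```

A reviewer who is not yet notified sees "Anonymous" even though the paper is in fact accepted, because the acceptance label must resolve LOW for that viewer and the author policy is evaluated under that same assignment.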
