Dependent Types for Safe and Secure Web Programming

Dependently-typed languages allow precise types to be used during development, facilitating static reasoning about program behaviour. However, with the use of more specific types comes the disadvantage that it becomes increasingly difficult to write programs that are accepted by a type checker, meaning additional proofs may have to be specified manually. Embedded domain-specific languages (EDSLs) can help address this problem by introducing a layer of abstraction over more precise underlying types, allowing domain-specific code to be written in a verified high-level language without imposing additional proof obligations on an application developer. In this paper, we apply this technique to web programming. Using the dependently typed programming language Idris, we show how to use EDSLs to enforce resource usage protocols associated with common web operations such as CGI, database access and session handling. We also introduce an EDSL which uses dependent types to facilitate the creation and handling of web forms, reducing the scope for programmer error and possible security implications.
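To make the resource-usage-protocol idea concrete, the following is a small added example (Idris 1 syntax; not code from the paper) in which the type index of a CGI EDSL records the phase of the response, so that ill-ordered handlers are rejected by the type checker while the application code itself carries no proof terms. The `Phase` names, the `CGI` constructors, the `Response` record and the `run` interpreter are all constructed for this illustration.

```idris
-- Added illustration (not the paper's code): the type index records the phase
-- of a CGI response, so a header after the body, or a response that is never
-- finished, is a type error rather than a runtime fault.
data Phase = Headers | Body | Finished

||| A CGI program is indexed by the phase before and after it runs.
data CGI : (before : Phase) -> (after : Phase) -> Type -> Type where
  SetHeader : String -> String -> CGI Headers Headers ()
  StartBody : CGI Headers Body ()
  Output    : String -> CGI Body Body ()
  Finish    : CGI Body Finished ()
  Pure      : a -> CGI s s a
  (>>=)     : CGI s1 s2 a -> (a -> CGI s2 s3 b) -> CGI s1 s3 b

||| Only complete handlers (Headers to Finished) may be installed.
Handler : Type
Handler = CGI Headers Finished ()

||| Interpreter target: collected headers and body lines (constructed).
record Response where
  constructor MkResponse
  headers : List (String, String)
  body    : List String

run : CGI s1 s2 a -> Response -> (Response, a)
run (SetHeader k v) r = (record { headers $= (++ [(k, v)]) } r, ())
run StartBody       r = (r, ())
run (Output s)      r = (record { body $= (++ [s]) } r, ())
run Finish          r = (r, ())
run (Pure x)        r = (r, x)
run (m >>= k)       r = let (r', x) = run m r in run (k x) r'

||| Well-typed handler: header, then body, then finish.
hello : Handler
hello = do SetHeader "Content-Type" "text/html"
           StartBody
           Output "<p>Hello</p>"
           Finish

-- Rejected by the type checker (kept commented out): after StartBody the
-- state is Body, but SetHeader requires the state Headers.
-- bad : Handler
-- bad = do StartBody
--          SetHeader "Set-Cookie" "session=example"
--          Finish

main : IO ()
main = do let resp = fst (run hello (MkResponse [] []))
          traverse_ (\(k, v) => putStrLn (k ++ ": " ++ v)) (headers resp)
          putStrLn ""
          traverse_ putStrLn (body resp)
```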
