Abstract
Proving software free of security bugs is hard. Languages that ensure that programs correctly enforce their security policies would help, but, to date, no security-typed language has the ability to verify the enforcement of the kinds of policies used in practice—dynamic, stateful policies which address a range of concerns including forms of access control and information flow tracking.
This paper presents Fine, a new source-level security-typed language that, through the use of a simple module system and dependent, refinement, and affine types, checks the enforcement of dynamic security policies applied to real software. Fine is proven sound. A prototype implementation of the compiler and several example programs are available from http://research.microsoft.com/fine.
© 2010 Springer-Verlag Berlin Heidelberg
Swamy, N., Chen, J., Chugh, R. (2010). Enforcing Stateful Authorization and Information Flow Policies in Fine. In: Gordon, A.D. (ed.) Programming Languages and Systems. ESOP 2010. Lecture Notes in Computer Science, vol. 6012. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11957-6_28
DOI: https://doi.org/10.1007/978-3-642-11957-6_28
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-11956-9
Online ISBN: 978-3-642-11957-6