Skip to main content

Advertisement

SpringerLink
Log in
Menu
Find a journal Publish with us
Search
Cart
Book cover

European Symposium on Programming

ESOP 2010: Programming Languages and Systems pp 529–549Cite as

  1. Home
  2. Programming Languages and Systems
  3. Conference paper
Enforcing Stateful Authorization and Information Flow Policies in Fine

Enforcing Stateful Authorization and Information Flow Policies in Fine

  • Nikhil Swamy17,
  • Juan Chen17 &
  • Ravi Chugh18 
  • Conference paper

  • 1034 Accesses

  • 47 Citations

Part of the Lecture Notes in Computer Science book series (LNTCS,volume 6012)

Abstract

Proving software free of security bugs is hard. Languages that ensure that programs correctly enforce their security policies would help, but, to date, no security-typed language has the ability to verify the enforcement of the kinds of policies used in practice—dynamic, stateful policies which address a range of concerns including forms of access control and information flow tracking.

This paper presents Fine, a new source-level security-typed language that, through the use of a simple module system and dependent, refinement, and affine types, checks the enforcement of dynamic security policies applied to real software. Fine is proven sound. A prototype implementation of the compiler and several example programs are available from http://research.microsoft.com/fine .

Keywords

  • Security Policy
  • Dependent Type
  • Stateful Authorization
  • Proof Obligation
  • Type Check

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Chapter PDF

Download to read the full chapter text

References

  1. Bengtson, J., Bhargavan, K., Fournet, C., Gordon, A.D., Maffeis, S.: Refinement types for secure implementations. In: CSF (2008)

    Google Scholar 

  2. Bertot, Y., Castéran, P.: Coq’Art: Interactive Theorem Proving and Program Development. Springer, Heidelberg (2004)

    MATH  Google Scholar 

  3. Borgstroem, J., Gordon, A., Pucella, R.: Roles, stacks, histories: A triple for hoare. Technical Report MSR-TR-2009-97, Microsoft Research (2009)

    Google Scholar 

  4. Chlipala, A., Malecha, G., Morrisett, G., Shinnar, A., Wisnesky, R.: Effective interactive proofs for higher-order imperative programs. In: ICFP (2009)

    Google Scholar 

  5. Chong, S., Myers, A.C., Nystrom, N., Zheng, L., Zdancewic, S.: Jif: Java + information flow (July 2006); Software release

    Google Scholar 

  6. de Moura, L., Bjørner, N.: Z3: An efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008)

    CrossRef  Google Scholar 

  7. Dougherty, D.J., Fisler, K., Krishnamurthi, S.: Specifying and reasoning about dynamic access-control policies. LNCS. Springer, Heidelberg (2006)

    Google Scholar 

  8. ECMA. Standard ECMA-335: Common language infrastructure (2006)

    Google Scholar 

  9. Flanagan, C.: Hybrid type checking. In: POPL. ACM, New York (2006)

    Google Scholar 

  10. Flanagan, C., Sabry, A., Duba, B.F., Felleisen, M.: The essence of compiling with continuations. In: PLDI. ACM, New York (1993)

    Google Scholar 

  11. Grossman, D., Morrisett, G., Zdancewic, S.: Syntactic type abstraction. ACM TOPLAS 22(6) (2000)

    Google Scholar 

  12. Jackson, D.: Alloy: a lightweight object modelling notation. TOSEM 11(2) (2002)

    Google Scholar 

  13. Jia, L., Vaughan, J., Mazurak, K., Zhao, J., Zarko, L., Schorr, J., Zdancewic, S.: Aura: A programming language for authorization and audit. In: ICFP (2008)

    Google Scholar 

  14. Krishnamurthi, S., Hopkins, P.W., Mccarthy, J., Graunke, P.T., Pettyjohn, G., Felleisen, M.: Implementation and use of the PLT Scheme web server. HOSC 20(4) (2007)

    Google Scholar 

  15. Levy, H.M.: Capability-Based Computer Systems. Butterworth-Heinemann, Butterworths (1984)

    Google Scholar 

  16. McBride, C., McKinna, J.: The view from the left. JFP 14(1) (2004)

    Google Scholar 

  17. Norell, U.: Towards a practical programming language based on dependent type theory. PhD thesis, Chalmers Institute of Technology (2007)

    Google Scholar 

  18. Simonet, V.: FlowCaml in a nutshell. In: Hutton, G. (ed.) APPSEM-II, pp. 152–165 (2003)

    Google Scholar 

  19. Stump, A., Deters, M., Petcher, A., Schiller, T., Simpson, T.: Verified programming in Guru. In: PLPV (2008)

    Google Scholar 

  20. Swamy, N., Chen, J., Chugh, R.: Enforcing stateful authorization and information flow policies in Fine. Technical Report MSR-TR-2009-164, Microsoft Research (2009)

    Google Scholar 

  21. Swamy, N., Corcoran, B.J., Hicks, M.: Fable: A language for enforcing user-defined security policies. In: S&P (2008)

    Google Scholar 

  22. Swamy, N., Hicks, M.: Verified enforcement of stateful information release policies. In: PLAS (2008)

    Google Scholar 

  23. Syme, D., Granicz, A., Cisternino, A.: Expert F#. Apress (2007)

    Google Scholar 

  24. Wadler, P.: Linear types can change the world. In: Prog. Concepts and Methods (1990)

    Google Scholar 

  25. Wahbe, R., Lucco, S., Anderson, T.E., Graham, S.L.: Efficient software-based fault isolation. In: SOSP (1993)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Microsoft Research, Redmond

    Nikhil Swamy & Juan Chen

  2. University of California, San Diego

    Ravi Chugh

Authors
  1. Nikhil Swamy
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Juan Chen
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Ravi Chugh
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Roger Needham Building, Microsoft Research, 7 J.J. Thomson Ave., CB3 0FB, Cambridge, UK

    Andrew D. Gordon

Rights and permissions

Reprints and Permissions

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Swamy, N., Chen, J., Chugh, R. (2010). Enforcing Stateful Authorization and Information Flow Policies in Fine . In: Gordon, A.D. (eds) Programming Languages and Systems. ESOP 2010. Lecture Notes in Computer Science, vol 6012. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11957-6_28

Download citation

  • .RIS
  • .ENW
  • .BIB

  • DOI: https://doi.org/10.1007/978-3-642-11957-6_28

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-11956-9

  • Online ISBN: 978-3-642-11957-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Share this paper

Anyone you share the following link with will be able to read this content:

Sorry, a shareable link is not currently available for this article.

Provided by the Springer Nature SharedIt content-sharing initiative

search

Navigation

  • Find a journal
  • Publish with us

Discover content

  • Journals A-Z
  • Books A-Z

Publish with us

  • Publish your research
  • Open access publishing

Products and services

  • Our products
  • Librarians
  • Societies
  • Partners and advertisers

Our imprints

  • Springer
  • Nature Portfolio
  • BMC
  • Palgrave Macmillan
  • Apress
  • Your US state privacy rights
  • Accessibility statement
  • Terms and conditions
  • Privacy policy
  • Help and support

34.229.63.28

Not affiliated

Springer Nature

© 2023 Springer Nature