Controlling Data Flow with a Policy-Based Programming Language for the Web
It has become increasingly easy to write Web applications and other distributed programs by orchestrating invocations of remote third-party services. More and more, these third-party services themselves invoke other services, and so on, making it difficult for the original application developer to anticipate where their data will end up. This may lead to privacy breaches or contractual violations. In this paper, we explore a simple distributed programming language that allows a web service provider to infer automatically where user data will travel to, and the developer to impose statically-checkable constraints on acceptable routes. For example, this may provide confidence that company data will not flow to a competitor, or that privacy-sensitive data goes through an anonymizer before being sent further out.