ESTRELA allows specification of different classes of policies separate from the application code, and enforces them by attaching them to the APIs based on the context.
Interestingly, the policy state allows us, among other things, to hide the very existence of sensitive values in certain cases; without this, the policies themselves might leak (meta-)information about the data to which access was requested.
In ESTRELA, the policies are specified centrally, similar to contracts [17, 31], and enforced using tags attached to the remote APIs exposed by the server instead of being added as intertwined checks in the API code.
To address this issue of policy compliance, we present ESTRELA, a framework that allows specification of privacy policies separately from the code and enforces them on the interfaces that access the sensitive data.
Web applications routinely access sensitive and confidential data of users through remote APIs; the privacy of that data is governed by different policies specified by the application developer and implemented as checks across application code and database queries.
In Lifty, downgrading does not normally appear in user-written code; rather, the compiler uses it when generating policy checks for self-referential policies (see Sec.
As is customary for expressive type systems, the rules in Fig.
Our insight is that we can re-purpose liquid type inference [Cosman and Jhala 2017; Rondon et al.
To support safe enforcement
Proceedings of the ACM on Programming Languages, Vol.
3.3), and features a custom security guarantee, which we call contextual noninterference (Sec.
A statement can modify the store (set) or output a value to a user (print).
In this section we show how a careful encoding of information flow security into a type system (Sec. 2.3.1) allows us to instead use type inference for precise fault localization (Sec.
Concretely, type-checking the code in Fig. 3 against the policy module leads to a type error in line 5, which flags the term get (status p) as unsafe and, moreover, gives its expected type, which can be used as the local specification for patch synthesis (Sec.
The Lifty type system builds upon existing work on security monads [Russo et al.
Enforcing Information Flow Policies with Type-Targeted Program Synthesis
NADIA POLIKARPOVA, University of California, San Diego; JEAN YANG, Carnegie Mellon University; SHACHAR ITZHAKY, Technion; TRAVIS HANCE, Carnegie Mellon University; ARMANDO SOLAR-LEZAMA, Massachusetts Institute of Technology
We present a technique for static enforcement of high-level, declarative information flow policies.
The programmer associates information flow policies with fields in the data schema, codes within the subset of Python supported by our Jeeves library, and accesses the database only through the Jacqueline API.
In Jacqueline, the application runtime and object-relational mapping dynamically manipulate sensitive values and policies so the programmer may omit repeated checks.
Using this approach, the programmer factors out the implementation of information flow policies from application code and database queries.
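As an added illustration (this is not code from ESTRELA, Jacqueline or their papers) of the two ideas in the excerpts above: a policy table keyed by schema field, kept apart from the handler code and enforced by a tag (here a Python decorator) on the remote API, plus a per-record existence policy so that a denied lookup is indistinguishable from a missing record. The conference-management schema, user names, role names and the `NotFound`/`Forbidden` error types are hypothetical; the sample records are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Viewer:
    user: str
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Paper:
    pid: int
    title: str
    authors: Tuple[str, ...]
    reviewers: Tuple[str, ...]
    status: str  # "pending" | "accepted" | "rejected"; sensitive


# Constructed sample store (hypothetical papers and users).
DB: Dict[int, Paper] = {
    1: Paper(1, "Liquid Policies", ("alice",), ("rev1",), "pending"),
    2: Paper(2, "Faceted Values", ("bob",), ("rev2",), "accepted"),
}

Policy = Callable[[Viewer, Paper], bool]


def is_chair(v: Viewer) -> bool:
    return "chair" in v.roles


def is_author(v: Viewer, p: Paper) -> bool:
    return v.user in p.authors


def is_reviewer(v: Viewer, p: Paper) -> bool:
    return v.user in p.reviewers


# Central policy table, keyed by schema field. Handlers never consult it;
# the decorator below applies it at the API boundary.
FIELD_POLICIES: Dict[str, Policy] = {
    "authors": lambda v, p: is_chair(v) or is_author(v, p),  # double-blind review
    "status": lambda v, p: is_chair(v) or (is_author(v, p) and p.status != "pending"),
}
# Existence policy: who may learn that a record exists at all.
EXISTS: Policy = lambda v, p: is_chair(v) or is_author(v, p) or is_reviewer(v, p)

REDACTED = "<redacted>"


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def naive_get_paper(viewer: Viewer, pid: int) -> dict:
    """Checks intertwined with the handler, and a distinct error for denial.
    The error type alone tells a caller whether the record exists."""
    p = DB.get(pid)
    if p is None:
        raise NotFound(pid)
    if not EXISTS(viewer, p):
        raise Forbidden(pid)
    return {"pid": p.pid, "title": p.title, "authors": p.authors, "status": p.status}


def enforce(*fields: str):
    """Tag a remote API handler with the field policies it must honour."""
    def wrap(handler: Callable[[int], Optional[Paper]]):
        def guarded(viewer: Viewer, pid: int) -> dict:
            p = handler(pid)
            if p is None or not EXISTS(viewer, p):
                raise NotFound(pid)  # same error whether absent or hidden
            out = {"pid": p.pid, "title": p.title}
            for f in fields:
                out[f] = getattr(p, f) if FIELD_POLICIES[f](viewer, p) else REDACTED
            return out
        return guarded
    return wrap


@enforce("authors", "status")
def get_paper(pid: int) -> Optional[Paper]:
    """Handler with no policy logic of its own; the tag supplies it."""
    return DB.get(pid)


def probe(api, viewer: Viewer, pid: int) -> str:
    """What a caller observes from one request: 'ok' or the error class name."""
    try:
        api(viewer, pid)
        return "ok"
    except (NotFound, Forbidden) as e:
        return type(e).__name__
```

`probe(naive_get_paper, Viewer("mallory"), 1)` returns `"Forbidden"` while the same probe on a non-existent id returns `"NotFound"`, so an outsider can enumerate which submission ids exist; through `get_paper` both probes return `"NotFound"`, and a reviewer of paper 1 sees its title but redacted authors and status.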
Indeed, the difficulty of reasoning about how sensitive data flows through both application code and database queries has led to leaks in systems from the HotCRP conference management system to the social networking site Facebook.
We implement these ideas in Jacqueline, a Python web framework, and demonstrate feasibility through three application case studies: a course manager, a health record system, and a conference management system used to run an academic workshop.