92 research outputs found
Polymonadic Programming
Monads are a popular tool for the working functional programmer to structure
effectful computations. This paper presents polymonads, a generalization of
monads. Polymonads give the familiar monadic bind the more general type forall
a,b. L a -> (a -> M b) -> N b, to compose computations with three different
kinds of effects, rather than just one. Polymonads subsume monads and
parameterized monads, and can express other constructions, including precise
type-and-effect systems and information flow tracking; more generally,
polymonads correspond to Tate's productoid semantic model. We show how to equip
a core language (called lambda-PM) with syntactic support for programming with
polymonads. Type inference and elaboration in lambda-PM allows programmers to
write polymonadic code directly in an ML-like syntax--our algorithms compute
principal types and produce elaborated programs wherein the binds appear
explicitly. Furthermore, we prove that the elaboration is coherent: no matter
which (type-correct) binds are chosen, the elaborated program's semantics will
be the same. Pleasingly, the inferred types are easy to read: the polymonad
laws justify (sometimes dramatic) simplifications, but with no effect on a
type's generality.Comment: In Proceedings MSFP 2014, arXiv:1406.153
Language-based Enforcement of User-defined Security Policies (As Applied to Multi-tier Web Programs)
Over the last 35 years, researchers have proposed many different forms of security policies to control how information is managed by software, e.g., multi-level information flow policies, role-based or history-based access control, data provenance management etc. A large body of work in programming language design and analysis has aimed to ensure that particular kinds of security policies are properly enforced by an application. However, these approaches typically fix the style of security policy and overall security goal, e.g., information flow policies with a goal of noninterference. This limits the programmer's ability to combine policy styles and to apply customized enforcement techniques while still being assured the system is secure.
This dissertation presents a series of programming-language calculi each intended to verify the enforcement of a range of user-defined security policies. Rather than ``bake in'' the semantics of a particular model of security policy, our languages are parameterized by a programmer-provided specification of the policy and enforcement mechanism (in the form of code). Our approach relies on a novel combination of dependent types to correctly associate security policies with the objects they govern, and affine types to account for policy or program operations that include side effects. We have shown that our type systems are expressive enough to verify the enforcement of various forms of access control, provenance, information flow, and automata-based policies. Additionally, our approach facilitates straightforward proofs that programs implementing a particular policy achieve their high-level security goals. We have proved our languages sound and we have proved relevant security properties for each of the policies we have explored. To our knowledge, no prior framework enables the enforcement of such a wide variety of security policies with an equally high level of assurance.
To evaluate the practicality of our solution, we have implemented one of our type systems as part of the Links web-programming language; we call the resulting language SELinks. We report on our experience using SELinks to build two substantial applications, a wiki and an on-line store, equipped with a combination of access control and provenance policies. In general, we have found the mechanisms SELinks provides to be both sufficient and relatively easy to use for many common policies, and that the modular separation of user-defined policy code permitted some reuse between the two applications
A theory of typed coercions and its applications
A number of important program rewriting scenarios can be recast as type-directed coercion insertion. These range from more theoretical applications such as coercive subtyping and supporting overloading in type theories, to more practical applications such as integrating static and dynamically typed code using gradual typing, and inlining code to enforce security policies such as access control and provenance tracking. In this paper we give a general theory of typedirected coercion insertion. We specifically explore the inherent tradeoff between expressiveness and ambiguity—the more powerful the strategy for generating coercions, the greater the possibility of several, semantically distinct rewritings for a given program. We consider increasingly powerful coercion generation strategies, work out example applications supported by the increased power (including those mentioned above), and identify the inherent ambiguity problems of each setting, along with various techniques to tame the ambiguities
label-based security enforcement for web applications
This paper presents SELinks, a programming language focused on building secure multi-tier web applications. SE-Links provides a uniform programming model, in the style of LINQ and Ruby on Rails, with language syntax for accessing objects residing either in the database or at the server. Object-level security policies are expressed as fullycustomizable, first-class labels which may themselves be subject to security policies. Access to labeled data is mediated via trusted, user-provided policy enforcement functions. SELinks has two novel features that ensure security policies are enforced correctly and efficiently. First, SELinks implements a type system called Fable that allows a protected object’s type to refer to its protecting label. The type system can check that labeled data is never accessed directly by the program without first consulting the appropriate policy enforcement function. Second, SELinks compiles policy enforcement code to database-resident user-defined functions that can be called directly during query processing. Database-side checking avoids transferring data to the server needlessly, while still allowing policies to be expressed in a customizable and portable manner. Our experience with two sizable web applications, a model health-care database and a secure wiki with fine-grained security policies, indicates that cross-tier policy enforcement in SELinks is flexible, relatively easy to use, and, when compared to a single-tier approach, improves throughput by nearly an order of magnitude. SELinks is freely available
A Distributed Algorithm for Constructing a Generalization of de Bruijn Graphs
De Bruijn graphs possess many characteristics that
make them a suitable choice for the topology of an overlay
network. These include constant degree at each node,
logarithmic diameter and a highly-regular topology that
permits nodes to make strong assumptions about the global
structure of the network.
We propose a distributed protocol that constructs an
approximation of a de Bruijn graph in the presence of an
arbitrary number of nodes. We show that the degree of each
node is constant and that the diameter of the network is no
worse than 2logN, where N is the number of nodes. The
cost of the join and the departure procedures are O(logN)
in the worst case. To the best of our knowledge, this is the
first distributed protocol that provides such deterministic
guarantees
Defeating Script Injection Attacks with Browser Enforced Embedded Policies
Web sites that accept and display content such as wiki articles or
comments typically filter the content to prevent injected script code
from running in browsers that view the site. The diversity of browser
rendering algorithms and the desire to allow rich content makes
filtering quite difficult, however, and attacks such as the Samy and
Yamanner worms have exploited filtering weaknesses. To solve this
problem, this paper proposes a simple mechanism called Browser-Enforced
Embedded Policies (BEEP). The idea is that a web site can embed a policy inside
its pages that specifies which scripts are allowed to run. The
browser, which knows exactly when it will run a script, can enforce
this policy perfectly. We have added BEEP support to several
browsers, and built tools to simplify adding policies to web
applications. We found that supporting BEEP in browsers
requires only small and localized modifications, modifying web
applications requires minimal effort, and enforcing policies is
generally lightweight
SteelCore: An extensible concurrent separation logic for effectful dependently typed programs
Much recent research has been devoted to modeling effects within type theory. Building on this work, we observe that effectful type theories can provide a foundation on which to build semantics for more complex programming constructs and program logics, extending the reasoning principles that apply within the host effectful type theory itself. Concretely, our main contribution is a semantics for concurrent separation logic (CSL) within the F* proof assistant in a manner that enables dependently typed, effectful F* programs to make use of concurrency and to be specified and verified using a full-featured, extensible CSL. In contrast to prior approaches, we directly derive the partial-correctness Hoare rules for CSL from the denotation of computations in the effectful semantics of non-deterministically interleaved atomic actions. Demonstrating the flexibility of our semantics, we build generic, verified libraries that support various concurrency constructs, ranging from dynamically allocated, storable spin locks, to protocol-indexed channels. We conclude that our effectful semantics provides a simple yet expressive basis on which to layer domain-specific languages and logics for verified, concurrent programming.Fil: Swamy, Nikhil. Microsoft Research; Estados UnidosFil: Rastogi, Aseem. Microsoft Research; IndiaFil: Fromherz, Aymeric. University of Carnegie Mellon; Estados UnidosFil: Merigoux, Denis. Institut National de Recherche en Informatique et en Automatique; FranciaFil: Ahman, Danel. University of Ljubljana; EsloveniaFil: MartÃnez, Guido. Consejo Nacional de Investigaciones CientÃficas y Técnicas. Centro CientÃfico Tecnológico Conicet - Rosario. Centro Internacional Franco Argentino de Ciencias de la Información y de Sistemas. Universidad Nacional de Rosario. Centro Internacional Franco Argentino de Ciencias de la Información y de Sistemas; Argentin
Meta-F*: Proof Automation with SMT, Tactics, and Metaprograms
We introduce Meta-F*, a tactics and metaprogramming framework for the F*
program verifier. The main novelty of Meta-F* is allowing the use of tactics
and metaprogramming to discharge assertions not solvable by SMT, or to just
simplify them into well-behaved SMT fragments. Plus, Meta-F* can be used to
generate verified code automatically.
Meta-F* is implemented as an F* effect, which, given the powerful effect
system of F*, heavily increases code reuse and even enables the lightweight
verification of metaprograms. Metaprograms can be either interpreted, or
compiled to efficient native code that can be dynamically loaded into the F*
type-checker and can interoperate with interpreted code. Evaluation on
realistic case studies shows that Meta-F* provides substantial gains in proof
development, efficiency, and robustness.Comment: Full version of ESOP'19 pape
- …