oflabels,intermsoftheactionsthatarepermittedorde-nied.Thisobservationi - PDF document

oflabels,intermsoftheactionsthatarepermittedorde-nied.ThisobservationisembodiedinFABLEintworespects.First,programmerscandenecustomsecuritylabelsandassociatethemwiththedatatheyprotectusingdependenttypes.Forexample,aprogrammercoulddenealabelLOW,andanintegervalueprotectedbythislabelwouldhavetypeintfLOWg.Asanotherexample,theprogrammercoulddenealabelACL(Alice,Bob)whereanintegerwithtypeintfACL(Alice,Bob)gismeanttobeaccessedbyonlyAliceorBob.Second,programmersdenetheinterpreta-tionoflabelsinspecialenforcementpolicyfunctionssepa-ratedfromtherestoftheprogram.Forexample,theseman-ticsofouraccesscontrollabelcouldbeimplementedbythefollowingenforcementpolicyfunction:policyaccess simple(acl:lab,x:intfaclg)=if(memberuseracl)thenfgxelse�1ThisfunctiontakesalabellikeACL(Alice,Bob)asitsrstargument,andanintegerprotectedbythatACLasitssec-ondargument.Ifthecurrentuser(representedbyvariableuser)isamemberofx'sACL(accordingtosomefunctionmember,notshown),thenxisreturnedwithitslabelre-moved,expressedbythesyntaxfgx,sothatitcanbeac-cessedbythemainprogram.Ifthemembershiptestfails,itreturns�1andx'svalueisnotreleased.FABLEdoesnot,inandofitself,guaranteethatasecuritypolicyiscorrectlyimplemented,butFABLE'sdesigngreatlysimpliesproofofthisfact.Inparticular,FABLE'stypesys-temensuresthatlabeleddata(thatis,datawithatypetflg)istreatedabstractlybythemainprogram,sincetermswithalabeledtypecanonlybeconstructed,examined,orchangedwithinenforcementpolicycode.Moreover,FABLE'stypesystemensuresthatthemainprogramcannotseverorforgetheassociationbetweenalabelandthedataitprotects.Ineffect,FABLEensurescompletemediationoftheuser'sla-belpolicyinthatnodatacanbeaccessedwithoutconsultingthecorrectsecuritypolicy.TodemonstrateFABLE'sexibilitywehaveusedittoen-codearangeofpolicies,includingaccesscontrol,static[32]anddynamicinformationow[46]withformsofdeclas-sication[20],provenancetracking[7]andpoliciesbasedonsecurityautomata[42].Inourexperience,thesound-nessofFABLEmakesproofsofsecuritypropertiesnomoredifcult—andarguablysimpler—thanproofsofsim-ilarpropertiesinspecializedlanguages[30,40,41].Todemonstratethisfactwepresentproofsofcorrectnessforouraccesscontrol,provenance,andstaticinformationowpolicies.FABLEopensthepossibilityofpartiallyautomat-ingsuchproofs,alongthelinesofuser-denedtypesys-tems[8],thoughweleaveexplorationofthisissuetofuturework.Toourknowledge,noexistingframeworkenablestheenforcementofsuchawidevarietyofsecuritypolicieswithanequallyhighlevelofassurance.ToevaluateFABLE'spracticalitywehaveimplementedFABLEasanextensiontotheLINKSwebprogramminglanguage[12].WecalltheresultinglanguageSELINKS(forSecurity-EnhancedLINKS).Wehavebuilttwosub-stantialapplicationsusingSELINKS:SEWIKI,a3500-linesecureblog/wikiinspiredbyIntellipedia[31]thatimple-mentsacombinedaccesscontrolandprovenancepolicy,andSEWINESTORE,a1000-linee-commerceapplicationdistributedwithLINKSextendedwithanaccesscontrolpol-icy.Ingeneral,wehavefoundthatFABLE'slabel-basedsecuritypoliciesareneitherlackingnorburdensome,andthemodularseparationoftheenforcementpolicypermittedsomereuseofpolicycodebetweenthetwoapplications.IntheremainderofthepaperwepresentFABLE,ourcorelanguagefordeningandenforcingcustom,label-basedse-curitypolicies(Section2).WeshowhowFABLEcanbeusedtodenearangeofsecuritypoliciesandthatFABLE'sdesignsimpliesproofsthatthesepoliciesareimplementedcorrectly(Section3).InSection4wediscussourSELINKSimplementationofFABLEforbuildingwebapplicationsandourexperiencebuildingSEWIKIandSEWINESTORE.Section5discussesrelatedwork,andSection6sketchesfu-tureworkandconcludes.2FABLE:SystemFwithLabelsThissectionpresentsthesyntax,staticsemantics,andoperationalsemanticsofFABLE.Thenextsectionillus-tratesFABLE'sexibilitybypresentingexamplepoliciesalongwithproofsoftheirattendantsecurityproperties.2.1.SyntaxFigure1denesFABLE'ssyntax.Throughout,weusethenotation~atostandforalistofelementsoftheforma1;:::;an;wherethecontextisclear,wewillalsotreat~aasthesetofelementsfa1;:::;ang.Expressionseextendastandardpolymorphicl-calculus,SystemF[16].Standardformsincludeintegervaluesn,variablesx,abstractionslx:t:e,termapplicatione1e2,thexpointcombinatorxx:t:v,typeabstractionLa:eandtypeapplicatione[t].Weexcludemutablereferencesfromthelanguagetosimplifythepresentation.Ourtech-nicalreport[38]extendsthelanguagewithreferencesandconsiderstheireffectonvariouspolicies,e.g.,informationowsthroughsideeffects.ThesyntacticconstructsspecictoFABLEaredistin-guishedinFigure1.TheexpressionC(~e)isalabel,whereCrepresentsanarbitraryconstructorandeachei2~emustitselfbealabel;e.g.,inACL(Alice,Bob),ACLis2-arylabelconstructorandAliceandBobare0-arylabelconstructors.Labelscanbeexaminedbypatternmatching.Forexample,2 typeabbreviationtypenameNa=tine2(Nt07!((a7!t0)t))e2letbindingletx=e1ine2(lx:t:e2)e1forsometpolymorphicfunctiondef.letfhai(x:t)=e1ine2letf=xf:t0:La:lx:t:e1ine2forsomet0policyfunctiondefpolicyfhai(x:t)=e1ine2letf=xf:t0:La:lx:t:([e1])ine2forsomet0dependenttupletypex:tt08a:((x:t)!t0!a)!adependenttupleintroduction(e;e0)La:lf:((x:t)!t0!a):fee0forsomet;t0dependenttupleprojectionletx,y=finef[te](lx:t.ly:t0:e)forsomet;t0;andteFigure2.Syntacticshorthandsxandy—itcanbecalledwithanypairofintegersthathavethesamelabel,irrespectiveofwhatlabelthatmightbe.Weexpressthiskindofpolymorphismbywritingthephantomlabelvariablel,togetherwithanyothernormaltypevari-ableslikea;b;:::,inalistthatfollowsthefunctionname.Intheexampleabove,thephantomvariableofaddarelistedashli.Ofcourse,notalllabelargumentsarephantom.Forinstance,intheaccess simplefunctionofSection1,theaclisalabelargumentthatispassedatruntime.Forsimplic-ity,wedonotformalizephantomvariablepolymorphism.Ourtechnicalreport[38]doesmodelphantomvariablesandcontainstheassociatedproofofsoundness.Example:Accesscontrolpolicy.Figure3illustratesasim-ple,butcomplete,enforcementpolicyforaccesscontrol.Protecteddataisgivenalabellistingthoseusersauthorizedtoaccessthedata.Inparticular,suchdatahastypetfaclgwhereaclencodestheACLasalabel.Thepolicy'sloginfunctioncallsanexternalfunctioncheckpwtoauthenticateauserbycheckingapassword.Ifauthenticationsucceeds(therstpattern),checkpwreturnsalabelUSER(k)wherekissomeuniqueidentierfortheuser.Theloginfunctionreturnsapairconsistingofthislabelandaintegerlabeledwithit;thispairservesasourruntimerep-resentationofaprincipal.Theaccessfunctiontakesthetwoelementsofthispairasitsrsttwoarguments.SinceFABLEenforcesthatonlypoliciescanproducelabeledvalues,weareassuredthatthetermwithtypeintfUSER(k)gcanonlyhavebeenproducedbylogin.Theaccessfunction'slasttwoargumentsconsistoftheprotecteddata'slabel,acl,andthedataitself,data.TheaccessfunctioncallsthememberfunctiontoseewhethertheusertokenuispresentintheACL.Ifsuccessful,thelabelTRUEisreturned,inwhichcaseaccessreturnsthedatawithitsacllabelremoved.2.2.TypingFigure4denesthetypingrulesforFABLE.ThemainjudgmentG`ce:ttypesexpressions.Theindexcindicateswhethereispartofthepolicyortheapplication.Onlypolicytermsarepermittedtousetheunlabelingandrela-belingoperators.Grecordsthreekindsofinformation;x:tmapsvariablestotypes,arecordsaboundtypevariable,andeprecordstheassumptionthatematchespatternp,usedwhencheckingthebranchesofapatternmatch.Therules(T-INT),(T-VAR),(T-FIX),(T-TAB)and(T-TAP)arestandardforpolymorphiclambdacalculi.(T-ABS)and(T-APP)arestandardforadependentlytypedlanguage.(T-ABS)introducesadependentfunctiontypeoftheform(x:t1)!t2.(T-APP)typesanapplicationofa(dependentlytyped)function.Asusual,werequirethetypet1oftheargumenttomatchthetypeofthefor-malparametertothefunction.However,sincexmayoc-curinthereturntypet2,thetypeoftheapplicationmustsubstitutetheactualargumente2forxint2.Asanex-ample,consideranapplicationoftheaccess simplefunc-tion,havingtype(acl:lab)!intfaclg!int,tothetermACL(Alice;Bob).Accordingto(T-APP)theresultingex-pressionisafunctionwithtypeintfACL(Alice,Bob)g!int,whichindicatesthatthefunctioncanbeappliedonlytoanintegerlabeledwithpreciselyACL(Alice,Bob).Thisisthekeyfeatureofdependenttyping—thetypesystemensuresthatassociationsbetweenlabelsandthetermstheyprotectcannotbeforgedorbroken.Rule(T-LAB)givesalabeltermC(~e)asingletonla-beltypelabC(~e)aslongaseachcomponentei2~ehastypelab.AccordingtothisruleACL(Alice,Bob)canbegiventhetypelabACL(Alice,Bob).Forthatmat-ter,theexpression((lx:lab.x)High)canbegiventhetypelab((lx:lab.x)High);thereisnorequirementthatebeavalue.Therule(T-HIDE)allowsasingletonlabeltypelikethisonetobesubsumedtothetypeofalllabels,lab.Rule(T-SHOW)doestheconverse,allowingthetypeofalabeltobemademoreprecise.Rule(T-MATCH)checkspatternmatching.Therstpremiseconrmsthatexpressionebeingmatchedisala-bel.Thesecondlineofpremisesdescribeshowtocheckeachbranchofthematch.Ourpatternsdifferfrompat-ternsin,say,MLintworespects.First,thesecondpremiseonthesecondlinerequiresG;~xi:lab`cpi:lab,indicat-ingthatpatternsinFABLEareallowedtocontainvariablesthataredenedinthecontextG.Second,patternvari-ablesmayoccurmorethanonceinapattern.Bothofthesefeaturesmakeitconvenienttousepatternmatchingtocheckfortermequality.Forexample,intheexpres-sionlety=AliceinmatchxwithACL(y,y))e,thebranch4 G`ce:t ExpressionehastypetinenvironmentGundercolorcEnvironmentsG::=
jx:tjajepjG1;G2Substitutionss::=
j(x7!e)j(a7!t)js1;s2Colorsc::=poljappG`cn:int(T-INT)x:t2G G`cx:t(T-VAR)G`tG;f:t`cv:t G`cxf:t:v:t(T-FIX)G;a`ce:t G`cLa:e:8a:t(T-TAB)G`tG`ce:8a:t0 G`ce[t]:(a7!t)t0(T-TAP)G`tG;x:t`ce:t0 G`clx:t:e:(x:t)!t0(T-ABS)G`ce1:(x:t1)!t2G`ce2:t1 G`ce1e2:(x7!e2)t2(T-APP)G`cei:lab G`cC(~e):labC(~e)(T-LAB)G`ce:labe0 G`ce:lab(T-HIDE)G`ce:lab G`ce:labe(T-SHOW)G`ce:labG`tpn=xwherex62dom(G)~xi=FV(pi)ndom(G)G;~xi:lab`cpi:labG;~xi:lab;epi`cei:t G`cmatchewithp1)e1:::pn)en:t(T-MATCH)G`pole:tfe0g G`polfge:t(T-UNLAB)G`pole:tG`pole0:lab G`polfe0ge:tfe0g(T-RELAB)G`pole:t G`c([e]):t(T-POL)G`ce:tG`t=t0 G`ce:t0(T-CONV) G`t=t0 Typestandt0areconvertibleTypecontextsT::=jfegjx:!tjx:t!j8a:TermlabelcontextsL::=labjtfgG`t=t(TE-ID)G`t=t0 G`t0=t(TE-SYM)G`t=t0 G`T
t=T
t0(TE-CTX)ep2G G`L
e=L
p(TE-REFINE)8s:(dom(s)=FV(e1)^G`s(e1):lab))s(e1)c s(e2) G`L
e1=L
e2(TE-REDUCE) G`t Typetiswell-formedinenvironmentGG`int(K-INT)a2G G`a(K-TVAR)G`lab(K-LAB)G`pole:lab G`labe(K-SLAB)G`tG`pole:lab G`tfeg(K-LABT)G`t1G;x:t1`t2 G`(x:t1)!t2(K-FUN)G;a`t G`8a:t(K-ALL)Figure4.StaticsemanticsofFABLEproceduresthatcanbeusedtopartiallydecidetypecon-vertibility.Onesimplicationwouldbetoattempttoshowconvertibilityforclosedtypesonly—i.e.nofreevariables.InourimplementationofFABLE,SELINKS,weuseacom-binationofthreetechniques.First,weusetypeinformation.Iflisfreeinatype,andthedeclaredtypeoflislabe,thenwecanusethisinformationtosubstituteeforl.Simi-larly,ifthetypecontextincludesanassumptionoftheformle(whencheckingthebranchofapattern),wecansub-stitutelwithe.Finally,sincetype-levelexpressionstypi-callymanipulatelabelsbypatternmatching,weuseasim-pleheuristictodeterminewhichbranchtotakewhenpat-ternmatchingexpressionswithfreevariables.Thesetech-niquessufceforalltheexamplesinthispaperandbothourSEWIKIandSEWINESTOREapplications.Ourtechnicalreport[38]discussesthesedecisionproceduresingreaterdetailandprovesthemsound.Finally,thejudgmentG`tstatesthattiswell-formedinG.Rules(K-INT),(K-TVAR),and(K-LAB)arestandard,(K-FUN)denesthestandardscopingrulesfornamesindependentfunctiontypes,and(K-ALL)denesthestan-dardscopingruleforuniversallyquantiedtypevariables.(K-SLAB)and(K-LABT)ensurethatallexpressionsethatappearintypescanbegivenlab-type.Noticethattype-6 ec e0 Small-stepchromaticreductionrulesEvaluationcontextsEc::=ejvcj[t]jC(~vc;;~e)jmatchwithpi)eijfegjfgec e0 Ec
ec Ec
e0(E-CTX)epol e0 ([e])app ([e0])(E-POL)(lx:t:e)vcc (x7!vc)e(E-APP)(La:e)[t]c (a7!t)e(E-TAP)xf:t:vc (f7!xf:t:v)v(E-FIX)8ij:vc6pi:sivcpj:sj matchvcwithp1)e1:::pn)enc sj(ej)(E-MATCH)([C(~u)])app C(~u)(E-BLAB)([n])app n(E-BINT)([lx:t:e])app lx:t:([e])(E-BABS)([La:e])app La:([e])(E-BTAB)([e])pol e(E-NEST)fgfegvpolpol vpol(E-UNLAB) ep:s Expressionematchespatternpundersubstitutionspp:
(U-PATID)vx:x7!v(U-VAR)8i:si=(s0;:::;si�1)eisipi:si C(~e)C(~p):~s(U-CON)Figure5.DynamicsemanticsofFABLE(havingthesametypeandlabelasv1)shouldevaluateinthesamewayasP—itshouldproducethesameresultandtakethesamestepsalongthewaytowardproducingthatresult.Ifthiswerenottruethen,assumingP'sreductionisdeterministic,Pmustbeinferringinformationabouttheprotectedresource.Tomakethisintuitionformal,wewillshowthattheeval-uationsofprogramsPandP0arebisimilar,wheretheonlydifferencebetweenthemisthevalueoftheprotectedre-source.Toexpressthis,rstwedeneanequivalencere-lationcalledsimilarityuptol(analogoustodenitionsoflowequivalence[32,7])whichholdsfortwotermseande0iftheyonlydifferinsub-termsthatarelabeledwithl,withtheintentionthatlisthelabelofrestrictedresources.Denition2(Similarityuptol).Expressionseande0,iden-tieduptoa-renaming,aresimilaruptolabellaccordingtothefollowingrelation:eleflgelflge0ele0l06=l fl0gelfl0ge0ele0 lx:t:ellx:t:e0e1le01e2le02 e1e2le01e02:::Thesecondruleisthemostimportant.Itstatesthatar-bitraryexpressionseande0areconsideredsimilaratlabellwhenbotharelabeledwithl.Otherpartsoftheprogrammustbestructurallyidentical,asstatedbytheremainingcongruencerules(notallareshown;thefullrelationcanbefoundinourtechnicalreport[38]).Weextendsimilaritytoabisimulationasfollows:twosimilartermsarebisimilariftheyalwaysreducetosimilarsubterms,anddosoindef-initelyoruntilnofurtherreductionispossible.Thisnotionofbisimulationisthebasisofouraccesscontrolsecuritytheorem;itisbothtimingandterminationsensitive.Denition3(Bisimulation).Expressionse1ande2arebisimilaratlabell,writtene1le2,ifandonlyife1le2andthereexistse01;e02suchthate1c e01,e2c e02ande01le02.Theorem1(Non-observability).Givena([
])-freeexpres-sionesuchthat(a:ta;m:tm;cap:intfuserg;x:tfaclg`appe:te)whereaclanduserarelabelconstants,andgivenasubsti-tutions=(a7!access;m7!member;cap7!([fuserg0])).Then,fortype-respectingsubstitutionssi=s;x7!viwhere
`appvi:tfaclgfori=1,2,wehave(memberuseraclc False))s1(e)acls2(e).Thistheoremisconcernedwithaprogramethatcontainsnopolicy-bracketedterms(itisjustapplicationcode)but,viathesubstitutions,mayrefertoouraccesscontrolfunc-tionsaccessandmemberthroughthefreevariablesaandm.Additionally,theprogramisgrantedasingleusercapabil-ity([fuserg0])throughthefreevariablecapwhichgivestheprogramtheauthorityofuseruser.Theprogrammayalsorefertosomeprotectedresourcexwhoselabelisacl,buttheauthorityofuserisinsufcienttoaccessxaccordingtotheaccesscontrolpolicybecause(memberuseraclc False).Undertheseconditions,wecanshowthatforanytwo(well-typed)viwesubstituteforxaccordingtosubstitutionsi,theresultingprogramsarebisimilar—theirreductionisin-dependentofthechoiceofvi.Noticethatthistheoremisindifferenttotheactualimple-mentationoftheacllabelandthememberfunction.Thus,whileourexamplepolicyisfairlysimplistic,afarmoreso-phisticatedmodelcouldbeused.Forinstance,wecouldhavechosenlabelstostandforRBAC-orRT-styleroles[23]andmembercouldinvokeadecisionprocedurefordeter-miningrolemembership.Likewise,thetheoremisnotcon-8 typenameProva=(l:labfAuditorsgaffglg)policyattenhai(x:Prov(Prova))=letl,inner=xinletm,a=innerinletlm=Union(fgl,fgm)in(fAuditorsglm,flmga) policyapplyha,bi(lf:Prov(a!b),mx:Prova)=letl,f=lfinletm,x=mxinlety=(fgf)(fgx)inletlm=Union(fgl,fgm)in(fAuditorsglm,flmgy)Figure6.Enforcingadynamicprovenance-trackingpolicytwovaluesiftheydifferonlyonsub-termsoftypeProvawhoseprovenancelabelmentionsl.Thus,anapplicationprogramethatiscompiledwiththepolicyofFigure6andisexecutedincontextsthatdifferonlyinthechoiceofatrackedvalueoflabellwillcomputeresultsthatdifferonlyinsub-termsthatarealsocoloredusingl.Theorem2(Dependencycorrectness).Givena([
])-freeex-pressionesuchthata:ta;f:tf;x:Provt`appe:t0,andgivenasubstitutions=(a7!apply;f7!atten).Then,fortype-respectingsubstitutionssi=s;x7!viwhere`appvi:Provtfori=1,2itisthecasethatv1lv2implies(s1(e)app v01^s2(e)app v02))v01lv023.3.StaticInformationFlowBothpoliciesdiscussedsofarrelyonruntimechecks.ThissectionillustrateshowFABLEcanbeusedtoencodestaticlattice-basedinformationowpoliciesthatrequirenoruntimechecks.Inastaticinformationowtypesystem(asfoundinFlowCaml[32])labelslhavenorun-timewit-ness;theyonlyappearintypestflg.Labelsareorderedbyarelationvthattypicallyformsalattice.Thisorderingisliftedtoasubtypingrelationonlabeledtypessuchthatl1vl2)tfl1g:tfl2g.Assumingthelatticeorderingisxedduringexecution,well-typedprogramscanbeproventoadheretothepolicydenedbytheinitiallabelassign-mentappearinginthetypes.Figure7illustratesthepolicyfunctions,alongwithasmallsampleprogram.Inourencodingwedeneatwo-pointsecuritylatticewithatomiclabelsHIGHandLOWandprotectedexpressionswillhavelabeledtypesliketfHIGHg.TheorderingLOWHIGHisexempliedbythelub(leastupperbound)operationforthelattice.Thejoinfunction(similartotheattenfunctionfromFigure6)combinesmultiplelabelsonatypeintoasinglelabel.Theinterest-ingthinghereisthelabelattachedtoxisalabelexpres-sionlublm,ratherthananlabelvaluelikeHIGH.Thetyperule(T-CONV)presentedinFigure4canbeusedtoshowthatatermwithtypeintflubHIGHLOWgcanbegiventypeintfHIGHg(sincelubHIGHLOWc HIGH).Thisiscriti-caltobeingabletotypeprogramsthatusethispolicy.Thepolicyincludesasubsumptionfunctionsub,whichtakesasargumentsatermxwithtypeaflgandalabelpolicylub(x:lab,y:lab)=matchx,ywith ,HIGHjHIGH, )HIGHj , )LOWpolicyjoinha,l,mi(x:aflgfmg)=(flublmgfgfgx)policysubha,li(x:aflg,m:lab)=(flublmgfgx)policyapplyha,b,l,mi(f:(a!b)flg,x:a)=flg((fgf)x)Figure7.Enforcinganinformationowpolicymandallowsxtobeusedatthetypeaflublmg.Thisisarestatementofthesubsumptionruleabove,aslvmimpliesltm=m.(Oncetypesareerased,joinandsubarebothessentiallytheidentityfunctionandcouldbeopti-mizedaway.)Finally,thepolicyfunctionapplyunlabelsthefunctionfinordertocallit,andthenaddsf'slabelonthecomputedresult.Considerthefollowingclientprogramasanexampleus-ageofthestaticinformationowpolicy.letclient(f:(intfHIGHg!intfHIGHg)fLOWg,x:intfLOWg)=letx=(sub[int]xHIGH)injoin[int](apply[intfHIGHg][intfHIGHg]fx)Thefunctionclientherecallsfunctionfwithx,wherefexpectsaparameteroftypeintfHIGHgwhilexhastypeintfLOWg.Forthecalltotypecheck,theprogramusessubtocoercex'stypetointflubLOWHIGHgwhichisconvert-ibletointfHIGHg.ThecalltoapplyreturnsavalueoftypeintfHIGHgfLOWg.Thecalltojoincollapsesthepairoflabelssothatclient'sreturntypeisintflubHIGHLOWg,whichconvertstointfHIGHg.WehaveprovedthatFABLEprogramsusingthispolicyenjoythestandardnoninterferenceproperty.WehavealsoshownthataFABLEstaticinformationowpolicyisatleastaspermissiveastheinformationowpolicyimplementedbythefunctionalsubsetofCore-ML,theformallanguageofFlowCaml[30].Finally,weshowhowthedynamicprove-nancetrackingandstaticinformationowpoliciescanbecombinedtoenforcedynamicinformationow.Alltheaforementionedproofsmaybefoundinourtechnicalre-port[38].10 Themainbenetofcompositionalityismodularity;whenmultiplecomposablepoliciesareappliedtoaprogram,onecanreasonaboutthesecurityoftheentiresystembycon-sideringeachpolicyinisolation.Policydesignersthatareabletoencapsulatetheirpolicieswithinanamespacecanpackagetheirpoliciesaslibrariestobereusedalongwithotherpolicylibraries.Ournotionofcompositionisanoninterference-likeproperty—apolicyisdeemedcomposableifitcanbeshownnottodependon,orinuencethefunctioningofanotherpolicy.Aswithnoninterferencepropertiesinothercontexts,thisconditionisoftentoorestrictiveformanyrealisticex-amplesinwhichpolicies,bydesign,mustinteractwitheachother.Wendthatpoliciesthatdonotcomposeaccordingtothisdenitionperformakindofdeclassication(oren-dorsement)byallowinglabeledtermstoexit(orunlabeledtermstoenter)thepolicy'snamespace.Weconjecturethatthevastbodyofresearchintodeclassication[33]canbebroughttobearhereinordertorecoveradegreeofmodu-larityforinteractingpolicies.Ourtechnicalreport[38]con-tainstheformalstatementandproofofthepolicynoninter-ferencetheoremandfurtherdiscussionoftheapplicabilityofthiscondition.Finally,althoughwehavefocusedonbisimulationprop-ertiesinthispaper,webelievethatourapproachisalsolikelytobeusefulinprovingotherkindsofsecurityprop-erties.Forinstance,wehaverecentlybeguninvestigatingtheenforcementofinformationreleaseprotocolsbyaddingafnetypestoFABLE[39].Weformulatetheseprotocolsintermsofsecurityautomatausedasakindoftypestate[36].Wehavebeenabletoprovethattype-correctprogramspro-duceexecutiontracesthatcontaineventsequencesincom-pliancewithspecicinformationreleaseprotocols.Wehavealsofoundotherformsofsubstructuraltypestobeuseful.Ourtechnicalreport[38]sketchestheuseofrele-vanttypestotrackside-effectsinprogramsthatmanipulatereferencestomutablestate.4SELINKS:FABLEforWebProgrammingWehaveimplementedFABLEasanextensiontotheLINKSfunctionalweb-programminglanguage[12];wecallourextensionSecurity-EnhancedLINKS,orSELINKS.ThissectionbrieydescribesourSELINKSimplementationandpresentsourexperienceusingittobuildtwoapplica-tions,awikiSEWIKIandanon-linestoreSEWINESTORE.4.1.SELINKSLINKSisanewprogramminglanguagewithwhichaprogrammercanwriteanentiremulti-tierwebapplicationasasingleprogram.Thecompilersplitsthatprogramintocomponentstorunontheclient(asJavaScript),server(asalocalfragmentofLINKScode),anddatabase(asSQL).ByextendingLINKSwithFABLE'slabel-basedsecuritypoli-cies,wecanbuildapplicationsthatpolicedatawithinandacrosstiers,uptotheleveloftrustwehaveinthosetiers.Inourtestapplicationsweassumetheserveranddatabasearetrustedbuttheclientisnot.LINKSisafunctionalprogramminglanguageequippedwithstandardfeaturessuchasrecursivevarianttypes,pat-ternmatching,parametricpolymorphism,andhigher-orderfunctions.Assuch,theFABLEpolicieswehavepresentedsofartransliteratenaturallyintoSELINKS.OnedifferenceisthatratherthandeneaspecialtypelabasinFABLE,inSELINKSweallowarbitraryexpressionstobetreatedaslabels.TheexamplesinthispapercanberepresentedinSELINKSusingexpressionswithavarianttypeasalabel.Ourapplicationsmakeuseofvariants,strings,integers,listsandrecordstomoreeasilyconstructandinspectlabels.SELINKSalsoprovidesnativesupportforthesyntac-ticshorthandsshowninFigure2.TypeabbreviationsinLINKShavebeenextendedinSELINKStosupportabbrevi-ationsofdependenttypes.Policyfunctionsaredesignatedbythequalierpolicy,asintheexamplesofthispaper.Wealsoprovidenativesupportfordependenttuplesintermsofexistentialpackagesratherthanrequiringtheprogram-mertoencodethemwithhigher-orderfunctions.Whilethismakesdependenttupleseasiertouse,existentialpackagesinSELINKSmuststillbecarefullymanipulatedusingex-plicitpackandunpackoperations.Finally,althoughLINKSmakesheavyuseoftypeinfer-ence,inSELINKSwerelyonannotationstocheckcodethatmanipulatessecuritylabelsandlabeledtypes.However,weprovidelimitedbutconvenientformsofinferencetosim-plifyprogrammingandcutdownonannotations.Forin-stance,instantiationsofphantomlabelvariablesarealwaysinferredand,inmanycommoncases,packandunpackop-erationscanalsobeinferred.Additionally,codethatdoesnotuseourtypeextensionscanstillbenetfromstandardLINKStypeinference.4.2.SEWIKIandSEWINESTORESEWIKIisanon-linedocumentmanagementsystemin-spiredbyIntellipedia,asetofwebapplicationsdesignedtopromoteinformationsharingthroughouttheUnitedStatesintelligencecommunity[31].SEWIKIconsistsofapprox-imately3500linesofSELINKScode.Itenforcesane-grainedcombinationofagroup-basedaccesscontrolpol-icyandaprovenancepolicyondocuments.Adocumentisrepresentedasan-arytreeaccordingtothefollowingtypedenition:typenameDoc=Nodeof[Doc]jLeafofStringjLabeledof(l:DocLabelDocflg)12 tionofstaticanddynamicpolicychecking,butatthecostofpotentiallyundecidabletypechecking.OurSELINKSimplementationusesheuristicstoensurethattype-checkingneverdiverges.Walker's“typesystemforexpressivesecuritypoli-cies”[42]isalsodependentlytyped.LabelsinWalker'slan-guageareuninterpretedpredicatesratherthanarbitraryex-pressions.Walker'ssystemcanenforcepoliciesexpressedassecurityautomata,whichcancaptureanysafetyproperty.ThiskindofpolicyisalsoenforceableinFABLEwhenex-tendedwithsubstructuraltypes.However,inWalker'ssys-tem,thepolicyisalwaysenforcedbymeansofaruntimecheck.Inordertorecoversomeamountofstaticchecking,Walkersuggeststhatausermightaddadditionalrulestothetypesystem,thoughheisnotspecicabouthowthiswouldbedone.Theseadditionalruleswouldhavetobeprovedcorrectwithrespecttoadesiredsecurityproperty.Ithasbeenobservedthatdependenttypescanbeusedtoexpressakindofcustomizedtypesystem[43],andFA-BLE'spolicyfunctionstthisdescription.Forexample,thesubfunctioninthepolicyofFigure7effectivelyintro-ducesasubsumptionruleintothetypesystem.Researchershaveexploredhowuser-denedtypesystemscanbesup-porteddirectlyviacustomizabletypequaliers.Shankaretal.[35]haveusedlattice-basedtypequaliersinCQual[13]totrackdataowpropertiesliketaintedness[35],andZhangetal.[45]andFraseretal.[15]haveusedqualierstocheckcompletemediationinaccesscontrolsystems.Millsteinetal[8,1]havedevelopedanapproachinwhichprogrammerscanindicatedatainvariantsthatcustomtypequaliersareintendedtosignify.Insomecases,theyareabletoauto-maticallyverifythattheseinvariantsarecorrectlyenforcedbythecustomtyperules.Whiletheirinvariantsarerela-tivelysimple,weultimatelywouldliketodevelopaframe-workinasimilarvein,inwhichcorrectnesspropertiesforFABLE'senforcementpoliciescanbeatleastpartiallyau-tomated.Marinoetal.[27]haveproposedusingproofas-sistantsforthispurpose,andweplantoexplorethisideainthecontextofFABLEpolicies.LiandZdancewicshowhowtoencodeinformationowpoliciesinHaskell[25].Theydeneameta-languagethatmakesthecontrol-owstructureofaprogramavailableforinspectionwithintheprogramitself.TheirenforcementmechanismreliesonthelazyevaluationstrategyofHaskellthatallowsthecontrolowgraphtobeinspectedforin-formationleakspriortoevaluation.Whiletheirencodingpermitstheuseofcustomlabelmodels,theyonlyshowanencodingofaninformationowpolicy.Itisnotcleartheirsystemcouldbeusedtoencodetherangeofpoliciesdis-cussedhere.Inotherwork,LiandZdancewic[24]haveproposedla-belingtypeswithfunctionsthatdescribeconditionsunderwhichatypeisallowedtoberelabeled.Theirgoalistocon-trolwhatinformationisdeclassiedbyaprogram,whereasweaimtoenforceavarietyofpolicies.OurtechniqueofseparatingtheenforcementpolicyfromtherestoftheprogramisbasedonGrossmanetal'scol-oredbrackets[18].Theyusethesebracketstomodeltypeabstraction,whereasweusethemtoensurethatthepriv-ilegeofunlabelingandrelabelingtermsisnotmistakenlygrantedtoapplicationcode.Asaresult,wedonotneedtospeciallydesignateapplicationcodethatmayarisewithinpolicyterms,keepingthingsabitsimpler.Weplantoin-vestigatetheuseofdifferentcoloredbracketstodistinguishdifferentenforcementpolicies,followingGrossmanetal.'ssupportformultipleagents.Finally,inasmuchaswehavetargetedtheLINKSweb-programminglanguage[12]astheplatformonwhichtobuildFABLE,ourworkisrelatedtoSwift[9]andSIF[11],twoJif-basedprojectsthataimtosecurewebapplications.TheformerisatechniquethatpermitsawebapplicationtobesplitaccordingtoapolicyintoJavaScriptcodethatrunsontheclientandJavacodeontheserver,whilethelatterisaframeworkinwhichtobuildsecureservlets.Asdis-cussedinSection4,LINKSprovidessimilarfunctionality,exceptitadditionallyintegratesdatabaseaccesscodeintotheframework.WithournewsecuritycheckingfeaturesinSELINKS,asinSwift,practical,veried,end-to-endsecu-rityformulti-tieredapplicationsiswithinreach.6ConclusionsThispaperhaspresentedFABLE,acoreformalismforaprogramminglanguageinwhichprogrammersmayspecifysecuritypoliciesandreasonthatthesepoliciesareproperlyenforced.WehaveshownthatFABLEisexibleenoughtoimplementawidevarietyofsecuritypolicies,includ-ingaccesscontrol,provenance,andstaticinformationow,amongotherpolicies.WehavealsoarguedthatFABLE'sdesignsimpliesproofsthatprogramsusingthesepoliciesdosocorrectly.WehaveimplementedFABLEaspartoftheLINKSwebprogramminglanguage,andwehaveusedtheresultinglanguage,whichwecallSELINKS,tobuildtwosubstantialapplications,asecurewikiandasecureon-linestore.WhilemoreworkremainstomakeSELINKSafullysatisfactoryplatform,toourknowledge,noexistingframeworkenablestheenforcementofsuchawidevarietyofsecuritypolicieswithanequallyhighlevelofassurance.Acknowledgements:WethankJeffFoster,BonifaceHicks,PolyviosPratikakis,PeterSewellandtheanonymousreviewersforhelpfulcommentsonadraftofthispaper.Theviewsandconclusionscontainedinthisdocumentarethoseoftheauthorsandshouldnotbeinterpretedasrepresent-ingtheofcialpolicies,eitherexpressedorimplied,oftheArmyResearchLaboratoryortheU.S.Government.14