Many modern web-platforms are no longer written by a single entity, such as a company or individual, but consist of a trusted core that can be extended by untrusted third-party authors. Examples of this approach include Facebook, Yammer, and Salesforce. Unfortunately, users running third-party “apps” have little control over what the apps can do with their private data. Today’s platforms offer only ad hoc constraints on app behavior, leaving users an unfortunate trade-off between convenience and privacy. A principled approach to code confinement could allow the integration of untrusted code while enforcing flexible, end-to-end policies on data access. This paper presents a new framework, Hails, for building web platforms, that adds mandatory access control and a declarative policy language to the familiar MVC architecture. We demonstrate the flexibility of Hails by building several platforms, including GitStar, a code-hosting website that enforces robust privacy policies on user data even while allowing untrusted apps to deliver extended features to users.
M.Abadi, M.Burrows, B.Lampson and G.Plotkin, A calculus for access control in distributed systems, ACM Transactions on Programming Languages and Systems15(4) (1993), 706–734. doi:10.1145/155183.155225.
2.
T.H.Austin, K.Knowles and C.Flanagan, Typed faceted values for secure information flow in Haskell, Technical Report UCSC-SOE-14-07, 2014.
3.
L.Badger, D.F.Sterne, D.L.Sherman, K.M.Walker and S.A.Haghighat, Practical domain and type enforcement for UNIX, in: Security and Privacy, IEEE, 1995, pp. 66–77.
4.
A.Barth, The web origin concept, Technical report, IETF, 2011, https://tools.ietf.org/html/rfc6454.
5.
K.Bhargavan, A.Delignat-Lavaud and S.Maffeis, Language-based defenses against untrusted browser origins, in: USENIX Security, 2013, pp. 653–670.
6.
A.Blankstein and M.J.Freedman, Automating isolation and least privilege in web services, in: Security and Privacy, IEEE, 2014, pp. 133–148.
7.
M.Blaze, J.Feigenbaum, J.Ioannidis and A.Keromytis, The KeyNote Trust-Management System Version 2, RFC 2704 (Informational), 1999, http://www.ietf.org/rfc/rfc2704.txt.
8.
M.Blaze, J.Feigenbaum and J.Lacy, Decentralized trust management, in: Security and Privacy, IEEE, 1996, pp. 164–173.
9.
A.Bortz and D.Boneh, Exposing private information by timing web applications, in: World Wide Web, ACM, 2007.
10.
British Standards Institution, Ergonomic requirements for office work with visual display terminals (VDTs), 1998.
11.
P.Buiras and A.Russo, Lazy programs leak secrets, in: Nordic Conference on Secure IT Systems, Springer, 2013, pp. 116–122. doi:10.1007/978-3-642-41488-6_8.
12.
R.Chandra, P.Gupta and N.Zeldovich, Separating web applications from user data storage with BSTORE, in: USENIX Conference on Web Application Development, 2010.
13.
R.Cheng, W.Scott, P.Ellenbogen, J.Howell and T.Anderson, Radiatus: Strong user isolation for scalable web applications, Technical report, University of Washington, 2014.
14.
W.Cheng, D.Ports, D.Schultz, V.Popic, A.Blankstein, J.Cowling, D.Curtis, L.Shrira and B.Liskov, Abstractions for usable information flow control in Aeolus, in: USENIX Annual Technical Conference, 2012.
15.
A.Chlipala, Static checking of dynamically-varying security policies in database-backed applications, in: Operating Systems Design and Implementation, USENIX, 2010.
16.
K.Chodorow and M.Dirolf, MongoDB: The Definitive Guide, O’Reilly Media, Inc., 2010.
17.
S.Chong, J.Liu, A.C.Myers, X.Qi, K.Vikram, L.Zheng and X.Zheng, Secure web applications via automatic partitioning, in: SOSP ’07 Proceedings of Twenty-first ACM SIGOPS Symposium on Operating Systems Principles, 2007, pp. 31–44. doi:10.1145/1294261.1294265.
18.
S.Chong, K.Vikram and A.C.Myers, SIF: Enforcing confidentiality and integrity in web applications, in: USENIX Security, 2007, pp. 1–16.
D.Crockford, Making JavaScript, safe for advertising, http://adsafe.org/.
22.
D.E.Denning, A lattice model of secure information flow, Communications of the ACM19(5) (1976), 236–243. doi:10.1145/360051.360056.
23.
J.DeTreville, Binder, a logic-based security language, in: Security and Privacy, IEEE, 2002, pp. 105–113.
24.
Disqus, 2015, https://disqus.com/.
25.
Docker, Introduction to container security, 2015, https://d3oypxn00j2a10.cloudfront.net/assets/img/Docker%20Security/WP_Intro_to_container_security_03.20.2015.pdf.
26.
C.Doctorow, United website breach let fliers see each others’, private data, 2015, https://boingboing.net/2015/01/28/united-website-breach-let-flie.html.
27.
L.Dusseault and J.M.Snell, PATCH method for HTTP, Technical report, IETF, 2010, https://tools.ietf.org/html/rfc5789.
A.P.Felt, M.Finifter, J.Weinberger and D.Wagner, Diesel: Applying privilege separation to database access, in: Symposium on Information, Computer and Communications Security, ACM, 2011, pp. 416–422.
30.
E.W.Felten and M.A.Schneider, Timing attacks on web privacy, in: Computer and Communications Security, ACM, 2000.
31.
FP Complete, School of Haskell, 2015, https://www.fpcomplete.com/school.
D.B.Giffin, A.Levy, D.Stefan, D.Terei, D.Mazières, J.Mitchell and A.Russo, Hails: Protecting data privacy in untrusted web applications, in: Operating Systems Design and Implementation, USENIX, 2012.
34.
Google, Google code prettify, 2012, http://code.google.com/p/google-code-prettify/.
35.
Hails team, The hails [Haskell] package, http://hackage.haskell.org/package/hails.
36.
D.Hedin and A.Sabelfeld, A perspective on information-flow control, in: Software Safety and Security – Tools for Analysis and Verification, IOS Press, 2012, pp. 319–347.
37.
S.Heule, D.Stefan, E.Z.Yang, J.C.Mitchell and A.Russo, IFC inside: Retrofitting languages with dynamic information flow control, in: Principles of Security and Trust, Springer, 2015.
38.
C.Hriţcu, M.Greenberg, B.Karel, B.C.Pierce and G.Morrisett, All your IFCException are belong to us, in: Security and Privacy, IEEE, 2013, pp. 3–17.
39.
M.Huilgol, Facebook’s latest security vulnerability allows third party applications to delete Facebook pages permanently, 2015, http://techpp.com/2015/08/27/facebook-pages-security-vulnerability/.
40.
S.Isaacs, Microsoft web sandbox, http://www.websandbox.org/.
41.
R.Kainda, I.Flechais and A.Roscoe, Security and usability: Analysis and evaluation, in: Availability, Reliability, and Security, IEEE, 2010, pp. 275–282.
42.
S.Khandelwal, Facebook vulnerability allows hacker to delete any photo album, 2015, https://thehackernews.com/2015/02/hacking-facebook-photo-album.html.
43.
S.Kovach, Nearly 7 million Dropbox passwords have been hacked, 2014, http://www.businessinsider.com/dropbox-hacked-2014-10.
44.
M.Krohn, A.Yip, M.Brodsky, N.Cliffer, M.F.Kaashoek, E.Kohler and R.Morris, Information flow control for standard OS abstractions, in: Symposium on Operating Systems Principles, 2007.
45.
M.Krohn, A.Yip, M.Brodsky, R.Morris and M.Walfish, A World Wide Web without walls, in: Hot Topics in Networking, Atlanta, GA, 2007.
46.
M.N.Krohn, Building secure high-performance web services with OKWS, in: USENIX Annual Technical Conference, 2004, pp. 185–198.
L.Latif, Github suffers a Ruby on Rails public key vulnerability, 2012, http://www.theinquirer.net/inquirer/news/2157093/github-suffers-ruby-rails-public-key-vulnerability.
49.
N.Li and J.C.Mitchell, RT: A role-based trust-management framework, in: DARPA Information Survivability Conference and Exposition, IEEE Computer Society, 2003.
50.
N.Li, W.H.Winsborough and J.C.Mitchell, Distributed credential chain discovery in trust management, Journal of Computer Security11(1) (2003), 35–86. doi:10.3233/JCS-2003-11102.
51.
P.Li and S.Zdancewic, Practical information-flow control in web-based information systems, in: Computer Security Foundations, IEEE Computer Society, 2005.
J.Liu, M.D.George, K.Vikram, X.Qi, L.Waye and A.C.Myers, Fabric: A platform for secure distributed computation and storage, in: Symposium on Operating Systems Principles, ACM, 2009.
54.
L.Lourenço and L.Caires, Information flow analysis for valued-indexed data security compartments, in: Trustworthy Global Computing, Springer, 2014, pp. 180–198. doi:10.1007/978-3-319-14128-2_11.
55.
L.Lourenço and L.Caires, Dependent information flow types, in: Principles of Programming Languages, ACM, 2015, pp. 317–328.
56.
J.MacFarlane, Pandoc: A universal document converter, http://johnmacfarlane.net/pandoc/.
57.
S.Maffeis and A.Taly, Language-based isolation of untrusted JavaScript, in: Computer Security Foundations, IEEE Computer Society, 2009, pp. 77–91.
58.
J.Mayer and J.Mitchell, Third-party web tracking: Policy and technology, in: Security and Privacy, IEEE, 2012, pp. 413–427.
59.
M.Miller, M.Samuel, B.Laurie, I.Awad and M.Stay, Caja: Safe active content in sanitized javascript, 2008, http://google-caja.googlecode.com/files/caja-spec-2008-06-07.pdf.
E.Moggi, Notions of computation and monads, Information and Computation93(1) (1991), 55–92. doi:10.1016/0890-5401(91)90052-4.
62.
B.Montagu, B.C.Pierce and R.Pollack, A theory of information-flow labels, in: Computer Security Foundations, IEEE Computer Society, 2013.
63.
D.Mosberger and T.Jin, httperf – A tool for measuring web server performance, ACM SIGMETRICS Performance Evaluation Review26(3) (1998), 31–37. doi:10.1145/306225.306235.
64.
A.C.Myers and B.Liskov, A decentralized model for information flow control, in: Symposium on Operating Systems Principles, ACM, 1997, pp. 129–142.
65.
A.C.Myers and B.Liskov, Protecting privacy using the decentralized label model, ACM Transactions on Computer Systems9(4) (2000), 410–442.
66.
J.L.Parker, LMonad: Information flow control for Haskell web applications, Master’s thesis, University of Maryland, 2014.
R.A.Popa, C.Redfield, N.Zeldovich and H.Balakrishnan, CryptDB: Protecting confidentiality with encrypted query processing, in: Symposium on Operating Systems Principles, ACM, 2011, pp. 85–100.
69.
R.A.Popa, E.Stark, J.Helfer, S.Valdez, N.Zeldovich, M.F.Kaashoek and H.Balakrishnan, Building web applications on top of encrypted data using Mylar, in: Networked Systems Design and Implementation, 2014, pp. 157–172.
D.Recordon and D.Reed, OpenID 2.0: A platform for user-centric identity management, in: Workshop on Digital Identity Management, ACM, 2006, pp. 11–16.
72.
P.M.Rondon, M.Kawaguci and R.Jhala, Liquid types, SIGPLAN Notices43 (2008), 159–169.
73.
I.Roy, D.E.Porter, M.D.Bond, K.S.McKinley and E.Witchel, Laminar: Practical fine-grained decentralized information flow control, in: Programming Language Design and Implementation, ACM, 2009.
74.
J.H.Saltzer and M.D.Schroeder, The protection of information in computer systems, Proceedings of the IEEE63(9) (1975), 1278–1308. doi:10.1109/PROC.1975.9939.
75.
D.Schoepe, D.Hedin and A.Sabelfeld, SeLINQ: Tracking information across application-database boundaries, in: International Conference on Functional Programming, ACM, 2014, pp. 25–38.
76.
D.Schultz and B.Liskov, IFDB: Decentralized information flow control for databases, in: European Conference on Computer Systems, ACM, 2013, pp. 43–56.
77.
B.Shackel, Usability-context, framework, definition, design and evaluation, in: Human Factors for Informatics Usability, 1991, pp. 21–37.
E.Sirer, W.de Bruijn, P.Reynolds, A.Shieh, K.Walsh, D.Williams and F.Schneider, Logical attestation: An authorization architecture for trustworthy computing, in: Symposium on Operating Systems Principles, ACM, 2011, pp. 249–264.
80.
M.Snoyman, Developing Web Applications with Haskell and Yesod, O’Reilly Media, Inc., 2012.
81.
E.Steel and G.Fowler, Facebook in privacy breach, The Wall Street Journal18 (2010).
82.
D.Stefan, Confinement with origin web labels, 2015, http://www.w3.org/TR/2015/WD-COWL-20151015/.
83.
D.Stefan, P.Buiras, E.Z.Yang, A.Levy, D.Terei, A.Russo and D.Mazières, Eliminating cache-based timing attacks with instruction-based scheduling, in: European Symposium on Research in Computer Security, Springer, 2013.
84.
D.Stefan, A.Russo, P.Buiras, A.Levy, J.C.Mitchell and D.Mazières, Addressing covert termination and timing channels in concurrent information flow systems, in: International Conference on Functional Programming, ACM, 2012.
85.
D.Stefan, A.Russo, D.Mazières and J.C.Mitchell, Disjunction category labels, in: Nordic Conference on Secure IT Systems, Springer, 2011.
86.
D.Stefan, A.Russo, D.Mazières and J.C.Mitchell, Flexible dynamic information flow control in the presence of exceptions, Journal of Functional Programming27 (2017). doi:10.1017/S0956796816000241.
87.
D.Stefan, A.Russo, J.C.Mitchell and D.Mazières, Flexible dynamic information flow control in Haskell, in: Symposium on Haskell, 2011, pp. 95–106.
88.
D.Stefan, E.Z.Yang, P.Marchenko, A.Russo, D.Herman, B.Karp and D.Mazières, Protecting users by confining JavaScript with COWL, in: Operating Systems Design and Implementation, USENIX, 2014.
89.
B.Sterne, Mozilla Corp., A.Barg and Google Inc., Content Security Policy, 2012, https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html.
90.
A.Taly, Ú.Erlingsson, J.C.Mitchell, M.S.Miller and J.Nagra, Automated analysis of security-critical javascript APIs, in: Security and Privacy, IEEE, 2011.
91.
D.Terei, S.Marlow, S.P.Jones and D.Mazières, Safe Haskell, in: Symposium on Haskell, 2012.
92.
M.Vassena, P.Buiras, L.Waye and A.Russo, Flexible manipulation of labeled values for information-flow control libraries, in: European Symposium on Research in Computer Security, Springer, 2016, pp. 538–557.
93.
E.Yang, D.Stefan, J.Mitchell, D.Mazières, P.Marchenko and B.Karp, Toward principled browser security, in: Hot Topics in Operating Systems, USENIX, 2013.
94.
J.Yang, T.Hance, T.H.Austin, A.Solar-Lezama, C.Flanagan and S.Chong, End-to-end policy-agnostic security for database-backed applications, CoRR, 2015, arXiv:1507.03513.
95.
J.Yang, K.Yessenov and A.Solar-Lezama, A language for automatically enforcing privacy policies, in: Principles of Programming Languages, ACM, 2012, pp. 85–96.
96.
A.Yip, X.Wang, N.Zeldovich and M.F.Kaashoek, Improving application security with data flow assertions, in: Symposium on Operating Systems Principles, ACM, 2009, pp. 291–304.
97.
S.Zdancewic, L.Zheng, N.Nystrom and A.C.Myers, Untrusted hosts and confidentiality: Secure program partitioning, in: Symposium on Operating Systems Principles, ACM, 2001.
98.
N.Zeldovich, S.Boyd-Wickizer, E.Kohler and D.Mazières, Making information flow explicit in HiStar, in: Operating Systems Design and Implementation, 2006, pp. 263–278.
99.
N.Zeldovich, S.Boyd-Wickizer and D.Mazières, Securing distributed systems with information flow control, in: Networked Systems Design and Implementation, 2008, pp. 293–308.
L.Zheng, S.Chong, A.C.Myers and S.Zdancewic, Using replication and partitioning to build secure distributed systems, in: Security and Privacy, IEEE, 2003.
