Searching for just a few words should be enough to get started. If you need to make more complex queries, use the tips below to guide you.
Issue title: Verified information flow security
Guest editors: Toby Murray, Andrei Sabelfeld and Lujo Bauer
Article type: Research Article
Authors: Giffin, Daniela | Levy, Amita | Stefan, Deianb; *; ** | Terei, Davida | Mazières, Davida | Mitchell, Johna | Russo, Alejandroc
Affiliations: [a] Stanford University, 353 Serra Mall, Stanford, CA 94305, USA | [b] UC San Diego, 9500 Gilman Drive, La Jolla, CA 92093, USA | [c] Chalmers University of Technology, Rännvägen 6B, 41296 Gothenburg, Sweden
Correspondence: [*] Corresponding author. E-mail: [email protected].
Note: [**] Part of this work was done while the author was at Stanford University and Intrinsic (formerly GitStar).
Abstract: Many modern web-platforms are no longer written by a single entity, such as a company or individual, but consist of a trusted core that can be extended by untrusted third-party authors. Examples of this approach include Facebook, Yammer, and Salesforce. Unfortunately, users running third-party “apps” have little control over what the apps can do with their private data. Today’s platforms offer only ad hoc constraints on app behavior, leaving users an unfortunate trade-off between convenience and privacy. A principled approach to code confinement could allow the integration of untrusted code while enforcing flexible, end-to-end policies on data access. This paper presents a new framework, Hails, for building web platforms, that adds mandatory access control and a declarative policy language to the familiar MVC architecture. We demonstrate the flexibility of Hails by building several platforms, including GitStar, a code-hosting website that enforces robust privacy policies on user data even while allowing untrusted apps to deliver extended features to users.
Keywords: Web security, confinement, information flow control, MAC, MPVC, functional programming, Haskell, LIO, COWL
DOI: 10.3233/JCS-15801
Journal: Journal of Computer Security, vol. 25, no. 4-5, pp. 427-461, 2017
IOS Press, Inc.
6751 Tepper Drive
Clifton, VA 20124
USA
Tel: +1 703 830 6300
Fax: +1 703 830 2300
[email protected]
For editorial issues, like the status of your submitted paper or proposals, write to [email protected]
IOS Press
Nieuwe Hemweg 6B
1013 BG Amsterdam
The Netherlands
Tel: +31 20 688 3355
Fax: +31 20 687 0091
[email protected]
For editorial issues, permissions, book requests, submissions and proceedings, contact the Amsterdam office [email protected]
Inspirees International (China Office)
Ciyunsi Beili 207(CapitaLand), Bld 1, 7-901
100025, Beijing
China
Free service line: 400 661 8717
Fax: +86 10 8446 7947
[email protected]
For editorial issues, like the status of your submitted paper or proposals, write to [email protected]
如果您在出版方面需要帮助或有任何建, 件至: [email protected]