A language for automatically enforcing privacy policies

Yang, Jean; Yessenov, Kuat; Solar-Lezama, Armando

doi:10.1145/2103621.2103669

Cited by 59 publications

(31 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…NICE-PySE [8] and Commuter [12] both implement library-based symbolic execution in Python, but only for particular domain-specific languages. Yang et al [36] and Köskal et al [21] use the same technique in Scala, but to enforce security policies and perform constraint programming, respectively. Rosette [35] uses a library to symbolically execute Racket for verification and program synthesis.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Finding security bugs in web applications using a catalog of access control patterns

Near

Jackson

2016

Proceedings of the 38th International Conference on Software Engineering

View full text Add to dashboard Cite

We propose a specification-free technique for finding missing security checks in web applications using a catalog of access control patterns in which each pattern models a common access control use case. Our implementation, Space, checks that every data exposure allowed by an application's code matches an allowed exposure from a security pattern in our catalog. The only user-provided input is a mapping from application types to the types of the catalog; the rest of the process is entirely automatic. In an evaluation on the 50 most watched Ruby on Rails applications on Github, Space reported 33 possible bugs-23 previously unknown security bugs, and 10 false positives.

show abstract

Section: Related Workmentioning

confidence: 99%

“…Resin [37] is a runtime system that enforces information flow policies attached to data objects; it has been successfully applied to web applications. Jeeves [36], a similar language for enforcing information flow policies, has also been applied to the web. Jif [23], an extension of Java, also supports checking policies at runtime.…”

Section: Related Workmentioning

confidence: 99%

Finding security bugs in web applications using a catalog of access control patterns

Near

Jackson

2016

Proceedings of the 38th International Conference on Software Engineering

View full text Add to dashboard Cite

show abstract

“…Finally, there are quite a few programming languages and tools aimed at supporting information-flow secure programming [2, 3,7,30], as well as information-flow tracking tools for the client side of web applications [6,8,14]. We foresee a future where such tools will cooperate with proof assistants to offer light-weight guarantees for free and stronger guarantees (like the ones we proved in this paper) on a need basis.…”

Section: Related Workmentioning

confidence: 93%

CoSMed: A Confidentiality-Verified Social Media Platform

Bauereiss

Gritti²,

Popescu

et al. 2017

J Autom Reasoning

View full text Add to dashboard Cite

Abstract. This paper describes progress with our agenda of formal verification of information-flow security for realistic systems. We present CoSMed, a social media platform with verified document confidentiality. The system's kernel is implemented and verified in the proof assistant Isabelle/HOL. For verification, we employ the framework of Bounded-Deducibility (BD) Security, previously introduced for the conference system CoCon. CoSMed is a second major case study in this framework. For CoSMed, the static topology of declassification bounds and triggers that characterized previous instances of BD security has to give way to a dynamic integration of the triggers as part of the bounds.

show abstract

“…Control of declassification is limited to where in the program declassification may occur. Jeeves [64] extends a core language for functionality with a language for flexible security policies. RF [11] uses a relational Hoare logic to reason about 2-safety properties of probabilistic programs, including language-based notions of information flow security.…”

Section: Related Workmentioning

confidence: 99%

CoSMeDis: A Distributed Social Media Platform with Formally Verified Confidentiality Guarantees

BauereiB

Gritti²,

Popescu

et al. 2017

2017 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Abstract-We present the design, implementation and information flow verification of CoSMeDis, a distributed social media platform. The system consists of an arbitrary number of communicating nodes, deployable at different locations over the Internet. Its registered users can post content and establish intra-node and inter-node friendships, used to regulate access control over the posts. The system's kernel has been verified in the proof assistant Isabelle/HOL and automatically extracted as Scala code. We formalized a framework for composing a class of information flow security guarantees in a distributed system, applicable to input/output automata. We instantiated this framework to confidentiality properties for CoSMeDis's sources of information: posts, friendship requests, and friendship status.

show abstract

A language for automatically enforcing privacy policies

Cited by 59 publications

References 24 publications

Finding security bugs in web applications using a catalog of access control patterns

Finding security bugs in web applications using a catalog of access control patterns

CoSMed: A Confidentiality-Verified Social Media Platform

CoSMeDis: A Distributed Social Media Platform with Formally Verified Confidentiality Guarantees

Contact Info

Product

Resources

About