Nothing Special   »   [go: up one dir, main page]
Skip to main content
Springer Nature Link
Log in

Controlling Data Flow with a Policy-Based Programming Language for the Web

  • Conference paper
Secure IT Systems (NordSec 2013)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8208))

Included in the following conference series:

  • 1458 Accesses

Abstract

It has become increasingly easy to write Web applications and other distributed programs by orchestrating invocations to remote third-party services. Increasingly, these third-party services themselves invoke other services and so on, making it difficult for the original application developer to anticipate where his/her data will end up. This may lead to privacy breaches or contractual violations. In this paper, we explore a simple distributed programming language that allows a web service provider to infer automatically where user data will travel to, and the developer to impose statically-checkable constraints on acceptable routes. For example, this may provide confidence that company data will not flow to a competitor, or that privacy-sensitive data goes through an anonymizer before being sent further out.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Abadi, M., Fournet, C.: Access control based on execution history. In: The Internet Society, editor, Network and Distributed System Security Symposium, NDSS, San Diego, CA (2003)

    Google Scholar 

  2. Bartoletti, M., Degano, P., Ferrari, G.L., Zunino, R.: Model checking usage policies. In: Kaklamanis, C., Nielson, F. (eds.) TGC 2008. LNCS, vol. 5474, pp. 19–35. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  3. Bartoletti, M., Degano, P., Ferrari, G.L.: History-based access control with local policies. In: Sassone, V. (ed.) FOSSACS 2005. LNCS, vol. 3441, pp. 316–332. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  4. Collinson, M., Pym, D.J.: Algebra and logic for resource-based systems modelling. Mathematical Structures in Computer Science 19(5) (2009)

    Google Scholar 

  5. Collinson, M., Pym, D.J.: Algebra and logic for access control. Formal Aspects of Computing 22(2) (2010)

    Google Scholar 

  6. Cranor, L.F., Reagle, J.: The platform for privacy preferences. Communications of the ACM 42(2), 48–55 (1999)

    Article  Google Scholar 

  7. Murphy VII, T.: Modal Types for Mobile Code. PhD thesis, Carnegie Mellon University, Available as technical report CMU-CS-08-126 (January 2008)

    Google Scholar 

  8. Murphy VII, T., Crary, K., Harper, R.: Type-safe distributed programming with ML5. In: Barthe, G., Fournet, C. (eds.) TGC 2007. LNCS, vol. 4912, pp. 108–123. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  9. Myers, A.C.: JFlow: practical mostly-static information flow control. In: POPL 1999: Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 228–241. ACM, New York (1999)

    Chapter  Google Scholar 

  10. Pearson, S.: Trusted Computing Platforms: TCPA Technology in Context. Prentice Hall PTR (July 2002)

    Google Scholar 

  11. Pfenning, F., Schürmann, C.: System description: Twelf — a meta-logical framework for deductive systems. In: Ganzinger, H. (ed.) CADE 1999. LNCS (LNAI), vol. 1632, pp. 202–206. Springer, Heidelberg (1999)

    Chapter  Google Scholar 

  12. Ferrante, J., Cytron, R., Heights, Y., Rosen, B.K., Wegman Mark, N., Kenneth Zadeck, F.: Efficiently computing static single assignment form and the control dependence graph. ACM Transactions on Programming Languages and Systems, TOPLAS (1991)

    Google Scholar 

  13. Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE Journal on Selected Areas in Communications 21(1), 5–19 (2003)

    Article  Google Scholar 

  14. Sans, T., Cervesato, I.: QWeSST for Type-Safe Web Programming. In: Farwer, B. (ed.) Third International Workshop on Logics, Agents, and Mobility — LAM 2010, Edinburgh, Scotland, UK (2010)

    Google Scholar 

  15. Sans, T., Cervesato, I.: Type-Safe Web Programming in QWeSST. Technical Report CMU-CS-10-125, Department of Computer Science, Carnegie Mellon University, Pittsburgh, PA (June 2010)

    Google Scholar 

  16. Swamy, N., Corcoran, B.J., Hicks, M.: Fable: A language for enforcing user-defined security policies. In: IEEE Symposium on Security and Privacy, pp. 369–383 (2008)

    Google Scholar 

  17. Zheng, L., Myers, A.C.: Dynamic security labels and static information flow control. International Journal of Information Security 6(2), 67–84 (2007)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Carnegie Mellon University, USA

    Thierry Sans, Iliano Cervesato & Soha Hussein

Authors
  1. Thierry Sans
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Iliano Cervesato
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Soha Hussein
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Applied Mathematics and Computer Science, DTU Compute, Technical University of Denmark, Richard Petersens Plades, Building 322, 2800, Lyngby, Denmark

    Hanne Riis Nielson

  2. Institut für Sicherheit in verteilten Anwendungen, Technische Universität Hamburg-Harburg, E-15, Harburger Schloßstraße 20, 21079, Hamburg, Germany

    Dieter Gollmann

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Sans, T., Cervesato, I., Hussein, S. (2013). Controlling Data Flow with a Policy-Based Programming Language for the Web. In: Riis Nielson, H., Gollmann, D. (eds) Secure IT Systems. NordSec 2013. Lecture Notes in Computer Science, vol 8208. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41488-6_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-41488-6_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41487-9

  • Online ISBN: 978-3-642-41488-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation