Controlling Data Flow with a Policy-Based Programming Language for the Web
Thierry Sans, Iliano Cervesato, Soha Hussein
(PowerPoint presentation, slides)
Privacy from the user's perspective
Should I use this app? How does this app use my data?
App's Privacy Policy / User's Privacy Expectations
Privacy from the web developer's perspective
How should I write my privacy policy?
Can we generate a privacy policy automatically?
Based on the privacy policies of third-party service providers ...
... and based on how the program combines these services ...
... can we infer how the user's data will be used? *
* no adversary model: third parties are assumed trustworthy
Two solutions
Solution 1: Analyze the programs and infer the data flow
➡ Static analysis, abstract interpretation
Solution 2: Design a new programming language
➡ Qwel (Qatar Web Programming Language) with data flow
Qwel: lambda calculus + primitives for remote procedure call + ...
Fragment of the language syntax
Types        τ ::= unit | τ × τ′ | τ → τ′ | τ ⇒ τ′
Expressions  e ::= x | λx:τ.e | (e1 e2) | ⟨e1,e2⟩ | fst e | snd e | () | w/u | publish x:τ.e | call e1 with e2
Here w/u names the service u published at host w; τ ⇒ τ′ is the type of a published (remotely callable) service, τ → τ′ that of an ordinary function.
Typing
Σ | Γ ⊢w e : τ    "e has type τ at w w.r.t. Σ and Γ"
Γ ::= · | Γ, x : τ
Σ ::= · | Σ, w/u : τ ⇒ τ′
Programming with Qwel
@w1   publish x : τ . e            (defines the service w1/u1)
@w0   call w1/u1 with input        (sends input to w1/u1 and receives the result)
Data Flow Services
Services: w0/u0 w1/u1 w2/u2 w3/u3 w4/u4 w5/u5 (figure)
w1/u1 = publish x : unit.
          let x′ = call w2/u2 with x
          in call w3/u3 with x′ end
w0/u0 = publish x : unit.
          let x′  = call w1/u1 with x
              x″  = call w4/u4 with x′
              x‴  = call w5/u5 with x′
          in ⟨x″, x‴⟩ end
Client: λ input:unit.(call w0/u0 with input)
Four kinds of flow (figure): no flow, service flow, sequential flow, parallel flow
Qwel with Flow
Fragment of the language syntax
Types        τ ::= unit | τ × τ′ | τ {μ} → τ′ | τ {μ} ⇒ τ′
Expressions  e ::= x | λx:τ.e | (e1 e2) | ⟨e1,e2⟩ | fst e | snd e | () | w/u | publish x:τ.e | call e1 with e2
Flow         μ ::= •  |  w ≻ μ  |  μ ; μ′  |  μ ∥ μ′
                  no    service   composition (sequential)   parallel
A function or service type τ {μ} ⇒ τ′ records the flow μ that its argument undergoes; in Γ, x : τ {μ} records the flow that the value of x undergoes in the expression being typed.
Typing
Σ | Γ ⊢w e : τ    "e has type τ at w w.r.t. Σ and Γ"
Γ ::= · | Γ, x : τ {μ}
Σ ::= · | Σ, w/u : τ {μ} ⇒ τ′
No flow and service flow
w2/u2 = publish x : unit. x                     : unit {w2 ≻ •} ⇒ unit
w1/u1 = publish x : unit. call w2/u2 with x     : unit {w1 ≻ (w2 ≻ •)} ⇒ unit
w0/u0 = publish x : unit. call w1/u1 with x     : unit {w0 ≻ (w1 ≻ (w2 ≻ •))} ⇒ unit
Typing rule for publish (the flow of the parameter x in the body becomes the service's flow, prefixed by the host w):
  Σ | Γ, x : τ {μ} ⊢w e : τ′
  ──────────────────────────────────────────
  Σ | Γ ⊢w publish x:τ.e : τ {w ≻ μ} ⇒ τ′
Parallel flow
w0/u0 = publish x : unit.
          let x′ = call w4/u4 with x
              x″ = call w5/u5 with x
          in ⟨x′, x″⟩ end
        : unit {w0 ≻ ((w4 ≻ •) ∥ (w5 ≻ •))} ⇒ unit
Typing rule for pairs (Γ ∥ Γ′ merges the two contexts, so a variable used on both sides flows along both branches):
  Σ | Γ ⊢w e1 : τ      Σ | Γ′ ⊢w e2 : τ′
  ──────────────────────────────────────
  Σ | (Γ ∥ Γ′) ⊢w ⟨e1,e2⟩ : τ × τ′
Sequential flow
w1/u1 = publish x : unit.
          let x′ = call w2/u2 with x
          in call w3/u3 with x′ end
        : unit {w1 ≻ ((w2 ≻ •) ; (w3 ≻ •))} ⇒ unit
Typing rule for calls (the argument's context Γ′ is sequenced with the callee's flow μ):
  Σ | Γ ⊢w e1 : τ {μ} ⇒ τ′      Σ | Γ′ ⊢w e2 : τ
  ────────────────────────────────────────────────
  Σ | (Γ ∥ (Γ′ ; μ)) ⊢w call e1 with e2 : τ′
Back to the example
Services: w0/u0 w1/u1 w2/u2 w3/u3 w4/u4 w5/u5
Client: λ input:unit.(call w0/u0 with input)
Where is input going to? How will it be used?
Can we get a symbolic expression that represents how input is used?
➡ The data flow of input (abbreviating w ≻ • as w):
w0 ≻ ((w1 ≻ (w2 ; w3)) ; (w4 ∥ w5))
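The inference sketched on these slides, as an added example that is not code from the paper or the Qwel prototype: a small Python model of the first-order fragment that computes the flow annotation of every published service and of `input` by reading the context Γ off each expression with the publish, pair and call rules above. The tuple encoding of flows, the service bodies (mirroring the slides' w0 to w5, with w2 to w5 assumed to be identity services), the native `let` form and the names `uses`, `service_flow` and `show` are this example's own assumptions.

```python
from functools import lru_cache

# Flow μ ::= • | w ≻ μ | μ ; μ′ | μ ∥ μ′, encoded as tuples (this example's choice).
DOT = ("dot",)                                  # •  : the value goes no further

def svc(w, mu=DOT):                             # w ≻ μ : sent to host w, then μ
    return ("svc", w, mu)

def seq(a, b):                                  # μ ; μ′, with • as the identity
    if a == DOT:
        return b
    if b == DOT:
        return a
    return ("seq", a, b)

def par(a, b):                                  # μ ∥ μ′ : sent along both branches
    return ("par", a, b)

# Expressions of the first-order fragment (constructors are this example's own).
def var(x): return ("var", x)
def call(s, e): return ("call", s, e)           # call s with e
def pair(a, b): return ("pair", a, b)           # ⟨a, b⟩
def let(x, e1, e2): return ("let", x, e1, e2)   # let x = e1 in e2 end
def publish(x, body): return ("publish", x, body)

# Constructed service environment: name -> (host, published expression).
# w2..w5 are assumed to be identity services (publish x. x), as on the slides.
SERVICES = {
    "w2/u2": ("w2", publish("x", var("x"))),
    "w3/u3": ("w3", publish("x", var("x"))),
    "w4/u4": ("w4", publish("x", var("x"))),
    "w5/u5": ("w5", publish("x", var("x"))),
    "w1/u1": ("w1", publish("x",
        let("x1", call("w2/u2", var("x")),
            call("w3/u3", var("x1"))))),
    "w0/u0": ("w0", publish("x",
        let("x1", call("w1/u1", var("x")),
        let("x2", call("w4/u4", var("x1")),
        let("x3", call("w5/u5", var("x1")),
            pair(var("x2"), var("x3"))))))),
}

def merge_par(u1, u2):
    """Γ ∥ Γ′: a variable used on both sides flows along both branches."""
    out = dict(u1)
    for y, m in u2.items():
        out[y] = par(out[y], m) if y in out else m
    return out

def uses(e):
    """Context Γ read off e: maps each free variable to the flow its value
    undergoes inside e (• when it is merely returned)."""
    kind = e[0]
    if kind == "var":
        return {e[1]: DOT}
    if kind == "unit":
        return {}
    if kind == "call":                      # rule for call: argument context Γ′ ; μ
        mu = service_flow(e[1])
        return {y: seq(m, mu) for y, m in uses(e[2]).items()}
    if kind == "pair":                      # rule for pairs: Γ ∥ Γ′
        return merge_par(uses(e[1]), uses(e[2]))
    if kind == "let":                       # let x = e1 in e2
        _, x, e1, e2 = e
        u2 = uses(e2)
        mu_x = u2.pop(x, None)              # what e2 does with the value of x
        u1 = uses(e1)
        if mu_x is not None:                # inputs of e1 continue into that flow
            u1 = {y: seq(m, mu_x) for y, m in u1.items()}
        return merge_par(u1, u2)
    raise ValueError(f"unknown expression {kind}")

@lru_cache(maxsize=None)
def service_flow(name):
    """Flow annotation of a published service, τ {w ≻ μ} ⇒ τ′ (rule for publish)."""
    host, (_, x, body) = SERVICES[name]
    return svc(host, uses(body).get(x, DOT))

def atomic(mu):
    return mu == DOT or (mu[0] == "svc" and mu[2] == DOT)

def show(mu):
    """Pretty-print in the slides' abbreviated notation (w ≻ • written as w)."""
    if mu == DOT:
        return "•"
    if mu[0] == "svc":
        return mu[1] if mu[2] == DOT else f"{mu[1]} ≻ {paren(mu[2])}"
    op = " ; " if mu[0] == "seq" else " ∥ "
    return paren(mu[1]) + op + paren(mu[2])

def paren(mu):
    s = show(mu)
    return s if atomic(mu) else f"({s})"

def input_flow():
    """Flow of `input` in the client  λ input:unit.(call w0/u0 with input)."""
    return uses(call("w0/u0", var("input")))["input"]

if __name__ == "__main__":
    for name in SERVICES:
        print(f"{name} : unit {{{show(service_flow(name))}}} ⇒ unit")
    print("input :", show(input_flow()))   # w0 ≻ ((w1 ≻ (w2 ; w3)) ; (w4 ∥ w5))
```

`uses` works backwards from the result, exactly as the contexts Γ do in the rules: the pair rule puts x′ in parallel, and each `let` sequences the flow of the bound expression in front of whatever the body does with the bound variable, which is why the common prefix w1 ≻ (w2 ; w3) is factored out in front of w4 ∥ w5 instead of being duplicated on both branches.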
From data flow to flow policies
Service:  w1/u1 = publish x : unit. f(x)     App's Privacy Policy: the service's type τ {μ} ⇒ τ′
Client:   call w1/u1 with input [p]          User's Privacy Expectations: the policy annotation [p]
Policy evaluation: does the inferred flow μ satisfy the policy p?
The policy language
Fragment of the language syntax
Types        τ ::= unit | τ × τ′ | τ {μ} → τ′ | τ {μ} ⇒ τ′
Expressions  e ::= x | λx:τ.e | (e1 e2) | ⟨e1,e2⟩ | fst e | snd e | () | w/u | publish x:τ.e | call e1 with e2 [p]
Flow         μ ::= • | w ≻ μ | μ ; μ′ | μ ∥ μ′
Policies     p ::= ⊤ | ⊥ | ¬p | p1 ∧ p2 | p1 ∨ p2 | • | w ≻ p | p1 ; p2
Policy Evaluation
Derived Operators
(defined on the slides by diagrams over calls wi/ui with wi ∈ ws; only the operator forms survive, with the readings suggested by the policy examples that follow)
- ws ≻ p      sent to one of the hosts wi ∈ ws, then p
- ws ≻? p     as ws ≻ p, with the hop optional
- ws ≻⋆ p     as ws ≻ p, repeated to any nesting depth
- p1 ;? p2    p1, optionally followed by p2
- p1 ;⋆ p2    p1, followed by any number of further steps satisfying p2
Policy examples
(the overbars marking set complement on this slide did not survive extraction, so a set literal such as {w5} may stand for "any host except w5")
Alice trusts w1 calling any services as needed, and w0 may send the result coming from w1 to w4 and/or w5 if needed:
  w0 ≻ ((w1 ≻ ((w2 ≻ ⊤) ; ⊤)) ; {w4,w5})
Alice trusts w0, w1, w2, w3, w4 and w5 only:
  ({w0, w1, w2, w3, w4, w5} ≻⋆ ⊥) ;⋆ ⊥
Alice trusts any node except w6:
  {w6} = ({w6} ≻⋆ ⊥) ;⋆ ⊥
Chinese Wall security policy
Once the value is sent to w4, no nested service call or further composition may involve w5, and vice versa:
  p4 = (w4 ≻ {w5}) ;? {w5}
  p5 = (w5 ≻ {w4}) ;? {w4}
  p  = {w4,w5} ∨ (({w4,w5} ≻⋆ p4) ;⋆ {w5}) ∨ (({w4,w5} ≻⋆ p5) ;⋆ {w4})
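An added example, not from the paper or the Qwel prototype, of checking a policy annotation `[p]` against an inferred flow. The slides give the policy grammar, but their evaluation rules and derived-operator definitions did not survive extraction, so the satisfaction relation `sat` below is an assumed structural reading: • matches an empty flow, w ≻ p matches a single hop to w followed by a flow satisfying p, p ; q matches some sequential split, the boolean connectives are as usual, and a parallel flow complies only if every branch does (decided before negation, so a negative policy cannot be escaped by forking the data). `to_any` is one plausible reading of the derived operator ws ≻ p; the set-complement forms used in the examples are not reconstructed. The flow constructors repeat the tuple encoding of the flow-inference example.

```python
# Flow μ ::= • | w ≻ μ | μ ; μ′ | μ ∥ μ′ as tuples (this example's encoding).
DOT = ("dot",)
def svc(w, mu=DOT): return ("svc", w, mu)        # w ≻ μ
def seq(a, b): return ("seq", a, b)               # μ ; μ′
def par(a, b): return ("par", a, b)               # μ ∥ μ′

# Policy p ::= ⊤ | ⊥ | ¬p | p ∧ p | p ∨ p | • | w ≻ p | p ; p
TOP, BOT, PDOT = ("top",), ("bot",), ("pdot",)
def neg(p): return ("not", p)
def conj(p, q): return ("and", p, q)
def disj(p, q): return ("or", p, q)
def to(w, p): return ("to", w, p)                 # w ≻ p
def then(p, q): return ("then", p, q)             # p ; q

def to_any(hosts, p):
    """One reading of the derived operator ws ≻ p: sent to some w in ws, then p.
    Assumption: the slides' own definition is not recoverable."""
    out = BOT
    for w in sorted(hosts):
        out = disj(out, to(w, p))
    return out

def segments(mu):
    """Sequential segments of μ, re-associating ';' and dropping •."""
    if mu == DOT:
        return []
    if mu[0] == "seq":
        return segments(mu[1]) + segments(mu[2])
    return [mu]

def reseq(segs):
    """Inverse of segments: rebuild a flow from a list of segments."""
    if not segs:
        return DOT
    out = segs[-1]
    for s in reversed(segs[:-1]):
        out = seq(s, out)
    return out

def sat(mu, p):
    """Assumed satisfaction relation: does the flow μ comply with the policy p?"""
    segs = segments(mu)
    if len(segs) == 1 and segs[0][0] == "par":
        # Assumption: a parallel flow complies only if every branch does.
        # Decided before ¬ so that ¬(w5 ≻ ⊤) still rejects w4 ∥ w5.
        return sat(segs[0][1], p) and sat(segs[0][2], p)
    k = p[0]
    if k == "top":
        return True
    if k == "bot":
        return False
    if k == "not":
        return not sat(mu, p[1])
    if k == "and":
        return sat(mu, p[1]) and sat(mu, p[2])
    if k == "or":
        return sat(mu, p[1]) or sat(mu, p[2])
    if k == "pdot":                                   # • : the value stops here
        return segs == []
    if k == "to":                                     # w ≻ p : one hop to w, then p
        return (len(segs) == 1 and segs[0][0] == "svc"
                and segs[0][1] == p[1] and sat(segs[0][2], p[2]))
    if k == "then":                                   # p ; q : some split satisfies both
        return any(sat(reseq(segs[:i]), p[1]) and sat(reseq(segs[i:]), p[2])
                   for i in range(len(segs) + 1))
    raise ValueError(f"unknown policy {k}")

# Constructed: the flow inferred for `input` in the running example,
# w0 ≻ ((w1 ≻ (w2 ; w3)) ; (w4 ∥ w5)).
EXAMPLE_FLOW = svc("w0", seq(svc("w1", seq(svc("w2"), svc("w3"))),
                             par(svc("w4"), svc("w5"))))

# "w1 may call anything it needs, and w0 may forward w1's result to w4 and/or w5"
ALICE = to("w0", then(to("w1", TOP), to_any({"w4", "w5"}, PDOT)))
# "w0 must never forward w1's result to w5"
NO_W5 = to("w0", then(to("w1", TOP), neg(to("w5", TOP))))

def check_call(mu, p):
    """The check at `call e1 with e2 [p]`: the call is rejected when μ violates p."""
    return "allowed" if sat(mu, p) else "rejected"

if __name__ == "__main__":
    print("ALICE:", check_call(EXAMPLE_FLOW, ALICE))   # allowed
    print("NO_W5:", check_call(EXAMPLE_FLOW, NO_W5))   # rejected
```

The ordering inside `sat` is the security-relevant choice: if negation were evaluated before the parallel case, ¬(w5 ≻ ⊤) would be read as "not (both branches go to w5)" and the fork to w4 ∥ w5 would slip through; evaluating the parallel case first makes every branch answer to the same policy.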
The Qwel prototype
A web application
- Qwel interpreter written in JavaScript (browser/server)
- Remote procedure calls are HTTP requests
- Services are stored locally in a MongoDB database
Conclusion
- Qwel, a type-safe language for web programming
- Types annotated with flow inferred statically
- Policy language to constrain flows
Future work
- Extend the data flow model to discriminate between services from the same domain
- Support higher-order functions by dealing with hypothetical flow (polymorphic flow types)
- Extend the data flow model with support for mobile code (JavaScript code)
- Prove that executing the code generates a trace that matches the data flow predicted statically
Thank You
On the problem with higher-order functions
@w0   publish (f, x) : ((int → int) × int) = (f x)
What is the flow of x? It depends on f!
  f : int {μ} → int
  the published service : int {w0 ≻ μ} ⇒ int
We need to account for hypothetical flow with higher-order functions
➡ Polymorphic flow types
Related Work
Dependencies between program building blocks
- History-based type systems, Abadi et al. [1]
- Data Flow Graph, Ferrante et al. [12]
➡ In Qwel, services can be created dynamically, as opposed to having static libraries
Acceptable composition of shared resources
- Algebra and logic for access control, Pym et al. [4, 5]
➡ Qwel outlines the specific context of web programming
Verifying policy constraints statically
- Fable, Swamy et al. [16]
- Jif, Myers et al. [17]
➡ Similar idea explored with Qwel, but not based on labeling
Data flow vs. non-interference
In non-interference models
- flow is controlled by means of type labels and a lattice
- but there is no explicit data flow representation
We want to understand better how they are related
- Are these two approaches orthogonal?
- Can we use them in conjunction to provide a robust