A Library for Light-Weight Information-Flow Security in Haskell
Paper in proceedings, 2008
Protecting the confidentiality of data has become increasingly important for computing systems. Information-flow techniques have been developed over the years to achieve that purpose, leading to special-purpose languages that guarantee information-flow security in programs. However, rather than producing a new language from scratch, information-flow security can also be provided as a library. This has been done previously in Haskell using the arrow framework. In this paper, we show that arrows are not necessary to design such libraries and that a less general notion, namely monads, is sufficient to achieve the same goals. We present a monadic library that provides information-flow security for Haskell programs. The library introduces mechanisms to protect the confidentiality of data in pure computations, which we then easily and modularly extend to cover side-effects. We also present combinators to dynamically enforce different declassification policies when information must be released in a controlled manner. Policies can constrain what information is released, by whom, and when, or a combination of these. The well-known concept of monads, together with the light-weight character of our approach, makes the library suitable for building applications where confidentiality of data is an issue.
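To make the design described in the abstract concrete, here is an added illustrative sketch of a monadic information-flow library. It is not the paper's own library code: the level types `L`/`H`, the `Less` class, `Sec`, `SecIO`, `up`, `open`, the `Admin` token and the declassification combinators are names assumed for this sketch. The confidentiality guarantee depends on one thing the sketch cannot show on its own: the `MkSec` constructor and the `H`/`Admin` witnesses must be hidden from untrusted code by the module's export list, so that the only ways to turn a `Sec H a` into something public are `open` (which needs the `H` witness) and an explicit declassification hatch.

```haskell
{-# LANGUAGE MultiParamTypeClasses #-}
-- Illustrative sketch of a monadic information-flow library (assumed names,
-- not the paper's library). In a real module only the types, class and the
-- functions below would be exported; MkSec, H and Admin would stay private.
module SecSketch where

-- Security levels as phantom types: L = public, H = secret.
data L = L
data H = H

-- The flow lattice: information may move from a to b only if Less a b holds.
class Less a b
instance Less L L
instance Less L H
instance Less H H

-- A value tagged with security level s. Computing on it is a monad, so
-- pure code can be written normally without ever unwrapping the secret.
newtype Sec s a = MkSec a

instance Functor (Sec s) where
  fmap f (MkSec a) = MkSec (f a)

instance Applicative (Sec s) where
  pure = MkSec
  MkSec f <*> MkSec a = MkSec (f a)

instance Monad (Sec s) where
  MkSec a >>= k = k a

-- Raise a value's level; the type checker rejects flows the lattice forbids
-- (there is no instance Less H L, so a secret can never be lowered this way).
up :: Less sl sh => Sec sl a -> Sec sh a
up (MkSec a) = MkSec a

-- Unwrap a value; the caller must present the level's witness. Untrusted
-- code only ever holds L, so it can open public values but not secrets.
open :: Sec s a -> s -> a
open (MkSec a) _ = a

-- Declassification hatches. Each one is trusted code and encodes a policy:
--   what: only f's result is released, never the secret itself.
declassifyWhat :: (a -> b) -> Sec H a -> Sec L b
declassifyWhat f (MkSec a) = MkSec (f a)

--   when: release only while a public condition holds (e.g. a session is
--   authenticated); otherwise nothing leaves the high level.
declassifyWhen :: Bool -> (a -> b) -> Sec H a -> Maybe (Sec L b)
declassifyWhen cond f s
  | cond      = Just (declassifyWhat f s)
  | otherwise = Nothing

--   who: only a caller holding the (private) Admin token may use this hatch.
data Admin = Admin

declassifyBy :: Admin -> (a -> b) -> Sec H a -> Sec L b
declassifyBy Admin = declassifyWhat

-- Side effects: an IO action whose result is classified at level s.
-- Effects are sequenced by the monad while results keep their label.
newtype SecIO s a = MkSecIO (IO (Sec s a))

instance Functor (SecIO s) where
  fmap f (MkSecIO io) = MkSecIO (fmap (fmap f) io)

instance Applicative (SecIO s) where
  pure = MkSecIO . pure . pure
  MkSecIO f <*> MkSecIO a = MkSecIO ((<*>) <$> f <*> a)

instance Monad (SecIO s) where
  MkSecIO io >>= k = MkSecIO $ do
    MkSec a <- io
    let MkSecIO io' = k a
    io'

-- Lift a classified value into SecIO and run a SecIO computation (trusted).
value :: Sec s a -> SecIO s a
value = MkSecIO . return

run :: SecIO s a -> IO (Sec s a)
run (MkSecIO io) = io

-- Constructed sample: a secret credential and a check that stays secret.
secretPassword :: Sec H String
secretPassword = pure "example-secret"

checkGuess :: String -> Sec H Bool
checkGuess g = fmap (== g) secretPassword

-- The "what" policy: the Bool outcome is released, the password is not.
loginOK :: String -> Bool
loginOK g = open (declassifyWhat id (checkGuess g)) L

main :: IO ()
main = do
  let pub  = pure 3 :: Sec L Int
      both = (+) <$> up pub <*> pure 4 :: Sec H Int   -- low flows up to high
  print (open both H)            -- trusted code opens with the H witness
  print (loginOK "example-secret")
  print (loginOK "wrong-guess")
  case declassifyWhen False length secretPassword of
    Nothing -> putStrLn "not authenticated: nothing released"
    Just s  -> print (open s L)
  MkSec n <- run (value both >>= \x -> pure (x * 2))   -- effects, label kept
  print n
  -- print (open secretPassword L)   -- rejected: L is not a witness for H
```

Two points the sketch makes visible. First, the non-interference property comes from the types alone: with `MkSec` hidden there is no term of type `Sec H a -> a` available to untrusted code, so `up` and the monad instances let it compute on secrets but never observe them. Second, a hatch such as `declassifyWhat` moves the security decision into the choice of `f`; passing `id` releases everything, so the function supplied to a hatch is exactly the policy that needs review.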
Keywords: Declassification, Monad, Library, Information-flow, Security