Fri 17 Jun 2016 10:30 - 11:00 at Grand Ballroom Santa Ynez - Security Chair(s): Andrew Myers

We present an approach for dynamic information flow control across the application and database. Our approach reduces the amount of policy code required, yields formal guarantees across the application and database, works with existing relational database implementations, and scales for realistic applications. In this paper, we present a programming model that factors out information flow policies from application code and database queries, a dynamic semantics for the underlying $\lambda^JDB$ core language, and proofs of termination-insensitive non-interference and policy compliance for the semantics. We implement these ideas in Jacqueline, a Python web framework, and demonstrate feasibility through three application case studies: a course manager, a health record system, and a conference management system used to run an academic workshop. We show that in comparison to traditional applications with hand-coded policy checks, Jacqueline applications have 1) a smaller trusted computing base, 2) fewer lines of policy code, and 2) reasonable, often negligible, additional overheads.

Fri 17 Jun

10:30 - 12:00: Research Papers - Security at Grand Ballroom Santa Ynez
Chair(s): Andrew MyersCornell University
pldi-2016-papers10:30 - 11:00
Jean YangCarnegie Mellon University, Travis HanceDropbox, Thomas H. Austin, Armando Solar-LezamaMIT, Cormac FlanaganUC Santa Cruz, Stephen ChongHarvard University
Link to publication Media Attached
pldi-2016-papers11:00 - 11:30
David CostanzoYale University, Zhong ShaoYale University, Ronghui GuYale University
Pre-print Media Attached
pldi-2016-papers11:30 - 12:00
Rohit SinhaUniversity of California, Berkeley, Manuel CostaMicrosoft Research, Akash LalMicrosoft Research India, Nuno P. LopesMicrosoft Research, Sriram RajamaniMicrosoft Research, Sanjit SeshiaUC Berkeley, Kapil VaswaniMicrosoft Research
Media Attached