plsyssec / lio Goto Github PK

Labeled IO Library

Haskell 95.72% HTML 4.28%

lio's Introduction

About

The Labeled IO (LIO) library is an information flow control (IFC) library. IFC is a mechanism that enforces security policies by tracking and controlling the flow of information within a system. Different from discretionary access control (think UNIX file permissions), with IFC you can execute an untrusted computation on your secret data and be sure that it does not leak it or overwrite it.

LIO is an IFC library that can be used to implement such untrusted computations. LIO provides combinators similar to those of 'IO' for performing side-effecting computations (e.g., accessing the filesystem, modifying mutable references, throwing exceptions, etc.) To track and control the flow of information, LIO associates a security policy, usually called a label, with every piece of data. A label may, for example, impose a restriction on who can observe, propagate, or modify the data labeled as such. Different from standard IO operations, the LIO counterparts usually take an additional parameter for the label which they inspect before actually performing the (underlying IO) side-effecting computation. So, before writing to a file LIO asserts that the write will not violate any security policies associated with the file or the data to be written.

Most code should import module LIO and whichever label format the application is using (e.g., LIO.DCLabel). All untrusted code should have type LIO, which trusted code can safely execute with evalLIO. See Hackage for a description of the core library API.

The papers that describes the core of LIO, including motivation and formal modeling/proofs, are available here:

Deian Stefan. Principled and Practical Web Application Security. Ph.D. Thesis, Stanford University. December, 2015. PDF
Deian Stefan, Alejandro Russo, David Mazieres, and John C. Mitchell. Flexible Dynamic Information Flow Control in the Presence of Exceptions. Journal of Functional Programming, Cambridge University Press. Volume27, 2017. PDF
Daniel B. Giffin, Amit Levy, Deian Stefan, David Terei, David Mazières, John Mitchell, and Alejandro Russo. Hails: Protecting Data Privacy in Untrusted Web Applications. In Proceedings of Symposium on Operating Systems Design and Implementation (OSDI), USENIX. October, 2012. PDF
Stefan Heule, Deian Stefan, Edward Z. Yang, John C. Mitchell, and Alejandro Russo. IFC Inside: Retrofitting Languages with Dynamic Information Flow Control. In Proceedings of Conference on Principles of Security and Trust (POST), Springer. April, 2015. PDF
Deian Stefan, Alejandro Russo, Pablo Buiras, Amit Levy, John C. Mitchell, David Mazieres. Addressing Covert Termination and Timing Channels in Concurrent Information Flow Systems. In Proceedings of The 17th ACM SIGPLAN International Conference on Functional Programming (ICFP), ACM, 2012. PDF
Deian Stefan, Alejandro Russo, John C. Mitchell, and David Mazieres. Flexible Dynamic Information Flow Control in Haskell. In Proceedings of Haskell Symposium , ACM SIGPLAN . September 2011. PDF
Deian Stefan, Alejandro Russo, David Mazieres, and John C. Mitchell. Disjunction Category Labels. In Proceedings of 16th Nordic Conference on Security IT Systems, NordSec , Springer LNCS. October 2011. PDF

Structure of repository

This repository is divided into three packages:

lio: The main LIO library
lio-fs: Simple IFC filesystem library
quickcheck-lio-instances: QuickCheck2 instances for LIO
lio-eval: Tests and benchmarks. This is a package solely because it depends on both lio and quickcheck-lio-instances. Having the tests and benchmarks in lio leads to a circular dependency.
lio-http-server: Simple HTTP server implementation. Forked into its own project Frankie.
lio-simple: Slightly older simple HTTP server implementation atop Simple.

Acknowledgements

We thank Catalin Hritcu, Benjamin Pierce, and Jeremy Planul for insightful comments on both the design and implementation of LIO. This work was funded by the DARPA Clean-Slate Design of Resilient, Adaptive, Secure Hosts (CRASH) program, BAA-10-70. Deian Stefan was funded by The National Defense Science and Engineering Graduate (NDSEG) Fellowship while working on LIO.

lio's People

Contributors

Stargazers

Watchers

lio's Issues

Add test cases for all the `...P` functions

Question: Is the HLIO source code also available somewhere?

threadDelay & lFork

At some point we had lFork loop forever (until lWait is actually used to kill it) -- we should bring this back. This addresses the fork-bombing attack.
We should remove threadDelay from the API. (Not sure why we haven't until now, w'eve been aware of the cache-based internal timing attack for a while)

lio-http-server rewrite!

Finish up LIO.HTTP.Server. Mostly there, see: 0309ad
Define Show instances for Request and Response.
Expose Status, Query and anything else you might need to do basic things. 0309ad
Expose friendly response combinators See this and this
Build some example servers.
Controller monad. See this or this
Pattern-matching routes.
Port mustache to lio

add support for logging

add support for sessions

Fail to install

I'm trying to install LIO, but am running into some compiler errors:

$ cabal install lio
Resolving dependencies...
Configuring lio-0.11.4.1...
Building lio-0.11.4.1...
Preprocessing library lio-0.11.4.1...
[ 1 of 15] Compiling LIO.TCB          ( LIO/TCB.hs, dist/build/LIO/TCB.o )
[ 2 of 15] Compiling LIO.Label        ( LIO/Label.hs, dist/build/LIO/Label.o )
[ 3 of 15] Compiling LIO.Run          ( LIO/Run.hs, dist/build/LIO/Run.o )

LIO/Run.hs:29:13:
    Ambiguous occurrence `catch'
    It could refer to either `Prelude.catch',
                             imported from `Prelude' at LIO/Run.hs:12:8-14
                             (and originally defined in `System.IO.Error')
                          or `Control.Exception.catch',
                             imported from `Control.Exception' at LIO/Run.hs:14:1-29
                             (and originally defined in `Control.Exception.Base')
cabal: Error: some packages failed to install:
lio-0.11.4.1 failed during the building phase. The exception was:
ExitFailure 1

I'm running ghc 7.4.1, cabal 1.14.0 on Ubuntu.

Revised to `directory < 1.3.8` on hackage

Hello lio-fs maintainers! (I hope I got the right repo here, because the Hackage publication points at https://github.com/scslab/lio but nothing has happened there in 7 years...)

In my role as Hackage Trustee, added bound directory < 1.3.8 to the publications of lio-fs on Hackage, see e.g. https://hackage.haskell.org/package/lio-fs-0.0.1.2/revisions/.

Background is that in directory-1.3.8.0, the module System.Directory is on longer declared safe, thus import safe System.Directory errors out.

Discussion at:

haskell/directory#147

remove/rename tryLIO since it may give users the impression that it should be used with catchLIO as try and catch
fix doc for cathLIOP
fix doc for dcLabel to explain args
delegate priv should return mempty vs. nothing

Bugs/minor-changes

Labeled should only require lattice, not bounded lattice. No need to have top and bottom
readFile should close descriptor

Configuring lio-0.11.7.0...
Preprocessing library for lio-0.11.7.0..
Building library for lio-0.11.7.0..
[ 1 of 23] Compiling LIO.TCB          ( LIO/TCB.hs, dist/build/LIO/TCB.o )

LIO/TCB.hs:68:3: error:
    ‘fail’ is not a (visible) method of class ‘Monad’
   |
68 |   fail = LIOTCB . const . fail
   |   ^^^^