
Fable: A Language for Enforcing User-defined Security Policies


Abstract:

This paper presents FABLE, a core formalism for a programming language in which programmers may specify security policies and reason that these policies are properly enforced. In FABLE, security policies can be expressed by associating security labels with the data or actions they protect. Programmers define the semantics of labels in a separate part of the program called the enforcement policy. FABLE prevents a policy from being circumvented by allowing labeled terms to be manipulated only within the enforcement policy; application code must treat labeled values abstractly. Together, these features facilitate straightforward proofs that programs implementing a particular policy achieve their high-level security goals. FABLE is flexible enough to implement a wide variety of security policies, including access control, information flow, provenance, and security automata. We have implemented FABLE as part of the LINKS web programming language; we call the resulting language SELINKS. We report on our experience using SELINKS to build two substantial applications, a wiki and an on-line store, equipped with a combination of access control and provenance policies. To our knowledge, no existing framework enables the enforcement of such a wide variety of security policies with an equally high level of assurance.
Date of Conference: 18-22 May 2008
Date Added to IEEE Xplore: 28 May 2008
Print ISBN: 978-0-7695-3168-7

Conference Location: Oakland, CA, USA

1 Introduction

For 35 years or more, computer security researchers have explored techniques for ensuring that a software system correctly enforces its security policy, and that, as a result, the software exhibits a desirable security property [22]. A notable success toward this goal has been work on defining programming language-based techniques for enforcing information flow security policies [32]. A common form of information flow policy defines a set of security levels that can be ordered as a lattice, where sensitive data within a program is assigned a label derived from this lattice. Correct enforcement of this policy implies that a program exhibits some flavor of noninterference, which states that no information visible at level can be leaked onto a channel visible to level . By including the notion of a security label in a programming language's types, one can show that a correctly typed program is certain to enforce its security policy [41]. This approach has been implemented successfully in the Jif [10] and FlowCaml [30] languages.
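As an added example (not code from the paper or from SELINKS), the mechanism the abstract describes, modelled in Rust: a `policy` module plays the role of FABLE's enforcement policy, so only it can build, inspect or unlabel `Labeled` values, while application code outside the module handles them abstractly. The two-point lattice, the level names and the shop scenario are assumptions made for the illustration.

```rust
// Added example: a FABLE-style enforcement policy modelled in Rust.
// Labeled values are opaque outside `policy`; only the policy may create,
// inspect or unlabel them, mirroring FABLE's rule that labeled terms are
// manipulated solely within the enforcement policy.
mod policy {
    // Assumed two-point lattice, Low <= High (derive order follows declaration order).
    #[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
    pub enum Level { Low, High }

    impl Level {
        // Least upper bound in the lattice.
        pub fn join(self, other: Level) -> Level { if self >= other { self } else { other } }
    }

    // Fields are private: application code can neither read `value` nor forge a label.
    pub struct Labeled<T> { value: T, label: Level }

    pub fn label<T>(value: T, label: Level) -> Labeled<T> { Labeled { value, label } }

    pub fn label_of<T>(v: &Labeled<T>) -> Level { v.label }

    // Release point: the value is unlabeled only onto a channel whose level
    // dominates the data's label, so no High data reaches a Low channel.
    pub fn unlabel<T>(v: Labeled<T>, channel: Level) -> Result<T, Level> {
        if v.label <= channel { Ok(v.value) } else { Err(v.label) }
    }

    // Computing on labeled data yields a result at the join of the input labels,
    // so derived values are never less protected than their sources.
    pub fn map2<A, B, C>(a: Labeled<A>, b: Labeled<B>, f: impl FnOnce(A, B) -> C) -> Labeled<C> {
        Labeled { value: f(a.value, b.value), label: a.label.join(b.label) }
    }
}

use policy::{label, map2, unlabel, Labeled, Level};

// Application code (assumed scenario): a public price combined with a secret discount.
// It never sees inside a Labeled value; the policy decides what may be released.
pub fn total_with_secret(public_price: u32, secret_discount: u32) -> Labeled<u32> {
    let p = label(public_price, Level::Low);
    let d = label(secret_discount, Level::High);
    map2(p, d, |p, d| p.saturating_sub(d))
}

// Returns Some(total) only when the output channel is allowed to observe it.
pub fn emit(total: Labeled<u32>, channel: Level) -> Option<u32> {
    unlabel(total, channel).ok()
}

fn main() {
    assert_eq!(policy::label_of(&total_with_secret(100, 30)), Level::High);
    assert_eq!(emit(total_with_secret(100, 30), Level::Low), None);      // blocked flow
    assert_eq!(emit(total_with_secret(100, 30), Level::High), Some(70)); // permitted flow
}
```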

