A Library for Light-Weight Information-Flow Security in Haskell

    Abstract: Protecting confidentiality of data has become increasingly important for computing systems. Information-flow techniques have been developed over the years to achieve that purpose, leading to special-purpose languages that guarantee information-flow security in programs. However, rather than producing a new language from scratch, information-flow security can also be provided as a library. In previous work, this has been done using the arrow framework. In this work, we show that arrows are not necessary to design such libraries and that a less general notion, namely monads, is sufficient to achieve the same goals. We present a monadic library to provide information-flow security for Haskell programs. The library introduces mechanisms to protect confidentiality of data for pure computations, that we then easily, and modularly, extend to include dealing with side-effects. We also present combinators to dynamically enforce different declassification policies when released of information is required in a controlled manner. It is possible to enforce policies related to what, by whom, and when information is released or a combination of them. The well-known concept of monads together with the lightweight characteristic of our approach makes the library suitable to build applications where confidentiality of data is an issue.

  • Paper published at Haskell Symposium '08
  • Extended version of the paper
  • Download the library and examples, 28 July, 2008.
  • Download extended version of the library, 2009.