Affiliations: [a] Stanford University, 353 Serra Mall, Stanford, CA 94305, USA | [b] UC San Diego, 9500 Gilman Drive, La Jolla, CA 92093, USA | [c] Chalmers University of Technology, Rännvägen 6B, 41296 Gothenburg, Sweden
Note: [**] Part of this work was done while the author was at Stanford University and Intrinsic (formerly GitStar).
Abstract: Many modern web-platforms are no longer written by a single entity, such as a company or individual, but consist of a trusted core that can be extended by untrusted third-party authors. Examples of this approach include Facebook, Yammer, and Salesforce. Unfortunately, users running third-party “apps” have little control over what the apps can do with their private data. Today’s platforms offer only ad hoc constraints on app behavior, leaving users an unfortunate trade-off between convenience and privacy. A principled approach to code confinement could allow the integration of untrusted code while enforcing flexible, end-to-end policies on data access. This paper presents a new framework, Hails, for building web platforms, that adds mandatory access control and a declarative policy language to the familiar MVC architecture. We demonstrate the flexibility of Hails by building several platforms, including GitStar, a code-hosting website that enforces robust privacy policies on user data even while allowing untrusted apps to deliver extended features to users.
Keywords: Web security, confinement, information flow control, MAC, MPVC, functional programming, Haskell, LIO, COWL
