Abstract

It is increasingly important for applications to protect sensitive data. Security policies are difficult to manage because their global nature requires coordinated reasoning and enforcement. To mitigate this, we propose a policy-agnostic programming model in which the programmer implements information flow policies separately from the other functionality. The programmer may rely on the runtime to automatically produce outputs adhering to these policies. For my Ph.D. thesis, I have developed the Jeeves programming language to explore this model. Jeeves allows programmers to define multiple views of sensitive values along with policies for disclosing these views. The Jeeves semantics describe the dynamic enforcement of these policies. We have proven security guarantees about our semantics and implemented Jeeves as an embedded domain-specific language in Scala. We have used our implementation to build a small conference management system. The goal of my thesis is to demonstrate the feasibility of policy-agnostic programming in a web framework. Towards this, we are working on a Python implementation of Jeeves and also working on extending Jeeves’s guarantees across the database interface.