This course aims to teach learners how to build secure systems in Haskell by leveraging language-level information flow control (IFC) to enforce security policies throughout the code. The course covers the LIO IFC-security language embedded in Haskell and introduces Hails, a secure Haskell web framework for building server-side web applications that protect user data privacy and integrity. The teaching method involves explaining key concepts, demonstrating implementation details, and discussing the benefits and challenges of using a secure sub-language. This course is intended for developers interested in enhancing the security of their web applications and protecting sensitive data from privacy breaches.
Overview
Syllabus
Intro
Facebook missed a single security check...
Putting user privacy at risk: a recipe
A blogging web app example
Change how we build software
Yes! At least for web apps...
Hails: secure Haskell web framework
Extend MVC with security policy
How do we specify policy? • Policy specified as function from row to label Label concisely encodes read/write restriction on data
Where to enforce label restrictions?
How do we enforce labels?
Two kinds of code: MPs and VCs
extensibility
Is the TCB actually smaller?
Implementation details
Why Haskell?
Thinking about secure sub-language
Review: the 10 monad
How can we do anything useful?
Tracking reads & restricting writes
The LIO secure sub-language
What do we get with this?
What's the catch?
Summary
Taught by
Strange Loop Conference
