© 2020 Strange Loop
Large-scale private user data theft has become a common occurrence. A huge factor in these privacy breaches we hear so much about is that developers specify and enforce data security policies by strewing checks throughout their application code. Overlooking even a single check can lead to vulnerabilities.
In this talk, I will describe a new approach to protecting sensitive data even when application code is buggy or malicious. The key ideas behind my approach are to separate the security and privacy concerns of an application from its functionality, and to use language-level information flow control (IFC) to enforce policies throughout the code.
This talk will cover LIO, an IFC-security language embedded in Haskell. LIO leverages Haskell's monads and strong type system to provide developers with a way to specify and enforce security policies on data. Building on LIO, I will then describe Hails, a server-side web framework that makes it easy to specify policies in a declarative way, alongside the application data model, and separate from the application functionality code. With Hails, developers can build server-side web applications that protect user data privacy and integrity, by construction.
Deian Stefan is an Assistant Professor of Computer Science and Engineering at the University of California, San Diego and the Chief (Mad) Scientist at Intrinsic (formerly GitStar). He is interested in building principled and practical secure systems that leverage advances in programming language techniques. Deian works on several systems, including COWL, a browser confinement system designed for modern web applications, Hails, a security-centric framework for building web platforms, LIO, a dynamic information flow control system, and ESpectro, a security architecture for Node.js. At Intrinsic, he is putting much of this research into practice by building systems, tools, and languages that will ultimately make it easier for developers to build and deploy web applications with minimal trust.