scslab / hails Goto Github PK

View Code? Open in Web Editor NEW

52.0 52.0 8.0 1.67 MB

The security-centric web platform framework

Home Page: http://hails.scs.stanford.edu

License: MIT License

Haskell 100.00%

hails's People

Contributors

Stargazers

Watchers

Forkers

deian alevy ashwins1 fullstackdistributedsystems jsarracino ramonkeypr

hails's Issues

MongoDB & automatic labeling

Complete structured DB interface including label-row policies & policylabeled cells.

Database/collection relationship is forgeable

In the structured branch, accessP will happily accept and run a query on any database regardless of whether the policy was written by that database's owner or not. Database should be a field of Policy rather than a parameter to accessP

time, rng: move into lio

Move the Hails.Data.Time etc. into LIO since they're not Hails specific.

cleanup and sanity check

clean up interface
check that exceptions in Iter/Inums cannot be used to leak information (should be a fix in lio)

Trusted External HTTP Library

A library for communicating with external HTTP libraries. The library should allow arbitrary external interactions while to sources above the caller's label:

Before caller has read any labeled data, this is arbitrary sources on the web
After caller has read labeled data, only allow if L_c leq L_domain. Therefore, data can be labeled "/ domain" to allow it to be sent to a particular external web source.

add headers that indicate ifc violation

Add headers to specify the principal on whose behalf the app is running and response header a la IFC violation.

Secrecy on user input

Allow annotations in HTML as to how the data will be labeled
Extend LBson to allow for Labeled (Labeled Bson.Document) types -- this will effectively allow for the insertion of data more secret than the clearance (but not really since the outer label will have to be below clearance). Interestingly, this will allow for the insertion of data that a policy specifier cannot declassify and thus exfiltrate

move findAll, from gitstar, to hails structured

allow $operators in selectable

Integrity on user input

Generics for converting to/from DCRecord

Cleanup auth methods in hails binary

We are using Maybe for the different authentication methods, while they are disjoint and we shoudl really be using a ADT.

Changing collection clearance

Suppose we have a collection with clearance L_C0. We insert a document D whose label is L_C0. Following the collection clearance is changed to L_C1 such that L_C0 does not flow to L_C1. Now we retrieve document D from the collection -- its label L_C0 is above the collection clearance L_C1 (which would violate the desired property: read>>= write ⇒ return ()). An approach is to serialize the clearance into the collection and make sure that it can only be lowered.

routeFileSys should be unsafe

routeFileSys in Hails.IterIO.HailsRoute should be unsafe. we can move the systemsMime map somewhere else and just make this module unsafe. The apps use the mime map, so we should fix them accordingly.

restrict names of Document fields

similar to how we restrict _hails_internal... field names, we need to make sure that the user cannot create "control" fields, i.e., keys that start with $

labeled values and searchable

When inserting a document we should check that the value of a searchable key is not of a labeled type. This asserts that we can't perform arbitrary aggregations on labeled values.
When retrieving a searchable value, we should make sure that it's not a labeled value, by sanitizing the retrieved document (i.e., remove all hails-internal)

Remove the instance:

instance Label l => Insert l (Labeled l (Document l)) where