LMonad: Information Flow Control for Haskell Web Applications
Publication or External Link
Many web applications adhere to privacy policies for users and offer rich access control policies. It can be difficult to enforce these policies because applications can be complex, large, and involve multiple developers. Information Flow Control (IFC) can address this difficulty by guaranteeing that policies are enforced.
This thesis presents LMonad, an IFC system designed to enforce IFC policies in Haskell web applications. LMonad generalizes LIO, previous work that offers IFC for Haskell programs. Specifically, LMonad provides a monad transformer to enforce IFC, in LIO's style, over any existing computation. In addition, LMonad offers label annotations to specify policies, and it guarantees that database interactions adhere to the policies.
To evaluate LMonad, we developed an example website with various IFC policies and converted a large, existing web application to include LMonad policies. Results indicate that LMonad has low runtime overhead and is feasible to use in terms of programmer effort.