← Back to papers
2021 OSDI OSDI 2021

STORM: Refinement Types for Secure Web Applications

Abstract

We present Storm, a web framework that allows developers to build MVC applications with compile-time enforcement of centrally specified data-dependent security policies. Storm ensures security using a Security Typed ORM that refines the (type) abstractions of each layer of the MVC API with logical assertions that describe the data produced and consumed by the underlying operation and the users allowed access to that data. To evaluate the security guarantees of Storm, we build a formally verified reference implementation using the Labeled IO (LIO) IFC framework. We present case studies and end-to-end applications that show how Storm lets developers specify diverse policies while centralizing the trusted code to under 1% of the application, and statically enforces security with modest type annotation overhead, and no run-time cost.

๐Ÿงญ Keyword Pioneer โ€” security policy
๐Ÿ Cross-Pollinator โ€” Artificial Intelligence, Computer Science, Deep Learning, Interdisciplinary, Knowledge & Reasoning, Machine Learning, Natural Language Processing, Reinforcement Learning, Security & Privacy

Authors

Nico Lehmann , Rose Kunkel , Jordan Brown , Jean Yang , Niki Vazou , Nadia Polikarpova , Deian Stefan , Ranjit Jhala

Topics

Computer Science > Foundations > Programming Languages Computer Science > Applications > Software Engineering

Keywords

information flow control type system security policy refinement type web application security
Download PDF

Related papers

Zeph: Cryptographic Enforcement of End-to-End Data Privacy 2021
Horcrux: Automatic JavaScript Parallelism for Resource-Efficient Web Computation 2021
Rearchitecting Linux Storage Stack for ยตs Latency and High Throughput 2021
Polyjuice: High-Performance Transactions via Learned Concurrency Control 2021
MAGE: Nearly Zero-Cost Virtual Memory for Secure Computation 2021