A Reusable, Secure Reference Monitor Based on the Aura Programming Language

Aura (Jia et al., 2008; Vaughan et al., 2008) is a dependently typed higher-order programming language. It was designed to facilitate the automation of institutional access control policy. Following the Curry-Howard isomorphism, Aura types correspond to logical propositions and its expressions correspond to proofs. At runtime, Aura programs manipulate evidence to construct these authorization proofs (which, thanks to the dependent type system, may reference live data). Aura’s typechecker is used to determine if proofs provided to support access to a restricted resource are properly formed in accordance to policy. In this way, a single reference monitor may be written that, when combined with application-specific rules, can be applied to many situations where securing a resource is required. This leads to a reduction in the size of the trusted computing base. We have extended Aura’s interpreter and typechecker to support transportation of proofs across the network, including support for cryptography and auditing as was originally imagined. In the process of doing so we have developed a method for describing RPC services in the Aura language and a configurable reference monitor that may host arbitrary Aura policies using .NET remoting. We have added an API that allows other .NET languages to make use of Aura code (either local or remote); this is a natural complement to the foreign function interface that already allowed Aura policies to access .NET objects. To demonstrate the applicability of the Aura platform to real-world problems, we have built a small Web service using C] that uses our API to communicate securely with its backend. Furthermore, this service allows decisions about login to be delegated (again within the Aura framework) to other trusted services.