FriendStar: Extensible Web Applications with Information Flow Control

Web applications are increasingly becoming the primary curators of personal and corporate data. Social media applications like Facebook, LinkedIn and Twitter have transformed how users communicate with each other, while online document suites like Google Docs or Docs.com have made online collaboration the norm. Much of the success of such Web applications is due to the flexibility in allowing third-party vendors to extend user experiences. For example, Mint.com has been able to leverage the availability of banking data online to provide users with better ways of managing and visualizing their money. However, today’s web application APIs provide too little extensibility at too high a privacy cost for the next generation of web application extensions. Commonly, web application platforms find a middle ground between restricting access to data by third-party applications and requiring users to disclose private information: sacrificing both extensibility and privacy. This is a fundamental tradeoff in current architectures since third-party vendors must be trusted completely with data they have access to. For example, it is impossible for users to use an external photo editing application like Picnik while having the guarantee that their private Facebook photos won’t be misused. In the social web, data belonging to one user might be accessible to an application installed by another user, introducing even more complexity. In this paper we describe FriendStar, a web platform built in Haskell that uses information flow control [1] (IFC) to enforce policies on untrusted code. IFC allows users to specify policies in terms of where data can flow instead of what code is privileged to access it. For example, Alice can allow Bob to access her photo albums, while preventing any of Bob’s applications from leaking her photos to other users or external servers. To enforce these policies, every object is labeled, allowing the system to verify information flow is not being violated at the boundaries, e.g. the file system, network or database.