Faceted Information Flow and Bi-Monadic Interpreters

When an application fails to ensure information flow security, it may leak sensitive data such as passwords, credit card numbers, or medical records. News stories of such failures abound. Austin and Flanagan [2012] introduce faceted values – values that present different behavior according to the privileges of the observer – as a dynamic approach to enforcing information flow policies for an untyped, imperative λ-calculus. We implement faceted values as a Haskell library, elucidating their relationship to types and monadic imperative programming. In contrast to previous work, our approach does not require modification to the language runtime. In addition to pure faceted values, our library supports faceted mutable reference cells and secure facet-aware socket-like communication. To illustrate a non-trivial use of the library, we present an interpreter for a small language whose information flow security is guaranteed by our library. This interpreter uses a monad in the traditional way for encapsulating effects, but it also uniquely uses a second monad to structure its values.