End-to-end Verification of Security Enforcement is Fine

Proving software free of security bugs is hard. Programming language support to ensure that programs correctly enforce their security policies would help, but, to date, no language has the ability to verify the enforcement of the kinds of policies used in practice— dynamic, stateful policies which address a broad range of concerns including forms of access control and information flow tracking. This paper makes two main contributions. First, we present FINE, a new source-level security-typed language that, through the use of a simple module system and dependent, refinement, and affine types, can be used to check the enforcement of dynamic security policies applied to real software. Second, we define DCIL, a small extension to the type system of the .NET Common Intermediate Language, and show how to compile FINE in a type-preserving manner to DCIL. Our approach allows FINE programs to run on stock .NET virtual machines and to interface with .NET libraries. Additionally, our type-preserving compiler allows code consumers to download DCIL programs and check them for security while relying on a small trusted computing base. We have proved our source and target languages sound, our compilation type-preserving, and have made a prototype implementation of our compiler and several example programs available.