Liquid Information Flow Control

Sarah and Joyce at Projects to Know wrote a better description of this than I could:

In the past few years, policymakers have released new regulations like GDPR and CCPA, which impact how companies handle sensitive user data. Likewise, companies have designed new security strategies to protect their users. However, the technical implementation of these complex policies can be very challenging. To address this problem, some developers use web frameworks like Hails and Jacqueline to declaratively specify and automate data-dependent policies for information flow control (IFC). Unfortunately, these IFC frameworks may impose performance costs and do not catch errors early. In response to these limitations, Polikarpova et al. present Liquid Information Flow TYpes (LIFTY), a DSL for writing secure data centric applications, which encodes static IFC into an expressive yet decidable type system. With LIFTY, developers declare sources of sensitive data and specify policies. The language then statically and automatically verifies that the application conforms to the security policies.

I find this interesting because most companies I speak to are attempting to apply policies once the data leaves the local application and begins to be piped throughout the larger data engineering stack. This takes the viewpoint that data policies should be enacted and enforced by the data-generating application. There is certainly a lot to like about this approach.


Want to receive more content like this in your inbox?