Verifying Compliance of Trusted Programs
Conference on Security Symposium, 2008
Abstract (cited by 10, 7 self):
In this paper, we present an approach for verifying that trusted programs correctly enforce system security goals when deployed. A trusted program is trusted to only perform safe operations despite having the authority to perform unsafe operations; for example, initialization programs, administrative programs, root network daemons, etc. Currently, these programs are trusted without concrete justification. The emergence of tools for building programs that guarantee policy enforcement, such as security-typed languages (STLs), and mandatory access control systems, such as user-level policy servers, finally offers a basis for justifying trust in such programs: we can determine whether these programs can be deployed in compliance with the reference monitor concept. Since program and system policies are defined independently, often using different access control models, compliance for all program deployments may be difficult to achieve in practice, however. We observe that the integrity of trusted programs must dominate the integrity of system data, and use this insight, which we call the PIDSI approach, to infer the relationship between program and system policies, enabling automated compliance verification. We find that the PIDSI approach is consistent with the SELinux reference policy for its trusted programs. As a result, trusted program policies can be designed independently of their target systems, yet still be deployed in a manner that ensures enforcement of system security goals.
Information Flow Control for Secure Web Sites, 2008
Abstract (cited by 4, 0 self):
Web sites fail in the worst ways. They can reveal private data that can never be retracted [60, 72, 78, 79]. Or they can succumb to vandalism, and subsequently show corrupt data to users [27]. Blame can fall on the off-the-shelf software that runs the site (e.g., the operating system, the application libraries, the Web server, etc.), but more frequently (as in the above references), the custom application code is the guilty party. Unfortunately, the custom code behind many Web sites is difficult to secure and audit, due to large and rapidly-changing trusted computing bases (TCBs). A promising approach to reducing TCBs for Web sites is decentralized information flow
Abstract:
In fond remembrance of my thatha Shri. V. Lakshminarayanan, my paati Smt. Sharada Seshan, kollu paati, and Bruno.

ACKNOWLEDGMENTS

I would like to express my heartfelt gratitude to:

• my teachers and peers from IIT Bombay, for being a never-ending source of inspiration and for giving my career the best start that I could have hoped for.
• Somesh Jha, for six years of patient advice and support, for ensuring me a productive research environment, and for shaping me as a researcher.
• Trent Jaeger, for being a wonderful mentor and for being unconditionally supportive of all my efforts.
• Trishul Chilimbi, Thomas Reps, Sanjit Seshia, Michael Swift, and all my collaborators over the years for giving me the opportunity to work with and learn from them.
• Trent Jaeger, Susan Horwitz, Marvin Solomon, Michael Swift and Parameswaran Ramanathan, for serving on my thesis committee.
• my academic siblings and other members of the security research group at UW-Madison, for making the group a productive and enjoyable one to do research in.
• all my friends over the years, both at UW-Madison and at IIT Bombay, for support, encouragement, and for keeping me sane.

Thank you very much! My biggest source of advice, encouragement, motivation and support are undoubtedly Amma and Appa, and mere words will do injustice to express my gratitude to them. Their guidance and sacrifice made this possible, and their affection and belief in me made it all worthwhile. My success is also theirs. To them, I dedicate this work.
Developing a Security Typed Java Servlet
Abstract:
The lack of security policy enforcement in web development languages is one of the most important challenges in web application systems development, as there is no formal check for security policy violations that may occur during web application system development. To check for policy compliance, the programmer must walk through all the code and check every line to make sure that there are no security violations. For example, a developer may develop a web application system connected to a database that seems to work properly, but it can commit a certain security policy violation by permitting unauthorized users to access the database system. This paper proposes a solution for the above problem by developing an application of a security-typed Java servlet that can run on the web server side safely. This servlet is developed by embedding the Java code produced by compiling the Java information flow language (Jif) (a security-typed programming language that extends Java with support for information flow control and access control, both at compile time and at run time) into a servlet code format. The code produced by compiling the Jif language is security typed and supports the servlet with means of flow control and access control. Hence we can guarantee that when we run this servlet in a web application system it will check input data passing through the web application system for information flow security policy violations.