{"id":20009777,"url":"https://github.com/plsyssec/lio","last_synced_at":"2025-09-10T12:36:07.757Z","repository":{"id":2211805,"uuid":"3161068","full_name":"PLSysSec/lio","owner":"PLSysSec","description":"Labeled IO Library","archived":false,"fork":false,"pushed_at":"2020-09-23T20:19:37.000Z","size":2431,"stargazers_count":57,"open_issues_count":8,"forks_count":22,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-08-25T02:11:59.726Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Haskell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PLSysSec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2012-01-12T09:33:06.000Z","updated_at":"2024-12-01T18:39:25.000Z","dependencies_parsed_at":"2022-09-08T07:41:46.296Z","dependency_job_id":null,"html_url":"https://github.com/PLSysSec/lio","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/PLSysSec/lio","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PLSysSec%2Flio","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PLSysSec%2Flio/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PLSysSec%2Flio/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PLSysSec%2Flio/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/PLSysSec","download_url":"https://codeload.github.com/PLSysSec/lio/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PLSysSec%2Flio/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274463124,"owners_count":25290113,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-10T02:00:12.551Z","response_time":83,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T07:17:03.875Z","updated_at":"2025-09-10T12:36:07.732Z","avatar_url":"https://github.com/PLSysSec.png","language":"Haskell","funding_links":[],"categories":[],"sub_categories":[],"readme":"About\n=============\n\nThe *Labeled IO* (LIO) library is an information flow control (IFC)\nlibrary. IFC is a mechanism that enforces security policies by\ntracking and controlling the flow of information within a system.\nDifferent from discretionary access control (think UNIX file\npermissions), with IFC you can execute an untrusted computation on\nyour secret data and be sure that it does not leak it or overwrite\nit.\n\nLIO is an IFC library that can be used to implement such untrusted\ncomputations. LIO provides combinators similar to those of 'IO' for\nperforming side-effecting computations (e.g., accessing the\nfilesystem, modifying mutable references, throwing exceptions, etc.)\nTo track and control the flow of information, LIO associates a\nsecurity policy, usually called a *label*, with every piece of data.\nA label may, for example, impose a restriction on who can observe,\npropagate, or modify the data labeled as such.  Different from\nstandard IO operations, the LIO counterparts usually take an\nadditional parameter for the label which they inspect before\nactually performing the (underlying IO) side-effecting computation.\nSo, before writing to a file LIO asserts that the write will not\nviolate any security policies associated with the file or the data\nto be written.\n\nMost code should import module `LIO` and whichever label format the\napplication is using (e.g., `LIO.DCLabel`). All untrusted code\nshould have type `LIO`, which trusted code can safely execute with\n`evalLIO`. See [Hackage](http://hackage.haskell.org/package/lio) for a\ndescription of the core library API.\n\nThe papers that describes the core of LIO, including motivation and\nformal modeling/proofs, are available here:\n\n*  Deian Stefan.\n   _Principled and Practical Web Application Security._\n   _Ph.D. Thesis, Stanford University. December, 2015._\n   [PDF](https://cseweb.ucsd.edu/~dstefan/pubs/stefan:2015:phdthesis.pdf)\n\n*  Deian Stefan, Alejandro Russo, David Mazieres, and John C. Mitchell.\n   _Flexible Dynamic Information Flow Control in the Presence of Exceptions._\n   _Journal of Functional Programming, Cambridge University Press. Volume27, 2017._\n   [PDF](https://cseweb.ucsd.edu/~dstefan/pubs/stefan:2017:flexible.pdf)\n\n* Daniel B. Giffin, Amit Levy, Deian Stefan, David Terei, David Mazières, John Mitchell, and Alejandro Russo.\n  _Hails: Protecting Data Privacy in Untrusted Web Applications._\n  _In Proceedings of Symposium on Operating Systems Design and Implementation (OSDI), USENIX. October, 2012._\n  [PDF](https://cseweb.ucsd.edu/~dstefan/pubs/giffin:2012:hails.pdf)\n\n*  Stefan Heule, Deian Stefan, Edward Z. Yang, John C. Mitchell, and Alejandro Russo.\n   _IFC Inside: Retrofitting Languages with Dynamic Information Flow Control._\n   _In Proceedings of Conference on Principles of Security and Trust (POST), Springer. April, 2015._\n   [PDF](https://cseweb.ucsd.edu/~dstefan/pubs/heule:2015:ifc-inside.pdf)\n\n*  Deian Stefan, Alejandro Russo, Pablo Buiras, Amit Levy, John C. Mitchell, David Mazieres.\n   _Addressing Covert Termination and Timing Channels in Concurrent Information Flow Systems._\n   _In Proceedings of The 17th ACM SIGPLAN International Conference on Functional Programming (ICFP), ACM, 2012._\n   [PDF](https://cseweb.ucsd.edu/~dstefan/pubs/stefan:2012:addressing.pdf)\n\n*  Deian Stefan, Alejandro Russo, John C. Mitchell, and David Mazieres.\n   _Flexible Dynamic Information Flow Control in Haskell._\n   _In Proceedings of Haskell Symposium , ACM SIGPLAN . September 2011._\n   [PDF](https://cseweb.ucsd.edu/~dstefan/pubs/stefan:2011:flexible.pdf)\n\n*  Deian Stefan, Alejandro Russo, David Mazieres, and John C. Mitchell.\n   _Disjunction Category Labels._\n   _In Proceedings of 16th Nordic Conference on Security IT Systems, NordSec , Springer LNCS. October 2011._\n   [PDF](https://cseweb.ucsd.edu/~dstefan/pubs/stefan:2011:dclabels.pdf)\n\n\nStructure of repository\n=============\n\nThis repository is divided into three packages:\n\n- `lio`: The main LIO library\n\n- `lio-fs`: Simple IFC filesystem library\n\n- `quickcheck-lio-instances`: QuickCheck2 instances for LIO\n\n- `lio-eval`: Tests and benchmarks. This is a package solely because it\n  depends on both `lio` and `quickcheck-lio-instances`. Having the\n  tests and benchmarks in `lio` leads to a circular dependency.\n\n- `lio-http-server`: Simple HTTP server implementation. Forked into its own\n  project [Frankie](https://github.com/plsyssec/frankie/).\n\n- `lio-simple`: Slightly older simple HTTP server implementation atop\n  [Simple](https://hackage.haskell.org/package/simple).\n\nAcknowledgements\n=============\n\nWe thank  Catalin Hritcu, Benjamin Pierce, and Jeremy Planul for\ninsightful comments on both the design and implementation of LIO. This\nwork was funded by the DARPA Clean-Slate Design of Resilient,\nAdaptive, Secure Hosts (CRASH) program, BAA-10-70.  Deian Stefan was\nfunded by The National Defense Science and Engineering Graduate\n(NDSEG) Fellowship while working on LIO.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fplsyssec%2Flio","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fplsyssec%2Flio","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fplsyssec%2Flio/lists"}