Frequently Asked Questions
What makes Jeeves different from just setting the system up right?
- Jeeves allows the programmer to separately implement privacy policies from the rest of the functionality while automatically enforcing the policies. This makes it so that the programmer only needs to write the policy correctly rather than implement the correct checks and filters anywhere that the program uses sensitive data. This reduces the possible points of failure and should make it easier for programmers to set things up correctly!
How is Jeeves different from connecting my language to Active Directory/OpenLDAP/some other database and checking the permissions before every action?
- This is a good question. What you're talking about is access control, and what Jeeves helps enforce is information flow. (This is a repost of my comment on this Hacker News thread: https://news.ycombinator.com/i... )
- Now here's the difference between access control and information flow--and why we need a language (or at least a DSL). When you only have access control, you're trusting the programmer to tell you correctly, at one point, where a piece of data is going. Even if a sensitive location value is used in a bunch of search queries, the result of which is shared as a status (that becomes visible to many people with different levels of access), the programmer is responsible for asking for the right level of access when accessing that location.
- With the complex policies we're starting to see in modern applications, managing this is becoming increasingly burdensome for developers. That's why we're looking at how to automatically handle information flow: the system tracks how sensitive values are used in order to make sure the values--and resulting computations--are flowing only to those with appropriate permissions. While it's relatively simple to hook access control into existing programming models, automatically handling information flow requires enhancing the language semantics (especially for conditions and function calls) to track additional information.
Are large companies implementing similar, proprietary frameworks?
- It's my understanding that large companies will create proprietary frameworks that help manage privacy policies on data. Programmers will typically be required to follow certain coding discipline when working with sensitive values so that they're calling library functions to manage policies. To my knowledge, however, these libraries deal with access control (who can access a specific piece of information) rather than information flow (how information may flow through a system).
- Automatically managing information flow the way Jeeves does significantly relieves programmer burden, but can be computationally expensive. Much of our research these days is about how to make this more efficient so that companies can one day put this sort of mechanism into their production systems.
Jeeves is implemented as "an embedded domain-specific language in Python." What's the difference between a DSL and a programming language?
- A language exists on its own, with its own syntax and semantics. It may interoperate with other languages, but it usually takes some work to get code written in one language to talk to code executing in another language. (Examples include C/OCaml and all the languages that execute on the .NET runtime.)
- An embedded domain-specific language is a language with its own semantics that has been grafted onto another language. For instance, Jeeves is embedded in Python. We can use Jeeves as a Python library, but when we're using Jeeves functions, the programs behave like Jeeves programs rather than vanilla Python programs. (In this case, it means that the runtime tracks different possible views of sensitive values and computations done on them.) When programmers use the @jeeves decorator and the Jeeves API, the programs look like Python programs and can even use Python built-in functions and libraries, but the Jeeves library is doing work behind the scenes to make the programs behave differently.
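To make the access-control versus information-flow contrast from the earlier answer concrete, and to show what "tracking different possible views of sensitive values" means, here is a toy faceted-value runtime in plain Python. It is an added illustration written for this page, not Jeeves's own implementation or API: `Sensitive`, `lift`, `concretize`, the policy shape and the cafe table are all constructed. The location's policy is declared once, rides along through the search and the status string with no checks in the functionality, and is consulted only when the status is shown to a particular viewer.

```python
from dataclasses import dataclass
from typing import Any, Callable

Policy = Callable[[Any], bool]  # viewer -> may this viewer see the secret view?
ALLOW_ALL: Policy = lambda viewer: True


@dataclass(frozen=True)
class Sensitive:
    """A value carrying two views plus the policy deciding who sees which (toy model)."""
    secret: Any
    public: Any
    policy: Policy


def lift(f, *args):
    """Apply f to possibly-sensitive arguments, computing both views.
    Plain arguments act as if both views were identical. The result's policy is the
    conjunction of every input policy, so a label can never weaken as data flows."""
    if not any(isinstance(a, Sensitive) for a in args):
        return f(*args)
    wrapped = [a if isinstance(a, Sensitive) else Sensitive(a, a, ALLOW_ALL) for a in args]
    policies = [w.policy for w in wrapped]
    return Sensitive(
        f(*(w.secret for w in wrapped)),
        f(*(w.public for w in wrapped)),
        lambda viewer: all(p(viewer) for p in policies),
    )


def concretize(viewer, value):
    """At output time, pick the view this viewer is entitled to."""
    if isinstance(value, Sensitive):
        return value.secret if value.policy(viewer) else value.public
    return value


# Constructed sample data standing in for a location-based search.
CAFES = {"Cambridge, MA": ["Toscanini's", "Darwin's"]}


def build_status(location):
    """The functionality, written once, with no permission checks anywhere."""
    cafes = lift(lambda city: CAFES.get(city, []), location)
    return lift(lambda city, cs: f"Near {city}: {', '.join(cs) if cs else 'nothing to show'}",
                location, cafes)


def demo():
    alice_friends = {"bob"}  # constructed: who may see Alice's real location
    location = Sensitive("Cambridge, MA", "somewhere", lambda viewer: viewer in alice_friends)
    status = build_status(location)
    return concretize("bob", status), concretize("eve", status)
```

Running `demo()` gives the friend the real status and the stranger the public one, even though `build_status` never asked who is looking.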