RSS

CONTACT

GROUP PAGE

PREVIOUS POSTS

• LLMs ⭢ Regular Expressions, Responsibly!
• Sharing is Scaring: Why is Cloud File-Sharing Hard?
• Practical Static Analysis for Privacy Bugs
• Lightweight Diagramming for Lightweight Formal Methods
• Argus: Interactively Debugging Rust trait Errors
• LTL Tutor
• Misconceptions In Finite-Trace and Infinite-Trace Linear Temporal Logic
• Iterative Student Program Planning using Transformer-Driven Feedback
• Differential Analysis: A Summary
• Forge: A Tool to Teach Formal Methods
• Finding and Fixing Standard Misconceptions About Program Behavior
• Privacy-Respecting Type Error Telemetry at Scale
• Profiling Programming Language Learning
• The Examplar Project: A Summary
• A Core Calculus for Documents
• Observations on the Design of Program Planning Notations for Students
• Conceptual Mutation Testing
• Generating Programs Trivially: Student Use of Large Language Models
• A Grounded Conceptual Model for Ownership Types in Rust
• What Happens When Students Switch (Functional) Languages
• Typed-Untyped Interactions: A Comparative Analysis
• Little Tricky Logics
• Identifying Problem Misconceptions
• Performance Preconceptions
• Structural Versus Pipeline Composition of Higher-Order Functions
• Plan Composition Using Higher-Order Functions
• Towards a Notional Machine for Runtime Stacks and Scope
• Gradual Soundness: Lessons from Static Python
• Applying Cognitive Principles to Model-Finding Output
• Automated, Targeted Testing of Property-Based Testing Predicates
• A Benchmark for Tabular Types
• Student Help-Seeking for (Un)Specified Behaviors
• Adding Function Transformers to CODAP
• Developing Behavioral Concepts of Higher-Order Functions
• Adversarial Thinking Early in Post-Secondary Education
• Teaching and Assessing Property-Based Testing
• Students Testing Without Coercion
• Using Design Alternatives to Learn About Data Organizations
• What Help Do Students Seek in TA Office Hours?
• Combating Misconceptions by Encouraging Example-Writing
• The Hidden Perils of Automated Assessment
• Mystery Languages
• Resugaring Type Rules
• Picking Colors for Pyret Error Messages
• Can We Crowdsource Language Design?
• Crowdsourcing User Studies for Formal Methods
• User Studies of Principled Model Finder Output
• A Third Perspective on Hygiene
• Scope Inference, a.k.a. Resugaring Scope Rules
• The PerMission Store
• Examining the Privacy Decisions Facing Users
• The Pyret Programming Language: Why Pyret?
• Resugaring Evaluation Sequences
• Slimming Languages by Reducing Sugar
• In-flow Peer Review: An Overview
• Tierless Programming for SDNs: Differential Analysis
• Tierless Programming for SDNs: Verification
• Tierless Programming for SDNs: Optimality
• Tierless Programming for SDNs: Events
• Tierless Programming for Software-Defined Networks
• CS Student Work/Sleep Habits Revealed As Possibly Dangerously Normal
• Parley: User Studies for Syntax Design
• Typechecking Uses of the jQuery Language
• Verifying Extensions' Compliance with Firefox's Private Browsing Mode
• From MOOC Students to Researchers
• Social Ratings of Application Permissions (Part 4: The Goal)
• Social Ratings of Application Permissions (Part 3: Permissions Within a Domain)
• Social Ratings of Application Permissions (Part 2: The Effect of Branding)
• Social Ratings of Application Permissions (Part 1: Some Basic Conditions)
• Aluminum: Principled Scenario Exploration Through Minimality
• A Privacy-Affecting Change in Firefox 20
• The New MOOR's Law
• Essentials of Garbage Collection
• (Sub)Typing First Class Field Names
• Typing First Class Field Names
• S5: Engineering Eval
• Progressive Types
• Modeling DOM Events
• Mechanized LambdaJS
• ECMA Announces Official λJS Adoption
• Objects in Scripting Languages
• S5: Wat?
• Belay Lessons: Smarter Web Programming
• S5: Semantics for Accessors
• S5: A Semantics for Today's JavaScript
• The Essence of JavaScript
• ADsafety

Practical Static Analysis for Privacy Bugs
Privacy-Respecting Type Error Telemetry at Scale
The PerMission Store
Examining the Privacy Decisions Facing Users

---

Practical Static Analysis for Privacy Bugs

Tags: Privacy, Rust, Tools, Verification

Posted on 03 August 2025.

Privacy bugs are deeply problematic for software users (“once it’s out there you can’t take it back”), legally significant (due to laws like the GDPR), and difficult for programmers to find and to keep out. Static program analysis would therefore appear to be very helpful here.

Unfortunately, making an effective tool runs into several problems:

• Rules need to be expressed in a way that is auditable by legal and policy experts, which means they cannot be too close to the level of code.

• Policies need to then be mapped to the actual code.

• The analysis needs to be as precise as possible.

• The analysis needs to also be as quick as possible—ideally, fast enough to integrate into interactive development.

Our new system, Paralegal, checks off all these boxes:

• It supports policies expressed in a first-order logic, but written in a stylized English form. For instance, here is a policy stating that there is a way for all personal data to be deleted:

  Somewhere:
  1. For each "user data" type marked user_data:
  A. There is a "source" that produces "user data" where:
    a. There is a "deleter" marked deletes where:
      i) "source" goes to "deleter"
  

• It introduces markers as a key abstraction for mapping the policy onto the program. Several of the terms above — e.g., user_data — are designated in a lightweight way in the source program:

  #[paralegal::marker(user_data)]
  

• It deeply leverages Rust’s type system to obtain useful summaries of function behavior without having to traverse their bodies. In particular, this avoids the pain of writing mock versions of functions, which are time-consuming and error-prone, without sacrificing correctness or precision. It also has some additional optimizations, such as adaptive approximation.

As a result, Paralegal is able to efficiently and effectively analyze several third-party, real-world codebases.

For more details, see our paper!

Privacy-Respecting Type Error Telemetry at Scale

Tags: Privacy, Types, User Studies

Posted on 02 February 2024.

Thesis: Programming languages would benefit hugely from telemetry. It would be extremely useful to know what people write, how they edit, what problems they encounter, etc. Problem: Observing programmers is very problematic. For students, it may cause anxiety and thereby hurt their learning (and grades). For professionals too it may cause anxiety, but it can also leak trade secrets.

One very partial solution is to perform these observations in controlled settings, such as a lab study. The downside is that it is hard to get diverse populations of users, it’s hard to retain them for very long, it’s hard to pay for these studies, etc. Furthermore, the activities they perform in a lab study may be very different from what they would do in real use: i.e., lab studies especially lack ecological validity when compared against many real-world programming settings.

We decided to instead study a large number of programmers doing their normal work—but in a privacy-respecting way. We collaborated with the Roblox Studio team on this project. Roblox is a widely-used platform for programming and deploying games, and it has lots of users of all kinds of ages and qualifications. They range from people writing their first programs to developers working for game studios building professional games.

In particular, we wanted to study a specific phenomenon: the uptake of types in Luau. Luau is an extension of Lua that powers Roblox. It supports classic Lua programs, but also lets programmers gradually add types to detect bugs at compile time. We specifically wanted to see what kind of type errors people make when using Luau, with the goal of improving their experience and thereby hopefully increasing uptake of the language.

Privacy-respecting telemetry sounds wonderful in theory but is very thorny in practice. We want our telemetry to have several properties:

• It must not transmit any private information. This may be more subtle than it sounds. Error messages can, for instance, contain the names of functions. But these names may contain a trade secret.

• It must be fast on the client-side so that the programmer experience is not disrupted.

• It must transmit only small amount of data, so as not to overload the database servers.

(The latter two are not specific to privacy, but are necessary when working at scale.)

Our earlier, pioneering work on error message analysis was able to obtain a large amount of insight from logs. As a result of the above constraints, we cannot even pose many of the same questions in our setting.

Nevertheless, we were able to still learn several useful things about Luau. For more details, see the paper. But to us, this project is at least as interesting for the questions it inspires as for the particular solution or the insights gained from it. We hope to see many more languages incorporate privacy-respecting telemetry. (We’re pleased to see the Go team also thinking about these issues, as summarized in Russ Cox’s transparent telemetry notes. While there are some differences between our approaches, our overarching goals and constraints are very much in harmony.)

The PerMission Store

Tags: Android, Permissions, Privacy, Security, Tools, User Studies

Posted on 21 February 2017.

This is Part 2 of our series on helping users manage app permissions. Click here to read Part 1.

As discussed in Part 1 of this series, one type of privacy decision users have to make is which app to install. Typically, when choosing an app, users pick from the first few apps that come up when they search a keyword in their app store, so the app store plays a big roll in which apps users download.

Unfortunately, most major app stores don’t help users make this decision in a privacy-minded way. Because these stores don’t factor privacy into their ranking, the top few search results probably aren’t the most privacy-friendly, so users are already picking from a problematic pool. Furthermore, users rely on information in the app store to choose from within that limited pool, and most app stores offer very little in the way of privacy information.

We’ve built a marketplace, the PerMission Store, that tackles both the ranking and user information concerns by adding one key component: permission-specific ratings. These are user ratings, much like the star ratings in the Google Play store, but they are specifically about an app’s permissions.¹

To help users find more privacy friendly apps, the privacy ratings are incorporated into the PerMission Store’s ranking mechanism, so that apps with better privacy scores are more likely to appear in the top hits for a given search. (We also consider factors like the star rating in our ranking, so users are still getting useful apps.) So users are selecting from a more privacy-friendly pool of apps right off the bat.

Apps’ privacy ratings are also displayed in an easy-to-understand way, alongside other basic information like star rating and developer. This makes it straightforward for users to consider privacy along with other key factors when deciding which app to install.

Incorporating privacy into the store itself makes it so that choosing privacy-friendly apps is as a natural as choosing useful apps.

The PerMission Store is currently available as an Android app and can be found on Google Play.

A more detailed discussion of the PerMission Store can be found in Section 3.1 of our paper.

This is Part 2 of our series on helping users manage app permissions. Click here to read Part 1.

_{1: As a bootstrapping mechanism, we’ve collected rating for a couple thousand apps from Mechanical Turk. Ultimately, though, we expect the ratings to come from in-the-wild users.}

Examining the Privacy Decisions Facing Users

Tags: Android, Permissions, Privacy, Security, User Studies

Posted on 25 January 2017.

This is Part 1 of our series on helping users manage app permissions. Click here to read Part 2.

It probably comes as no surprise to you that users are taking their privacy in their hands every time they install or use apps on their smartphones (or tablets, or watches, or cars, or…). This begs the question, what kinds of privacy decisions are users actually making? And how can we help them with those decisions?

At first blush, users can manage privacy in two ways: by choosing which apps to install, and by managing their apps’ permissions once they’ve installed them. For the first type of decision, users could benefit from a privacy-conscious app store to help them find more privacy-respecting apps. For the second type of decision, users would be better served by an assistant that helps them decide which permissions to grant.

Users can only making installation decisions when they actually have a meaningful choice between different apps. If you’re looking for Facebook, there really aren’t any other apps that you could use instead. This left us wondering if users ever have a meaningful choice between different apps, or whether they are generally looking for a specific app.

To explore this question, we surveyed Mechanical turk workers about 66 different Android apps, asking whether they thought the app could be replaced by a different one. The apps covered a broad range of functionality, from weather apps, to games, to financial services.

It turns out that apps vary greatly in their “replaceability,” and, rather than falling cleanly into “replaceable” and “unique” groups, they run along a spectrum between the two. At one end of the spectrum you have apps like Instagram, which less than 20% of workers felt could be replaced. On the other end of the spectrum are apps like Waze, which 100% of workers felt was replaceable. In the middle are apps whose replaceability depends on which features you’re interested in. For example, take an app like Strava, which lets you track your physical activity and compete with friends. If you only want to track yourself, it could be replaced by something like MapMyRide, but if you’re competing with friends who all use Strava, you’re pretty much stuck with Strava.

Regardless of exactly which apps fall where on the spectrum, though, there are replaceable apps, so users are making real decisions about which apps to install. And, for irreplaceable apps, they are also having to decide how to manage those apps’ permissions. These two types of decisions require two approaches to assisting users. A privacy-aware marketplace would aid users with installation decisions by helping them find more privacy-respecting apps, while a privacy assistant could help users manage their apps’ permissions.

Click here to read about our privacy-aware marketplace, the PerMission Store, and stay tuned for our upcoming post on a privacy assistant!

A more detailed discussion of this study can be found in Section 2 of our paper.