DOI: 10.1145/292540.292561

JFlow: practical mostly-static information flow control

Published: 1 January 1999

ABSTRACT

A promising technique for protecting privacy and integrity of sensitive data is to statically check information flow within programs that manipulate the data. While previous work has proposed programming language extensions to allow this static checking, the resulting languages are too restrictive for practical use and have not been implemented. In this paper, we describe the new language JFlow, an extension to the Java language that adds statically-checked information flow annotations. JFlow provides several new features that make information flow checking more flexible and convenient than in previous models: a decentralized label model, label polymorphism, run-time label checking, and automatic label inference. JFlow also supports many language features that have never been integrated successfully with static information flow control, including objects, subclassing, dynamic type tests, access control, and exceptions. This paper defines the JFlow language and presents formal rules that are used to check JFlow programs for correctness. Because most checking is static, there is little code space, data space, or run-time overhead in the JFlow implementation.
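The abstract names a decentralized label model and static checking of both explicit and implicit flows. The following is an added illustration written for this page, not code from the paper or the JFlow implementation: it encodes the decentralized label model of Myers and Liskov (labels as sets of "owner: readers" policies, ordered by restrictiveness) and a toy static checker over a constructed statement syntax that tracks a program-counter label through conditionals. The principals, variables and statement tuples are constructed for the example; declassification, the principal hierarchy, label polymorphism, inference and exceptions are omitted, so this is the skeleton of the idea and not JFlow's actual rules.

```python
"""Toy decentralized-label checker (illustration only, not JFlow's real rules)."""


class Label:
    """A label is a set of policies 'owner: readers'. An owner can always read
    its own data. More policies, or fewer readers in a policy, is more restrictive."""

    def __init__(self, policies=None):
        self.policies = {o: frozenset(r) for o, r in (policies or {}).items()}

    def join(self, other):
        """Least restrictive label that is at least as restrictive as both operands:
        union of owners; a shared owner keeps only readers both policies allow."""
        merged = {}
        for owner in set(self.policies) | set(other.policies):
            if owner in self.policies and owner in other.policies:
                merged[owner] = self.policies[owner] & other.policies[owner]
            else:
                merged[owner] = self.policies.get(owner, other.policies.get(owner))
        return Label(merged)

    def flows_to(self, other):
        """self ⊑ other: every policy of self is present in other with no extra readers.
        A label with no policies is the bottom and flows anywhere."""
        return all(
            owner in other.policies and other.policies[owner] <= readers
            for owner, readers in self.policies.items()
        )

    def effective_readers(self, principals):
        """Principals allowed by every owner (each owner counts as a reader of its policy)."""
        allowed = set(principals)
        for owner, readers in self.policies.items():
            allowed &= readers | {owner}
        return allowed

    def __repr__(self):
        body = "; ".join(f"{o}: {','.join(sorted(r))}" for o, r in sorted(self.policies.items()))
        return "{" + body + "}"


def check_program(stmts, env, pc=None):
    """Static check of a constructed toy language. env maps variable -> Label.
    Statements:
      ("assign", target, [source variables])      target := f(sources)
      ("if", [condition variables], then_stmts, else_stmts)
    The label of an assigned value is the join of its sources and the pc label;
    the pc label is raised by the condition of every enclosing if (implicit flows).
    Returns a list of violations; an empty list means the program is accepted."""
    pc = Label() if pc is None else pc
    errors = []
    for stmt in stmts:
        if stmt[0] == "assign":
            _, target, sources = stmt
            rhs = pc
            for v in sources:
                rhs = rhs.join(env[v])
            if not rhs.flows_to(env[target]):
                errors.append(f"{target} := {sources or 'const'}: {rhs} does not flow to {env[target]}")
        elif stmt[0] == "if":
            _, cond, then_branch, else_branch = stmt
            branch_pc = pc
            for v in cond:
                branch_pc = branch_pc.join(env[v])
            errors += check_program(then_branch, env, branch_pc)
            errors += check_program(else_branch, env, branch_pc)
        else:
            raise ValueError(f"unknown statement {stmt!r}")
    return errors


# Constructed environment: three variables with labels of increasing openness.
ENV = {
    "secret": Label({"alice": set()}),        # only alice may read
    "shared": Label({"alice": {"bob"}}),      # alice lets bob read
    "public": Label(),                        # no policy: anyone may read
}

# Constructed programs: SAFE only moves data to more restrictive places.
SAFE = [
    ("assign", "secret", ["public", "shared"]),
    ("assign", "shared", ["public"]),
]
# LEAKY has one explicit flow and one implicit flow through a branch on secret.
LEAKY = [
    ("assign", "public", ["secret"]),
    ("if", ["secret"], [("assign", "public", [])], []),
]

if __name__ == "__main__":
    print("SAFE :", check_program(SAFE, ENV) or "accepted")
    for err in check_program(LEAKY, ENV):
        print("LEAKY:", err)
```

The second LEAKY statement writes a constant to `public`, so no secret value is copied, yet the checker rejects it: the pc label inside the branch carries alice's policy, and that must flow to the target of every assignment under the branch. Static checking of this kind is what lets the implementation avoid run-time tracking for the common case, which is the overhead claim the abstract makes.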

References

  1. [Aba97] Martin Abadi. Secrecy by typing in security protocols. In Proc. Theoretical Aspects of Computer Software: Third International Conference, September 1997.
  2. [ACPP91] Martín Abadi, Luca Cardelli, Benjamin C. Pierce, and Gordon D. Plotkin. Dynamic typing in a statically typed language. ACM Transactions on Programming Languages and Systems (TOPLAS), 13(2):237-268, April 1991. Also appeared as SRC Research Report 47.
  3. [AR80] Gregory R. Andrews and Richard P. Reitman. An axiomatic approach to information flow in programs. ACM Transactions on Programming Languages and Systems, 2(1):56-76, 1980.
  4. [BL75] D. E. Bell and L. J. LaPadula. Secure computer system: Unified exposition and Multics interpretation. Technical Report ESD-TR-75-306, MITRE Corp. MTR-2997, Bedford, MA, 1975. Available as NTIS AD-A023 588.
  5. [Car91] Luca Cardelli. Typeful programming. In E. J. Neuhold and M. Paul, editors, Formal Description of Programming Concepts. Springer-Verlag, 1991. An earlier version appeared as DEC Systems Research Center Research Report #45, February 1989.
  6. [DD77] Dorothy E. Denning and Peter J. Denning. Certification of programs for secure information flow. Comm. of the ACM, 20(7):504-513, 1977.
  7. [Den76] Dorothy E. Denning. A lattice model of secure information flow. Comm. of the ACM, 19(5):236-243, 1976.
  8. [Den82] Dorothy E. Denning. Cryptography and Data Security. Addison-Wesley, Reading, Massachusetts, 1982.
  9. [GJS96] James Gosling, Bill Joy, and Guy Steele. The Java Language Specification. Addison-Wesley, August 1996. ISBN 0-201-63451-1.
  10. [HDT87] Susan Horwitz, Alan Demers, and Tim Teitelbaum. An efficient general iterative algorithm for dataflow analysis. Acta Informatica, 24:679-694, 1987.
  11. [HR98] Nevin Heintze and Jon G. Riecke. The SLam calculus: Programming with secrecy and integrity. In Proc. 25th ACM Symp. on Principles of Programming Languages (POPL), San Diego, California, January 1998.
  12. [JL78] Anita K. Jones and Barbara Liskov. A language extension for expressing constraints on data access. Comm. of the ACM, 21(5):358-367, May 1978.
  13. [KW94] Atsushi Kanamori and Daniel Weise. Worklist management strategies for dataflow analysis. Technical Report MSR-TR-94-12, Microsoft Research, May 1994.
  14. [Lam73] Butler W. Lampson. A note on the confinement problem. Comm. of the ACM, 16(10):613-615, October 1973.
  15. [LMM98] Barbara Liskov, Nicholas Mathewson, and Andrew C. Myers. PolyJ: Parameterized types for Java. Software release. Located at http://www.pmg.lcs.mit.edu/polyj, July 1998.
  16. [MBL97] Andrew C. Myers, Joseph A. Bank, and Barbara Liskov. Parameterized types for Java. In Proc. 24th ACM Symp. on Principles of Programming Languages (POPL), pages 132-145, Paris, France, January 1997.
  17. [ML97] Andrew C. Myers and Barbara Liskov. A decentralized model for information flow control. In Proc. 17th ACM Symp. on Operating System Principles (SOSP), pages 129-142, Saint-Malo, France, 1997.
  18. [ML98] Andrew C. Myers and Barbara Liskov. Complete, safe information flow with decentralized labels. In Proc. IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 1998.
  19. [MMN90] Catherine J. McCollum, Judith R. Messing, and LouAnna Notargiacomo. Beyond the pale of MAC and DAC -- defining new forms of access control. In Proc. IEEE Symposium on Security and Privacy, pages 190-200, 1990.
  20. [Mye99] Andrew C. Myers. Mostly-Static Decentralized Information Flow Control. PhD thesis, Massachusetts Institute of Technology, Cambridge, MA, 1999. In progress.
  21. [PO95] Jens Palsberg and Peter Ørbæk. Trust in the λ-calculus. In Proc. 2nd International Symposium on Static Analysis, number 983 in Lecture Notes in Computer Science, pages 314-329. Springer, September 1995.
  22. [RM96] Jakob Rehof and Torben Æ. Mogensen. Tractable constraints in finite semilattices. In Proc. 3rd International Symposium on Static Analysis, number 1145 in Lecture Notes in Computer Science, pages 285-300. Springer-Verlag, September 1996.
  23. [RSC92] Joel Richardson, Peter Schwarz, and Luis-Felipe Cabrera. CACL: Efficient fine-grained protection for objects. In Proceedings of the 1992 ACM Conference on Object-Oriented Programming Systems, Languages, and Applications, pages 154-165, Vancouver, BC, Canada, October 1992.
  24. [Sto81] Allen Stoughton. Access flow: A protection model which integrates access control and information flow. In IEEE Symposium on Security and Privacy, pages 9-18. IEEE Computer Society Press, 1981.
  25. [SV98] Geoffrey Smith and Dennis Volpano. Secure information flow in a multi-threaded imperative language. In Proc. 25th ACM Symp. on Principles of Programming Languages (POPL), San Diego, California, January 1998.
  26. [Vol97] Dennis Volpano. Provably-secure programming languages for remote evaluation. ACM SIGPLAN Notices, 32(1):117-119, January 1997.
  27. [VSI96] Dennis Volpano, Geoffrey Smith, and Cynthia Irvine. A sound type system for secure flow analysis. Journal of Computer Security, 4(3):167-187, 1996.

Published in

POPL '99: Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, January 1999. 324 pages. ISBN: 1581130953. DOI: 10.1145/292540.

Copyright © 1999 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

POPL '99 paper acceptance rate: 24 of 136 submissions (18%). Overall acceptance rate: 824 of 4,130 submissions (20%).
