JFlow: practical mostly-static information flow control

A promising technique for protecting privacy and integrity of sensitive data is to statically check information flow within programs that manipulate the data. While previous work has proposed programming language extensions to allow this static checking, the resulting languages are too restrictive for practical use and have not been implemented. In this paper, we describe the new language JFlow, an extension to the Java language that adds statically-checked information flow annotations. JFlow provides several new features that make information flow checking more flexible and convenient than in previous models: a decentralized label model, label polymorphism, run-time label checking, and automatic label inference. JFlow also supports many language features that have never been integrated successfully with static information flow control, including objects, subclassing, dynamic type tests, access control, and exceptions. This paper defines the JFlow language and presents formal rules that are used to check JFlow programs for correctness. Because most checking is static, there is little code space, data space, or run-time overhead in the JFlow implementation.
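
As an added illustration (not code from the paper or from JFlow itself) of the decentralized label model on which JFlow's static checks rest, the following Python encodes a label as a map from owner to permitted readers and implements the relabeling relation, the label join, and the assignment check under a program-counter label; the principal hierarchy (acts-for) of the full model is omitted as a simplification, and the principal names are constructed.

```python
# Added illustration (not JFlow's own code): the decentralized label model
# underlying JFlow's static checks. A label maps each owner principal to the
# set of readers that owner permits; owners implicitly read their own data.
# Simplification (assumed here): no principal hierarchy (acts-for relation).
from typing import Dict, FrozenSet, Iterable

Label = Dict[str, FrozenSet[str]]

def label(**policies: Iterable[str]) -> Label:
    """Build a label such as label(alice={'bob'}) == {alice: bob} (alice and
    bob may read). label() with no policies is the public (bottom) label."""
    return {owner: frozenset(readers) | {owner} for owner, readers in policies.items()}

def flows_to(l1: Label, l2: Label) -> bool:
    """Relabeling rule L1 ⊑ L2: data may be relabeled from L1 to L2 only if
    every owner who restricts L1 also restricts L2 and L2 grants that owner's
    data no reader that L1 did not already grant."""
    return all(owner in l2 and l2[owner] <= l1[owner] for owner in l1)

def join(l1: Label, l2: Label) -> Label:
    """Least upper bound: union of the owners' policies, with the reader sets
    intersected where both labels carry a policy for the same owner."""
    out = dict(l1)
    for owner, readers in l2.items():
        out[owner] = out[owner] & readers if owner in out else readers
    return out

def check_assignment(pc: Label, target: Label, operands: Iterable[Label]) -> bool:
    """Static check for `target = f(operands...)` executed under program-counter
    label pc (the join of the labels of the branch conditions that led here).
    The join of pc and every operand label must flow to the target's declared
    label; otherwise the assignment leaks via an explicit or implicit flow."""
    source = pc
    for l in operands:
        source = join(source, l)
    return flows_to(source, target)

if __name__ == "__main__":
    public = label()
    alice_to_bob = label(alice={"bob"})
    # Explicit flow: copying Alice's data into a public variable is rejected.
    assert not check_assignment(public, public, [alice_to_bob])
    # Implicit flow: assigning a public constant to a public variable inside a
    # branch whose condition is Alice's data is also rejected (pc is tainted).
    assert not check_assignment(alice_to_bob, public, [public])
    # Joining two owners' policies yields a label both owners accept.
    assert check_assignment(public, label(alice={"bob"}, bob=set()),
                            [label(alice={"bob", "carol"}), label(bob=set())])
```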
