First-order Gradual Information Flow Types with Gradual Guarantees

Gradual type systems seamlessly integrate statically-typed programs with dynamically-typed programs. The runtime for gradual type systems can be viewed as a monitor which refines and enforces constraints to ensure type-preservation. Gradual typing has been applied to information flow types, where information flow monitors are derived from gradual information flow types. However, existing work gives up the dynamic gradual guarantee -- the property that loosening the policies of a program should not cause more runtime errors -- in favor of noninterference -- the key security property for information flow control systems. In this paper, we re-examine the connection between gradual information flow types and information flow monitors, and identify the root cause for the tension between satisfying gradual guarantees and noninterference. We develop a runtime semantics for a simple imperative language with gradual information flow types that provides both noninterference and the dynamic gradual guarantee. We leverage a proof technique developed for FlowML, which reduces noninterference proofs to preservation proofs, to prove the key security property.
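To make the two properties named in the abstract concrete, here is an added example (not the paper's semantics or code): a toy imperative language whose variables carry declared labels L, H or ? (unknown), monitored by a flow-sensitive dynamic monitor with the classic no-sensitive-upgrade (NSU) check, together with checkers for noninterference and the dynamic gradual guarantee. On the constructed program, the monitor is noninterferent, yet loosening x's label from H to ? turns a successful run into an NSU error, which is the kind of tension between the two properties that the abstract describes.

```python
# Added example, not the paper's semantics: a toy imperative language with
# gradual information-flow labels and a flow-sensitive dynamic monitor that uses
# the classic no-sensitive-upgrade (NSU) check. Declared labels: 'L', 'H' (two-point
# lattice) or '?' (unknown: no static policy, so the label is tracked at runtime).
# Statements: ('assign', x, e), ('if', cond, then_stmts, else_stmts); e is int or var.
def join(a, b):
    return 'H' if 'H' in (a, b) else 'L'
def leq(a, b):  # may label a flow to label b? '?' is consistent with everything
    return '?' in (a, b) or a == 'L' or b == 'H'
def eval_expr(e, vals, dyn):  # -> (value, runtime label); literals are public
    return (e, 'L') if isinstance(e, int) else (vals[e], dyn[e])

def exec_stmts(stmts, pc, vals, dyn, decl):
    for s in stmts:
        if s[0] == 'assign':
            _, x, e = s
            v, l = eval_expr(e, vals, dyn)
            l = join(l, pc)  # data label joined with the control (pc) label
            if not leq(l, decl[x]):  # declared policy of x violated
                raise ValueError(f'{l} data written to {decl[x]} variable {x}')
            if decl[x] == '?' and pc == 'H' and dyn[x] == 'L':  # NSU check
                raise ValueError(f'NSU: cannot upgrade {x} under secret control')
            vals[x], dyn[x] = v, (l if decl[x] == '?' else decl[x])
        else:
            _, c, then_b, else_b = s
            v, l = eval_expr(c, vals, dyn)
            exec_stmts(then_b if v else else_b, join(pc, l), vals, dyn, decl)

def run(stmts, decl, inputs):
    """Return ('ok', low_view) or ('error', message); unset variables start at 0."""
    vals = {x: inputs.get(x, 0) for x in decl}
    dyn = {x: ('L' if decl[x] == '?' else decl[x]) for x in decl}
    try:
        exec_stmts(stmts, 'L', vals, dyn, decl)
    except ValueError as err:
        return 'error', str(err)
    return 'ok', {x: vals[x] for x in decl if dyn[x] == 'L'}

def noninterferent(stmts, decl, in1, in2):
    """Error-insensitive NI: two normally terminating runs that agree on L inputs must agree on the low view."""
    r1, r2 = run(stmts, decl, in1), run(stmts, decl, in2)
    return 'error' in (r1[0], r2[0]) or r1[1] == r2[1]

def gradual_guarantee(stmts, precise, loosened, inputs):
    """Dynamic gradual guarantee: replacing labels by '?' must not introduce an error."""
    return run(stmts, precise, inputs)[0] == 'error' or run(stmts, loosened, inputs)[0] == 'ok'

# Constructed program: x := 0; if h then x := 1; l := 0  (l never depends on h)
PROG = [('assign', 'x', 0), ('if', 'h', [('assign', 'x', 1)], []), ('assign', 'l', 0)]
PRECISE = {'h': 'H', 'x': 'H', 'l': 'L'}
LOOSENED = {'h': 'H', 'x': '?', 'l': 'L'}  # same program, x's policy loosened to '?'
```

With h = 1 the precisely typed program runs to completion, but the loosened one is stopped by the NSU check, so `gradual_guarantee(PROG, PRECISE, LOOSENED, {'h': 1})` is false even though both typings are noninterferent.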
