Information Flow Control with Errors

Andreas Gampe and Jeffery Von Ronne

Abstract

Information Flow Control is concerned with the correct handling of data with respect to a security policy. A common enforcement technique is annotated type systems. For object-oriented languages, type systems have been developed for class-based languages. The reason is that the underlying type system is simpler to handle there, i.e., it is easier to ensure that there are no method-not-understood errors in well-typed programs.

In the case of dynamic languages, e.g., prototype-based ones like JavaScript, currently no type system is powerful enough to handle common language idioms, which hinders the adoption of security typing in practical settings. As a solution, this paper proposes to handle method-not-understood errors in the security type system: the type system does not enforce regular soundness, so well-typed programs might fail, but even in the case of such errors non-interference is ensured. This paper outlines this approach and provides an initial investigation of its feasibility. A security type system for a functional object calculus with extension is presented and shown to enforce non-interference.
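The following JavaScript sketch is an added illustration, not code or notation from the paper: it shows why a method-not-understood error is itself an information channel when object extension depends on a secret, using a two-run comparison of public observations. The names `observe`, `leaky`, `safe` and `nonInterfering` are hypothetical, and the observer model (the return value plus the kind of error) is an assumption.

```javascript
// Constructed illustration; not the calculus or type system from the paper.
// Assumed observer model: the public observer sees the returned value,
// or the kind of error that stopped the program.
function observe(program, secret) {
  try {
    return { kind: "value", out: program(secret) };
  } catch (e) {
    // Calling a missing method raises TypeError in JavaScript; this plays
    // the role of the "method-not-understood" error of object calculi.
    return { kind: e instanceof TypeError ? "method-not-understood" : "error" };
  }
}

// Object extension under a secret guard: the object's shape becomes
// secret-dependent, so the later call fails exactly when secret is false.
function leaky(secret) {
  const account = { id: 7 };
  if (secret) account.audit = () => "ok";
  account.audit();
  return "done";
}

// The extension no longer depends on the secret; the secret only
// influences a field that is never part of the public observation.
function safe(secret) {
  const account = { id: 7, note: "" };
  account.audit = () => "ok";
  if (secret) account.note = "flagged";
  account.audit();
  return "done";
}

// Two-run check over a boolean secret: a program is non-interfering for
// this observer if both runs produce the same public observation.
function nonInterfering(program) {
  const high = JSON.stringify(observe(program, true));
  const low = JSON.stringify(observe(program, false));
  return high === low;
}

console.log("leaky:", nonInterfering(leaky));
console.log("safe:", nonInterfering(safe));
```

A two-run comparison like this only tests one pair of secrets; a security type system of the kind the abstract describes is meant to rule out the `leaky` pattern statically.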

Presented at FOOL 2011; Sunday, 23 October 2011; Portland, Oregon, USA