research-article

Open Access

Type-Driven Gradual Security with References

Authors:
Matías Toro

PLEIAD Laboratory, Computer Science Department (DCC), University of Chile, Beauchef, Santiago, Chile

PLEIAD Laboratory, Computer Science Department (DCC), University of Chile, Beauchef, Santiago, Chile
View Profile

,
Ronald Garcia

Software Practices Laboratory, University of British Columbia, Vancouver, Canada

Software Practices Laboratory, University of British Columbia, Vancouver, Canada
View Profile

,
Éric Tanter

PLEIAD Laboratory, Computer Science Department (DCC), University of Chile, Beauchef, Santiago, Chile

PLEIAD Laboratory, Computer Science Department (DCC), University of Chile, Beauchef, Santiago, Chile
View Profile

ACM Transactions on Programming Languages and Systems Volume 40 Issue 4Article No.: 16pp 1–55https://doi.org/10.1145/3229061

Published:13 December 2018Publication History

ACM Transactions on Programming Languages and Systems

Editorial Notes

A corrigendum was issued for this article on September 19, 2019. You can download the corrigendum from the supplemental materials section of this citation page.

Abstract

In security-typed programming languages, types statically enforce noninterference between potentially conspiring values, such as the arguments and results of functions. But to adopt static security types, like other advanced type disciplines, programmers face a steep wholesale transition, often forcing them to refactor working code just to satisfy their type checker. To provide a gentler path to security typing that supports safe and stylish but hard-to-verify programming idioms, researchers have designed languages that blend static and dynamic checking of security types. Unfortunately, most of the resulting languages only support static, type-based reasoning about noninterference if a program is entirely statically secured. This limitation substantially weakens the benefits that dynamic enforcement brings to static security typing. Additionally, current proposals are focused on languages with explicit casts and therefore do not fulfill the vision of gradual typing, according to which the boundaries between static and dynamic checking only arise from the (im)precision of type annotations and are transparently mediated by implicit checks.

In this article, we present GSL_Ref, a gradual security-typed higher-order language with references. As a gradual language, GSL_Ref supports the range of static-to-dynamic security checking exclusively driven by type annotations, without resorting to explicit casts. Additionally, GSL_Ref lets programmers use types to reason statically about termination-insensitive noninterference in all programs, even those that enforce security dynamically. We prove that GSL_Ref satisfies all but one of Siek et al.’s criteria for gradually-typed languages, which ensure that programs can seamlessly transition between simple typing and security typing. A notable exception regards the dynamic gradual guarantee, which some specific programs must violate if they are to satisfy noninterference; it remains an open question whether such a language could fully satisfy the dynamic gradual guarantee. To realize this design, we were led to draw a sharp distinction between syntactic type safety and semantic type soundness, each of which constrains the design of the gradual language.

Supplemental Material

a16-toro.webm

webm

72.7 MB

Download

Available for Download

pdf

a16-toro-corrigendum.pdf (701.8 KB)

Corrigendum to "Type-Driven Gradual Security with References", by Toro et al., ACM Transactions on Programming Languages and Systems (TOPLAS) Volume 40, Issue 4, Article No. 16

References

Martín Abadi, Anindya Banerjee, Nevin Heintze, and Jon G. Riecke. 1999. A core calculus of dependency. In Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’99). ACM, New York, NY, 147--160. Google ScholarDigital Library
Amal Ahmed. 2004. Semantics of Types for Mutable State. Ph.D. Dissertation. Princeton University. Google ScholarDigital Library
Amal Ahmed, Robert Bruce Findler, Jeremy Siek, and Philip Wadler. 2011. Blame for all. In Proceedings of the 38th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’11). ACM Press, Austin, Texas, 201--214.Google ScholarDigital Library
Amal Ahmed, Dustin Jamner, Jeremy G. Siek, and Philip Wadler. 2017. Theorems for free for free: Parametricity, with and without types. In Proceedings of the 22th ACM SIGPLAN Conference on Functional Programming (ICFP’17). ACM Press, Oxford, UK, 39:1--39:28.Google ScholarDigital Library
Thomas H. Austin and Cormac Flanagan. 2009. Efficient purely dynamic information flow analysis. In Proceedings of the 2009 Workshop on Programming Languages and Analysis for Security (PLAS’09). 113--124. Google ScholarDigital Library
Thomas H. Austin and Cormac Flanagan. 2010. Permissive dynamic information flow analysis. In Proceedings of the 2010 Workshop on Programming Languages and Analysis for Security (PLAS’10). 3:1--3:12. Google ScholarDigital Library
Thomas H. Austin and Cormac Flanagan. 2012. Multiple facets for dynamic information flow. ACM SIGPLAN Notices 47, 1 (Jan. 2012), 165--178. Google ScholarDigital Library
Thomas H. Austin, Tommy Schmitz, and Cormac Flanagan. 2017. Multiple facets for dynamic information flow with exceptions. ACM Trans. Program. Lang. Syst. 39, 3 (July 2017), 10:1--10:56. Google ScholarDigital Library
Felipe Bañados Schwerter, Ronald Garcia, and Éric Tanter. 2014. A theory of gradual effect systems. In Proceedings of the 19th ACM SIGPLAN Conference on Functional Programming (ICFP’14). ACM Press, Gothenburg, Sweden, 283--295. Google ScholarDigital Library
Felipe Bañados Schwerter, Ronald Garcia, and Éric Tanter. 2016. Gradual type-and-effect systems. J. Funct. Program. 26 (Sept. 2016), 19:1--19:69.Google Scholar
Kenneth J. Biba. 1977. Integrity Considerations for Secure Computer Systems. Technical Report ESD-TR-76-372. USAF Electronic Systems Division, Bedford, MA.Google Scholar
Pablo Buiras, Dimitrios Vytiniotis, and Alejandro Russo. 2015. HLIO: Mixing static and dynamic typing for information-flow control in Haskell. In Proceedings of the 20th ACM SIGPLAN Conference on Functional Programming (ICFP’15). ACM Press, Vancouver, Canada, 289--301. Google ScholarDigital Library
Giuseppe Castagna and Victor Lanvin. 2017. Gradual typing with union and intersection types. In Proceedings of the 22th ACM SIGPLAN Conference on Functional Programming (ICFP’17). ACM Press, Oxford, United Kingdom, 41:1--41:28.Google ScholarDigital Library
D. Chandra and M. Franz. 2007. Fine-grained information flow analysis and enforcement in a Java virtual machine. In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC’07). 463--475.Google Scholar
Alonzo Church. 1940. A formulation of the simple theory of types. J. Symbol. Logic 5, 2 (06 1940), 56--68.Google ScholarCross Ref
Patrick Cousot and Radhia Cousot. 1977. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proceedings of the 4th ACM Symposium on Principles of Programming Languages (POPL’77). ACM Press, Los Angeles, CA, 238--252. Google ScholarDigital Library
Dorothy E. Denning. 1976. A lattice model of secure information flow. Commun. ACM 19, 5 (May 1976), 236--243. Google ScholarDigital Library
Tim Disney and Cormac Flanagan. 2011. Gradual information flow typing. In Proceedings of the International Workshop on Scripts to Programs.Google Scholar
Luminous Fennell and Peter Thiemann. 2013. Gradual security typing with references. In Proceedings of the Computer Security Foundations Symposium. 224--239. Google ScholarDigital Library
Luminous Fennell and Peter Thiemann. 2016. LJGS: Gradual security types for object-oriented languages. In Proceedings of the 30th European Conference on Object-oriented Programming (ECOOP’16) (LNCS). Springer-Verlag, Rome, Italy.Google Scholar
Ronald Garcia and Matteo Cimini. 2015. Principal type schemes for gradual programs. In Proceedings of the 42nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’15). ACM Press, 303--315. Google ScholarDigital Library
Ronald Garcia, Alison M. Clark, and Éric Tanter. 2016. Abstracting gradual typing. In Proceedings of the 43rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’16). ACM Press, St Petersburg, FL, 429--442. Google ScholarDigital Library
Ronald Garcia and Éric Tanter. 2015. Deriving a Simple Gradual Security Language. Retrieved from http://arxiv.org/abs/1511.01399.Google Scholar
Ronald Garcia, Éric Tanter, Roger Wolff, and Jonathan Aldrich. 2014. Foundations of typestate-oriented programming. ACM Trans. Program. Lang. Syst. 36, 4, Article 12 (Oct. 2014), 12:1--12:44 pages. Google ScholarDigital Library
David K. Gifford and John M. Lucassen. 1986. Integrating functional and imperative programming. In Proceedings of the 1986 ACM Conference on Lisp and Functional Programming. ACM Press, Cambridge, MA, 28--38. Google ScholarDigital Library
Joseph A. Goguen and José Meseguer. 1982. Security policies and security models. In Proceedings of the 1982 IEEE Symposium on Security and Privacy. 11--20.Google Scholar
Daniel Hedin and Andrei Sabelfeld. 2012a. Information-flow security for a core of JavaScript. In Proceedings of the 25th IEEE Computer Security Foundations Symposium (CSF’12). 3--18. Google ScholarDigital Library
Daniel Hedin and Andrei Sabelfeld. 2012b. A perspective on information-flow control. In NATO Science for Peace and Security Series D: Information and Communication Security. IOS Press, 319--347.Google Scholar
Nevin Heintze and Jon G. Riecke. 1998. The SLam calculus: Programming with secrecy and integrity. In Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’98). ACM, New York, NY, 365--377. Google ScholarDigital Library
William A. Howard. 1980. The formulae-as-types notion of construction. In To H. B. Curry: Essays on Combinatory Logic, Lambda Calculus, and Formalism, J. P. Seldin and J. R. Hindley (Eds.). Academic Press, New York, 479--490. Reprint of 1969 article.Google Scholar
Sebastian Hunt and David Sands. 2006. On flow-sensitive security types. In Proceedings of the 33th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’06). ACM Press, Charleston, SC, 79--90. Google ScholarDigital Library
Yuu Igarashi, Taro Sekiyama, and Atsushi Igarashi. 2017. On polymorphic gradual typing. In Proceedings of the 22th ACM SIGPLAN Conference on Functional Programming (ICFP’17). ACM Press, Oxford, UK, 40:1--40:29.Google ScholarDigital Library
Khurram A. Jafery and Joshua Dunfield. 2017. Sums of uncertainty: Refinements go gradual. In Proceedings of the 44th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’17). ACM Press, Paris, France, 804--817. Google ScholarDigital Library
Kenneth Knowles and Cormac Flanagan. 2010. Hybrid type checking. ACM Trans. Program. Lang. Syst. 32, 2 (2010). Google ScholarDigital Library
Nico Lehmann and Éric Tanter. 2017. Gradual refinement types. In Proceedings of the 44th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’17). ACM Press, Paris, France, 775--788. Google ScholarDigital Library
Scott Moore and Stephen Chong. 2011. Static analysis for efficient hybrid information-flow control. In Proceedings of the 24th IEEE Computer Security Foundations Symposium (CSF’11). Cernay-la-Ville, France, 146--160. Google ScholarDigital Library
Andrew C. Myers. 1999. JFlow: Practical mostly static information flow control. In Proceedings of the 26th ACM Symposium on Principles of Programming Languages (POPL’99). ACM Press, San Antonio, TX, 228--241. Google ScholarDigital Library
Andrew C. Myers and Barbara Liskov. 1997. A decentralized model for information flow control. In Proceedings of the 16th ACM Symposium on Operating System Principles (SOSP’97). 129--142. Google ScholarDigital Library
Andrew C. Myers and Barbara Liskov. 2000. Protecting privacy using the decentralized label model. ACM Trans. Softw. Eng. Methodol. 9 (Oct. 2000), 410--442. Issue 4. Google ScholarDigital Library
François Pottier and Vincent Simonet. 2003. Information flow inference for ML. ACM Trans. Program. Lang. Syst. 25, 1 (Jan. 2003), 117--158. Google ScholarDigital Library
John C. Reynolds. 1983. Types, abstraction and parametric polymorphism. In Proceedings of the IFIP Congress. 513--523.Google Scholar
Alejandro Russo and Andrei Sabelfeld. 2010. Dynamic vs. static flow-sensitive security analysis. In Proceedings of the 2010 23rd IEEE Computer Security Foundations Symposium (CSF’10). IEEE Computer Society, Washington, DC, 186--199. Google ScholarDigital Library
Andrei Sabelfeld and Andrew C. Myers. 2003. Language-based information-flow security. IEEE J. Select. Areas Commun. 21, 1 (Jan. 2003). Google ScholarDigital Library
Andrei Sabelfeld and David Sands. 2009. Declassification: Dimensions and principles. J. Comput. Secur. 17, 5 (2009), 517--548. Google ScholarDigital Library
Ilya Sergey and Dave Clarke. 2012. Gradual ownership types. In Proceedings of the 21st European Symposium on Programming Languages and Systems (ESOP’12) (LNCS), Helmut Seidl (Ed.), Vol. 7211. Springer-Verlag, Tallinn, Estonia, 579--599. Google ScholarDigital Library
Paritosh Shroff, Scott Smith, and Mark Thober. 2007. Dynamic dependency monitoring to secure information flow. In Proceedings of the 20th IEEE Computer Security Foundations Symposium (CSF’07). IEEE Computer Society, Washington, DC, 203--217. Google ScholarDigital Library
Jeremy Siek and Walid Taha. 2007. Gradual typing for objects. In Proceedings of the 21st European Conference on Object-oriented Programming (ECOOP’07) (LNCS), Erik Ernst (Ed.). Springer-Verlag, Berlin, 2--27. Google ScholarDigital Library
Jeremy Siek and Philip Wadler. 2010. Threesomes, with and without blame. In Proceedings of the 37th annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’10). ACM Press, 365--376. Google ScholarDigital Library
Jeremy G. Siek and Walid Taha. 2006. Gradual typing for functional languages. In Proceedings of the Scheme and Functional Programming Workshop. 81--92.Google Scholar
Jeremy G. Siek, Michael M. Vitousek, Matteo Cimini, and John Tang Boyland. 2015. Refined criteria for gradual typing. In Proceedings of the 1st Summit on Advances in Programming Languages (SNAPL’15). 274--293.Google Scholar
Deian Stefan, David Mazières, John C. Mitchell, and Alejandro Russo. 2017. Flexible dynamic information flow control in the presence of exceptions. J. Funct. Program. 27 (2017).Google Scholar
Peter Thiemann and Luminous Fennell. 2014. Gradual typing for annotated type systems. In Proceedings of the 23rd European Symposium on Programming Languages and Systems (ESOP’14) (LNCS), Zhong Shao (Ed.), Vol. 8410. Springer-Verlag, Grenoble, France, 47--66. Google ScholarDigital Library
Matías Toro, Ronald Garcia, and Éric Tanter. 2018. Type-Driven Gradual Security with References: Complete Definitions and Proofs. Technical Report TR/DCC-2018-4. University of Chile.Google Scholar
Matías Toro and Éric Tanter. 2015. Customizable gradual polymorphic effects for Scala. In Proceedings of the 30th ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages and Applications (OOPSLA’15). ACM Press, Pittsburgh, PA, 935--953. Google ScholarDigital Library
Matías Toro and Éric Tanter. 2017. A gradual interpretation of union types. In Proceedings of the 24th Static Analysis Symposium (SAS’17) (Lecture Notes in Computer Science), Vol. 10422. Springer-Verlag, New York City, NY, 382--404.Google Scholar
Dennis Volpano, Cynthia Irvine, and Geoffrey Smith. 1996. A sound type system for secure flow analysis. J. Comput. Secur. 4, 2--3 (Jan. 1996), 167--187. Google ScholarDigital Library
Philip Wadler. 1989. Theorems for free&excl; In Proceedings of the 4th International Conference on Functional Programming Languages and Computer Architecture (FPCA’89). ACM, New York, NY, 347--359. Google ScholarDigital Library
Roger Wolff, Ronald Garcia, Éric Tanter, and Jonathan Aldrich. 2011. Gradual typestate. In Proceedings of the 25th European Conference on Object-oriented Programming (ECOOP’11) (LNCS), Mira Mezini (Ed.), Vol. 6813. Springer-Verlag, Lancaster, UK, 459--483. Google ScholarDigital Library
Steve Zdancewic. 2002. Programming Languages for Information Security. Ph.D. Dissertation. Cornell University. Google ScholarDigital Library
Steve Zdancewic and Andrew C. Myers. 2001. Secure information flow and CPS. In Proceedings of the 10th European Symposium on Programming, Vol. 2028. 46--61. Google ScholarDigital Library
Lantian Zheng and Andrew C. Myers. 2007. Dynamic security labels and noninterference. Int. J. Info. Secur. 6, 2 (Mar. 2007), 67--84.Google ScholarCross Ref

Index Terms

Type-Driven Gradual Security with References
1. Security and privacy
  1. Systems security
    1. Information flow control
2. Theory of computation
  1. Semantics and reasoning
    1. Program constructs
      1. Type structures
    2. Program semantics

Recommendations

Gradual typing: a new perspective

We define a new, more semantic interpretation of gradual types and use it to ``gradualize'' two forms of polymorphism: subtyping polymorphism and implicit parametric polymorphism. In particular, we use the new interpretation to define three gradual type ...
Read More
Principal Type Schemes for Gradual Programs
POPL '15: Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages

Gradual typing is a discipline for integrating dynamic checking into a static type system. Since its introduction in functional languages, it has been adapted to a variety of type systems, including object-oriented, security, and substructural. This ...
Read More
Gradual Security Typing with References
CSF '13: Proceedings of the 2013 IEEE 26th Computer Security Foundations Symposium

Type systems for information-flow control (IFC) are often inflexible and too conservative. On the other hand, dynamic run-time monitoring of information flow is flexible and permissive but it is difficult to guarantee robust behavior of a program. ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
ACM Transactions on Programming Languages and Systems Volume 40, Issue 4
December 2018
191 pages
ISSN:0164-0925
EISSN:1558-4593
DOI:10.1145/3292525
Editor:
Andrew Myers
Cornell University, USA
Issue’s Table of Contents
Copyright © 2018 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 13 December 2018
- Accepted: 1 May 2018
- Revised: 1 March 2018
- Received: 1 April 2017
Published in toplas Volume 40, Issue 4

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Noninterference
gradual typing
language-based security
Qualifiers
- research-article
- Research
- Refereed
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 28
  Total Citations
  View Citations
- 434
  Total Downloads
- Downloads (Last 12 months)71
- Downloads (Last 6 weeks)18
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.