Abstract
Information-Flow Control (IFC) is a well-established approach for allowing untrusted code to manipulate sensitive data without disclosing it. IFC is typically enforced via type systems and static analyses or via dynamic execution monitors. The LIO Haskell library, originating in operating systems research, implements a purely dynamic monitor of the sensitivity level of a computation, particularly suitable when data sensitivity levels are only known at runtime. In this paper, we show how to give programmers the flexibility of deferring IFC checks to runtime (as in LIO), while also providing static guarantees, and the absence of runtime checks, for parts of their programs that can be statically verified (unlike LIO). We present the design and implementation of our approach, HLIO (Hybrid LIO), as an embedding in Haskell that uses a novel technique for deferring IFC checks based on singleton types and constraint polymorphism. We formalize HLIO, prove non-interference, and show how interesting IFC examples can be programmed. Although our motivation is IFC, our technique for deferring constraints goes well beyond and offers a methodology for programmer-controlled hybrid type checking in Haskell.
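The hybrid idea in the abstract, as an added illustration that is not HLIO's own code: a two-point lattice whose flow constraint is discharged by the type checker where labels are static, and turned into a runtime check via singletons where a label is only known at runtime. All names (Level, SLevel, SomeLevel, CanFlow, Dict, unlabelStatic, unlabelDeferred) are hypothetical and chosen for this sketch.

```haskell
{-# LANGUAGE DataKinds, GADTs, KindSignatures, TypeFamilies #-}
{-# LANGUAGE ConstraintKinds, ScopedTypeVariables #-}
import Data.Kind (Constraint)
-- Two-point lattice of sensitivity levels, promoted to the type level.
data Level = L | H
-- Singleton: the unique runtime witness of each type-level label.
data SLevel (l :: Level) where
  SL :: SLevel 'L
  SH :: SLevel 'H
-- A label known only at runtime (e.g. read from input): its index is hidden.
data SomeLevel where
  SomeLevel :: SLevel l -> SomeLevel
class KnownLevel (l :: Level) where sing :: SLevel l
instance KnownLevel 'L where sing = SL
instance KnownLevel 'H where sing = SH
-- The flow relation as a closed type family: only H -> L is forbidden.
type family CanFlow (a :: Level) (b :: Level) :: Bool where
  CanFlow 'H 'L = 'False
  CanFlow a  b  = 'True
newtype Labeled (l :: Level) a = Labeled a

-- Static path: the type checker discharges the constraint, so nothing is
-- checked at runtime; unlabelling H data at L is a compile-time error.
unlabelStatic :: (CanFlow l l' ~ 'True) => Labeled l a -> SLevel l' -> a
unlabelStatic (Labeled a) _ = a

-- Runtime evidence that a constraint holds.
data Dict (c :: Constraint) where
  Dict :: c => Dict c
-- Decide the relation on singletons; matching refines the types, so GHC
-- accepts Dict exactly in the branches where CanFlow reduces to 'True.
decideFlow :: SLevel a -> SLevel b -> Maybe (Dict (CanFlow a b ~ 'True))
decideFlow SH SL = Nothing
decideFlow SL _  = Just Dict
decideFlow SH SH = Just Dict

-- Deferred path: the same constraint becomes a runtime check that may fail.
unlabelDeferred :: forall l a. KnownLevel l
                => Labeled l a -> SomeLevel -> Either String a
unlabelDeferred lv (SomeLevel to) = case decideFlow (sing :: SLevel l) to of
  Just Dict -> Right (unlabelStatic lv to)   -- evidence in hand: reuse static path
  Nothing   -> Left "flow denied at runtime"

main :: IO ()
main = do
  let secret = Labeled 42 :: Labeled 'H Int
      public = Labeled 7  :: Labeled 'L Int
  print (unlabelStatic public SH)               -- L -> H: no runtime check at all
  print (unlabelDeferred secret (SomeLevel SL)) -- H -> L: denied by the runtime check
  print (unlabelDeferred public (SomeLevel SH)) -- L -> H: allowed by the runtime check
```

Uncommenting a call such as `unlabelStatic secret SL` is rejected by GHC, which is the "absence of runtime checks" half of the design; the deferred path is the only place a check is executed.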
Published in ICFP 2015: Proceedings of the 20th ACM SIGPLAN International Conference on Functional Programming, as "HLIO: mixing static and dynamic typing for information-flow control in Haskell".