English

IFC Inside: Retrofitting Languages with Dynamic Information Flow Control (Extended Version)

Programming Languages 2015-01-20 v1 Cryptography and Security

Abstract

Many important security problems in JavaScript, such as browser extension security, untrusted JavaScript libraries and safe integration of mutually distrustful websites (mash-ups), may be effectively addressed using an efficient implementation of information flow control (IFC). Unfortunately existing fine-grained approaches to JavaScript IFC require modifications to the language semantics and its engine, a non-goal for browser applications. In this work, we take the ideas of coarse-grained dynamic IFC and provide the theoretical foundation for a language-based approach that can be applied to any programming language for which external effects can be controlled. We then apply this formalism to server- and client-side JavaScript, show how it generalizes to the C programming language, and connect it to the Haskell LIO system. Our methodology offers design principles for the construction of information flow control systems when isolation can easily be achieved, as well as compositional proofs for optimized concrete implementations of these systems, by relating them to their isolated variants.

Keywords

Cite

@article{arxiv.1501.04132,
  title  = {IFC Inside: Retrofitting Languages with Dynamic Information Flow Control (Extended Version)},
  author = {Stefan Heule and Deian Stefan and Edward Z. Yang and John C. Mitchell and Alejandro Russo},
  journal= {arXiv preprint arXiv:1501.04132},
  year   = {2015}
}

Comments

Extended version of POST'15 paper; 31 pages

R2 v1 2026-06-22T08:04:13.795Z