Skip to main content
SpringerLink
Log in

Paragon for Practical Programming with Information-Flow Control

  • Conference paper
Programming Languages and Systems (APLAS 2013)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 8301))

Included in the following conference series:

Abstract

Conventional security policies for software applications are adequate for managing concerns on the level of access control. But standard abstraction mechanisms of mainstream programming languages are not sufficient to express how information is allowed to flow between resources once access to them has been obtained. In practice we believe that such control - information flow control - is needed to manage the end-to-end security properties of applications.

In this paper we present Paragon, a Java-based language with first-class support for static checking of information flow control policies. Paragon policies are specified in a logic-based policy language. By virtue of their explicitly stateful nature, these policies appear to be more expressive and flexible than those used in previous languages with information-flow support.

Our contribution is to present the design and implementation of Paragon, which smoothly integrates the policy language with Java’s object-oriented setting, and reaps the benefits of the marriage with a fully fledged programming language.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Paragon website (July 2013), http://www.cse.chalmers.se/research/group/paragon

  2. Aldrich, J., Sunshine, J., Saini, D., Sparks, Z.: Typestate-oriented programming. In: OOPSLA Companion, pp. 1015–1022 (2009)

    Google Scholar 

  3. Askarov, A., Sabelfeld, A.: Security-typed languages for implementation of cryptographic protocols: A case study. In: di Vimercati, S.d.C., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 197–221. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  4. Becker, M.Y., Fournet, C., Gordon, A.D.: Design and semantics of a decentralized authorization language. In: Proc. IEEE Computer Security Foundations Symposium, pp. 3–15. IEEE Computer Society (2007)

    Google Scholar 

  5. Broberg, N., Sands, D.: Paralocks – role-based information flow control and beyond. In: POPL 2010, Proceedings of the 37th Annual ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (2010)

    Google Scholar 

  6. Chapman, R., Hilton, A.: Enforcing security and safety models with an information flow analysis tool. ACM SIGAda Ada Letters 24(4), 39–46 (2004)

    Article  Google Scholar 

  7. Denning, D.E.: A lattice model of secure information flow. Comm. of the ACM 19(5), 236–243 (1976)

    Article  MathSciNet  MATH  Google Scholar 

  8. Denning, D.E., Denning, P.J.: Certification of programs for secure information flow. Comm. of the ACM 20(7), 504–513 (1977)

    Article  MATH  Google Scholar 

  9. Dougherty, D.J., Fisler, K., Adsul, B.: Specifying and reasoning about dynamic access-control policies. In: Furbach, U., Shankar, N. (eds.) IJCAR 2006. LNCS (LNAI), vol. 4130, pp. 632–646. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  10. Hammer, C., Snelting, G.: Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs. International Journal of Information Security 8(6), 399–422 (2009)

    Article  Google Scholar 

  11. Hicks, B., Ahmadizadeh, K., McDaniel, P.D.: From languages to systems: Understanding practical application development in security-typed languages. In: ACSAC. IEEE Computer Society (2006)

    Google Scholar 

  12. Jia, L., Zdancewic, S.: Encoding information flow in aura. In: Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security (2009)

    Google Scholar 

  13. Jim, T.: SD3: A trust management system with certified evaluation. In: Proc. IEEE Symp. on Security and Privacy (2001)

    Google Scholar 

  14. Li, N., Mitchell, J.C., Winsborough, W.H.: Design of a role-based trust-management framework. In: IEEE Symposium on Security and Privacy, pp. 114–130 (2002)

    Google Scholar 

  15. Li, P., Zdancewic, S.: Arrows for secure information flow. Theor. Comput. Sci. 411(19) (2010)

    Google Scholar 

  16. Morgenstern, J., Licata, D.R.: Security-typed programming within dependently-typed programming. In: Proceedings of the 15th ACM SIGPLAN International Conference on Functional Programming (2010)

    Google Scholar 

  17. Myers, A.C.: JFlow: Practical mostly-static information flow control. In: Proc. ACM Symp. on Principles of Programming Languages, pp. 228–241 (January 1999)

    Google Scholar 

  18. Myers, A.C., Liskov, B.: A decentralized model for information flow control. In: Proc. ACM Symp. on Operating System Principles, pp. 129–142 (October 1997)

    Google Scholar 

  19. Myers, A.C., Liskov, B.: Protecting privacy using the decentralized label model. ACM Transactions on Software Engineering and Methodology 9(4), 410–442 (2000)

    Article  Google Scholar 

  20. Myers, A.C., Zheng, L., Zdancewic, S., Chong, S., Nystrom, N.: Jif: Java information flow. Software release (2001–2013), http://www.cs.cornell.edu/jif

  21. Rehof, J., Mogensen, T.: Tractable constraints in finite semilattices. In: Cousot, R., Schmidt, D.A. (eds.) SAS 1996. LNCS, vol. 1145, pp. 285–300. Springer, Heidelberg (1996)

    Chapter  Google Scholar 

  22. Russo, A., Claessen, K., Hughes, J.: A library for light-weight information-flow security in haskell. In: Proceedings of the 1st ACM SIGPLAN Symposium on Haskell (2008)

    Google Scholar 

  23. Sabelfeld, A., Sands, D.: Declassification: Dimensions and principles. Journal of Computer Security 15(5), 517–548 (2009)

    Google Scholar 

  24. Simonet, V.: The Flow Caml system. Software release (July 2003), http://cristal.inria.fr/~simonet/soft/flowcaml

  25. Stefan, D., Russo, A., Mitchell, J.C., Mazières, D.: Flexible dynamic information flow control in Haskell. In: Proceedings of the 4th ACM Symposium on Haskell (2011)

    Google Scholar 

  26. Strom, R.E., Yemini, S.: Typestate: A programming language concept for enhancing software reliability. IEEE Trans. Software Eng. 12(1), 157–171 (1986)

    Article  MATH  Google Scholar 

  27. Swamy, N., Chen, J., Fournet, C., Strub, P., Bharagavan, K., Yang, J.: Secure distributed programming with value-dependent types. In: The 16th ACM SIGPLAN International Conference on Functional Programming (2011)

    Google Scholar 

  28. Swamy, N., Corcoran, B.J., Hicks, M.: Fable: A language for enforcing user-defined security policies. In: Proc. IEEE Symp. on Security and Privacy, pp. 369–383 (2008)

    Google Scholar 

  29. van Delft, B., Broberg, N., Sands, D.: A datalog semantics for paralocks. In: Jøsang, A., Samarati, P., Petrocchi, M. (eds.) STM 2012. LNCS, vol. 7783, pp. 305–320. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  30. Whaley, J., Rinard, M.: Compositional pointer and escape analysis for Java programs. In: Proceedings of the 14th ACM SIGPLAN Conference on Object-oriented Programming, Systems, Languages, and Applications, OOPSLA 1999, pp. 187–206. ACM (1999)

    Google Scholar 

  31. Yang, J., Yessenov, K., Solar-Lezama, A.: A language for automatically enforcing privacy policies. In: Proceedings of the 39th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. ACM (2012)

    Google Scholar 

  32. Zheng, L., Myers, A.C.: Dynamic security labels and static information flow control. International Journal of Information Security 6 (2007)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Chalmers University of Technology, Sweden

    Niklas Broberg, Bart van Delft & David Sands

Authors
  1. Niklas Broberg
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Bart van Delft
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. David Sands
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Indiana University, 150 S. Woodlawn Avenue, 47405-7104, Bloomington, IN, USA

    Chung-chieh Shan

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer International Publishing Switzerland

About this paper

Cite this paper

Broberg, N., van Delft, B., Sands, D. (2013). Paragon for Practical Programming with Information-Flow Control. In: Shan, Cc. (eds) Programming Languages and Systems. APLAS 2013. Lecture Notes in Computer Science, vol 8301. Springer, Cham. https://doi.org/10.1007/978-3-319-03542-0_16

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-03542-0_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-03541-3

  • Online ISBN: 978-3-319-03542-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation