It appears you don't have support to open PDFs in this web browser. To view this file, Open with your PDF reader
Abstract
Ensuring the security and privacy of personal data typically involves tracking and checking the flow of information, which can be performed either statically using a type system or dynamically using runtime monitoring. The dynamic approach of information-flow control (IFC) requires less effort from the programmer while the static approach provides stronger guarantees and less runtime overhead. Languages with gradual IFC combine static and dynamic techniques to prevent security leaks, so the programmer is free to choose when it is appropriate to increase the precision of type annotations and put in the effort to pass the static checks, versus when it is appropriate to reduce the precision of type annotations, thereby deferring the enforcement to runtime. Gradual programming languages should satisfy the gradual guarantee: programs that only differ in the precision of their type annotations should behave the same modulo cast errors. Unfortunately, Toro et al. [2018] identify a tension between the gradual guarantee and information security. They conjecture that it is not possible to enforce noninterference and satisfy the gradual guarantee.
In my PhD dissertation, I harmoniously combine static and dynamic enforcement of IFC in one programming language, λ*IFC, which satisfies both noninterference and the gradual guarantee at the same time without making any sacrifices. λ*IFC (1) enforces information flow security, (2) satisfies the gradual guarantee, (3) supports type-based reasoning, and (4) requires no extra static analysis prior to program execution. The key to the design of λ*IFC is to exclude the unknown label from runtime security labels. On the technical side, the semantics of λ*IFC is the first gradual information-flow control language to be specified using coercion calculi (a la Henglein). Casts in λ*IFC are represented by security coercions, which enforce the flow of information while satisfying the gradual guarantee.
I mechanize the proofs of type safety and the gradual guarantee for λ*IFC in the Agda proof assistant. I prove noninterference for λ*IFC by simulating λ*IFC with its dynamic extreme.
In summary, my thesis is that it is possible to design a gradual IFC programming language that satisfies noninterference and the gradual guarantee while supporting type-based reasoning, by excluding the unknown label from run-time security labels and using security coercions to represent casts.
You have requested "on-the-fly" machine translation of selected content from our databases. This functionality is provided solely for your convenience and is in no way intended to replace human translation. Show full disclaimer
Neither ProQuest nor its licensors make any representations or warranties with respect to the translations. The translations are automatically generated "AS IS" and "AS AVAILABLE" and are not retained in our systems. PROQUEST AND ITS LICENSORS SPECIFICALLY DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION, ANY WARRANTIES FOR AVAILABILITY, ACCURACY, TIMELINESS, COMPLETENESS, NON-INFRINGMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Your use of the translations is subject to all use restrictions contained in your Electronic Products License Agreement and by using the translation functionality you agree to forgo any and all claims against ProQuest or its licensors for your use of the translation functionality and any output derived there from. Hide full disclaimer
Details
