2018
DOI: 10.1016/j.jlamp.2017.12.003

MAC, a verified static information-flow control library

Cited by 18 publications (14 citation statements)
References 64 publications
“…As in MAC, the API contains a function plug that safely integrates sensitive computations into less sensitive ones. This avoids the need for nested computations and label creep, that is, the raising of the current label to a point where the computation can no longer perform useful tasks [33,46]. Finally, we also have functions run and lift that are only available to trusted code for unwrapping of the DIO ℓ monad and lifting of the IO monad into the DIO ℓ monad.…”
Section: The Depsec Library (mentioning)
confidence: 99%
“…Notice that to implement this specific type signature, up-classification is necessary to assign the comment with type Labeled (A uid1 sid1) String to a field with type Labeled (PC uid sid1) String. This can be achieved soundly with the relabel primitive introduced by Vassena et al [46] as A uid1 sid1 ⊑ PC uid sid1. We include this primitive in Appendix C.…”
Section: Case Study: Conference Manager System (mentioning)
confidence: 99%
“…To further illustrate this point, we can draw a parallel with the notion of an erasure function from the information-flow control literature [Russo et al 2008; Stefan et al 2011; Vassena et al 2018], whose role is to hide secrets from programs running under “unprivileged” levels. In the meta-theory of secure-by-construction programming languages, one will typically show that secure programs commute with the erasure function: applying erasure before running the program yields the same result as applying it after running the program.…”
Section: Introduction (mentioning)
confidence: 99%
“…For example, even exposing language features as simple as -statements can expose users to timing attacks [42,64]. Researchers have made significant strides towards addressing these challenges-many IFC systems now support real-world features and abstractions safely [10,15,20,34,43,50,51,54,55,59,60,62,67,68]. To the best of our knowledge, though, no existing language-level dynamic IFC supports parallelism.…”
Section: Introduction (mentioning)
confidence: 99%