JFlow: practical mostly-static information flow control. A promising technique for protecting privacy and integrity of sensitive data is to statically check information flow within programs that manipulate the data. While previous work has proposed programming language extensions to allow this static checking, the resulting languages are too restrictive for practical use and have not been implemented. In this paper, we describe the new language JFlow, an extension to the Java language that adds statically-checked information flow annotations. JFlow provides several new features that make information flow checking more flexible and convenient than in previous models: a decentralized label model, label polymorphism, run-time label checking, and automatic label inference. JFlow also supports many language features that have never been integrated successfully with static information flow control, including objects, subclassing, dynamic type tests, access control, and exceptions. This paper defines the JFlow language and presents formal rules that are used to check JFlow programs for correctness. Because most checking is static, there is little code space, data space, or run-time overhead in the JFlow implementation.

References in zbMATH (referenced in 26 articles )

Showing results 21 to 26 of 26.
Sorted by year (citations)
  1. De Francesco, Nicoletta; Martini, Luca: Instruction-level security analysis for information flow in stack-based assembly languages (2007)
  2. De Francesco, Nicoletta; Martini, Luca: Instruction-level security typing by abstract interpretation (2007) ioport
  3. Zheng, Lantian; Myers, Andrew C.: Dynamic security labels and static information flow control (2007) ioport
  4. Shibayama, Etsuya; Yonezawa, Akinori: Secure software infrastructure in the Internet age (2003) ioport
  5. Boudol, GĂ©rard; Castellani, Ilaria: Noninterference for concurrent programs and thread systems (2002)
  6. Chang, Bor-Yuh Evan; Crary, Karl; DeLap, Margaret; Harper, Robert; Liszka, Jason; Murphy, Tom VII; Pfenning, Frank: Trustless grid computing in concert (2002)