Jif: Language-based Information-flow Security in Java
Kyle Pullicino
TL;DR
Jif extends Java with security labels to enable developers to specify and enforce confidentiality and integrity policies, addressing information flow security issues in real-world applications.
Contribution
The paper introduces Jif, a Java extension that integrates security labels into the type system to improve information flow security.
Findings
Jif effectively models confidentiality and integrity policies.
Jif can prevent information leaks in practical systems.
The implementation demonstrates Jif's practical usefulness.
Abstract
In this report, we examine Jif, a Java extension which augments the language with features related to security. Jif adds support for security labels to Java's type system such that the developer can specify confidentiality and integrity policies to the various variables used in their program. We list the main features of Jif and discuss the information flow problem that Jif helps to solve. We see how the information flow problem occurs in real-world systems by looking at two examples: Civitas, a ballot/voting system where voters do not necessarily trust voting agents, and SIF, a web application container implemented using Jif. Finally, we implement a small program that simulates information flow in a booking system containing sensitive data and discuss the usefulness of Jif based on this program.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsSecurity and Verification in Computing · Access Control and Trust · Advanced Malware Detection Techniques