Filament: Denning-Style Information Flow Control for Rust

TL;DR

Filament is a Rust library that implements Denning-style information flow control without compiler modifications, enabling fine-grained and implicit flow checking with minimal overhead and a permissive programming model.

Contribution

It introduces a Denning-style static IFC library for Rust that requires no compiler modifications and supports fine-grained explicit and implicit flow control.

Findings

Filament incurs negligible compile-time overhead.

Requires only modest annotations for effective security.

Offers a more permissive programming model than Cocoon.

Abstract

Existing language-based information-flow control (IFC) tools face a fundamental tension: Denning-style systems that track explicit and implicit flows at the variable level typically require compiler modifications, while more coarse-grained approaches, including recent work Cocoon, avoid compiler changes but impose more restrictive programming models. We present Filament, a Denning-style static IFC library for Rust that requires no compiler modifications. Filament addresses three key challenges in building a practical IFC library for Rust. First, it enables fine-grained explicit-flow checking with minimal annotation overhead by leveraging Rust's type inference. Second, it introduces pc_block!, a lightweight construct for enforcing implicit flows via a compile-time program counter label, without requiring compiler support. Third, it provides fcall! and mcall! macros to support seamless and safe interoperability with standard and third-party libraries. Our evaluation shows that Filament incurs negligible compile-time overhead and requires only modest annotations. Moreover, compared to Cocoon, Filament offers a more permissive programming model, reducing the need for frequent escape hatches that bypass security checks.