Affiliation:
1. PLEIAD Laboratory, Computer Science Department (DCC), University of Chile, Beauchef, Santiago, Chile
2. Software Practices Laboratory, University of British Columbia, Vancouver, Canada
Abstract
In security-typed programming languages, types statically enforce noninterference between potentially conspiring values, such as the arguments and results of functions. But to adopt static security types, like other advanced type disciplines, programmers face a steep wholesale transition, often forcing them to refactor working code just to satisfy their type checker. To provide a gentler path to security typing that supports safe and stylish but hard-to-verify programming idioms, researchers have designed languages that blend static and dynamic checking of security types. Unfortunately, most of the resulting languages only support static, type-based reasoning about noninterference if a program is entirely statically secured. This limitation substantially weakens the benefits that dynamic enforcement brings to static security typing. Additionally, current proposals are focused on languages with explicit casts and therefore do not fulfill the vision of gradual typing, according to which the boundaries between static and dynamic checking only arise from the (im)precision of type annotations and are transparently mediated by implicit checks.
In this article, we present GSL
Ref
, a gradual security-typed higher-order language with references. As a gradual language, GSL
Ref
supports the range of static-to-dynamic security checking exclusively driven by type annotations, without resorting to explicit casts. Additionally, GSL
Ref
lets programmers use types to reason statically about termination-insensitive noninterference in
all
programs, even those that enforce security dynamically. We prove that GSL
Ref
satisfies all but one of Siek et al.’s criteria for gradually-typed languages, which ensure that programs can seamlessly transition between simple typing and security typing. A notable exception regards the dynamic gradual guarantee, which some specific programs must violate if they are to satisfy noninterference; it remains an open question whether such a language could fully satisfy the dynamic gradual guarantee. To realize this design, we were led to draw a sharp distinction between syntactic type
safety
and semantic type
soundness
, each of which constrains the design of the gradual language.
Funder
CONICYT FONDECYT Regular Project
Publisher
Association for Computing Machinery (ACM)
Reference59 articles.
1. A core calculus of dependency
2. Amal Ahmed. 2004. Semantics of Types for Mutable State. Ph.D. Dissertation. Princeton University. Amal Ahmed. 2004. Semantics of Types for Mutable State. Ph.D. Dissertation. Princeton University.
3. Blame for all
4. Theorems for free for free: parametricity, with and without types
5. Efficient purely-dynamic information flow analysis
Cited by
32 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献
1. Quest Complete: The Holy Grail of Gradual Security;Proceedings of the ACM on Programming Languages;2024-06-20
2. Extending the Object-Capability Model with Fine-Grained Type-Based Capabilities.;The Journal of Object Technology;2024
3. Data-Dependent Confidentiality in DCR Graphs;International Symposium on Principles and Practice of Declarative Programming;2023-10-22
4. A Gradual Probabilistic Lambda Calculus;Proceedings of the ACM on Programming Languages;2023-04-06
5. Gradual System F;Journal of the ACM;2022-10-28