
languages [Ben04], for languages with heaps [Yan07], and for languages with objects [ABB06]. In comparison to type systems, the relations directly express equalities between related program states, thus the analyses do not necessarily depend on a given security lattice.

Alternatively, noninterference has been reformulated as a program property called self-composition [BDR04], which is based on a single execution of the program P;P', where P' is a modification of P that operates on copies of the original variables. The idea has been refined by Terauchi and Aiken [TA05], such that program modifications only have to be applied to subprograms of P, which greatly simplifies the verification for automatic analyses. The self-composition approach has been embedded into a dynamic logic for Java programs [DHS05] as well as into a VDM-style program logic [BH07].
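The self-composition construction, as an added example that is not part of the thesis or of [BDR04]: a toy imperative language, the renaming P to P' (every variable gets a primed copy, so P' runs on disjoint state), and a bounded check that executes the single program P;P' from states in which the low variables of both copies agree and reports every initial state in which they disagree afterwards. The expression syntax, the variable names l and h, the value domain and the per-loop iteration bound are assumptions of this example; a real verifier would discharge the same pre/post condition with a program logic instead of enumerating inputs.

```python
from itertools import product

# Toy syntax (assumed for this example), as nested tuples:
#   expressions: ('const', n) | ('var', x) | ('add', e1, e2) | ('sub', e1, e2) | ('lt', e1, e2)
#   statements:  ('skip',) | ('assign', x, e) | ('seq', s1, s2) | ('if', e, s1, s2) | ('while', e, s)

def eval_expr(e, st):
    tag = e[0]
    if tag == 'const':
        return e[1]
    if tag == 'var':
        return st[e[1]]
    a, b = eval_expr(e[1], st), eval_expr(e[2], st)
    if tag == 'add':
        return a + b
    if tag == 'sub':
        return a - b
    if tag == 'lt':
        return 1 if a < b else 0
    raise ValueError(tag)

def exec_stmt(s, st, fuel=10_000):
    """Run statement s on the state dict st in place; fuel bounds each loop."""
    tag = s[0]
    if tag == 'skip':
        return
    if tag == 'assign':
        st[s[1]] = eval_expr(s[2], st)
    elif tag == 'seq':
        exec_stmt(s[1], st, fuel)
        exec_stmt(s[2], st, fuel)
    elif tag == 'if':
        exec_stmt(s[2] if eval_expr(s[1], st) else s[3], st, fuel)
    elif tag == 'while':
        while eval_expr(s[1], st):
            fuel -= 1
            if fuel < 0:
                raise RuntimeError('loop bound exceeded')
            exec_stmt(s[2], st, fuel)
    else:
        raise ValueError(tag)

def rename(node, suffix="'"):
    """P' of self-composition: the same program over primed (disjoint) variables."""
    tag = node[0]
    if tag in ('const', 'skip'):
        return node
    if tag == 'var':
        return ('var', node[1] + suffix)
    if tag == 'assign':
        return ('assign', node[1] + suffix, rename(node[2], suffix))
    return (tag,) + tuple(rename(child, suffix) for child in node[1:])

def self_compose(prog):
    """The single program P;P' whose one execution simulates two runs of P."""
    return ('seq', prog, rename(prog))

def noninterference_counterexamples(prog, low, high, domain):
    """Bounded check of P;P'.  Precondition: the low variables of both copies
    agree.  Postcondition: they still agree.  Returns the violating initial
    states as (lows, highs of P, highs of P')."""
    composed = self_compose(prog)
    found = []
    for lows in product(domain, repeat=len(low)):
        for h1, h2 in product(product(domain, repeat=len(high)), repeat=2):
            st = {}
            for x, v in zip(low, lows):
                st[x] = st[x + "'"] = v          # lows = lows'
            st.update(zip(high, h1))            # highs of P
            st.update((x + "'", v) for x, v in zip(high, h2))  # highs of P'
            exec_stmt(composed, st)
            if any(st[x] != st[x + "'"] for x in low):
                found.append((dict(zip(low, lows)), dict(zip(high, h1)), dict(zip(high, h2))))
    return found

# Constructed sample programs over a low variable l and a high variable h.
H, L = ('var', 'h'), ('var', 'l')
ZERO, ONE = ('const', 0), ('const', 1)

# secure: l is overwritten with a constant, h only flows into h
P_SECURE = ('seq', ('assign', 'l', ZERO),
            ('if', ('lt', H, ZERO), ('assign', 'h', ('sub', ZERO, H)), ('skip',)))
# leaky: implicit flow through the branch condition
P_IMPLICIT = ('if', ('lt', ZERO, H), ('assign', 'l', ONE), ('assign', 'l', ZERO))
# leaky: h is copied into l one unit per loop iteration
P_LOOP = ('seq', ('assign', 'l', ZERO),
          ('while', ('lt', ZERO, H),
           ('seq', ('assign', 'h', ('sub', H, ONE)), ('assign', 'l', ('add', L, ONE)))))

DOMAIN = range(-2, 3)

def demo():
    """Counterexamples per sample program; the secure one yields none."""
    return {name: noninterference_counterexamples(p, ['l'], ['h'], DOMAIN)
            for name, p in [('secure', P_SECURE), ('implicit', P_IMPLICIT), ('loop', P_LOOP)]}
```

Each counterexample is exactly a pair of runs of P that share their low inputs but differ in low output, which is what the two-run definition of noninterference forbids; self-composition lets a logic for single programs state that as an ordinary precondition and postcondition over the primed and unprimed variables.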

An existing program logic can also increase the precision of a type system. Indeed, the pre- and post-predicates for constraint sets used in the type systems of this thesis are based on classic (unary) program logics: the axiomatic definition of constraint sets is derived from Hoare logic [Hoa69], while their algorithmic inference is a simplified form of the weakest precondition calculus [Dij75].

7.2 Static Analysis of Privacy-Aware Software

All the above works assume a fixed assignment of security levels to variables, fields, or other data objects, as well as a given information flow policy. The static analyses are then presented with respect to the previously defined levels and policies.

Prior to this thesis, several approaches have been proposed to account for dynamic security environments, and privacy-aware software. Among the most notable works is Jif (“Java with Information Flow”) by Andrew Myers [Mye99]. The Jif language is a superset of Java, where Java objects and variables can be annotated with “labels”, which are an extended version of security levels. The Jif project includes an extensive information flow type system, and a fully implemented type inference. To date, Jif constitutes the most comprehensive implementation of an information-flow–secure language.

Similar to DSD, the Jif language includes a runtime representation of labels and the security policy which can be queried by a conditional, as shown by the following example from the Jif reference manual [Cho+06]:

    if (L1 <= L2) { ... } else { ... }

The typing rule for such an if-label conditional resembles the corresponding label test rule in the DSD type system.
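A runtime label test of the if-label kind, as an added example in Python rather than Jif or DSD (the reader-set lattice below is an assumption of this example, not Jif's decentralized label model): labels are first-class values, the relation L1 <= L2 is decided at runtime, and the flow from data to channel happens only inside the branch in which that test has succeeded, which is the situation the corresponding typing rule exploits.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    """Reader-set label: the principals allowed to see the data.  Assumed
    lattice for this example only: fewer readers means more restrictive."""
    readers: frozenset

    def __le__(self, other):
        # L1 <= L2: data labelled L1 may flow into a container labelled L2
        # iff L2 grants no reader that L1 does not already grant.
        return other.readers <= self.readers

    def join(self, other):
        # Label of a value computed from two inputs: only the common readers.
        return Label(self.readers & other.readers)

@dataclass(frozen=True)
class Labelled:
    """A value together with its runtime label."""
    value: object
    label: Label

class FlowError(Exception):
    """Raised when a runtime label test rejects a flow."""

def flow_allowed(data, channel):
    """The runtime label test itself: data.label <= channel."""
    return data.label <= channel

def combine(a, b, op):
    """Apply op to two labelled values; the result carries the join."""
    return Labelled(op(a.value, b.value), a.label.join(b.label))

def send(data, channel):
    """The if-label conditional: the flow data -> channel is performed only
    in the branch where data.label <= channel has been established."""
    if flow_allowed(data, channel):
        return data.value
    raise FlowError(f'{sorted(data.label.readers)} may not flow to {sorted(channel.readers)}')

def export(records, channel):
    """Filter records by labels that exist only at runtime (each record
    carries its own reader set), so no static check could decide this."""
    sent, held = [], []
    for rec in records:
        if flow_allowed(rec, channel):
            sent.append(rec.value)
        else:
            held.append(rec.value)
    return sent, held

# Constructed sample data for the example.
PUBLIC = Label(frozenset({'alice', 'bob', 'carol'}))
ALICE_BOB = Label(frozenset({'alice', 'bob'}))
ALICE = Label(frozenset({'alice'}))

RECORDS = [
    Labelled('newsletter', PUBLIC),
    Labelled('team-memo', ALICE_BOB),
    Labelled('salary', ALICE),
]

def demo():
    """Result of each flow decision on the sample data."""
    memo_plus_salary = combine(RECORDS[1], RECORDS[2], lambda x, y: x + '+' + y)
    return {
        'public_to_alice': send(RECORDS[0], ALICE),         # allowed: public data into a restricted channel
        'joined_label': memo_plus_salary.label,             # equals ALICE: only the common reader remains
        'export_to_alice_bob': export(RECORDS, ALICE_BOB),  # (['newsletter', 'team-memo'], ['salary'])
    }
```

The point of the conditional is that the then-branch may assume the flow is permitted while the else-branch may not; a type system with a rule for the label test can therefore accept `send` even though the labels compared are ordinary values that are not known until the program runs.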

The development of the Jif language is steered by actual software examples, that is, the researchers aim to incorporate high-level information flow requirements into the language and the type system. On the other hand, less focus is put on the semantic formalization of the security property that the type system is intended to verify. Consequently, there is no proof of correctness for the type system yet, although it should be added that the typing rules look reasonable and no obviously unintuitive behaviour has been found so far.

While there exists no soundness proof for the entire type system, the specific fragment of dynamic security labels and runtime inspections has been formalized by Lantian Zheng and Andrew Myers in a functional language called λDSec [ZM07]. The language features security labels as first-class values. Dependent pair and function types can be used to type arbitrary data and function arguments with a security label value. The authors give a precise security notion, and provide a soundness result for their type-based analysis.

The λDSec language strongly influenced the development of DSD. Indeed, DSD extends standard information flow concepts in object-oriented languages towards dynamic domains as featured in λDSec. A number of additional features such as higher-order functions and heaps make λDSec even more expressive than my language.

I have not fully followed the Jif and λDSec approaches in this thesis for two reasons: first, I wanted to formalize a soundness result for a Java-like language. As there does not exist a formal connection between the functional language λDSec and the Java-like language Jif, the soundness results for λDSec cannot be readily applied to Jif. Second, and more importantly, the translation to bytecode has been examined neither for Jif nor for λDSec, and it would be very hard to do so. The Jif compiler is implemented by a transformation of Jif code to plain Java source code. This code may include calls to the Jif runtime library to handle dynamic flow checks, runtime representations of security labels, and other tasks. The Java code is in turn compiled to JVM bytecode by a standard Java compiler. It is difficult to precisely pinpoint the end-to-end guarantee of compiled code, that is, the exact effect of the two compilers and the runtime system on the user-specified security policy.

Bandhakavi, Winsborough, and Winslett have developed the imperative language RTI [BWW08], which stands for Role-based Trust management for Information flow. In the RTI language, data are statically associated with roles (sets of principals), which may be queried at runtime to ensure that data flow securely. More recently, Broberg and Sands have proposed Paralocks [BS10], a mechanism where the security roles of data may depend on the state of parametrized flow locks, which are boolean values that are part of the program state. They have presented a functional language with a construct to inspect these locks at runtime. Both works include a type-based information flow analysis, with rules for the role or lock inspection that are similar to the T-IFLABEL rule of DSD.

Nevertheless, there are a number of conceptual differences to the DSD approach. Roles in RTI and locks in Paralocks allow for more expressive security policies. However, they cannot be passed around in the language; instead, RTI and Paralocks extend a standard language with special language syntax and semantics for role and lock
