Abstract
Information flow control (IFC) provides confidentiality by enforcing noninterference, which ensures that high-secrecy values cannot affect low-secrecy values. Prior work introduces fine-grained IFC approaches that modify the programming language and use non-standard compilation tools, impose run-time overhead, or report false secrecy leaks—all of which hinder adoption. This paper presents Cocoon, a Rust library for static type-based IFC that uses the unmodified Rust language and compiler. The key insight of Cocoon lies in leveraging Rust’s type system and procedural macros to establish an effect system that enforces noninterference. A performance evaluation shows that using Cocoon increases compile time but has no impact on application performance. To demonstrate Cocoon’s utility, we retrofitted two popular Rust programs, the Spotify TUI client and Mozilla’s Servo browser engine, to use Cocoon to enforce limited confidentiality policies
- Martín Abadi, Anindya Banerjee, Nevin Heintze, and Jon G. Riecke. 1999. A Core Calculus of Dependency. In Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’99). Association for Computing Machinery, New York, NY, USA. 147–160. isbn:1581130953 https://doi.org/10.1145/292540.292555 Google ScholarDigital Library
- Coşku Acay, Rolph Recto, Joshua Gancher, Andrew C. Myers, and Elaine Shi. 2021. Viaduct: An Extensible, Optimizing Compiler for Secure Distributed Programs. In Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation (PLDI 2021). Association for Computing Machinery, New York, NY, USA. 740–755. isbn:9781450383912 https://doi.org/10.1145/3453483.3454074 Google ScholarDigital Library
- Aslan Askarov, Sebastian Hunt, Andrei Sabelfeld, and David Sands. 2008. Termination-Insensitive Noninterference Leaks More Than Just a Bit. In Proceedings of the 13th European Symposium on Research in Computer Security: Computer Security (ESORICS ’08). Springer-Verlag, Berlin, Heidelberg. 333–348. isbn:9783540883128 https://doi.org/10.1007/978-3-540-88313-5_22 Google ScholarDigital Library
- Thomas H. Austin and Cormac Flanagan. 2009. Efficient Purely-Dynamic Information Flow Analysis. In Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security (PLAS ’09). Association for Computing Machinery, New York, NY, USA. 113–124. isbn:9781605586458 https://doi.org/10.1145/1554339.1554353 Google ScholarDigital Library
- Abhiram Balasubramanian, Marek S. Baranowski, Anton Burtsev, Aurojit Panda, Zvonimir Rakamari, and Leonid Ryzhyk. 2017. System Programming in Rust: Beyond Safety. SIGOPS Oper. Syst. Rev., 51, 1 (2017), sep, 94–99. issn:0163-5980 https://doi.org/10.1145/3139645.3139660 Google ScholarDigital Library
- Edwin Brady. 2007. Idris. Archived from http://www-fp.cs.st-and.ac.uk/ eb/darcs/Idris/ Google Scholar
- Roderick Chapman and Adrian Hilton. 2004. Enforcing Security and Safety Models with an Information Flow Analysis Tool. In Proceedings of the 2004 Annual ACM SIGAda International Conference on Ada: The Engineering of Correct and Reliable Software for Real-Time & Distributed Systems Using Ada and Related Technologies (SIGAda ’04). Association for Computing Machinery, New York, NY, USA. 39–46. isbn:1581139063 https://doi.org/10.1145/1032297.1032305 Google ScholarDigital Library
- Stephen Nathaniel Chong. 2008. Expressive and Enforceable Information Security Policies. Ph. D. Dissertation. Cornell University. "http://people.seas.harvard.edu/~chong/pubs/chong_dissertation.pdf" Google Scholar
- Will Crichton, Marco Patrignani, Maneesh Agrawala, and Pat Hanrahan. 2022. Modular Information Flow through Ownership. In Proceedings of the 43rd ACM SIGPLAN International Conference on Programming Language Design and Implementation (PLDI 2022). Association for Computing Machinery, New York, NY, USA. 1–14. isbn:9781450392655 https://doi.org/10.1145/3519939.3523445 Google ScholarDigital Library
- Debian benchmarksgame-team. 2022. The Computer Language 22.05 Benchmarks Game. https://benchmarksgame-team.pages.debian.net/benchmarksgame/index.html Accessed 2 November 2022 Google Scholar
- Dorothy E. Denning. 1976. A Lattice Model of Secure Information Flow. Commun. ACM, 19, 5 (1976), may, 236–243. issn:0001-0782 https://doi.org/10.1145/360051.360056 Google ScholarDigital Library
- Dorothy E. Denning and Peter J. Denning. 1977. Certification of Programs for Secure Information Flow. Commun. ACM, 20, 7 (1977), jul, 504–513. issn:0001-0782 https://doi.org/10.1145/359636.359712 Google ScholarDigital Library
- Simon Gregersen, Søren Eller Thomsen, and Aslan Askarov. 2019. A Dependently Typed Library for Static Information-Flow Control in Idris. In Principles of Security and Trust, Flemming Nielson and David Sands (Eds.). Springer International Publishing, Prague, Czech Republic. 51–75. isbn:978-3-030-17138-4 https://doi.org/10.1007/978-3-030-17138-4_3 Google ScholarCross Ref
- Christian Hammer, Jens Krinke, and Gregor Snelting. 2006. Information Flow Control for Java Based on Path Conditions in Dependence Graphs. In Proceedings IEEE International Symposium on Secure Software Engineering. IEEE, Arlington, Virginia, USA. 10 pages. Google Scholar
- Daniel Hedin and Andrei Sabelfeld. 2012. A Perspective on Information-Flow Control. In Software Safety and Security - Tools for Analysis and Verification, Tobias Nipkow, Orna Grumberg, and Benedikt Hauptmann (Eds.) (NATO Science for Peace and Security Series - D: Information and Communication Security, Vol. 33). IOS Press, Amsterdam. 319–347. https://doi.org/10.3233/978-1-61499-028-4-319 Google ScholarCross Ref
- Elisavet Kozyri, Owen Arden, Andrew C. Myers, and Fred B. Schneider. 2016. JRIF: reactive information flow control for Java. Cornell University Computing and Information Science. https://ecommons.cornell.edu/handle/1813/41194 Google Scholar
- Maxwell Krohn, Alexander Yip, Micah Brodsky, Natan Cliffer, M. Frans Kaashoek, Eddie Kohler, and Robert Morris. 2007. Information Flow Control for Standard OS Abstractions. In Proceedings of Twenty-First ACM SIGOPS Symposium on Operating Systems Principles (SOSP ’07). Association for Computing Machinery, New York, NY, USA. 321–334. isbn:9781595935915 https://doi.org/10.1145/1294261.1294293 Google ScholarDigital Library
- Ada Lamba, Max Taylor, Vincent Beardsley, Jacob Bambeck, Michael D. Bond, and Zhiqiang Lin. 2024. Cocoon artifact. https://doi.org/10.5281/zenodo.10798978 Google ScholarCross Ref
- Butler W. Lampson. 1973. A Note on the Confinement Problem. Commun. ACM, 16, 10 (1973), oct, 613–615. issn:0001-0782 https://doi.org/10.1145/362375.362389 Google ScholarDigital Library
- Linux Foundation. 2022. Servo. https://servo.org Google Scholar
- Mozilla Research. 2020. The Rust Language. Archived from https://research.mozilla.org/rust/ Google Scholar
- A.C. Myers, A. Sabelfeld, and S. Zdancewic. 2004. Enforcing robust declassification. In Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004.. IEEE, New York City, NY, USA. 172–186. https://doi.org/10.1109/CSFW.2004.1310740 Google ScholarCross Ref
- Andrew C. Myers. 1999. JFlow: Practical Mostly-Static Information Flow Control. In Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’99). Association for Computing Machinery, New York, NY, USA. 228–241. isbn:1581130953 https://doi.org/10.1145/292540.292561 Google ScholarDigital Library
- Andrew C. Myers and Barbara Liskov. 1997. A Decentralized Model for Information Flow Control. In Proceedings of the Sixteenth ACM Symposium on Operating Systems Principles (SOSP ’97). Association for Computing Machinery, New York, NY, USA. 129–142. isbn:0897919165 https://doi.org/10.1145/268998.266669 Google ScholarDigital Library
- Andrew C. Myers, Lantian Zheng, Steve Zdancewic, Stephen Chong, and Nathaniel Nystrom. 2006. Jif 3.0: Java information flow. http://www.cs.cornell.edu/jif Google Scholar
- Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Eric Rahm, Sorin Lerner, Hovav Shacham, and Deian Stefan. 2020. Retrofitting Fine Grain Isolation in the Firefox Renderer. In Proceedings of the 29th USENIX Conference on Security Symposium (SEC’20). USENIX Association, USA. Article 40, 18 pages. isbn:978-1-939133-17-5 Google ScholarDigital Library
- Flemming Nielson and Hanne Riis Nielson. 1999. Type and Effect Systems. Springer Berlin Heidelberg, Berlin, Heidelberg. 114–136. isbn:978-3-540-48092-1 https://doi.org/10.1007/3-540-48092-7_6 Google ScholarCross Ref
- Noel. 2010. The Rust Language. http://lambda-the-ultimate.org/node/4009 Google Scholar
- Leo J. Rotenberg. 1973. Making Computers Keep Secrets. Ph. D. Dissertation. Massachusetts Institute of Technology. Boston, MA. Google Scholar
- Indrajit Roy, Donald E. Porter, Michael D. Bond, Kathryn S. McKinley, and Emmett Witchel. 2009. Laminar: practical fine-grained decentralized information flow control. In Proceedings of the 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2009, Michael Hind and Amer Diwan (Eds.). ACM, Dublin, Ireland. 63–74. https://doi.org/10.1145/1542476.1542484 Google ScholarDigital Library
- Alejandro Russo. 2015. Functional Pearl: Two Can Keep a Secret, If One of Them Uses Haskell. In Proceedings of the 20th ACM SIGPLAN International Conference on Functional Programming (ICFP 2015). Association for Computing Machinery, New York, NY, USA. 280–288. isbn:9781450336697 https://doi.org/10.1145/2784731.2784756 Google ScholarDigital Library
- A. Sabelfeld and A.C. Myers. 2003. Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 21, 1 (2003), 5–19. https://doi.org/10.1109/JSAC.2002.806121 Google ScholarDigital Library
- Vincent Simonet. 2003. The Flow Caml System: documentation and user’s manual. Institut National de Recherche en Informatique et en Automatique (INRIA). © INRIA Google Scholar
- Geoffrey Smith and Dennis Volpano. 1998. Secure Information Flow in a Multi-Threaded Imperative Language. In Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’98). Association for Computing Machinery, New York, NY, USA. 355–364. isbn:0897919793 https://doi.org/10.1145/268946.268975 Google ScholarDigital Library
- Stack Overflow. 2022. Annual Developer Survey. https://survey.stackoverflow.co/2022/ Google Scholar
- Milijana Surbatovich, Naomi Spargo, Limin Jia, and Brandon Lucia. 2023. A Type System for Safe Intermittent Computing. Proc. ACM Program. Lang., 7, PLDI (2023), Article 136, jun, 25 pages. https://doi.org/10.1145/3591250 Google ScholarDigital Library
- The Rust Foundation. 2022. Prodution Users — Rust Programming Language. https://www.rust-lang.org/production/users Google Scholar
- Dennis Volpano, Cynthia Irvine, and Geoffrey Smith. 1996. A Sound Type System for Secure Flow Analysis. J. Comput. Secur., 4, 2–3 (1996), jan, 167–187. issn:0926-227X Google ScholarDigital Library
- Jian Xiang and Stephen Chong. 2021. Co-Inflow: Coarse-grained Information Flow Control for Java-like Languages. In 2021 IEEE Symposium on Security and Privacy (SP). IEEE, San Francisco, CA, USA. 18–35. https://doi.org/10.1109/SP40001.2021.00002 Google ScholarCross Ref
- Matteo Zanioli, Pietro Ferrara, and Agostino Cortesi. 2012. SAILS: Static Analysis of Information Leakage with Sample. In Proceedings of the 27th Annual ACM Symposium on Applied Computing (SAC ’12). Association for Computing Machinery, New York, NY, USA. 1308–1313. isbn:9781450308571 https://doi.org/10.1145/2245276.2231983 Google ScholarDigital Library
- Steve Zdancewic and Andrew C. Myers. 2000. Confidentiality and Integrity with Untrusted Hosts: Technical Report. Cornell University. Google Scholar
- Nickolai Zeldovich, Silas Boyd-Wickizer, and David Mazières. 2008. Securing Distributed Systems with Information Flow Control. In Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation (NSDI’08). USENIX Association, USA. 293–308. isbn:1119995555221 Google ScholarDigital Library
- Lantian Zheng and Andrew C. Myers. 2005. Dynamic Security Labels and Noninterference (Extended Abstract). In Formal Aspects in Security and Trust, Theo Dimitrakos and Fabio Martinelli (Eds.). Springer US, Boston, MA. 27–40. isbn:978-0-387-24098-5 Google Scholar
Index Terms
- Cocoon: Static Information Flow Control in Rust
Recommendations
Nonmalleable Information Flow Control
CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications SecurityNoninterference is a popular semantic security condition because it offers strong end-to-end guarantees, it is inherently compositional, and it can be enforced using a simple security type system. Unfortunately, it is too restrictive for real systems. ...
Encoding information flow in AURA
Two of the main ways to protect security-sensitive resources in computer systems are to enforce access-control policies and information-flow policies. In this paper, we show how to enforce information-flow policies in AURA, which is a programming ...
Rust-like borrowing with 2nd-class values (short paper)
SCALA 2017: Proceedings of the 8th ACM SIGPLAN International Symposium on ScalaThe Rust programming language demonstrates that memory safety can be achieved in a practical systems language, based on a sophisticated type system that controls object lifetimes and aliasing through notions of ownership and borrowing. While Scala has ...
Comments