Jif presents an efficient model for data flow control based upon the Decentralized Label Model. In this second article, we look at how Jif can be used to prevent information leaks and introduce some of the core concepts of the language extension.
Read part one, The Decentralized Label Model.
This article was adapted from one originally written as an assignment in advances in programming languages and serves as an introduction to the topics discussed.
Download the original project report. Please note that to open this file you will need to have a PDF reader installed
While DLM forms the foundation of Jif, it is a technology model in itself. Jif takes the concepts and the language rules form DLM and expands them into a full language extension to Java. This section of the report explains some of the features of the language extension that will be covered in the example.
int{Alice->Bob; Alice<-Frank} x = 0;
declassify(x, {Alice->Bob; Alice<-Frank} to
{Alice->Bob, Frank; Alice<-Frank});
endorse(x, {Alice->Bob, Frank; Alice<-Frank} to
{Alice->Bob, Frank; Alice<-Frank, Bob});
In the first article it was detailed how policies restrict information flow, however, this does not make for a usable programming language. Jif allows the security of information to be downgraded by explicitly specifying a new policy label for an expression. The method declassify(e, L1 to L2) downgrades the security of the read set by replacing label L1 with L2 for expression e. The writer set of L2 must be at least as restrictive as L1. To downgrade the writer set, the programmer must instead use endorse(e, L1 to L2). This time, the writer set is relaxed to the policies of L2,however, the reader set must remain at least as restrictive as L1. This is illustrated in Example 1, “Downgrading Policies” though it is worth noting that Jif 3.1.1 is inconsistent with this notation and instead only uses the expression and the new label in declassification and endorsements. By forcing these downgrades to be performed independently of one another there is never the chance that the programmer can accidentally relax the policy for the wrong reader or writer set.
So far the report has only discussed explicit assignments information flow, however, there are many ways that information can pass through an application without being explicitly transferred. Example 2, “Implicit Flow manjif” shows a simple program taken from the Jif reference manual [manjif] whereby private information stored in variable h could be propagated to public variable l. To combat this, Jif records the program counter during compilation to check that any reads or assignments are to variables with policies at least as restrictive as those associated with the branch variable, in this case h. If l were public, it would be less restrictive than the branch condition h and the program would not compile.
class Train authority(driver) {
void start() where authority(driver) {...}
void stop() where caller(driver, emergencyBrake){...}
void {driver<-* meet waitstaff<-*}doTeaService(){...}
}
To explicitly state that an application runs as a particular principal, the class can be marked with the authority of that principle. Principals can also be specified in the method signature to limit the principals that can call a particular method. The caller condition only allows principals listed in parenthesis to execute the method. More flexibly, a policy label can be specified before the method name as a precondition to running the method. These are illustrated in Example 3, “Class Authority”.
While Jif provides a comprehensive way to improve the security of information in Java programs, there are limitations to the solution. Several Java programming features are not supported by the language including nested classes, initialiser blocks and threads [manjif]. Since it is possible to use these features as covert channels for data propagation they cannot be ignored by Jif and due to their complex nature are difficult to provide solutions for.
By their very nature, data policies must be verbose to ensure that they correctly define the restrictions on data, however, from the view of the programmer they require a significant amount of typing and repetition to perform the simplest of tasks.
System.out.println()Most notably, Jif is not part of the Java programming language and as such, Jif programs must be pre-compiled to Java before they can be compiled and run. This is taken care of in one step by the Jif compiler, however, it means that Jif classes are notably distinct from regular Java classes. Jif can make use of regular Java classes and be inter-operable but it isn't seamless.
Since Jif statically checks the information flow in programs it is difficult to provide a full example which displays all the features of the programming language. Instead, small examples have been provided which include deliberate errors in the program to show how Jif detects and reports them.
The principal files Alice.jif and Bob.jif are taken from the Jif package test directory at $JIF/tests/jif/principals/. To avoid changing your classpath they should be copied to the same directory as the example files.
import jif.principals.*;
public class Example1
{
public static void main{}(principal{} p, String[]{} args) {
// Construct the principals
final principal Alice = new Alice();
final principal Bob = new Bob();
// Set up private data, notice the fields only
// have owners
String{Alice:} aliceCarReg = "XYZ";
String{Bob:} bobCarReg = "ABC";
String{} publicReg = "";
// attempt to set the public field with alice's
// private car registration
publicReg = aliceCarReg;
}
}
This example does not compile. Alice's car registration can only be read by Alice and therefore cannot be copied to the publicRef variable. One way around this would be to add a reader for aliceCarReg.
However, this would allow the variable to be read across the program. More preferable would be to allow the car number-plate only to be made public when absolutely necessary. In order to do this, the program must declassify aliceCarReg before it is used.
Jif presents an approach to securely typed languages that claims to be usable, flexible and with significantly lower overhead than other proposed models for access control. It manages something unique in that it enforces control over the flow of information throughout the life-cycle of a program. Unlike the existing access controls in mainstream languages the mediation does not begin and end when the information is retrieved. However, there are several caveats to using the language for real-world development. Perhaps most importantly, Jif does not support threads. This to many is a crucial feature of the Java language and one that cannot be discarded lightly. Another point is that Jif is a Java language extension and requires its own compiler to develop applications. This limits its use in existing IDEs and forces the developer into using a jif-specific plug-in.
While there are clear benefits to using a securely typed language, many of which Jif implements, there is currently a lack of documentation to explain these concepts in practice and without support for threading Jif just isn't ready for the mainstream.
[myers99jflow] 1999. Symposium on Principles of Programming Languages. . “{JFlow}: Practical Mostly-Static Information Flow Control”. Symposium on Principles of Programming Languages. 228-241. citeseer.ist.psu.edu/myers99jflow.html.
[1255332] 2007. PLAS '07: Proceedings of the 2007 workshop on Programming languages and analysis for security. . “Improving usability of information flow security in java”. PLAS '07: Proceedings of the 2007 workshop on Programming languages and analysis for security. 978-1-59593-711-7. 11-20. http://doi.acm.org/10.1145/1255329.1255332. ACM. New York, NY, USA.
[1255331] 2007. PLAS '07: Proceedings of the 2007 workshop on Programming languages and analysis for security. . “Jifclipse: development tools for security-typed languages”. PLAS '07: Proceedings of the 2007 workshop on Programming languages and analysis for security. 978-1-59593-711-7. 1-10. http://doi.acm.org/10.1145/1255329.1255331. ACM. New York, NY, USA.
[363526] “Protecting privacy using the decentralized label model”. 410-442. ACM Trans. Softw. Eng. Methodol.. 4. 1049-331X. 410-442. http://doi.acm.org/10.1145/363516.363526. ACM. New York, NY, USA.
[1134757] 2006. PLAS '06: Proceedings of the 2006 workshop on Programming languages and analysis for security. . “Trusted declassification:: high-level policy for a security-typed language”. PLAS '06: Proceedings of the 2006 workshop on Programming languages and analysis for security. 1-59593-374-3. 65-74. http://doi.acm.org/10.1145/1134744.1134757. ACM. New York, NY, USA.
[manjif] “Jif Reference Manual”. . Cornell University, Ithaca, NY, USA. http://www.cs.cornell.edu/jif/doc/jif-3.1.1/manual.html [last checked 10th March 2008].
[artmanaccess] “Mandatory Access Control”. . Wikimedia Foundation, Inc. http://en.wikipedia.org/wiki/Mandatory_access_control [last checked 13th March 2008].
View the whole tag cloud
Blog | Projects | Photos | About
Designed and maintained by Niall Napier (Napes)
This work is licensed under a Creative Commons License | Terms of Use
That was inspiring,
Some very helpful advice on Information Flow in Java with JIF
Keep up the good work
29 Oct 2009