Tracking Data-Flow with Open Closure Types

Type systems hide data that is captured by function closures in function types. In most cases this is a beneficial design that favors simplicity and compositionality. However, some applications require explicit information about the data that is captured in closures. This paper introduces open closure types, that is, function types that are decorated with type contexts. They are used to track data-flow from the environment into the function closure. A simply-typed lambda calculus is used to study the properties of the type theory of open closure types. A distinctive feature of this type theory is that an open closure type of a function can vary in different type contexts. To present an application of the type theory, it is shown that a type derivation establishes a simple non-interference property in the sense of information-flow theory. A publicly available prototype implementation of the system can be used to experiment with type derivations for example programs.Comment: Logic for Programming Artificial Intelligence and Reasoning (2013

Combining Effects and Coeffects via Grading

This is the author accepted manuscript. It is currently under an indefinite embargo pending publication by the Association for Computing Machinery.$\textit{Effects}$ and $\textit{coeffects}$ are two general, complementary aspects of program behaviour. They roughly correspond to computations which change the execution context (effects) versus computations which make demands on the context (coeffects). Effectful features include partiality, non-determinism, input-output, state, and exceptions. Coeffectful features include resource demands, variable access, notions of linearity, and data input requirements. The effectful or coeffectful behaviour of a program can be captured and described via type-based analyses, with fine grained information provided by monoidal effect annotations and semiring coeffects. Various recent work has proposed models for such typed calculi in terms of $\textit{graded (strong) monads}$ for effects and $\textit{graded (monoidal) comonads}$ for coeffects. Effects and coeffects have been studied separately so far, but in practice many computations are both effectful and coeffectful, e.g., possibly throwing exceptions but with resource requirements. To remedy this, we introduce a new general calculus with a combined $\textit{effect-coeffect system}$. This can describe both the $\textit{changes}$ and $\textit{requirements}$ that a program has on its context, as well as interactions between these effectful and coeffectful features of computation. The effect-coeffect system has a denotational model in terms of effect-graded monads and coeffect-graded comonads where interaction is expressed via the novel concept of $\textit{graded distributive laws}$. This graded semantics unifies the syntactic type theory with the denotational model. We show that our calculus can be instantiated to describe in a natural way various different kinds of interaction between a program and its evaluation context.Orchard was supported by EPSRC grant EP/M026124/1 and EP/K011715/1 (whilst previously at Imperial College London), Katsumata by JSPS KAKENHI grant JP15K00014, Uustalu by Estonian Min. of Educ. and Res. grant IUT33-13 and Estonian Sci. Found. grant 9475. Gaboardi’s work was done in part while at the University of Dundee, UK supported by EPSRC grant EP/M022358/1

Selective Java code transformation into AWS Lambda functions

Cloud platforms offer diverse evolving programming and deployment models which require not only application code adaptation, but also retraining and changing developer mindsets. Such change is costly and is better served by automated tools. Subject of the study are automated FaaSification processes which transform conventional annotated Java methods into executable Function-as-a-Service units. Given the novelty of the problem domain, a key concern is the demonstration of feasibility within arbitrary boundaries of FaaS offerings and the measurement of resulting technical and pricing metrics. We contribute a suitable tool design called Termite with corresponding implementation in Java. The design is aligned with a generic transformation pipeline in which each step from code analysis over compilation to deployment and testing can be observed and measured separately. Our results show that annotations are suitable means for fine-grained configuration despite ceding control to the build system. Smaller Java projects can be FaaS-enabled with little effort. We expect FaaSification tools to become part of build chains on a wide scale once their current engineering shortcomings in terms of tackling more complex code are solved

A Design for a Security-typed Language with Certificate-based Declassification

This paper presents a calculus that supports information-flow security policies and certificate-based declassification. The decentralized label model and its downgrading mechanisms are concisely expressed in the polymorphic lambda calculus with subtyping (System F≾). We prove a conditioned version of the noninterference theorem such that authorization for declassification is justified by digital certificates from public-key infrastructures

Foundations of Information-Flow Control and Effects

In programming language research, information-flow control (IFC) is a technique for enforcing a variety of security aspects, such as confidentiality of data,on programs. This Licenciate thesis makes novel contributions to the theory and foundations of IFC in the following ways: Chapter A presents a new proof method for showing the usual desired property of noninterference; Chapter B shows how to securely extend the concurrent IFC language MAC with asynchronous exceptions; and, Chapter C presents a new and simpler language for IFC with effects based on an explicit separation of pure and effectful computations

Information flow analysis using data-dependent logical propositions

Dissertação para obtenção do Grau de Mestre em Engenharia InformáticaA significant number of today’s software systems are designed around database systems that store business information, as well as data relevant to access control enforcement, such as user profiles and permissions. Thus, the code implementing security mechanisms is scattered across the application code, often replicated at different architectural layers, each one written in its own programming language and with its own data format. Several approaches address this problem by integrating the development of all application layers in a single programming language. For instance, languages like Ur/Web and LiveWeb/lDB provide static verification of security policies related to access control, ensuring that access control code is correctly placed. However, these approaches provide limited support to the task of ensuring that information is not indirectly leaked because of implementation errors. In this thesis, we present a type-based information-flow analysis for a core language based in lDB, whose security levels are logical propositions depending on actual data. This approach allows for an accurate tracking of information throughout a databasebacked software system, statically detecting the information leaks that may occur, with precision at the table-cell level. In order to validate our approach, we discuss the implementation of a proof of-concept extension to the LiveWeb framework and the concerns involved in the development of a medium-sized application in our language

Types for Information Flow Control: Labeling Granularity and Semantic Models

Language-based information flow control (IFC) tracks dependencies within a program using sensitivity labels and prohibits public outputs from depending on secret inputs. In particular, literature has proposed several type systems for tracking these dependencies. On one extreme, there are fine-grained type systems (like Flow Caml) that label all values individually and track dependence at the level of individual values. On the other extreme are coarse-grained type systems (like HLIO) that track dependence coarsely, by associating a single label with an entire computation context and not labeling all values individually. In this paper, we show that, despite their glaring differences, both these styles are, in fact, equally expressive. To do this, we show a semantics- and type-preserving translation from a coarse-grained type system to a fine-grained one and vice-versa. The forward translation isn't surprising, but the backward translation is: It requires a construct to arbitrarily limit the scope of a context label in the coarse-grained type system (e.g., HLIO's "toLabeled" construct). As a separate contribution, we show how to extend work on logical relation models of IFC types to higher-order state. We build such logical relations for both the fine-grained type system and the coarse-grained type system. We use these relations to prove the two type systems and our translations between them sound.Comment: 31st IEEE Symposium on Computer Security Foundations (CSF 2018

Physics, Topology, Logic and Computation: A Rosetta Stone

In physics, Feynman diagrams are used to reason about quantum processes. In the 1980s, it became clear that underlying these diagrams is a powerful analogy between quantum physics and topology: namely, a linear operator behaves very much like a "cobordism". Similar diagrams can be used to reason about logic, where they represent proofs, and computation, where they represent programs. With the rise of interest in quantum cryptography and quantum computation, it became clear that there is extensive network of analogies between physics, topology, logic and computation. In this expository paper, we make some of these analogies precise using the concept of "closed symmetric monoidal category". We assume no prior knowledge of category theory, proof theory or computer science.Comment: 73 pages, 8 encapsulated postscript figure

A type system for value-dependent information flow analysis

Information systems are widespread and used by anyone with computing devices as well as corporations and governments. It is often the case that security leaks are introduced during the development of an application. Reasons for these security bugs are multiple but among them one can easily identify that it is very hard to define and enforce relevant security policies in modern software. This is because modern applications often rely on container sharing and multi-tenancy where, for instance, data can be stored in the same physical space but is logically mapped into different security compartments or data structures. In turn, these security compartments, to which data is classified into in security policies, can also be dynamic and depend on runtime data. In this thesis we introduce and develop the novel notion of dependent information flow types, and focus on the problem of ensuring data confidentiality in data-centric software. Dependent information flow types fit within the standard framework of dependent type theory, but, unlike usual dependent types, crucially allow the security level of a type, rather than just the structural data type itself, to depend on runtime values. Our dependent function and dependent sum information flow types provide a direct, natural and elegant way to express and enforce fine grained security policies on programs. Namely programs that manipulate structured data types in which the security level of a structure field may depend on values dynamically stored in other fields The main contribution of this work is an efficient analysis that allows programmers to verify, during the development phase, whether programs have information leaks, that is, it verifies whether programs protect the confidentiality of the information they manipulate. As such, we also implemented a prototype typechecker that can be found at http://ctp.di.fct.unl.pt/DIFTprototype/