Type-Driven Gradual Security with References

Type-Driven Gradual Security with References

In security-typed programming languages, types statically enforce noninterference between potentially conspiring values, such as the arguments and results of functions. But to adopt static security types, like other advanced type disciplines, programmers face a steep wholesale transition, often forc...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:ACM transactions on programming languages and systems 2018-12, Vol.40 (4), p.1-55, Article 16
Hauptverfasser: Toro, Matías, Garcia, Ronald, Tanter, Éric
Format: Artikel
Sprache:eng
Schlagworte:
Computer Science
Information flow control
Program constructs
Program semantics
Programming Languages
Security and privacy
Semantics and reasoning
Systems security
Theory of computation
Type structures
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
container_end_page 55
container_issue 4
container_start_page 1
container_title ACM transactions on programming languages and systems
container_volume 40
creator Toro, Matías
Garcia, Ronald
Tanter, Éric
description In security-typed programming languages, types statically enforce noninterference between potentially conspiring values, such as the arguments and results of functions. But to adopt static security types, like other advanced type disciplines, programmers face a steep wholesale transition, often forcing them to refactor working code just to satisfy their type checker. To provide a gentler path to security typing that supports safe and stylish but hard-to-verify programming idioms, researchers have designed languages that blend static and dynamic checking of security types. Unfortunately, most of the resulting languages only support static, type-based reasoning about noninterference if a program is entirely statically secured. This limitation substantially weakens the benefits that dynamic enforcement brings to static security typing. Additionally, current proposals are focused on languages with explicit casts and therefore do not fulfill the vision of gradual typing, according to which the boundaries between static and dynamic checking only arise from the (im)precision of type annotations and are transparently mediated by implicit checks. In this article, we present GSLRef, a gradual security-typed higher-order language with references. As a gradual language, GSLRef supports the range of static-to-dynamic security checking exclusively driven by type annotations, without resorting to explicit casts. Additionally, GSLRef lets programmers use types to reason statically about termination-insensitive noninterference in all programs, even those that enforce security dynamically. We prove that GSLRef satisfies all but one of Siek et al.’s criteria for gradually-typed languages, which ensure that programs can seamlessly transition between simple typing and security typing. A notable exception regards the dynamic gradual guarantee, which some specific programs must violate if they are to satisfy noninterference; it remains an open question whether such a language could fully satisfy the dynamic gradual guarantee. To realize this design, we were led to draw a sharp distinction between syntactic type safety and semantic type soundness, each of which constrains the design of the gradual language.
doi_str_mv 10.1145/3229061
format Article
fullrecord <record><control><sourceid>hal_cross</sourceid><recordid>TN_cdi_hal_primary_oai_HAL_hal_01957581v2</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><sourcerecordid>oai_HAL_hal_01957581v2</sourcerecordid><originalsourceid>FETCH-LOGICAL-a311t-de8d4ceee41f1b2a345bfeb888f3f559762d0b91a3e3910be69db3738021bfc63</originalsourceid><addsrcrecordid>eNo90E1Lw0AQBuBFFIxVvHvKTQRXd_Yj2T2Wqq0QELSew24ySyPpB7tpJf_eltSeBmaedw4vIbfAngCkehacG5bBGUlAKU2lMuKcJAwySZnh6pJcxfjDGAOtdEIe5_0G6UtodrhKp8HWW9umX1htQ9P16W_TLdJP9BhwVWG8JhfethFvjnNEvt9e55MZLT6m75NxQa0A6GiNupYVIkrw4LgVUjmPTmvthVfK5BmvmTNgBQoDzGFmaidyoRkH56tMjMjD8Hdh23ITmqUNfbm2TTkbF-Vhx8CoXGnY8b29H2wV1jEG9KcAsPJQSHksZC_vBmmr5Qn9H_8A-YdY3A</addsrcrecordid><sourcetype>Open Access Repository</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype></control><display><type>article</type><title>Type-Driven Gradual Security with References</title><source>Business Source Complete</source><source>ACM Digital Library Complete</source><creator>Toro, Matías ; Garcia, Ronald ; Tanter, Éric</creator><creatorcontrib>Toro, Matías ; Garcia, Ronald ; Tanter, Éric</creatorcontrib><description>In security-typed programming languages, types statically enforce noninterference between potentially conspiring values, such as the arguments and results of functions. But to adopt static security types, like other advanced type disciplines, programmers face a steep wholesale transition, often forcing them to refactor working code just to satisfy their type checker. To provide a gentler path to security typing that supports safe and stylish but hard-to-verify programming idioms, researchers have designed languages that blend static and dynamic checking of security types. Unfortunately, most of the resulting languages only support static, type-based reasoning about noninterference if a program is entirely statically secured. This limitation substantially weakens the benefits that dynamic enforcement brings to static security typing. Additionally, current proposals are focused on languages with explicit casts and therefore do not fulfill the vision of gradual typing, according to which the boundaries between static and dynamic checking only arise from the (im)precision of type annotations and are transparently mediated by implicit checks. In this article, we present GSLRef, a gradual security-typed higher-order language with references. As a gradual language, GSLRef supports the range of static-to-dynamic security checking exclusively driven by type annotations, without resorting to explicit casts. Additionally, GSLRef lets programmers use types to reason statically about termination-insensitive noninterference in all programs, even those that enforce security dynamically. We prove that GSLRef satisfies all but one of Siek et al.’s criteria for gradually-typed languages, which ensure that programs can seamlessly transition between simple typing and security typing. A notable exception regards the dynamic gradual guarantee, which some specific programs must violate if they are to satisfy noninterference; it remains an open question whether such a language could fully satisfy the dynamic gradual guarantee. To realize this design, we were led to draw a sharp distinction between syntactic type safety and semantic type soundness, each of which constrains the design of the gradual language.</description><identifier>ISSN: 0164-0925</identifier><identifier>EISSN: 1558-4593</identifier><identifier>DOI: 10.1145/3229061</identifier><language>eng</language><publisher>New York, NY, USA: ACM</publisher><subject>Computer Science ; Information flow control ; Program constructs ; Program semantics ; Programming Languages ; Security and privacy ; Semantics and reasoning ; Systems security ; Theory of computation ; Type structures</subject><ispartof>ACM transactions on programming languages and systems, 2018-12, Vol.40 (4), p.1-55, Article 16</ispartof><rights>ACM</rights><rights>Distributed under a Creative Commons Attribution 4.0 International License</rights><lds50>peer_reviewed</lds50><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed><citedby>FETCH-LOGICAL-a311t-de8d4ceee41f1b2a345bfeb888f3f559762d0b91a3e3910be69db3738021bfc63</citedby><cites>FETCH-LOGICAL-a311t-de8d4ceee41f1b2a345bfeb888f3f559762d0b91a3e3910be69db3738021bfc63</cites><orcidid>0000-0002-7359-890X</orcidid></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><linktopdf>$$Uhttps://dl.acm.org/doi/pdf/10.1145/3229061$$EPDF$$P50$$Gacm$$Hfree_for_read</linktopdf><link.rule.ids>230,314,776,780,881,2275,27903,27904,40175,75974</link.rule.ids><backlink>$$Uhttps://hal.science/hal-01957581$$DView record in HAL$$Hfree_for_read</backlink></links><search><creatorcontrib>Toro, Matías</creatorcontrib><creatorcontrib>Garcia, Ronald</creatorcontrib><creatorcontrib>Tanter, Éric</creatorcontrib><title>Type-Driven Gradual Security with References</title><title>ACM transactions on programming languages and systems</title><addtitle>ACM TOPLAS</addtitle><description>In security-typed programming languages, types statically enforce noninterference between potentially conspiring values, such as the arguments and results of functions. But to adopt static security types, like other advanced type disciplines, programmers face a steep wholesale transition, often forcing them to refactor working code just to satisfy their type checker. To provide a gentler path to security typing that supports safe and stylish but hard-to-verify programming idioms, researchers have designed languages that blend static and dynamic checking of security types. Unfortunately, most of the resulting languages only support static, type-based reasoning about noninterference if a program is entirely statically secured. This limitation substantially weakens the benefits that dynamic enforcement brings to static security typing. Additionally, current proposals are focused on languages with explicit casts and therefore do not fulfill the vision of gradual typing, according to which the boundaries between static and dynamic checking only arise from the (im)precision of type annotations and are transparently mediated by implicit checks. In this article, we present GSLRef, a gradual security-typed higher-order language with references. As a gradual language, GSLRef supports the range of static-to-dynamic security checking exclusively driven by type annotations, without resorting to explicit casts. Additionally, GSLRef lets programmers use types to reason statically about termination-insensitive noninterference in all programs, even those that enforce security dynamically. We prove that GSLRef satisfies all but one of Siek et al.’s criteria for gradually-typed languages, which ensure that programs can seamlessly transition between simple typing and security typing. A notable exception regards the dynamic gradual guarantee, which some specific programs must violate if they are to satisfy noninterference; it remains an open question whether such a language could fully satisfy the dynamic gradual guarantee. To realize this design, we were led to draw a sharp distinction between syntactic type safety and semantic type soundness, each of which constrains the design of the gradual language.</description><subject>Computer Science</subject><subject>Information flow control</subject><subject>Program constructs</subject><subject>Program semantics</subject><subject>Programming Languages</subject><subject>Security and privacy</subject><subject>Semantics and reasoning</subject><subject>Systems security</subject><subject>Theory of computation</subject><subject>Type structures</subject><issn>0164-0925</issn><issn>1558-4593</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2018</creationdate><recordtype>article</recordtype><recordid>eNo90E1Lw0AQBuBFFIxVvHvKTQRXd_Yj2T2Wqq0QELSew24ySyPpB7tpJf_eltSeBmaedw4vIbfAngCkehacG5bBGUlAKU2lMuKcJAwySZnh6pJcxfjDGAOtdEIe5_0G6UtodrhKp8HWW9umX1htQ9P16W_TLdJP9BhwVWG8JhfethFvjnNEvt9e55MZLT6m75NxQa0A6GiNupYVIkrw4LgVUjmPTmvthVfK5BmvmTNgBQoDzGFmaidyoRkH56tMjMjD8Hdh23ITmqUNfbm2TTkbF-Vhx8CoXGnY8b29H2wV1jEG9KcAsPJQSHksZC_vBmmr5Qn9H_8A-YdY3A</recordid><startdate>20181213</startdate><enddate>20181213</enddate><creator>Toro, Matías</creator><creator>Garcia, Ronald</creator><creator>Tanter, Éric</creator><general>ACM</general><scope>AAYXX</scope><scope>CITATION</scope><scope>1XC</scope><scope>VOOES</scope><orcidid>https://orcid.org/0000-0002-7359-890X</orcidid></search><sort><creationdate>20181213</creationdate><title>Type-Driven Gradual Security with References</title><author>Toro, Matías ; Garcia, Ronald ; Tanter, Éric</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-a311t-de8d4ceee41f1b2a345bfeb888f3f559762d0b91a3e3910be69db3738021bfc63</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2018</creationdate><topic>Computer Science</topic><topic>Information flow control</topic><topic>Program constructs</topic><topic>Program semantics</topic><topic>Programming Languages</topic><topic>Security and privacy</topic><topic>Semantics and reasoning</topic><topic>Systems security</topic><topic>Theory of computation</topic><topic>Type structures</topic><toplevel>peer_reviewed</toplevel><toplevel>online_resources</toplevel><creatorcontrib>Toro, Matías</creatorcontrib><creatorcontrib>Garcia, Ronald</creatorcontrib><creatorcontrib>Tanter, Éric</creatorcontrib><collection>CrossRef</collection><collection>Hyper Article en Ligne (HAL)</collection><collection>Hyper Article en Ligne (HAL) (Open Access)</collection><jtitle>ACM transactions on programming languages and systems</jtitle></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext</fulltext></delivery><addata><au>Toro, Matías</au><au>Garcia, Ronald</au><au>Tanter, Éric</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>Type-Driven Gradual Security with References</atitle><jtitle>ACM transactions on programming languages and systems</jtitle><stitle>ACM TOPLAS</stitle><date>2018-12-13</date><risdate>2018</risdate><volume>40</volume><issue>4</issue><spage>1</spage><epage>55</epage><pages>1-55</pages><artnum>16</artnum><issn>0164-0925</issn><eissn>1558-4593</eissn><abstract>In security-typed programming languages, types statically enforce noninterference between potentially conspiring values, such as the arguments and results of functions. But to adopt static security types, like other advanced type disciplines, programmers face a steep wholesale transition, often forcing them to refactor working code just to satisfy their type checker. To provide a gentler path to security typing that supports safe and stylish but hard-to-verify programming idioms, researchers have designed languages that blend static and dynamic checking of security types. Unfortunately, most of the resulting languages only support static, type-based reasoning about noninterference if a program is entirely statically secured. This limitation substantially weakens the benefits that dynamic enforcement brings to static security typing. Additionally, current proposals are focused on languages with explicit casts and therefore do not fulfill the vision of gradual typing, according to which the boundaries between static and dynamic checking only arise from the (im)precision of type annotations and are transparently mediated by implicit checks. In this article, we present GSLRef, a gradual security-typed higher-order language with references. As a gradual language, GSLRef supports the range of static-to-dynamic security checking exclusively driven by type annotations, without resorting to explicit casts. Additionally, GSLRef lets programmers use types to reason statically about termination-insensitive noninterference in all programs, even those that enforce security dynamically. We prove that GSLRef satisfies all but one of Siek et al.’s criteria for gradually-typed languages, which ensure that programs can seamlessly transition between simple typing and security typing. A notable exception regards the dynamic gradual guarantee, which some specific programs must violate if they are to satisfy noninterference; it remains an open question whether such a language could fully satisfy the dynamic gradual guarantee. To realize this design, we were led to draw a sharp distinction between syntactic type safety and semantic type soundness, each of which constrains the design of the gradual language.</abstract><cop>New York, NY, USA</cop><pub>ACM</pub><doi>10.1145/3229061</doi><tpages>55</tpages><orcidid>https://orcid.org/0000-0002-7359-890X</orcidid><oa>free_for_read</oa></addata></record>
fulltext fulltext
identifier ISSN: 0164-0925
ispartof ACM transactions on programming languages and systems, 2018-12, Vol.40 (4), p.1-55, Article 16
issn 0164-0925
1558-4593
language eng
recordid cdi_hal_primary_oai_HAL_hal_01957581v2
source Business Source Complete; ACM Digital Library Complete
subjects Computer Science
Information flow control
Program constructs
Program semantics
Programming Languages
Security and privacy
Semantics and reasoning
Systems security
Theory of computation
Type structures
title Type-Driven Gradual Security with References
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-23T22%3A11%3A42IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-hal_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Type-Driven%20Gradual%20Security%20with%20References&rft.jtitle=ACM%20transactions%20on%20programming%20languages%20and%20systems&rft.au=Toro,%20Mat%C3%ADas&rft.date=2018-12-13&rft.volume=40&rft.issue=4&rft.spage=1&rft.epage=55&rft.pages=1-55&rft.artnum=16&rft.issn=0164-0925&rft.eissn=1558-4593&rft_id=info:doi/10.1145/3229061&rft_dat=%3Chal_cross%3Eoai_HAL_hal_01957581v2%3C/hal_cross%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true