First-order Gradual Information Flow Types with Gradual Guarantees
Gradual type systems seamlessly integrate statically-typed programs with dynamically-typed programs. The runtime for gradual type systems can be viewed as a monitor which refines and enforces constraints to ensure type-preservation. Gradual typing has been applied to information flow types, where information flow monitors are derived from gradual information flow types. However, existing work gives up the dynamic gradual guarantee – the property that loosening the policies of a program should not cause more runtime errors – in favor of noninterference – the key security property for information flow control systems. In this paper, we re-examine the connection between gradual information flow types and information flow monitors, and identify the root cause for the tension between satisfying gradual guarantees and noninterference. We develop a runtime semantics for a simple imperative language with gradual information flow types that provides both noninterference and the dynamic gradual guarantee. We leverage a proof technique developed for FlowML, which reduces noninterference proofs to preservation proofs, to prove the key security property.
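To make the two properties concrete, here is a toy runtime monitor for a tiny imperative language with a two-point lattice (L below H) and per-variable policies 'L', 'H' or '?' (unknown). It is an added illustration, not the paper's semantics or code: the AST encoding, the helper names (`run`, `noninterferent`, `dgg_holds`) and the choice to guard '?' variables with a no-sensitive-upgrade (NSU) check are this example's own assumptions. It implements the two checks the abstract talks about, termination-insensitive noninterference on a pair of runs and the dynamic gradual guarantee on one input, and the constructed sample program shows the tension: the naive NSU treatment keeps noninterference but lets loosening `tmp` from 'H' to '?' turn an error-free run into a runtime error.

```python
"""Toy gradual information-flow monitor (added example, not the paper's semantics).

Assumptions: lattice L < H; statements are ('assign', x, e) or
('if', cond, then_block, else_block); expressions are int literals, variable
names, or (op, e1, e2) with op in '+', '-', '>'; each variable has a declared
policy 'L', 'H' or '?'. Inputs are given as name -> (value, runtime label).
"""
from typing import Any, Dict, List, Optional, Tuple

Label = str                               # runtime label: 'L' or 'H'
Env = Dict[str, Tuple[int, Label]]        # variable -> (value, runtime label)


class FlowError(Exception):
    """Raised by the monitor when a flow would violate a policy."""


def join(a: Label, b: Label) -> Label:
    return 'H' if 'H' in (a, b) else 'L'


def leq(a: Label, b: Label) -> bool:
    return a == 'L' or b == 'H'


def eval_expr(e: Any, env: Env) -> Tuple[int, Label]:
    if isinstance(e, int):
        return e, 'L'                     # literals are public
    if isinstance(e, str):
        return env[e]                     # (value, runtime label) of a variable
    op, e1, e2 = e
    v1, l1 = eval_expr(e1, env)
    v2, l2 = eval_expr(e2, env)
    res = {'+': v1 + v2, '-': v1 - v2, '>': int(v1 > v2)}[op]
    return res, join(l1, l2)              # result is as secret as either operand


def assign(env: Env, policies: Dict[str, str], x: str, v: int, lab: Label, pc: Label) -> None:
    pol = policies[x]
    if pol == '?':
        # Unknown policy: the variable carries a runtime label. NSU check (this
        # toy's choice): a variable currently labelled L must not be written in
        # a context above L, or the low observer could learn which branch ran.
        if x in env and not leq(pc, env[x][1]):
            raise FlowError(f"NSU: {x} labelled {env[x][1]} written under pc {pc}")
        env[x] = (v, join(lab, pc))
    elif leq(join(lab, pc), pol):
        env[x] = (v, pol)                 # static policy admits the flow
    else:
        raise FlowError(f"{join(lab, pc)} data assigned to {pol} variable {x}")


def exec_block(stmts: List[Any], env: Env, policies: Dict[str, str], pc: Label) -> None:
    for s in stmts:
        if s[0] == 'assign':
            _, x, e = s
            v, lab = eval_expr(e, env)
            assign(env, policies, x, v, lab, pc)
        elif s[0] == 'if':
            _, cond, then_b, else_b = s
            v, lab = eval_expr(cond, env)
            exec_block(then_b if v else else_b, env, policies, join(pc, lab))
        else:
            raise ValueError(f"unknown statement {s[0]}")


def run(program: List[Any], policies: Dict[str, str], inputs: Env) -> Tuple[Optional[Dict[str, int]], Optional[str]]:
    """Return (low_view, error): the L observer sees variables labelled L."""
    env: Env = dict(inputs)
    try:
        exec_block(program, env, policies, 'L')
    except FlowError as err:
        return None, str(err)
    return {x: v for x, (v, lab) in env.items() if lab == 'L'}, None


def noninterferent(program, policies, inp1: Env, inp2: Env) -> bool:
    """Termination-insensitive check on one pair of runs: if both runs
    succeed, their low views must agree (an error counts like divergence)."""
    view1, err1 = run(program, policies, inp1)
    view2, err2 = run(program, policies, inp2)
    return err1 is not None or err2 is not None or view1 == view2


def dgg_holds(program, strict, loose, inputs: Env) -> bool:
    """Dynamic gradual guarantee on one input: loosening policies must not
    turn a successful run into a runtime error."""
    _, err_strict = run(program, strict, inputs)
    _, err_loose = run(program, loose, inputs)
    return err_strict is not None or err_loose is None


# Constructed sample: tmp is written publicly, then conditionally on the secret.
PROG = [
    ('assign', 'tmp', 1),
    ('if', ('>', 'secret', 0), [('assign', 'tmp', 0)], []),
    ('assign', 'out', ('+', 'tmp', 'pub')),
]
STRICT = {'secret': 'H', 'pub': 'L', 'tmp': 'H', 'out': 'H'}
LOOSE = dict(STRICT, tmp='?')             # loosen one policy to unknown
IN1: Env = {'secret': (1, 'H'), 'pub': (3, 'L')}
IN0: Env = {'secret': (0, 'H'), 'pub': (3, 'L')}

if __name__ == '__main__':
    print(run(PROG, STRICT, IN1))                    # ({'pub': 3}, None)
    print(run(PROG, LOOSE, IN1))                     # (None, 'NSU: ...')
    print(noninterferent(PROG, LOOSE, IN1, IN0))     # True
    print(dgg_holds(PROG, STRICT, LOOSE, IN1))       # False: loosening added an error
```

Running the sample, the strict policies accept both inputs, both policy sets are noninterferent on the pair of runs, but `dgg_holds` fails on `IN1` because the NSU check rejects the write to the now-dynamically-labelled `tmp` under a secret branch. That is the shape of the trade-off the abstract refers to; the paper's semantics are designed to avoid it, and this toy does not reproduce them.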