[e-lang] [Caja] SIF (Servlet Information Flow)

David-Sarah Hopwood david.hopwood at industrial-designers.co.uk
Thu Apr 10 17:39:42 CDT 2008


David-Sarah Hopwood wrote:
> [cc:d and replies set to e-lang list, since this is a general
> language-based security question, not specific to Caja.]
> 
> Jed wrote:
>> Are others familiar with this work from Cornell, e.g.:
>>
>> http://www.cs.cornell.edu/jif/sif/
>> http://www.usenix.org/events/sec07/tech/full_papers/chong/chong.pdf
>>
>> Could anybody compare and contrast the Caja work
>> with this "SIF" work?  I don't see anything there about
>> "capabilities" (authority tokens) or any means of distributing
>> authority between "contained" running programs.  The focus/thrust
>> otherwise looks to me similar to that for the Caja work.
> 
> It's based on an information flow type system, so not really applicable
> to an untyped language like ES3 or Caja without a lot of effort. But
> information flow typing seems like an interesting thing to consider
> adding to Joe-E or Emily, or to E's auditing system.

I should clarify this: it is an interesting thing to consider as a research
project what Joe-E, etc. might look like with the addition of an information
(or authority) flow type system. I think the jury is still out on the
effectiveness of information flow typing as a security measure, so I am
not saying "please add this to (say) Joe-E right away". Its complexity
would need to be justified by some research results demonstrating that it
actually catches real security flaws that would not otherwise be caught, in
that particular language.

> You would probably want to generalize it to authority flow typing.
> I don't think this requires any fundamental changes: in an object
> capability system, the type system rules to enforce
>   "access to this information should be restricted to <...>"
> are the same as
>   "access to this authority should be restricted to <...>",
> and similarly, the rules for
>   "<...> needs to rely on the integrity of this information"
> are the same as
>   "<...> needs to rely on the integrity of this object abstraction".
> I think.

-- 
David-Sarah Hopwood
