Abstract
In security-typed programming languages, types statically enforce noninterference between potentially conspiring values, such as the arguments and results of functions. But to adopt static security types, like other advanced type disciplines, programmers face a steep wholesale transition, often forcing them to refactor working code just to satisfy their type checker. To provide a gentler path to security typing that supports safe and stylish but hard-to-verify programming idioms, researchers have designed languages that blend static and dynamic checking of security types. Unfortunately, most of the resulting languages only support static, type-based reasoning about noninterference if a program is entirely statically secured. This limitation substantially weakens the benefits that dynamic enforcement brings to static security typing. Additionally, current proposals are focused on languages with explicit casts and therefore do not fulfill the vision of gradual typing, according to which the boundaries between static and dynamic checking only arise from the (im)precision of type annotations and are transparently mediated by implicit checks. In this article, we present GSL Ref , a gradual security-typed higher-order language with references. As a gradual language, GSL Ref supports the range of static-to-dynamic security checking exclusively driven by type annotations, without resorting to explicit casts. Additionally, GSL Ref lets programmers use types to reason statically about termination-insensitive noninterference in all programs, even those that enforce security dynamically. We prove that GSL Ref satisfies all but one of Siek et al.’s criteria for gradually-typed languages, which ensure that programs can seamlessly transition between simple typing and security typing. A notable exception regards the dynamic gradual guarantee, which some specific programs must violate if they are to satisfy noninterference; it remains an open question whether such a language could fully satisfy the dynamic gradual guarantee. To realize this design, we were led to draw a sharp distinction between syntactic type safety and semantic type soundness , each of which constrains the design of the gradual language.
Highlights
Gradual typing is typically viewed as a means to combine the agility of dynamic languages, like Python and Ruby, with the reliability of static languages, like OCaml and Scala [Siek and Taha 2006]
We review the power of static security types and show what it means to preserve type-based reasoning power in a gradual language
We have shown that GSLRef does respect the static gradual guarantee; but GSLRef must sacrifice the dynamic gradual guarantee due to a modification of the runtime semantics that is necessary to enforce noninterference in the presence of mutable references
Summary
Gradual typing is typically viewed as a means to combine the agility of dynamic languages, like Python and Ruby, with the reliability of static languages, like OCaml and Scala [Siek and Taha 2006]. Consider the function: let mix : IntL →L IntH →L IntL = fun pub priv = > if pub < (IntL)priv 1L else 2L This program is statically accepted by languages that only check for compatibility of base types [Disney and Flanagan 2011; Fennell and Thiemann 2013]. This highlights the fact that types alone do not denote noninterference properties: the two versions of the mix function behave differently they have the same type This phenomenon, that adding dynamic checking to a static system may weaken type-based reasoning principles, is not unique to security typing. GSLRef’s type system supports reasoning about termination-insensitive noninterference because it is sound with respect to a security logical relation defined directly in terms of type structure This result is standard for a purely-static security language [Heintze and Riecke 1998], but novel for a gradual security language with imprecise types supported by dynamic checks. An interactive executable model of GSLRef is available online at https://pleiad.cl/gradual-security/
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
