JRIF: Reactive Information Flow Control for Java∗ Technical Report

Classic information flow systems conservatively define the security label associated with a derived value to be at least as restrictive as the security label on any input to that derivation. Because restrictions on information flow do not necessarily change monotonically over time, this definition requires programmers to invoke downgrading operations. A reactive information flow (RIF) specification for a value v gives (i) allowed uses for v and (ii) the RIF specification for any value that might be directly or indirectly derived from v. RIF specifications thus specify how transforming a value might alter how the result may be used, and that is more expressive than existing approaches for controlling downgrading. We implement a type system for RIF specifications by extending Jif, a dialect of Java that supports a form of classic information flow. By implementing the JRIF language and compiler, we show how a classic information-flow type system can be easily replaced with a more expressive RIF type system. We built example applications with JRIF, and we provide insights into the benefits of RIF-based security labels.