Information Flow Control with Errors

Information Flow Control is concerned with the correct handling of data with respect to a security policy. A common enforcement technique is annotated type systems. For object-oriented languages, type systems have been developed for class-based languages. The reason for this is that in a class-based language, it is simpler to design a type system that ensures well-typed programs do not result in method-not-found errors, and this property can be assumed in the information flow control mechanism. In the case of dynamic languages, for example, prototype-based ones like Javascript, no type system is currently powerful enough to handle common language idioms, which hinders the adoption of security-typing in practical settings. As a solution this paper proposes to make the handling of method-not-found errors explicit in the security type system: the type system does not enforce regular soundness, so well-typed programs might fail, but even in case of such errors non-interference is ensured. This paper outlines this approach and provides an initial investigation of its feasibility. A security type system for a functional object calculus with extension is presented and shown to enforce non-interference.