Mostly-static decentralized information flow control

The growing use of mobile code in downloaded programs such as applets and servlets has increased interest in robust mechanisms for ensuring privacy and secrecy. Common security mechanisms such as sandboxing and access control are either too restrictive or too weak—they prevent applications from sharing data usefully, or allow private information to leak. For example, security mechanisms in Java prevent many useful applications while still permitting Trojan horse applets to leak private information. This thesis describes the decentralized label model, a new model of information flow control that protects private data while allowing applications to share data. Unlike previous approaches to privacy protection based on information flow, this label model is decentralized: it allows cooperative computation by mutually distrusting principals, without mediation by highly trusted agents. Cooperative computation is possible because individual principals can declassify their own data without infringing on other principals’ privacy. The decentralized label model permits programs using it to be checked statically, which is important for the precise detection of information leaks. This thesis also presents the new language JFlow, an extension to the Java programming language that incorporates the decentralized label model and permits static checking of information flows within programs. Variable declarations in JFlow programs are annotated with labels that allow the static checker to check programs for information leaks efficiently, in a manner similar to type checking. Often, these labels can be inferred automatically, so annotating programs is not onerous. Dynamic checks also may be used safely when static checks are insufficiently powerful. A compiler has been implemented for the JFlow language. Because most checking is performed statically at compile time, the impact on performance is usually small.