Testing noninterference, quickly
Proceedings of the 18th ACM SIGPLAN international conference on Functional programming
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Comprehensive formal verification of an OS microkernel
ACM Transactions on Computer Systems (TOCS)
| Hi-index | 0.00 |
Existing designs for fine-grained, dynamic information-flow control assume that it is acceptable to terminate the entire system when an incorrect flow is detected -- i.e, they give up availability for the sake of confidentiality and integrity. This is an unrealistic limitation for systems such as long-running servers. We identify _public labels_ and _delayed exceptions_ as crucial ingredients for making information-flow errors recoverable in a sound and usable language, and we propose two new error-handling mechanisms that make all errors recoverable. The first mechanism builds directly on these basic ingredients, using _not-a-values (NaVs)_ and data flow to propagate errors. The second mechanism adapts the standard exception model to satisfy the extra constraints arising from information flow control, converting thrown exceptions to delayed ones at certain points. We prove that both mechanisms enjoy the fundamental soundness property of non-interference. Finally, we describe a prototype implementation of a full-scale language with NaVs and report on our experience building robust software components in this setting.