research-article

Open access

Cocoon: Static Information Flow Control in Rust

Authors:

Vincent Beardsley,

Michael D. Bond,

Zhiqiang LinAuthors Info & Claims

Proceedings of the ACM on Programming Languages, Volume 8, Issue OOPSLA1

Article No.: 100, Pages 166 - 193

https://doi.org/10.1145/3649817

Published: 29 April 2024 Publication History

Abstract

Information flow control (IFC) provides confidentiality by enforcing noninterference, which ensures that high-secrecy values cannot affect low-secrecy values. Prior work introduces fine-grained IFC approaches that modify the programming language and use non-standard compilation tools, impose run-time overhead, or report false secrecy leaks—all of which hinder adoption. This paper presents Cocoon, a Rust library for static type-based IFC that uses the unmodified Rust language and compiler. The key insight of Cocoon lies in leveraging Rust’s type system and procedural macros to establish an effect system that enforces noninterference. A performance evaluation shows that using Cocoon increases compile time but has no impact on application performance. To demonstrate Cocoon’s utility, we retrofitted two popular Rust programs, the Spotify TUI client and Mozilla’s Servo browser engine, to use Cocoon to enforce limited confidentiality policies

References

[1]

Martín Abadi, Anindya Banerjee, Nevin Heintze, and Jon G. Riecke. 1999. A Core Calculus of Dependency. In Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’99). Association for Computing Machinery, New York, NY, USA. 147–160. isbn:1581130953 https://doi.org/10.1145/292540.292555

Digital Library

[2]

Coşku Acay, Rolph Recto, Joshua Gancher, Andrew C. Myers, and Elaine Shi. 2021. Viaduct: An Extensible, Optimizing Compiler for Secure Distributed Programs. In Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation (PLDI 2021). Association for Computing Machinery, New York, NY, USA. 740–755. isbn:9781450383912 https://doi.org/10.1145/3453483.3454074

Digital Library

[3]

Aslan Askarov, Sebastian Hunt, Andrei Sabelfeld, and David Sands. 2008. Termination-Insensitive Noninterference Leaks More Than Just a Bit. In Proceedings of the 13th European Symposium on Research in Computer Security: Computer Security (ESORICS ’08). Springer-Verlag, Berlin, Heidelberg. 333–348. isbn:9783540883128 https://doi.org/10.1007/978-3-540-88313-5_22

Digital Library

[4]

Thomas H. Austin and Cormac Flanagan. 2009. Efficient Purely-Dynamic Information Flow Analysis. In Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security (PLAS ’09). Association for Computing Machinery, New York, NY, USA. 113–124. isbn:9781605586458 https://doi.org/10.1145/1554339.1554353

Digital Library

[5]

Abhiram Balasubramanian, Marek S. Baranowski, Anton Burtsev, Aurojit Panda, Zvonimir Rakamari, and Leonid Ryzhyk. 2017. System Programming in Rust: Beyond Safety. SIGOPS Oper. Syst. Rev., 51, 1 (2017), sep, 94–99. issn:0163-5980 https://doi.org/10.1145/3139645.3139660

Digital Library

[6]

Edwin Brady. 2007. Idris. Archived from http://www-fp.cs.st-and.ac.uk/ eb/darcs/Idris/

[7]

Roderick Chapman and Adrian Hilton. 2004. Enforcing Security and Safety Models with an Information Flow Analysis Tool. In Proceedings of the 2004 Annual ACM SIGAda International Conference on Ada: The Engineering of Correct and Reliable Software for Real-Time & Distributed Systems Using Ada and Related Technologies (SIGAda ’04). Association for Computing Machinery, New York, NY, USA. 39–46. isbn:1581139063 https://doi.org/10.1145/1032297.1032305

Digital Library

[8]

Stephen Nathaniel Chong. 2008. Expressive and Enforceable Information Security Policies. Ph. D. Dissertation. Cornell University. "http://people.seas.harvard.edu/~chong/pubs/chong_dissertation.pdf"

[9]

Will Crichton, Marco Patrignani, Maneesh Agrawala, and Pat Hanrahan. 2022. Modular Information Flow through Ownership. In Proceedings of the 43rd ACM SIGPLAN International Conference on Programming Language Design and Implementation (PLDI 2022). Association for Computing Machinery, New York, NY, USA. 1–14. isbn:9781450392655 https://doi.org/10.1145/3519939.3523445

Digital Library

[10]

Debian benchmarksgame-team. 2022. The Computer Language 22.05 Benchmarks Game. https://benchmarksgame-team.pages.debian.net/benchmarksgame/index.html Accessed 2 November 2022

[11]

Dorothy E. Denning. 1976. A Lattice Model of Secure Information Flow. Commun. ACM, 19, 5 (1976), may, 236–243. issn:0001-0782 https://doi.org/10.1145/360051.360056

Digital Library

[12]

Dorothy E. Denning and Peter J. Denning. 1977. Certification of Programs for Secure Information Flow. Commun. ACM, 20, 7 (1977), jul, 504–513. issn:0001-0782 https://doi.org/10.1145/359636.359712

Digital Library

[13]

Simon Gregersen, Søren Eller Thomsen, and Aslan Askarov. 2019. A Dependently Typed Library for Static Information-Flow Control in Idris. In Principles of Security and Trust, Flemming Nielson and David Sands (Eds.). Springer International Publishing, Prague, Czech Republic. 51–75. isbn:978-3-030-17138-4 https://doi.org/10.1007/978-3-030-17138-4_3

[14]

Christian Hammer, Jens Krinke, and Gregor Snelting. 2006. Information Flow Control for Java Based on Path Conditions in Dependence Graphs. In Proceedings IEEE International Symposium on Secure Software Engineering. IEEE, Arlington, Virginia, USA. 10 pages.

[15]

Daniel Hedin and Andrei Sabelfeld. 2012. A Perspective on Information-Flow Control. In Software Safety and Security - Tools for Analysis and Verification, Tobias Nipkow, Orna Grumberg, and Benedikt Hauptmann (Eds.) (NATO Science for Peace and Security Series - D: Information and Communication Security, Vol. 33). IOS Press, Amsterdam. 319–347. https://doi.org/10.3233/978-1-61499-028-4-319

[16]

Elisavet Kozyri, Owen Arden, Andrew C. Myers, and Fred B. Schneider. 2016. JRIF: reactive information flow control for Java. Cornell University Computing and Information Science. https://ecommons.cornell.edu/handle/1813/41194

[17]

Maxwell Krohn, Alexander Yip, Micah Brodsky, Natan Cliffer, M. Frans Kaashoek, Eddie Kohler, and Robert Morris. 2007. Information Flow Control for Standard OS Abstractions. In Proceedings of Twenty-First ACM SIGOPS Symposium on Operating Systems Principles (SOSP ’07). Association for Computing Machinery, New York, NY, USA. 321–334. isbn:9781595935915 https://doi.org/10.1145/1294261.1294293

Digital Library

[18]

Ada Lamba, Max Taylor, Vincent Beardsley, Jacob Bambeck, Michael D. Bond, and Zhiqiang Lin. 2024. Cocoon artifact. https://doi.org/10.5281/zenodo.10798978

[19]

Butler W. Lampson. 1973. A Note on the Confinement Problem. Commun. ACM, 16, 10 (1973), oct, 613–615. issn:0001-0782 https://doi.org/10.1145/362375.362389

Digital Library

[20]

Linux Foundation. 2022. Servo. https://servo.org

[21]

Mozilla Research. 2020. The Rust Language. Archived from https://research.mozilla.org/rust/

[22]

A.C. Myers, A. Sabelfeld, and S. Zdancewic. 2004. Enforcing robust declassification. In Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004. IEEE, New York City, NY, USA. 172–186. https://doi.org/10.1109/CSFW.2004.1310740

[23]

Andrew C. Myers. 1999. JFlow: Practical Mostly-Static Information Flow Control. In Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’99). Association for Computing Machinery, New York, NY, USA. 228–241. isbn:1581130953 https://doi.org/10.1145/292540.292561

Digital Library

[24]

Andrew C. Myers and Barbara Liskov. 1997. A Decentralized Model for Information Flow Control. In Proceedings of the Sixteenth ACM Symposium on Operating Systems Principles (SOSP ’97). Association for Computing Machinery, New York, NY, USA. 129–142. isbn:0897919165 https://doi.org/10.1145/268998.266669

Digital Library

[25]

Andrew C. Myers, Lantian Zheng, Steve Zdancewic, Stephen Chong, and Nathaniel Nystrom. 2006. Jif 3.0: Java information flow. http://www.cs.cornell.edu/jif

[26]

Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Eric Rahm, Sorin Lerner, Hovav Shacham, and Deian Stefan. 2020. Retrofitting Fine Grain Isolation in the Firefox Renderer. In Proceedings of the 29th USENIX Conference on Security Symposium (SEC’20). USENIX Association, USA. Article 40, 18 pages. isbn:978-1-939133-17-5

Digital Library

[27]

Flemming Nielson and Hanne Riis Nielson. 1999. Type and Effect Systems. Springer Berlin Heidelberg, Berlin, Heidelberg. 114–136. isbn:978-3-540-48092-1 https://doi.org/10.1007/3-540-48092-7_6

[28]

Noel. 2010. The Rust Language. http://lambda-the-ultimate.org/node/4009

[29]

Leo J. Rotenberg. 1973. Making Computers Keep Secrets. Ph. D. Dissertation. Massachusetts Institute of Technology. Boston, MA.

[30]

Indrajit Roy, Donald E. Porter, Michael D. Bond, Kathryn S. McKinley, and Emmett Witchel. 2009. Laminar: practical fine-grained decentralized information flow control. In Proceedings of the 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2009, Michael Hind and Amer Diwan (Eds.). ACM, Dublin, Ireland. 63–74. https://doi.org/10.1145/1542476.1542484

Digital Library

[31]

Alejandro Russo. 2015. Functional Pearl: Two Can Keep a Secret, If One of Them Uses Haskell. In Proceedings of the 20th ACM SIGPLAN International Conference on Functional Programming (ICFP 2015). Association for Computing Machinery, New York, NY, USA. 280–288. isbn:9781450336697 https://doi.org/10.1145/2784731.2784756

Digital Library

[32]

A. Sabelfeld and A.C. Myers. 2003. Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 21, 1 (2003), 5–19. https://doi.org/10.1109/JSAC.2002.806121

Digital Library

[33]

Vincent Simonet. 2003. The Flow Caml System: documentation and user’s manual. Institut National de Recherche en Informatique et en Automatique (INRIA). © INRIA

[34]

Geoffrey Smith and Dennis Volpano. 1998. Secure Information Flow in a Multi-Threaded Imperative Language. In Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’98). Association for Computing Machinery, New York, NY, USA. 355–364. isbn:0897919793 https://doi.org/10.1145/268946.268975

Digital Library

[35]

Stack Overflow. 2022. Annual Developer Survey. https://survey.stackoverflow.co/2022/

[36]

Milijana Surbatovich, Naomi Spargo, Limin Jia, and Brandon Lucia. 2023. A Type System for Safe Intermittent Computing. Proc. ACM Program. Lang., 7, PLDI (2023), Article 136, jun, 25 pages. https://doi.org/10.1145/3591250

Digital Library

[37]

The Rust Foundation. 2022. Prodution Users — Rust Programming Language. https://www.rust-lang.org/production/users

[38]

Dennis Volpano, Cynthia Irvine, and Geoffrey Smith. 1996. A Sound Type System for Secure Flow Analysis. J. Comput. Secur., 4, 2–3 (1996), jan, 167–187. issn:0926-227X

Digital Library

[39]

Jian Xiang and Stephen Chong. 2021. Co-Inflow: Coarse-grained Information Flow Control for Java-like Languages. In 2021 IEEE Symposium on Security and Privacy (SP). IEEE, San Francisco, CA, USA. 18–35. https://doi.org/10.1109/SP40001.2021.00002

[40]

Matteo Zanioli, Pietro Ferrara, and Agostino Cortesi. 2012. SAILS: Static Analysis of Information Leakage with Sample. In Proceedings of the 27th Annual ACM Symposium on Applied Computing (SAC ’12). Association for Computing Machinery, New York, NY, USA. 1308–1313. isbn:9781450308571 https://doi.org/10.1145/2245276.2231983

Digital Library

[41]

Steve Zdancewic and Andrew C. Myers. 2000. Confidentiality and Integrity with Untrusted Hosts: Technical Report. Cornell University.

[42]

Nickolai Zeldovich, Silas Boyd-Wickizer, and David Mazières. 2008. Securing Distributed Systems with Information Flow Control. In Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation (NSDI’08). USENIX Association, USA. 293–308. isbn:1119995555221

Digital Library

[43]

Lantian Zheng and Andrew C. Myers. 2005. Dynamic Security Labels and Noninterference (Extended Abstract). In Formal Aspects in Security and Trust, Theo Dimitrakos and Fabio Martinelli (Eds.). Springer US, Boston, MA. 27–40. isbn:978-0-387-24098-5

Cited By

Beardsley VSridharan M(2024)Static-Dynamic Information Flow Control in RustCompanion Proceedings of the 2024 ACM SIGPLAN International Conference on Systems, Programming, Languages, and Applications: Software for Humanity10.1145/3689491.3691820(16-18)Online publication date: 20-Oct-2024
https://dl.acm.org/doi/10.1145/3689491.3691820

Index Terms

Cocoon: Static Information Flow Control in Rust
1. Security and privacy
  1. Systems security
    1. Information flow control
2. Software and its engineering
  1. Software organization and properties
    1. Software functional properties
      1. Correctness
        Access protection

Recommendations

Static-Dynamic Information Flow Control in Rust
SPLASH Companion '24: Companion Proceedings of the 2024 ACM SIGPLAN International Conference on Systems, Programming, Languages, and Applications: Software for Humanity

Information Flow Control (IFC) provides security by preventing high-secrecy data from flowing to low-secrecy data, and low-integrity data from flowing to high-integrity data. However, prior approaches to IFC either suffer from imprecision and falsely ...
Encoding information flow in AURA

Two of the main ways to protect security-sensitive resources in computer systems are to enforce access-control policies and information-flow policies. In this paper, we show how to enforce information-flow policies in AURA, which is a programming ...
Nonmalleable Information Flow Control
CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

Noninterference is a popular semantic security condition because it offers strong end-to-end guarantees, it is inherently compositional, and it can be enforced using a simple security type system. Unfortunately, it is too restrictive for real systems. ...

Comments

Information & Contributors

Information

Published In

cover image Proceedings of the ACM on Programming Languages

Proceedings of the ACM on Programming Languages Volume 8, Issue OOPSLA1

April 2024

1492 pages

EISSN:2475-1421

DOI:10.1145/3554316

Editor:
Michael Hicks
Amazon, USA

Issue’s Table of Contents

Copyright © 2024 Owner/Author.

This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 29 April 2024

Published in PACMPL Volume 8, Issue OOPSLA1

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Badges

Author Tags

Qualifiers

Research-article

Funding Sources

NSF (National Science Foundation)

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

1
Total Citations
View Citations
535
Total Downloads

Downloads (Last 12 months)535
Downloads (Last 6 weeks)110

Reflects downloads up to 25 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Beardsley VSridharan M(2024)Static-Dynamic Information Flow Control in RustCompanion Proceedings of the 2024 ACM SIGPLAN International Conference on Systems, Programming, Languages, and Applications: Software for Humanity10.1145/3689491.3691820(16-18)Online publication date: 20-Oct-2024
https://dl.acm.org/doi/10.1145/3689491.3691820

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Media

Figures

Other

Tables

View Issue’s Table of Contents