
Flexible dynamic information flow control in the presence of exceptions*


We describe a language-based, dynamic information flow control (IFC) system called LIO. Our system presents a new design point for IFC, influenced by the challenge of implementing IFC as a Haskell library, as opposed to the more typical approach of modifying the language runtime system. In particular, we take a coarse-grained, floating-label approach, previously used by IFC Operating Systems, and associate a single, mutable label—the current label—with all the data in a computation's context. This label is always raised to reflect the reading of sensitive information and it is used to restrict the underlying computation's effects. To preserve the flexibility of fine-grained systems, LIO also provides programmers with a means for associating an explicit label with a piece of data. Interestingly, these labeled values can be used to encapsulate the results of sensitive computations which would otherwise lead to the creeping of the current label. Unlike other language-based systems, LIO also bounds the current label with a current clearance, providing a form of discretionary access control that LIO programs can use to deal with covert channels. Moreover, LIO provides programmers with mutable references and exceptions. The latter, exceptions, are used in LIO to encode and recover from monitor failures, all while preserving data confidentiality and integrity—this addresses a longstanding concern that dynamic IFC is inherently prone to information leakage due to monitor failure.
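The floating-label discipline summarised in the abstract can be sketched as a small monitor. This is an added illustration in Python, not LIO's Haskell code or API: every name in it (`Monitor`, `Labeled`, `to_labeled`, `MonitorFailure`) is hypothetical, labels are modelled as sets of secrecy tags, and keeping a failure inside the labeled result until it is unlabeled is this model's choice.

```python
# Toy floating-label monitor; all names are hypothetical, not LIO's Haskell API.
# A label is a frozenset of secrecy tags; a may flow to b iff a <= b (subset).
from collections import namedtuple

Labeled = namedtuple("Labeled", "label value")
PUBLIC = frozenset()

class MonitorFailure(Exception):
    """A catchable IFC violation, raised instead of aborting the program."""

class Monitor:
    def __init__(self, clearance):
        # The current label starts public and may never exceed the clearance.
        self.current, self.clearance = PUBLIC, clearance
        self.sinks = {}                        # sink label -> values written

    def _check(self, ok, msg):
        if not ok:
            raise MonitorFailure(msg)

    def unlabel(self, lv):
        raised = self.current | lv.label       # reading raises the label
        self._check(raised <= self.clearance, "read exceeds clearance")
        self.current = raised
        if isinstance(lv.value, MonitorFailure):
            raise lv.value                     # deferred failure surfaces here
        return lv.value

    def write(self, sink, value):
        self._check(self.current <= sink, "write would leak to a lower sink")
        self.sinks.setdefault(sink, []).append(value)

    def to_labeled(self, label, computation):
        self._check(self.current <= label <= self.clearance, "bad label")
        saved = self.current
        try:
            result = computation(self)
            self._check(self.current <= label, "result exceeds its label")
        except MonitorFailure as failure:
            result = failure                   # kept inside the labeled value
        finally:
            self.current = saved               # no label creep for the caller
        return Labeled(label, result)

def demo():
    m = Monitor(clearance=frozenset({"alice"}))
    salary = Labeled(frozenset({"alice"}), 4200)   # constructed sample secret
    boxed = m.to_labeled(salary.label, lambda mon: mon.unlabel(salary) > 1000)
    m.write(PUBLIC, "audit: check ran")        # allowed: label is still public
    return m, boxed
```

After `demo()`, unlabeling `boxed` raises the current label to `{"alice"}`, and any later write to a public sink raises `MonitorFailure` rather than leaking.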


This work was partially done while the author was at Stanford.


This work was funded by DARPA CRASH under contract N66001-10-2-4088, by multiple gifts from Google, by a gift from The Mozilla Corporation, and by the Swedish research agencies VR and the Barbro Oshers Pro Suecia Foundation. Deian Stefan was supported by the DoD through the NDSEG Fellowship Program.



Journal of Functional Programming
  • ISSN: 0956-7968
  • EISSN: 1469-7653
  • URL: /core/journals/journal-of-functional-programming