PL, CR, Dec 30, 2014

Jif: Language-based Information-flow Security in Java

arXiv:1412.8639v1, 11 citations
Originality: Synthesis-oriented
AI Analysis

The paper addresses security vulnerabilities in software systems and is aimed at developers, but it is incremental: it builds on existing language-based security approaches.

The paper examines Jif, a Java extension that adds security labels to the type system to specify confidentiality and integrity policies, tackling the information flow problem in software security. It demonstrates Jif's application through examples like a voting system and a web container, and a small program simulation shows its usefulness.

In this report, we examine Jif, a Java extension which augments the language with features related to security. Jif adds support for security labels to Java's type system such that the developer can specify confidentiality and integrity policies for the various variables used in their program. We list the main features of Jif and discuss the information flow problem that Jif helps to solve. We see how the information flow problem occurs in real-world systems by looking at two examples: Civitas, a ballot/voting system where voters do not necessarily trust voting agents, and SIF, a web application container implemented using Jif. Finally, we implement a small program that simulates information flow in a booking system containing sensitive data and discuss the usefulness of Jif based on this program.
