Distinguished paper answers the question of granularity

A method to bridge the gap between different information flow control approaches, bringing us one step closer to building secure software systems. This groundbreaking result, that answers a long-standing open question in the security community, won a distinguished paper award at the Symposium on Principles of Programming Languages (POPL 2019) in Cascais, Portugal.
Marco Vassena, PhD student in the information Security division at Computer Science and Engineering, was already excited that his paper had been accepted at the conference. 
“Then, the day right before flying to the conference, I found out that out of 77 accepted papers, mine was one of the six that had been distinguished by the program committee. I was on top of the world!”

Information-flow control is an emerging security mechanism that shows promising results in securing modern software systems, which are typically constructed using components of different origin. However, the practice has yet to see widespread use. Traditional heavyweight approaches rely on specific fully-fledged programming languages that require substantial efforts to develop and to adopt. Recent approaches based on information-flow control software libraries are lightweight, but have been considered too imprecise in practice. 

The question of granularity

Both fully-fledged information-flow control languages and libraries enforce security by tracking flows of information within a computer program, but they do it at different levels of granularity. Information-flow control languages inspect every single program instruction to detect information leaks in a fine-grained fashion, where information-flow control libraries focus only on specific input/output instructions, tracking information leaks in a coarse-grained fashion
“The security community has been discussing about the trade-offs that arise from the different granularity of these approaches for a long time, researchers have claimed that the coarse-grained approach is intrinsically more imprecise than the fine-grained approach and thus concluded that software libraries are bound to raise more false alarms than fully-fledged languages in practice” says Marco Vassena. 

In the paper “From Fine- to Coarse-Grained Dynamic Information Flow Control” Marco Vassena and his colleagues* present mathematical proof that these two different approaches are actually equally effective.
“Our research disproves that unfunded claim. Software libraries can track information as precisely as fully-fledged languages and thus represent a viable approach to securing modern software systems.” 
 

Reading on the subject

*From Fine- to Coarse-Grained Dynamic Information Flow Control and Back
Authors: Marco Vassena, Alejandro Russo, Deepak Garg, Vinset Rajani, Deian Stefan. Presented at the 46th ACM SIGPLAN Symposium on Principles of Programming Languages (POPL 2019), Cascais, Portugal.


Marco Vassena defended his PhD thesis on the subject of "Veryfing Information Flow Control Libraries" in February 2019.


Published: Mon 04 Mar 2019. Modified: Thu 21 Mar 2019