Jif: Java + information flow

Jif is a security-typed programming language that extends Java with support for information flow control and access control, enforced at both compile time and run time. The source code for the Jif compiler and run-time system is now available for download. Jif is written in Java and is built using the Polyglot extensible Java compiler framework.

Static information flow control can protect the confidentiality and integrity of information manipulated by computing systems. The compiler tracks the correspondence between information the policies that restrict its use, enforcing security properties end-to-end within the system. After checking information flow within Jif programs, the Jif compiler translates them to Java programs and uses an ordinary Java compiler to produce secure executable programs.

Jif extends Java by adding labels that express restrictions on how information may be used. For example, the following variable declaration declares not only that the variable x is an int, but also that the information in x is governed by a security policy:

    int {Alice→Bob} x;

In this case, the security policy says that the information in x is controlled by the principal Alice, and that Alice permits this information to be seen by the principal Bob. The policy {Alice←Bob} means that information is owned by Alice, and that Alice permits it to be affected by Bob. Based on label annotations like these, the Jif compiler analyzes information flows within programs, to determine whether they enforce the confidentiality and integrity of information.

Other systems that provide related functionality are the Flow Caml and SPARK/Ada languages. Jif provides richer support for tying security requirements to programs, with important features like selective, robust downgrading, language-based access control, and dynamic labels and principals. These features are crucial for language-based reasoning about security in complex applications.

Jifclipse is a nice Eclipse-based IDE for Jif developed at Penn State. It tends not to support the latest version of Jif, however.

Jif downloads

Jif 3.4.1 was released April 26, 2013
Jif 3.3.1 was released in February 2009.

Related group publications

  1. Defining and enforcing referential security
    3rd Conference on Principles of Security and Trust (POST 2014), April 2014. Jed Liu and Andrew C. Myers.
  2. Toward general diagnosis of static errors
    Proceedings of the ACM Symposium on Principles of Programming Languages (POPL'14), pp. 569–581, January 2014. Danfeng Zhang and Andrew C. Myers. [ TR ]
  3. Language-based control and mitigation of timing channels
    Proceedings of the 2012 ACM Conference on Programming Language Design and Implementation (PLDI'12), June 2012. Danfeng Zhang, Aslan Askarov, and Andrew C. Myers.
  4. Sharing mobile code securely with information flow control
    Proceedings of the 2012 IEEE Symposium on Security and Privacy (Oakland), pp. 192–205, May 2012. Owen Arden, Michael D. George, Jed Liu, K. Vikram, Aslan Askarov, Andrew C. Myers.
  5. Attacker control and impact for confidentiality and integrity
    Logical Methods in Computer Science, 7(3), September 2011, Aslan Askarov and Andrew C. Myers.
  6. Predictive mitigation of timing channels in interactive systems
    Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS'11), pages 563–574, October 2011. Danfeng Zhang, Aslan Askarov, and Andrew C. Myers.
  7. Predictive black-box mitigation of timing channels
    Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS'10), to appear, October 2010. Aslan Askarov, Danfeng Zhang, and Andrew C. Myers.
  8. Quantifying information flow with beliefs
    Journal of Computer Security, 17(5):655–701, 2009. Michael Clarkson, Andrew C. Myers, Fred B. Schneider.
  9. Fabric: A platform for secure distributed computation and storage
    22nd ACM Symposium on Operating Systems Principles (SOSP'09), pages 321–334, October 2009. Jed Liu, Michael D. George, K. Vikram, Xin Qi, Lucas Waye, and Andrew C. Myers.
  10. End-to-end enforcement of erasure and declassification
    Proceedings of the IEEE Computer Security Foundations Symposium (CSF), pages 98–111, June 2008. Stephen Chong, Andrew C. Myers.
  11. Hyperproperties
    Proceedings of the IEEE Computer Security Foundations Symposium (CSF), pages 51–65, June 2008. Michael R. Clarkson, Fred B. Schneider.
  12. Securing nonintrusive web encryption through information flow
    Proceedings of the 3rd ACM SIGPLAN Workshop on Programming Languages and Security (PLAS), pages 125–134, June 2008. Lantian Zheng, Andrew C. Myers.
  13. Civitas: Toward a secure voting system
    Proceedings of the 2008 IEEE Symposium on Security and Privacy (Oakland), pages 354–368, May 2008. Michael R. Clarkson, Stephen Chong, Andrew C. Myers. [ Civitas web site ]
  14. Secure web applications via automatic partitioning
    Proceedings of the 21st ACM Symposium on Operating Systems Principles (SOSP'07), pages 31–44, October 2007. Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng.
  15. SIF: Enforcing confidentiality and integrity in web applications
    Proceedings of USENIX Security Symposium 2007, pages 1–16, August 2007. Stephen Chong, K. Vikram, Andrew C. Myers.
  16. Dynamic security labels and static information flow
    International Journal of Information Security, 6(2–3), March 2007. Springer. Lantian Zheng, Andrew C. Myers.
  17. Enforcing robust declassification and qualified robustness
    Journal of Computer Security, 14(2):157–196, 2006. Andrew C. Myers, Andrei Sabelfeld, Steve Zdancewic.
  18. Information-flow security for interactive programs
    Proceedings of the 19th IEEE Computer Security Foundations Workshop (CSFW'06), pages 190–201, July 2006. Kevin R. O'Neill, Michael R. Clarkson, Stephen Chong.
  19. Decentralized robustness
    Proceedings of the 19th IEEE Computer Security Foundations Workshop (CSFW'06), July 2006. Stephen Chong, Andrew C. Myers.
  20. End-to-end availability policies and noninterference
    Proceedings of the 18th IEEE Computer Security Foundations Workshop (CSFW'05), pages 272–286, June 2005. Lantian Zheng, Andrew C. Myers.
  21. Belief in information flow
    Proceedings of the 18th IEEE Computer Security Foundations Workshop (CSFW'05), pages 31–45, June 2005. Michael Clarkson, Andrew C. Myers, Fred B. Schneider.
  22. Language-based information erasure
    Proceedings of the 18th IEEE Computer Security Foundations Workshop (CSFW'05), pages 241–254, June 2005. Stephen Chong, Andrew C. Myers
  23. Security policies for downgrading
    Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS), pages 189–209, Washington, DC, USA, October 2004. Stephen Chong, Andrew C. Myers.
  24. Dynamic security labels and noninterference
    Proceedings of the 2nd International Workshop on Formal Aspects in Security and Trust (FAST), Toulouse, France, August 2004. Lantian Zheng, Andrew C. Myers.
  25. Enforcing robust declassification
    Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW'04), Pacific Grove, California, June 2004, pages 172–186. Andrew C. Myers, Andrei Sabelfeld, Steve Zdancewic
  26. Owned policies for information security
    Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW'04), Pacific Grove, California, June 2004. Hubie Chen, Stephen Chong.
  27. A model for delimited release
    Proceedings of the 2003 International Symposium on Software Security. LNCS 3233, Springer-Verlag, 2004, pages 174–191. Andrei Sabelfeld, Andrew C. Myers.
  28. Observational determinism for concurrent program security
    Proceedings of the 16th IEEE Computer Security Foundations Workshop (CSFW'03), Pacific Grove, California, June 2003, 29–43. Steve Zdancewic, Andrew C. Myers
  29. Using replication and partitioning to build secure distributed systems
    IEEE Symposium on Security and Privacy, Oakland, California, May 2003, 236–250. Lantian Zheng, Stephen Chong, Andrew C. Myers, Steve Zdancewic.
  30. Language-based information-flow security
    IEEE Journal on Selected Areas in Communications 21(1), January 2003 (special issue on Design and Analysis Techniques for Security Assurance). Andrei Sabelfeld, Andrew C. Myers.
  31. Secure program partitioning
    ACM Transactions on Computing Systems (TOCS), 20(3):283–328, August 2002. Steve Zdancewic, Lantian Zheng, Nathaniel Nystrom, Andrew C. Myers. Earlier version available as Cornell University Computer Science Technical Report TR2001-1846, October 2001.
  32. Secure information flow and linear continuations
    Higher-Order and Symbolic Computation, 15(2–3):209–234, Sept. 2002. Steve Zdancewic, Andrew C. Myers.
  33. Untrusted hosts and confidentiality: secure program partitioning
    ACM SIGOPS Operating Systems Review, Proceedings of the 18th ACM Symposium on Operating Systems Principles
    , 35(5):1–14. Award Paper. Steve Zdancewic, Lantian Zheng, Nathaniel Nystrom, Andrew C. Myers.
  34. Robust declassification
    Proceedings of the 14th IEEE Computer Security Foundations Workshop (CSFW'01), pages 15–23, Cape Breton, Nova Scotia, Canada, June 2001. Steve Zdancewic, Andrew C. Myers.
  35. Secure information flow and CPS
    Proceedings of the 10th European Symposium on Programming, pages 46–61, Genova, Italy, April 2001. Steve Zdancewic, Andrew C. Myers.
  36. Protecting privacy using the decentralized label model
    ACM Transactions on Software Engineering and Methodology, 9(4):410–442, October 2000. Andrew C. Myers, Barbara Liskov
  37. Confidentiality and integrity with untrusted hosts: technical report
    Cornell University Technical Report TR2000-1810, August 2000. Steve Zdancewic, Andrew C. Myers
  38. Practical mostly-static information flow control
    Proceedings of the 26th ACM Symposium on Principles of Programming Languages (POPL), pages 228–241, San Antonio, Texas, January 1999. Andrew C. Myers.
  39. Complete, safe information flow with decentralized labels
    Proceedings of the 1998 IEEE Symposium on Security and Privacy, pages 186–197, Oakland, California, May 1998. Andrew C. Myers, Barbara Liskov.
  40. A decentralized model for information flow control
    Proceedings of the 16th ACM Symposium on Operating Systems Principles (SOSP), pages 129–142, Saint-Malo, France, October 1997. Andrew C. Myers, Barbara Liskov.

Other work based on Jif

  1. Effective blame for information-flow violations. Dave King, Trent Jaeger, Somesh Jha, Sanjit A. Seshia. ACM SIGSOFT Int'l Symposium on Foundations of Software Engineering (FSE 2008).
  2. Jifclipse: development tools for security-typed languages. 2nd Workshop on Programming languages and Analysis for Security (PLAS), pages 1–10, June 2007. Boniface Hicks, Dave King, Patrick McDaniel.
  3. Understanding practical application development in security-typed languages.
    ACSAC 2006. Boniface Hicks, Kiyan Ahmadizadeh, Patrick McDaniel.
  4. Trusted declassification: high-level policy for a security-typed language.
    Programming Languages and Analysis for Security, 1st ACM SIGPLAN Workshop on (PLAS), pages 65–74, June 2006. Boniface Hicks, Dave King, Patrick McDaniel, Michael Hicks.
  5. Security-typed languages for implementation of cryptographic protocols: a case study.
    ESORICS 2005, pages 197–221, Sept. 2005. Aslan Askarov, Andrei Sabelfeld.
  6. Language-based enforcement of privacy policies.
    Privacy Enhancing Technologies, 4th International Workshop, pages 302–313, May 2004. Katia Hayati, Martin Abadi.