Abstract:
Many computer systems store and manipulate sensitive data. To ensure the security of this data,
it is necessary to reason about the flow of information within, and between, computer systems.
Using programming language analyses, we can control information flow at fine granularity, and
statically enforce strong information security properties.
In this talk I'll give a brief overview of programming language-based information flow control,
and present Swift, a recent project that uses language-based information flow control to provide
a new way to write secure, efficient web applications.
In Swift, application code is written as Java-like code, annotated with security policies. Using
these policies, Swift partitions the application into JavaScript code to run on the client, and
Java code to run on the server. Code and data are placed to ensure that the specified policies are
obeyed, and also to provide good interactive performance. Security critical code and data are always
placed on the server. Swift makes it easier to write secure web applications: the programmer does not
need to worry about the secure or efficient placement of code and data.
Stephen Chong received a Ph.D. from Cornell University in August 2008, where he was advised by Andrew
Myers. Steve's research focuses on programming languages, information security, and the interesting
intersection of these two areas. He is currently visiting the computer science departments at Harvey
Mudd College and Pomona College, and will be joining Harvard University as an assistant professor in
Fall 2009.