Many computer systems store and manipulate sensitive data. Programming language techniques can ensure that the computer systems handle this information correctly. However, current techniques for language-based information security can be difficult to use, requiring the programmer to invest considerable effort before receiving any information security guarantees.
We explore the inference of expressive human-readable information security policies as a step towards providing practical tools and techniques for strong language-based information security. We focus on inference, as opposed to specification, to reduce the burden on the programmer.
We define a novel security policy language that can express what information a program may release, under what conditions (or, when) such release may occur, and which procedures are involved with the release (or, where in the code the release occurs). We’ve implemented a dataflow analysis for precisely inferring these policies for Java programs.
Stephen Chong is an Assistant Professor of Computer Science in the Harvard School of Engineering and Applied Sciences. Steve’s research focuses on programming languages, information security, and the intersection of these two areas. He received a PhD from Cornell University, and a bachelor’s degree from Victoria University of Wellington, New Zealand. He was a visitor to Pomona and Harvey Mudd in 2008-2009.