Current developers
Stephen Chong
Andrew Myers
K. Vikram
Mailing lists
(Open subscription, low traffic.)
Jif users
Jif announcements
Related projects
Jif: Java information flow
Swift
Fabric
Support
The development and maintenance of the SIF system has been supported by NSF grants 0430161 and 0627649, and by TRUST (supported by NSF, AFOSR, and iCAST).
SIF: Servlet Information Flow
SIF (Servlet Information Flow) is a novel software framework for building high-assurance web applications, using language-based information-flow control to enforce security. Explicit, end-to-end confidentiality and integrity policies can be given either as compile-time program annotations, or as run-time user requirements. Compile-time and run-time checking efficiently enforce these policies. Information flow analysis is known to be useful against SQL injection and cross-site scripting, but SIF prevents inappropriate use of information more generally: the flow of confidential information to clients is controlled, as is the flow of low-integrity information from clients. Expressive policies allow users and application providers to protect information from one another.
Language-based information flow promises cheap, strong information security. But until now, it could not effectively enforce information security in highly dynamic applications. To build SIF, we developed new language features that make it possible to write realistic web applications. Increased assurance is obtained with modest enforcement overhead.
Publications
-
SIF: Enforcing Confidentiality and Integrity in Web Applications
Proceedings of USENIX Security Symposium 2007, pages 1–16, August 2007. Stephen Chong, K. Vikram, Andrew C. Myers.