Building Distributed Systems With Information Flow Control

Computing technology has made recording and copying information cheap and convenient, resulting in numerous security problems: from accidental copying leading to confidentiality breaches to rapid proliferation of spam, worms and other malicious code. At the same time, distributed information systems provide value through efficient information dissemination. This thesis investigates techniques that address the challenge of building distributed systems while providing the assurance of security.

This thesis first focuses on web information systems based on the client-server communication paradigm. Servlet Information Flow (SIF) is a novel software framework for building high-assurance web applications. Security concerns are expressed as end-to-end confidentiality and integrity policies within the application code. Expressive policies allow users and application providers to protect information from one another. Together, the compiler and the runtime apply information flow analysis to prevent flow of confidential information to clients and flow of low-integrity information from clients, thereby moving the trust out of the application and into the framework. This increased assurance is obtained with modest enforcement overhead.

Where SIF enables servers to quickly and securely disseminate data to numerous clients, Swift is a new approach for building web applications that allows moving code, in addition to data, to clients. Moving code to the client makes the applications more responsive for the clients, since not every user request needs a round trip to the server. While more efficient, this mechanism introduces security complications, since the client can manipulate code running on it and influence, or gain illegal access to, sensitive server-side data. Swift allows the programmer to write the entire application code as a single sequential Java-like program with security policy annotations. The compiler automatically partitions the program between the client and server so as to respect all security policies while generating efficient client-server communication protocols.

Finally, this thesis identifies a general problem for distributed systems: read channels, which leak information via the pattern of data fetch requests to an untrusted host. We first discuss a type systems approach based on attaching an access label to each reference to a remote object. We show how the type system can prevent read channels by statically discovering their presence in a distributed program. We also discuss the expressiveness limitations of the type system approach. To address these limitations, we present a program transformation technique based on abstract interpretation to automatically eliminate read channels in any given program. We evaluate the performance of this technique on some benchmark programs.

distributed systems; information flow; security; programming languages; web applications; covert channels


Committee Chair

Myers, Andrew C.

Committee Member

Kozen, Dexter Campbell
Schneider, Fred Barry

Degree Discipline

Computer Science

Degree Name

Ph.D., Computer Science

Degree Level

Doctor of Philosophy

dissertation or thesis
