Boat: Automatic Generation of Policy Code for Flume

Bill Harris, Matt Elder

Abstract:

Distributed Information Flow Control (DIFC) is a system-level security mechanism that can simplify program security but requires that a programmer supply policy code in any programs it helps to secure. Writing this policy code is not a simple matter, and is thus likely to consume significant programmer attention and introduce bugs.

We therefore implement Boat, a tool that simplifies DIFC programming. Boat reads a program's C source and a policy specification, generates a system of constraints from them, and solves those constraints to produce instrumentation for the original C source. Boat thus augments the original program with added code that ensures its DIFC behavior matches the programmer's policy specification.
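To make concrete what the generated policy code has to get right, here is an added example (written for this page; it is not Boat's code and does not call the real Flume API) that models the two DIFC rules such instrumentation must respect: Flume's safe-label-change rule, under which a process may add a tag to its secrecy label only if it owns that tag's plus capability and remove it only if it owns the minus capability, and the subset flow rule, under which data may pass from one endpoint to another only if the sender's secrecy tags are all present on the receiver. The tags, the worker process, and the `owns_minus` flag are constructed for illustration; the scenario shows a worker that reads a secret-labelled file and then tries to publish to an unlabelled socket, with the two label changes standing in for the policy code a tool like Boat would insert.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed label model: each tag is one bit of a 32-bit mask. */
typedef uint32_t tagset_t;

/* A process or channel endpoint as seen by the reference monitor. */
typedef struct {
    tagset_t S;     /* current secrecy label */
    tagset_t plus;  /* tags t for which the process holds t+ (may add t) */
    tagset_t minus; /* tags t for which the process holds t- (may remove t) */
} process_t;

/* Constructed tags for the scenario below. */
enum { TAG_SECRET = 1u << 0, TAG_ALICE = 1u << 1 };

/* Lattice order on labels: a is a subset of b. */
static bool subset(tagset_t a, tagset_t b) { return (a & ~b) == 0; }

/* Safe label change: S -> S_new is permitted only if every added tag is
 * covered by a t+ capability and every removed tag by a t- capability. */
bool safe_label_change(const process_t *p, tagset_t S_new) {
    tagset_t added   = S_new & ~p->S;
    tagset_t removed = p->S & ~S_new;
    return subset(added, p->plus) && subset(removed, p->minus);
}

/* Secrecy flow rule: data may flow from p to q only if every secrecy tag
 * on p is also on q (no privilege is exercised during the send). */
bool can_flow(const process_t *p, const process_t *q) {
    return subset(p->S, q->S);
}

/* Apply a label change only if the monitor would allow it. */
bool try_set_label(process_t *p, tagset_t S_new) {
    if (!safe_label_change(p, S_new)) return false;
    p->S = S_new;
    return true;
}

/* Outcome of the worked scenario. */
enum outcome { BLOCKED_AT_READ = 0, BLOCKED_AT_PUBLISH = 1, PUBLISHED = 2 };

/* Worked scenario (constructed): a worker reads a SECRET-labelled file and
 * then tries to send the data to an unlabelled socket. The two try_set_label
 * calls are the kind of policy code an instrumenting tool would insert; the
 * hypothetical owns_minus flag says whether the worker holds SECRET-. */
enum outcome read_then_publish(bool owns_minus) {
    process_t file   = { .S = TAG_SECRET, .plus = 0, .minus = 0 };
    process_t socket = { .S = 0, .plus = 0, .minus = 0 };
    process_t worker = { .S = 0, .plus = TAG_SECRET,
                         .minus = owns_minus ? TAG_SECRET : 0 };

    /* Raise the worker's label before the read; otherwise file -> worker is denied. */
    if (!try_set_label(&worker, worker.S | TAG_SECRET) || !can_flow(&file, &worker))
        return BLOCKED_AT_READ;

    /* Drop SECRET before publishing. Only a holder of SECRET- may do so;
     * without it the label stays raised and worker -> socket is denied. */
    if (!try_set_label(&worker, worker.S & ~TAG_SECRET) || !can_flow(&worker, &socket))
        return BLOCKED_AT_PUBLISH;

    return PUBLISHED;
}

int main(void) {
    printf("worker without SECRET-: outcome %d\n", read_then_publish(false));
    printf("worker with SECRET-:    outcome %d\n", read_then_publish(true));
    return 0;
}
```

The point the scenario makes is the one Boat targets: the label changes are not optional boilerplate but the difference between a denied send and a permitted one, and placing them at the wrong program point (or omitting the capability that licenses them) silently turns a correct program into one the monitor rejects.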

Boat: The Paper

Boat: The Code

Boat: The Presentation