Blame-Enabled Jif

Blame-Enabled Jif is a modification of the Jif compiler to provide traces of security errors encountered during compilation. At present, label checking errors in security-typed languages are not well understood. Jif and Flowcaml (the two most mature implementations of a security-typed language compiler) currently provide limited facilities for explaining why an individual constraint may fail. However, as information-flow errors may be caused by any runtime code path, a local approach to error explanation often fails to explain the real cause of security errors.

Error Explanations

Even simple errors can be impenetrable in Jif [1]. For example: 

int{Alice:} aliceData;

public void modifyData(int{Alice:} newData) {
   aliceData = newData;
}

When the above code is compiled, the most recent version of Jif (3.1.1) gives the following error message: 

BlameTest.jif:21: Label of right hand side not less restrictive than the label
    for field aliceData
        aliceData = newData;
        ^-------^
Jif also provides an -explain option to give a lot of information about a failed constraint; sometimes this is helpful and sometimes this is not. A side effect of the error reporting strategy that Jif uses is that programmers are basically forced to use -explain all the time, causing frequent headaches. Blame-Enabled Jif provides "better" error messages, where "better" means that we get to see the whole error, from symptom to cause. 
--- ERROR ---
constraint: {#var_newData; #pc3; #var_{this}} <= {Alice: } in environment [{this} <= {caller_pc}]
position: BlameTest.jif:21,1-10
BlameTest.jif:21: constraint generated by
        aliceData = newData;
        ^-------^

environment: [{this} <= {caller_pc}]

failed: {#var_newData; #pc3; #var_{this}} <= {Alice: }
why: {#var_{this}} == {this} in environment [{this} <= {caller_pc}]@BlameTest.jif:1,7-22
BlameTest.jif:1: constraint generated by
public class BlameTest {
       ^-------------^

unsatisfiable: {this} <= {Alice: }
-------------

The error trace from Blame-Enabled Jif indicates:

  • A constraint failed at the assignment; some variables were forced to be less than {Alice:}.
  • That constraint failed because the variable #var_{this} was set equal to the this label.
  • The equation {this} <= {Alice:} was unsatisfiable.

    • With knowledge of the Jif compiler, we know that {this} in a method is always constrained to be less than the caller_pc of a method. By setting the begin label on modifyData to {Alice:}, we can force this to be less than {Alice:} and so resolve this error.

    While resolving this error is a little esoteric, the important feature of Blame-Enabled Jif is that it does not just notify the user that a constraint solving error has occured: it examines the failed constraint, determines which of the variables in the failed constraint contributed to an error, and thus provides a trace of what caused the error.

    Our key modifications to the Jif compiler are:

  • A blame engine for explaining errors in the constraint solver that occur during variable assignment.
  • Introducing auxiliary variables to provide traces for errors that would otherwise fail statically, i.e. errors that would otherwise have no trace.

    • While introducing more variables increases the runtime of the Jif constraint solver, this does not greatly impact the performance of the Jif solver, as it usually behaves in a linear-time. We believe that this is an acceptable trade-off.

    More details about the theoretical background of the error explanations provided by Blame-Enabled Jif can be found in the technical report describing this work [2]. This work will be presented at SIGSOFT/FSE 2008.

    Using Blame-Enabled Jif

  • Download and extract the files for Blame-Enabled Jif here.
  • Copy the .jar files generated by compiling Jif (version 3.X) using ant jar to the jif-blame/lib/ directory. (For now, these files are included in the Blame-Enabled Jif distribution.)
  • Compile Blame-Enabled Jif using ant.
  • Use the executable bin/jifblamec to compile your source files, as you would use jifc.

    Comments

  • Blame-Enabled Jif is distributed under the Jif License.
  • Not all errors will have an error trace. In the event where an unsatisfiable constraint (for example, {Alice:} <= {}) is added to the constraint solver, Blame-Enabled Jif will give the same report as the Jif compiler. However, as discussed above, this should occur less because of the intermediate variables that we introduce during and after constraint generation.

    Jifclipse

    We have also implemented our error explanation algorithm as a view in Jifclipse, a Jif IDE written in Eclipse [3]. This feature will be included in future releases of Jifclipse.

    Notes

    [1] This is not meant to be a major criticism of Jif. Jif does many things very well. Error explanations just aren't one of them. :) I am indebted to Andrew Myers and his students for providing an excellent piece of software.

    [2] Dave King, Trent Jaeger, Somesh Jha, Sanjit A. Seshia. Effective Blame for Information-Flow Violations. Technical Report NAS-TR-0069-2007, Department of Computer Science and Engineering, Pennsylvania State University.

    [3] Boniface Hicks, Dave King, Patrick McDaniel. Jifclipse: Development tools for security-typed applications. In Proceedings of the 2nd ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS '07).

    Acknowledgements

    My thanks to Boniface Hicks and Kiyan Ahmadizadeh for their work on Jifclipse, and to Stephen Chong for his work making the Jif compiler more extensible (this has significantly cleaned up the code).

    David King
    Last modified: Mon Aug 11 13:42:28 EDT 2008