Automatically Enforcing Information Flow Security with Dependency Injection
We present a new model for enforcing rule-based information flow policies in server applications. Our framework automatically inserts
authorization logic whenever data flows into or out of application logic. Authorization logic is defined in a single policy, and applied
uniformly by the framework. Application logic is independent of the policy, so does not need explicit checks. This separation of concerns
improves maintainability while providing correctness guarantees. Our programming model is derived from Jeeves, a programming
language with a special type system to provide ``policy-agnostic programming.'' Our framework, Jagger, uses the standard Java type
system to implement policy-agnostic programming. It uses code generation and the Dagger dependency injection framework to provide
information flow guarantees with minimal programmer burden.