A New Field: Information Type Flow
In my last post on Information Flow, I noticed that some flows are more informative than others. I used a switch statement for my illustrative example of that observation. But, from my experience as a software developer, I have a small aversion to switch statements. Usually, when I feel compelled to use one, it’s because I’m not using OO design principles. It’s because that switch should really be replaced with a polymorphic dispatch.
So, thanks to my Super Awesome Postdoc, we coined a new field as a result. It stands to reason that Information Flow analysis can be performed on types, just as it has previously been performed on values. A collection of questions suggest themselves:
- Is it useful? Does sensitive/interesting/important information actually leak as a result of polymorphism? For a typical program, how much does the polymorphic dispatch reveal about your system? On the one hand, I think not so much; because the dispatch is taken on type-compatible instances. On the other, perhaps alot, if you represent much of the problem’s domain in the type system (AuthenticatedCustomer vs Guest). How do standard practices such as Design Patterns affect a programs information type flow?
- What does the analysis entail? Does it require a statically typed language, so that you can easily identify the polymorphic call sites? Do you still have to provide instrumentation that take place at runtime?
- What about dynamic languages? Does type-information make its way into dynamic programs? Even in a dynamic language, are the programmers developing as if they had a strongly typed world?