Gradual Information Flow Typing Tim Disney and Cormac Flanagan University of California Santa Cruz Abstract. We present a method to support the gradual evolution of secure scripts by formalizing an extension of the simply-typed lambda calculus that provides information flow constructs. These constructs al- low initially insecure programs to evolve via targeted refactoring and to provide dynamic information flow guarantees via casts, as well as static information flow guarantees via labeled types. 1 Introduction Several decades of software engineering experience has demonstrated that writ- ing “correct” software is close to impossible, due to the inherent complexity of software systems and the fallible nature of human programmers. Consequently, relying on security to be an emergent property of software is unwise. We ar- gue instead that security properties, such as data confidentiality and integrity, should be monitored and enforced by small trusted parts of the code base, with help from the run-time system where appropriate. In practice, programmers are initially concerned more with functionality than with security. It is only once a system has proven useful, and has attracted users and potential attackers, that security concerns become dominant. While it might be preferable to address security concerns right from the start of a project, com- petitive pressures often dictate quickly developing an initial (perhaps insecure) system that helps clarify the requirements and gain a market foothold, and then to evolve the system with additional features, including security guaran- tees. Hence, we would like to support a development methodology whereby the programmer first develops an initial, insecure system, and then incrementally refactors the system to add data confidentiality and integrity guarantees via information flow tracking. Much prior work has addressed information flow security. Most of this work has focused on static type systems such as JFlow [15], Jif [14], and others [29, 16], which involve significant up-front costs. More recent investigations explore dynamic information flow [4, 5, 10], which requires less up-front investment but which cannot document security properties as types. In this paper, we explore some initial steps towards realizing the vision of gradual evolution from untyped scripts into security typed applications. Since prior work has addressed evolving dynamic scripts into typed code [1, 27, 12, 11], the starting point for our development is a typed language. We explore how to gradually extend programs in this language with security guarantees and with security types.