Type-Driven Gradual Security with References
ACM Transactions on Programming Languages and Systems (IF 1.5). Pub Date: 2018-12-13. DOI: 10.1145/3229061
Matías Toro, Ronald Garcia, Éric Tanter

In security-typed programming languages, types statically enforce noninterference between potentially conspiring values, such as the arguments and results of functions. But to adopt static security types, like other advanced type disciplines, programmers face a steep wholesale transition, often forcing them to refactor working code just to satisfy their type checker. To provide a gentler path to security typing that supports safe and stylish but hard-to-verify programming idioms, researchers have designed languages that blend static and dynamic checking of security types. Unfortunately, most of the resulting languages only support static, type-based reasoning about noninterference if a program is entirely statically secured. This limitation substantially weakens the benefits that dynamic enforcement brings to static security typing. Additionally, current proposals are focused on languages with explicit casts and therefore do not fulfill the vision of gradual typing, according to which the boundaries between static and dynamic checking only arise from the (im)precision of type annotations and are transparently mediated by implicit checks. In this article, we present GSL_Ref, a gradual security-typed higher-order language with references. As a gradual language, GSL_Ref supports the range of static-to-dynamic security checking exclusively driven by type annotations, without resorting to explicit casts. Additionally, GSL_Ref lets programmers use types to reason statically about termination-insensitive noninterference in all programs, even those that enforce security dynamically. We prove that GSL_Ref satisfies all but one of Siek et al.'s criteria for gradually-typed languages, which ensure that programs can seamlessly transition between simple typing and security typing. A notable exception regards the dynamic gradual guarantee, which some specific programs must violate if they are to satisfy noninterference; it remains an open question whether such a language could fully satisfy the dynamic gradual guarantee. To realize this design, we were led to draw a sharp distinction between syntactic type safety and semantic type soundness, each of which constrains the design of the gradual language.
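The abstract describes the static/dynamic split that gradual security typing implies: a precise annotation lets the type checker reject an illegal flow outright, while an imprecise ("unknown") annotation defers the same check to an implicit runtime check. The sketch below is an added illustration of that split and is not the GSL_Ref calculus from the paper or the authors' code. It assumes a two-point lattice L (public) ⊑ H (secret), a gradual label `?` meaning "statically unknown", flow-insensitive references whose cell label is fixed, and a program-counter label `pc` for implicit flows; the names `Val`, `Ref`, `check_assign_static`, `assign` and `scenarios` are all invented here.

```python
# Toy gradual information-flow checker with references (added illustration;
# NOT the GSL_Ref semantics of the paper). Lattice: L (public) ⊑ H (secret);
# '?' is the gradual "unknown" label that pushes a check to run time.
from dataclasses import dataclass

LOW, HIGH, UNKNOWN = "L", "H", "?"


def leq(a: str, b: str) -> bool:
    """a ⊑ b on the precise two-point lattice."""
    return a == LOW or b == HIGH


def join(a: str, b: str) -> str:
    """Least upper bound; '?' absorbs, since its precise value is unknown."""
    if UNKNOWN in (a, b):
        return UNKNOWN
    return HIGH if HIGH in (a, b) else LOW


def consistent_leq(a: str, b: str) -> bool:
    """Consistent ordering used by the static checker: '?' is plausibly any
    label, so only definitely illegal flows are rejected statically."""
    return UNKNOWN in (a, b) or leq(a, b)


class StaticFlowError(TypeError):
    """Definite illegal flow found by the static checker."""


class RuntimeFlowError(RuntimeError):
    """Illegal flow caught by an implicit check that '?' deferred to run time."""


@dataclass
class Val:
    data: object
    label: str  # runtime labels are always precise: L or H


@dataclass
class Ref:
    decl: str  # declared label of the cell; may be '?'
    cell: Val  # current contents, carrying the cell's precise label


def check_assign_static(ref_decl: str, rhs_decl: str, pc: str) -> None:
    """Static check for `ref := rhs` under program-counter label pc:
    requires join(rhs, pc) ⊑ ref_decl up to consistency with '?'."""
    if not consistent_leq(join(rhs_decl, pc), ref_decl):
        raise StaticFlowError(
            f"cannot write {rhs_decl} data under pc={pc} into a {ref_decl} ref")


def assign(ref: Ref, rhs: Val, pc: str) -> None:
    """Runtime assignment with the implicit check: the cell keeps its precise
    label, so neither a secret value nor a write under a secret pc lands in a
    public cell (this is what keeps noninterference for dynamically checked code)."""
    if not leq(join(rhs.label, pc), ref.cell.label):
        raise RuntimeFlowError(
            f"{rhs.label} joined with pc={pc} does not flow to {ref.cell.label} cell")
    ref.cell = Val(rhs.data, ref.cell.label)


def scenarios() -> dict:
    """The same assignment under progressively less precise annotations.
    Returns where each version is caught: 'static', 'runtime' or 'ok'."""
    out = {}
    secret = Val(42, HIGH)                 # constructed sample: a secret value
    public_cell = Ref(LOW, Val(0, LOW))    # constructed sample: a public reference

    # 1. Fully annotated (secret : H, public_cell : Ref L): rejected statically.
    try:
        check_assign_static(public_cell.decl, HIGH, LOW)
        out["fully_static"] = "ok"
    except StaticFlowError:
        out["fully_static"] = "static"

    # 2. Source annotated '?': the checker cannot rule the flow out, so the
    #    implicit runtime check is what rejects it.
    try:
        check_assign_static(public_cell.decl, UNKNOWN, LOW)
        assign(public_cell, secret, LOW)
        out["gradual"] = "ok"
    except StaticFlowError:
        out["gradual"] = "static"
    except RuntimeFlowError:
        out["gradual"] = "runtime"

    # 3. Same '?' annotation, but the value really is public: no error anywhere.
    try:
        check_assign_static(public_cell.decl, UNKNOWN, LOW)
        assign(public_cell, Val(7, LOW), LOW)
        out["gradual_public"] = "ok"
    except (StaticFlowError, RuntimeFlowError) as e:
        out["gradual_public"] = type(e).__name__

    # 4. Implicit flow: a public value written inside a branch on a secret (pc = H).
    try:
        check_assign_static(public_cell.decl, LOW, HIGH)
        out["implicit_flow"] = "ok"
    except StaticFlowError:
        out["implicit_flow"] = "static"
    return out


if __name__ == "__main__":
    print(scenarios())
```

Scenario 2 is the point of the abstract's "transparently mediated by implicit checks": loosening the annotation from H to `?` moves the rejection from the type checker to run time without the programmer writing a cast, and noninterference still holds because the runtime check consults the precise labels. Scenario 4 shows why the check must include the program-counter label, not just the assigned value.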
