Lazy Programs Leak Secrets
Paper in proceedings, 2013

To preserve confidentiality, information-flow control (IFC) restricts how untrusted code handles secret data. While promising, IFC systems are not perfect; they can still leak sensitive information via covert channels. In this work, we describe a novel exploit of lazy evaluation to reveal secrets in IFC systems. Specifically, we show that lazy evaluation might transport information through the internal timing covert channel, a channel present in systems with concurrency and shared resources. We illustrate our claim with an attack for LIO, a concurrent IFC system for Haskell. We propose a countermeasure based on restricting the implicit sharing caused by lazy evaluation.

language-based security

covert channels

lazy evaluation


information flow control


Pablo Buiras

Chalmers, Computer Science and Engineering (Chalmers), Software Technology (Chalmers)

Alejandro Russo

Chalmers, Computer Science and Engineering (Chalmers), Software Technology (Chalmers)

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

03029743 (ISSN) 16113349 (eISSN)

Vol. 8208 116-122

Areas of Advance

Information and Communication Technology

Subject Categories

Computer Science





More information