Gradual Security Typing in Dart
This page will describe artifacts associated to SecDart which is an extension to the Dart programming language with gradual security typing.
Installation instructions
We will provide three ways to interact with the SecDart's security analysis (currently just the first one is available!):
- Using the online SecDart Pad at https://pleiad.cl/secdart/
- The SecDart Analyzer CLI
- The SecDart Plugin for Analysis Server.
SecDart Pad: Functionality
The following screenshot shows how the SecDart Pad looks like
The SecDart Analyzer CLI
Instructions will be placed here soon.
Integration with the Analysis Server
We developed a plugin for the Dart Analysis Server. The implementation is not stable yet, but we are working on that. The following screenshot shows a (custom) security error reported by the security analysis in the “Dart Analysis” windows of WebStorm
SecDart : Language features
SecDart covers a subset of the language and add security labels to language constructors
Dart subset
The following BNF notation represents the AST of the supported subset of Dart, so is not a grammar specification. We use brackets in the BNF rules to refer to the name of the class of the Ast node provided by the Dart Analyzer.
compilationUnitMember ::= | [FunctionDeclaration] functionDeclaration ::= 'external' functionSignature | functionSignature [FunctionBody] functionSignature ::= [Type]? ('get' | 'set')? [SimpleIdentifier] [FormalParameterList] binaryExpression ::= [Expression] [Token] [Expression] functionBody ::= [BlockFunctionBody] | [EmptyFunctionBody] | [ExpressionFunctionBody] blockFunctionBody ::= block expressionFunctionBody ::= '=>' [Expression] ';' block ::= '{' statement* '} statement ::= [Block] | [VariableDeclarationStatement] | [IfStatement] | [ReturnStatement] | [ExpressionStatement] variableDeclarationStatement ::= [VariableDeclarationList] ';' variableDeclarationList ::= finalConstVarOrType [VariableDeclaration] (',' [VariableDeclaration])* variableDeclaration ::= [SimpleIdentifier] ('=' [Expression])? ifStatement ::= 'if' '(' [Expression] ')' [Statement] ('else' [Statement])? returnStatement ::= 'return' [Expression]? ';' expressionStatement ::= [Expression]? ';' expression ::= [AssignmentExpression] | [ConditionalExpression] cascadeSection* //the Dart grammar does not include the followings nodes here to avoid left recursion, however for the sake of presentation we inline them here. | [BinaryExpression] | [InvocationExpression] | [Literal] | [ParenthesizedExpression] | [Identifier] assignmentExpression ::= [Expression] assignmentOperator [Expression] conditionalExpression ::= [Expression] '?' [Expression] ':' [Expression]
Security labels
SecDart uses annotations to specify security labels. We can specify security labels for the following entities:
- parameters of functions
int min(@high int a,@high int b)
- variable definition
void sendToFacebook(){ ... @low String message = .... ... }
- function declarations
@latent("H","H") @low int max(@low int a,@high int b){ return a+b; }