programmers have no help deciding how to place code and
data in the system for best interactive performance. In Swift,
the compiler automatically places code and data to optimize
interactive performance, subject to security constraints, and
automatically synthesizes secure protocols where communication is required.
Of course, others have noticed that Web applications are
hard to make secure and awkward to write. Prior research
has addressed security and expressiveness separately.
One line of work has tried to make Web applications more
secure, through analysis10, 12, 22 or monitoring9, 16, 23 of server-side application code. However, this work does not help
application developers decide when code and data can be
placed on the client. Conversely, the awkwardness of programming Web applications has motivated a second line of
work toward a unified language for writing distributed Web
24 However, this work largely ignores security; the programmer controls code placement, but nothing
ensures the placement is secure.
Swift differs by addressing security and expressiveness
together. One novel feature illustrating this is its selective
replication of computation and data onto both the client and
server. Replication is useful for validation of form inputs,
which should happen on the client so the user does not have
to wait for the server to respond to invalid inputs, but must
also happen on the server because client-side validation is
untrusted. With Swift, programmers write validation code
only once. Compared to the current practice in which developers write separate, possibly inconsistent validation code
for the client and server, Swift improves both security and
An earlier publication3 is a good source for further details
about Swift, especially regarding the run-time system and
Figure 1 depicts the architecture of Swift. The programmer
writes annotated Java source code, shown at the top of the
diagram. Proceeding from top to bottom, a series of program transformations converts the code into the partitioned
form shown at the bottom, with Java code running on the
2. 1. Jif source code
The source language of the program is an extended version
of the Jif 3.0 programming language.
15 Jif extends the Java
programming language with language-based mechanisms
for information flow control and access control. Information
security policies can be expressed directly within Jif programs, as labels on program variables. By statically checking
a program, the Jif compiler ensures that these labels are consistent with flows of information in the program.
The original model of Jif security is that if a program
passes compile-time static checking, and the program runs
on a trustworthy platform, then the program will enforce the
information security policies expressed as labels. For Swift,
we assume that the Web server can be trusted, but the client
machine and browser may be buggy or malicious. Therefore,
80 CommunICatIons of the aCm | febrUary 2009 | vol. 52 | no. 2
Swift transforms program code so that the application runs
securely, even though it runs partly on the untrusted client.
2. 2. WebIL intermediate code
The first phase of program transformation converts Jif
programs into code in an intermediate language we call
WebIL. Like Jif, WebIL includes annotations, but the space
of allowed annotations is much simpler, describing constraints on the possible locations of application code and
data. For example, the annotation S means that the annotated code or data must be placed on the Web server. The
annotation C?S means that it must be placed on the server,
and may optionally be replicated on the client as well. It is
convenient to program directly in WebIL, but this does not
enforce secure information flow.
2. 3. Placement and optimization
The initial WebIL annotations are merely constraints on
code and data placement. The second phase of compilation
decides the exact placement and replication of code and
data between the client and server, in accordance with these
constraints. The system uses a polynomial-time algorithm
to minimize the cost of the placement, by avoiding unnecessary network messages.
2. 4. splitting code
Once code and data placements have been determined, the
compiler transforms the WebIL code into two Java programs,
one representing server-side computation and the other, client-side computation. This is a fine-grained transformation.
Different statements within the same method may run variously on the server and the client, and similarly with different
fields of the same object. Sequential statements in the program
source code may become separate code fragments on the client and server that invoke each other via network messages.
figure 1: the swift architecture.
Located WebIL code