🤖 AI Summary
This work presents the first purely library-based implementation of fine-grained, Denning-style static information flow control (IFC) in Rust, requiring no compiler modifications. Existing language-level IFC approaches often struggle to balance fine-grained tracking with compiler intrusiveness, while coarse-grained methods restrict programming flexibility. By leveraging Rust’s type system, type inference, compile-time program counter labels, and macro mechanisms, the proposed approach introduces lightweight constructs—such as `pc_block!`, `fcall!`, and `mcall!`—to support both explicit and implicit flow checks and enable secure interoperability with third-party libraries. The method imposes minimal annotation overhead and negligible compilation cost, offering strong security guarantees while significantly relaxing the programming model and reducing escape hatches compared to prior systems like Cocoon.
📝 Abstract
Existing language-based information-flow control (IFC) tools face a fundamental tension: Denning-style systems that track explicit and implicit flows at the variable level typically require compiler modifications, while more coarse-grained approaches, including the recent Cocoon system, avoid compiler changes but impose more restrictive programming models. We present Filament, a Denning-style static IFC library for Rust that requires no compiler modifications. Filament addresses three key challenges in building a practical IFC library for Rust. First, it enables fine-grained explicit-flow checking with minimal annotation overhead by leveraging Rust's type inference. Second, it introduces `pc_block!`, a lightweight construct for enforcing implicit flows via a compile-time program counter label, without requiring compiler support. Third, it provides the `fcall!` and `mcall!` macros to support seamless and safe interoperability with standard and third-party libraries. Our evaluation shows that Filament incurs negligible compile-time overhead and requires only modest annotations. Moreover, compared to Cocoon, Filament offers a more permissive programming model, reducing the need for frequent escape hatches that bypass security checks.
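To make the abstract's central claim concrete, the following is an added illustration, written for this page and not taken from Filament or the paper, of how a purely library-based Denning-style check can be encoded in Rust's type system. The names (`Low`, `High`, `FlowsTo`, `Join`, `Labeled`, `if_then`) and the two-point lattice are assumptions for the example; Filament's own API and label lattice may differ. Labels live only in types, the join of two labels is computed by the type checker so the programmer never writes the result label (the "type inference" point), and the guarded assignment helper plays the role of a program-counter label: a branch on `High` data may not write a `Low` variable, which is the implicit flow that `pc_block!` is meant to catch.

```rust
use std::marker::PhantomData;

// Security labels as zero-sized marker types; the assumed lattice is Low ⊑ High.
pub struct Low;
pub struct High;

// "Flows-to" relation encoded as a trait: `L: FlowsTo<M>` holds only when L ⊑ M.
pub trait FlowsTo<M> {}
impl FlowsTo<Low> for Low {}
impl FlowsTo<High> for Low {}
impl FlowsTo<High> for High {}

// Least upper bound of two labels, computed by the type checker.
pub trait Join<M> {
    type Out;
}
impl Join<Low> for Low { type Out = Low; }
impl Join<High> for Low { type Out = High; }
impl Join<Low> for High { type Out = High; }
impl Join<High> for High { type Out = High; }

// A labelled value: the label exists only in the type, so it has no run-time cost.
pub struct Labeled<T, L> {
    val: T,
    _label: PhantomData<L>,
}

impl<T, L> Labeled<T, L> {
    pub fn new(val: T) -> Self {
        Labeled { val, _label: PhantomData }
    }

    // Relabelling is permitted only upward in the lattice (L ⊑ M).
    pub fn relabel<M>(self) -> Labeled<T, M>
    where
        L: FlowsTo<M>,
    {
        Labeled::new(self.val)
    }

    // Explicit flow: a value derived from two inputs carries the join of their
    // labels. The caller never writes the result label; inference fills it in.
    pub fn zip_with<U, R, M, F>(self, other: Labeled<U, M>, f: F) -> Labeled<R, <L as Join<M>>::Out>
    where
        L: Join<M>,
        F: FnOnce(T, U) -> R,
    {
        Labeled::new(f(self.val, other.val))
    }
}

// Only Low data can be unwrapped. There is no `unlabel` for High, so High data
// cannot reach an unlabelled sink without an explicit, auditable escape hatch.
impl<T> Labeled<T, Low> {
    pub fn unlabel(self) -> T {
        self.val
    }
}

// Implicit flow: an assignment guarded by a condition of label L may only target
// a variable of label M when L ⊑ M. L acts as the program-counter label here.
pub fn if_then<L, T, M>(guard: &Labeled<bool, L>, target: &mut Labeled<T, M>, then_val: T)
where
    L: FlowsTo<M>,
{
    if guard.val {
        target.val = then_val;
    }
}

// Explicit-flow demo (constructed values): accepted flows compile, the rejected
// flow is left as a comment because it is a compile-time error by design.
pub fn explicit_flow_demo() -> u32 {
    let a: Labeled<u32, Low> = Labeled::new(2);
    let b: Labeled<u32, Low> = Labeled::new(3);
    let secret: Labeled<u32, High> = Labeled::new(40);

    let low_sum = a.zip_with(b, |x, y| x + y); // inferred Labeled<u32, Low>
    let public = low_sum.unlabel(); // ok: Low ⊑ Low

    let c: Labeled<u32, Low> = Labeled::new(2);
    let mixed = c.zip_with(secret, |x, y| x + y); // inferred Labeled<u32, High>
    let _still_high: Labeled<u32, High> = mixed.relabel(); // ok: upward relabel
    // `mixed.unlabel()` does not compile: no `unlabel` exists for Labeled<_, High>.

    public
}

// Implicit-flow demo (constructed values): the pc check rejects a High-guarded
// write into a Low variable at compile time.
pub fn implicit_flow_demo() -> u32 {
    let low_flag: Labeled<bool, Low> = Labeled::new(true);
    let mut low_out: Labeled<u32, Low> = Labeled::new(0);
    if_then(&low_flag, &mut low_out, 7); // pc = Low, target Low: ok

    let secret_flag: Labeled<bool, High> = Labeled::new(true);
    let mut high_out: Labeled<u32, High> = Labeled::new(0);
    if_then(&secret_flag, &mut high_out, 1); // pc = High, target High: ok
    // `if_then(&secret_flag, &mut low_out, 1)` does not compile: High does not
    // flow to Low, which is exactly the implicit flow a pc label exists to catch.

    low_out.unlabel()
}

fn main() {
    println!("public sum = {}", explicit_flow_demo());
    println!("low_out = {}", implicit_flow_demo());
}
```

The point of the sketch is that every rejected flow is a type error rather than a run-time failure, and the only run-time code is the closure the programmer wrote; this is what allows a library, as opposed to a modified compiler, to give static Denning-style guarantees. A real system also needs labels on references, containers and library calls, which is where the paper's `fcall!` and `mcall!` macros come in.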