AI Summary
Reactive programs are vulnerable to traffic analysis attacks. To address this, we propose OblivIO, the first secure execution framework for event-driven reactive programming. Its core innovation is the adaptation of data obliviousness to the reactive paradigm, achieved by injecting controlled dummy messages to decouple communication traffic patterns from sensitive program logic. We design a potential-annotated information-flow type system that formally bounds traffic overhead, and integrate constant-time cryptographic primitives with potential-based analysis to enforce strictly constant traffic behavior. The OblivIO interpreter, built atop this framework, provides formal security guarantees against traffic analysis. Empirical evaluation demonstrates its effectiveness in protecting security-critical operations while maintaining manageable performance overhead.
Abstract
Traffic analysis attacks remain a significant problem for online security. Communication between nodes can be observed by network-level attackers as it inherently takes place in the open. Despite online services increasingly using encrypted traffic, the shape of the traffic is not hidden. To prevent traffic analysis, the shape of a system's traffic must be independent of secrets. We investigate adapting the data-oblivious approach to the reactive setting and present OblivIO, a secure language for writing reactive programs driven by network events. Our approach pads with dummy messages to hide which program sends are genuinely executed. We use an information-flow type system to provably enforce timing-sensitive noninterference. The type system is extended with potentials to bound the overhead in traffic introduced by our approach. We address challenges that arise from joining data-oblivious and reactive programming and demonstrate the feasibility of our resulting language by developing an interpreter that implements security-critical operations as constant-time algorithms.
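A minimal sketch of the dummy-message padding the abstract describes, added here as an illustration; it is not OblivIO code or syntax, and the channel names, fixed message size and helper functions are assumptions. It compares what an observer of encrypted traffic sees (channel and length) for a send placed under a secret branch against a padded send whose reply is padded too, and it does not model timing or the type system.

```python
import os

MSG_LEN = 32  # constructed fixed wire size; stands in for an encrypted body

def encode(real, payload=b""):
    """One flag byte plus a body padded (or randomised, for dummies) to MSG_LEN."""
    if len(payload) > MSG_LEN - 1:
        raise ValueError("payload exceeds fixed message size")
    body = payload.ljust(MSG_LEN - 1, b"\0") if real else os.urandom(MSG_LEN - 1)
    return bytes([1 if real else 0]) + body

def observer_view(net):
    """What a network-level attacker sees of encrypted traffic: channel and length."""
    return [(channel, len(wire)) for channel, wire in net]

def naive_sender(secret, net):
    # The send sits under a secret branch, so its presence on the wire leaks the secret.
    if secret:
        net.append(("server/alert", encode(True, b"alert")))

def padded_sender(secret, net):
    # The send always executes; the secret only selects real versus dummy.
    net.append(("server/alert", encode(bool(secret), b"alert")))

def padded_receiver(wire, net, state):
    # The handler reacts to dummies as well: state changes only for real messages,
    # but a reply of the same shape goes out either way. (A real implementation
    # would also avoid this secret-dependent branch; timing is not modelled here.)
    real = wire[0] == 1
    if real:
        state.append(wire[1:].rstrip(b"\0"))
    net.append(("client/ack", encode(real, b"ack")))

def run(sender, secret, reactive=False):
    """Run one sender, optionally let the receiver react, return (observer view, state)."""
    net, state = [], []
    sender(secret, net)
    if reactive:
        for channel, wire in list(net):
            if channel == "server/alert":
                padded_receiver(wire, net, state)
    return observer_view(net), state
```
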