Abstract

Information-flow control tracks how information propagates through the program during execution to make sure that the program handles the information securely. Secure information flow consists of two related aspects: information confidentiality and information integrity — intuitively pertaining to the reading and writing of the information. The prevailing basic semantic notion of secure information flow is noninterference, demanding independence of public (or, in the case of integrity, trusted) output from secret (or, in the case of integrity, untrusted) input. This document gives an account of the state-of-the-art in confidentiality and integrity policies and their enforcement with a systematic formalization of four dominant formulations of noninterference: termination-insensitive, termination-sensitive, progress-insensitive, and progress-sensitive, cast in the setting of two minimal while languages.

1. Information-flow control

The control of how information is propagated by computing systems is vital for information security. Historically, access control has been the main means of preventing information from being disseminated. As the name indicates, access control verifies the program's access rights at the point of access, and either grants or denies the program access. Once the program has been given access to information, no further effort is made to make sure that the program handles the accessed information correctly. However, access control is inadequate in many situations, since it forces an all-or-nothing choice of either fully trusting the program not to leak/compromise information or not allowing access to this information altogether. Information-flow control tracks how information propagates through the program during execution to make sure that the program handles the information securely. The research on secure information flow goes back to the early 70s [35,39], primarily in the context of military systems.
Secure information flow consists of two related aspects: information confidentiality and information integrity — intuitively pertaining to the reading and writing of the information. The prevailing basic semantic notion of secure information flow is noninterference [46], demanding independence of public (or, in the case of integrity, trusted) output from secret (or, in the case of integrity, untrusted) input. As the field has matured, numerous variations of noninterference [98], as well as other semantic characterizations, have been explored [103]. Recently, information integrity has received attention [55,57,19,4]. Integrity has frequently been seen as the dual of confidentiality [18], though it can be argued that this description might ignore other important facets [19]. One important aspect of integrity lies in its interaction with declassification — intentional lowering of the security classification of information — in order to prevent the attacker from controlling what information is declassified [77,78]. Below we give an account of the state-of-the-art in confidentiality and integrity policies and enforcement, with a detailed exposition of various formulations of noninterference.
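As an added illustration (not code from the paper), the following Python snippet interprets a minimal while language over variables labelled low or high and decides noninterference by comparing two runs from memories that differ only in the high variable; divergence is approximated by exhausting a step budget, and the programs, labels and memories are constructed for the example. The termination-insensitive check ignores run pairs where one run diverges, while the termination-sensitive check also requires both runs to agree on termination, which is exactly what separates the two formulations on the `TERM_LEAK` program.

```python
LOW, HIGH = "low", "high"

def ev(e, m):
    """Expressions: int literal, variable name, or (op, e1, e2)."""
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return m[e]
    op, a, b = e
    x, y = ev(a, m), ev(b, m)
    return {"+": x + y, "-": x - y, "==": int(x == y), "!=": int(x != y)}[op]

def run(c, m, fuel=1000):
    """Execute command c on memory m; return the final memory, or None when
    the step budget is exhausted (stands in for divergence; an assumption)."""
    m, stack = dict(m), [c]
    while stack:
        fuel -= 1
        if fuel < 0:
            return None
        cmd = stack.pop()
        if cmd[0] == "assign":
            m[cmd[1]] = ev(cmd[2], m)
        elif cmd[0] == "seq":            # run cmd[1] first, then cmd[2]
            stack += [cmd[2], cmd[1]]
        elif cmd[0] == "if":
            stack.append(cmd[2] if ev(cmd[1], m) else cmd[3])
        elif cmd[0] == "while" and ev(cmd[1], m):
            stack += [cmd, cmd[2]]       # body, then re-test the guard
    return m                             # "skip" and a false guard do nothing

def low_equal(m1, m2, labels):
    return all(m1[v] == m2[v] for v, lab in labels.items() if lab == LOW)

def noninterferent(c, labels, m1, m2, termination_sensitive=False):
    """Two runs from low-equal memories. TINI ignores pairs where a run
    diverges; TSNI also requires both runs to agree on termination."""
    assert low_equal(m1, m2, labels)
    r1, r2 = run(c, m1), run(c, m2)
    if r1 is None or r2 is None:
        return (r1 is None) == (r2 is None) if termination_sensitive else True
    return low_equal(r1, r2, labels)

# Constructed programs over l (low) and h (high).
LABELS = {"l": LOW, "h": HIGH}
EXPLICIT = ("assign", "l", "h")                                   # l := h
IMPLICIT = ("if", ("!=", "h", 0), ("assign", "l", 1), ("assign", "l", 0))
TERM_LEAK = ("seq", ("while", ("!=", "h", 0), ("skip",)), ("assign", "l", 1))
SAFE = ("seq", ("assign", "h", ("+", "h", 1)), ("assign", "l", 5))
M0, M1 = {"l": 0, "h": 0}, {"l": 0, "h": 1}
```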
