Language-Based Information-Flow Security: Andrei Sabelfeld and Andrew C. Myers
Language-Based Information-Flow Security: Andrei Sabelfeld and Andrew C. Myers
Language-Based Information-Flow Security: Andrei Sabelfeld and Andrew C. Myers
1, JANUARY 2003 1
Abstract— Current standard security practices do not pro- untrusted, possibly malicious hosts or code, making assurance
vide substantial assurance that the end-to-end behavior of a of confidentiality still more difficult.
computing system satisfies important security policies such as The standard way to protect confidential data is (discre-
confidentiality. An end-to-end confidentiality policy might assert
that secret input data cannot be inferred by an attacker through tionary) access control: some privilege is required in order to
the attacker’s observations of system output; this policy regulates access files or objects containing the confidential data. Access
information flow. control checks place restrictions on the release of information
Conventional security mechanisms such as access control but not its propagation. Once information is released from
and encryption do not directly address the enforcement of its container, the accessing program may, through error or
information-flow policies. Recently, a promising new approach
has been developed: the use of programming-language tech- malice, improperly transmit the information in some form. It is
niques for specifying and enforcing information-flow policies. unrealistic to assume that all the programs in a large computing
In this article we survey the past three decades of research on system are trustworthy; security mechanisms such as signature
information-flow security, particularly focusing on work that uses verification and antivirus scanning do not provide assurance
static program analysis to enforce information-flow policies. We that confidentiality is maintained by the checked program. To
give a structured view of recent work in the area and identify
some important open challenges. ensure that information is used only in accordance with the
relevant confidentiality policies, it is necessary to analyze how
Index Terms— Computer security, confidentiality, information information flows within the using program; because of the
flow, noninterference, security-type systems, covert channels,
security policies, concurrency. complexity of modern computing systems, a manual analysis
is infeasible.
Belief that a system is secure with respect to confidentiality
I. I NTRODUCTION should arise from a rigorous analysis showing that the system
as a whole enforces the confidentiality policies of its users.
P ROTECTING the confidentiality of information manip-
ulated by computing systems is a long-standing yet in-
This analysis must show that information controlled by a con-
creasingly important problem. There is little assurance that fidentiality policy cannot flow to a location where that policy
is violated. The confidentiality policies we wish to enforce
current computing systems protect data confidentiality and
are, thus, information-flow policies and the mechanisms that
integrity; existing theoretical frameworks for expressing these
enforce them are information-flow controls. Information-flow
security properties are inadequate, and practical techniques for
policies are a natural way to apply the well-known systems
enforcing these properties are unsatisfactory. In this article
principle of end-to-end design [1] to the specification of
we discuss language-based techniques—in particular, program
computer security requirements; therefore, we also consider
semantics and analysis—for the specification and enforcement
them to be specifications of end-to-end security. In a truly
of security policies for data confidentiality.
secure system, these confidentiality policies could be precisely
Language-based mechanisms are especially interesting be-
expressed and translated into mechanisms that enforce them.
cause the standard security mechanisms are unsatisfactory
However, practical methods for controlling information flow
for protecting confidential information in the emerging, large
have eluded researchers for some time.
networked information systems. Military, medical, and finan-
Recently, a promising new approach has been developed by
cial information systems, as well as web-based services such
the authors and others: the use of type systems for information
as mail, shopping, and business-to-business transactions are
flow (e.g., [2]–[14]). In a security-typed language, the types
applications that create serious privacy questions for which
of program variables and expressions are augmented with
there are no good answers at present.
annotations that specify policies on the use of the typed data.
Analyzing the confidentiality properties of a computing
These security policies are then enforced by compile-time
system is difficult even when insecurity arises only from
type checking, and, thus, add little or no run-time overhead.
unintentional errors in the design or implementation. Addi-
Like ordinary type checking, security-type checking is also
tionally, modern computing systems commonly incorporate
inherently compositional: secure subsystems combine to form
Manuscript received April 15, 2002; revised August 21, 2002. This work a larger secure system as long as the external type signatures
was supported in part by ONR Grant N00014-01-1-0968, in part by NSF of the subsystems agree. The recent development of semantics-
CAREER Award 0133302, and in part by an Alfred P. Sloan Research Fel- based security models (i.e., models that formalize security in
lowship. Any opinions, findings, conclusions, or recommendations contained
in this material are those of the authors and do not necessarily reflect the terms of program behavior) has provided powerful reasoning
views of the Department of the Navy, Office of Naval Research, the National techniques (e.g., [3], [5], [6], [9]–[17]) about the properties
Science Foundation, or the Alfred P. Sloan Foundation. that security-type systems guarantee. These properties increase
A. Sabelfeld and A. C. Myers are with the Computer Science Depart-
ment, Upson Hall, Cornell University, Ithaca, NY 14853, USA (e-mail: security assurance because they are expressed in terms of
andr{ei, u}@cs.cornell.edu). end-to-end program behavior and, thus, provide a suitable
2 IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 21, NO. 1, JANUARY 2003
vocabulary for end-to-end policies of programs. Other common security enforcement mechanisms such as
The rest of the article is organized as follows. Section II firewalls, encryption, and antivirus software are useful for pro-
gives some background on the problem of protecting con- tecting confidential information. However, these mechanisms
fidentiality, including why existing security techniques are do not provide end-to-end security. For example, a firewall
unsatisfactory. Section III illustrates the basics of information- protects confidential information by preventing communica-
flow techniques by giving examples of a security condition and tion with the outside. In practical systems, however, firewalls
a security-type system. Section IV gives a structured overview permit some communication in both directions (e.g., [23]);
of recent work in the field. Section V identifies important whether this communication violates confidentiality lies out-
challenges for future work. The article closes in Section VI. side the scope of the firewall mechanism. Similarly, encryption
can be used to secure an information channel so that only
II. BACKGROUND the communicating endpoints have access to the information.
Terminology for security properties relating to confidential- However, this encryption provides no assurance that once the
ity is somewhat inconsistent. This article is about the language- data is decrypted, the computation at the receiver respects the
based specification and enforcement of strong confidentiality confidentiality of the transmitted data. Antivirus software is
policies based on information flow. In this framework, it is based on detecting patterns of previously known malicious
assumed that computation using confidential information is behavior in code and, thus, offers limited protection against
possible, and that it is important to prevent the results of new attacks.
the computation from leaking even partial information about
confidential inputs. This kind of security was described in B. Related Work on Language-Based Security
Lampson’s seminal article [18] as information confinement,
Language-based mechanisms have been used for security
and has also been known as secrecy. However, both “con-
goals other than protecting confidentiality. Perhaps the best-
finement” and “secrecy” have been used to describe related
known language-based security mechanism is the Java run-
but weaker security properties. In the context of capability
time environment, which provides a well-known set of security
systems, “confinement” refers to the ability to prevent capabil-
mechanisms for Java applets, including the bytecode veri-
ities (and hence authority) from being transmitted improperly.
fier [24], the sandbox model [25], and stack inspection [26].
Similarly, work on cryptographic protocols often builds on the
All three of these mechanisms are language-based—that is,
Dolev–Yao model [19], where secret information is assumed
enforced through the Java language—although only the byte-
to be indivisible and can be leaked only by insertion in its
code verifier uses static program analysis. None of these
entirety into a message. Finally, “privacy” is sometimes used
mechanisms is intended to control information flow, and,
to refer to the protection of the confidentiality of a principal,
therefore, they are not effective at protecting confidential data.
but is also sometimes used as a synonym for anonymity. For
The bytecode verifier ensures only that applications respect the
clarity we use the term confidentiality. Unless otherwise stated,
Java type system, so that object references cannot be forged
the term security refers to confidentiality in this article.
and private fields cannot be directly accessed. Protection of
private fields is important for confidentiality but because it is
A. Standard Security Mechanisms static, it is less powerful than access-control mechanisms. The
Although the difficulty of strongly protecting confidential sandbox model restricts what classes a Java applet can name,
information has been known for some time, the research but a malicious applet may violate confidentiality by commu-
addressing this problem has had relatively little impact on the nicating with the host from which it was downloaded. Stack
design of commercially available computing systems. These inspection is a dynamic access-control mechanism; although
systems employ security mechanisms such as access control, it helps protect integrity, it does not address confidentiality.
capabilities, firewalls, and antivirus software; it is useful to see Language-based techniques are also used in other ongoing
how the these standard security mechanisms fall short. security research, where the goal is to use type safety to protect
Access control, as embodied in access-control lists [20] the machine against subversion by mobile code (e.g., [24],
and capabilities [21], [22], is an important part of the current [27]–[29]), although some more general security policies can
security infrastructure. For example, a file may be assigned be enforced [30]–[33]. However, none of this language-based
access-control permissions that prevent users other than its work addresses end-to-end security policies.
owner from reading the file; more precisely, these permissions
prevent processes not authorized by the file owner from
C. Covert Channels
reading the file. However, access control does not control how
the data is used after it is read from the file. To soundly enforce Mechanisms for signaling information through a computing
confidentiality using this access-control policy, it is necessary system are known as channels. Channels that exploit a mech-
to grant the file access privilege only to processes that will anism whose primary purpose is not information transfer are
not improperly transmit or leak the confidential data—but called covert channels [18]; they pose the greatest challenge
these are precisely the processes that obey a much stronger in preventing improper information leaks. Covert channels fall
information-flow policy! Access-control mechanisms cannot into several categories:
identify these processes; therefore, access control, while use- • Implicit flows signal information through the control
ful, cannot substitute for information-flow control. structure of a program.
SABELFELD AND MYERS: LANGUAGE-BASED INFORMATION-FLOW SECURITY 3
h∈
/ Vars(exp) [C5–6] that given an if (loop) with a high guard, the branches
[E1–2]
exp : high (loop body) must be typable in a high context. Let us refer
exp : low
to loops with a high guard as high loops, and to conditionals
exp : low with a high condition as high conditionals. The rule [C7] is
[C1–3] [pc]
skip [pc]
h := exp
[low ]
l := exp a subsumption rule. It guarantees that if a program is typable
[pc]
C1 [pc]
C2
exp : pc [pc]
C in a high context then it is also typable in a low context. This
[C4–5] rule allows us to reset the program counter to low after a high
[pc]
C1 ; C2 [pc]
while exp do C
conditional or a loop, avoiding one source of label creep (cf.
exp : pc [pc]
C1 [pc]
C2 [high]
C Sections II-E and II-F).
[C6–7]
[pc]
if exp then C1 else C2 [low ]
C Examples of typed programs are [low ]
h := l+4; l := l−5
and [high]
if h = 1 then h := h + 4 else skip. As expected,
Fig. 3. Security-type system. the example programs with explicit and implicit insecure flows
l := h and if h = 1 then l := 1 else skip are not typable.
which reads “if two input states share the same low values,
IV. T RENDS IN L ANGUAGE -BASED I NFORMATION F LOW
then the behaviors of the program executed on these states are
indistinguishable by the attacker.” The particular model of the We have considered succinct examples of how to express a
observable behavior depends on the desired security property. noninterference-style security policy using low-view relations
For example, in our language we may set s ≈ L s iff s, s ∈ and a static certification-style security analysis using a type
S implies s =L s . Under this assumption, condition (∗) system. However, the true value of these two representa-
corresponds to the absence of strong dependency [49], [50] of tions lies in their connection. Indeed, the ultimate goal for
the variable h on the variable l. According to such a condition, formalizing confidentiality properties is to have tools that
the program h := l+4 is secure because the low output (which are not only expressive but also ensure rigorous end-to-end
is the same as low input) is unaffected by changes to the high security policies. While work on information flow prior to the
input. The program (if l = 5 then h := h + 1 else l := l + 1) mid-nineties typically handled either policies or analyses in
is also secure because the final values of l only depend separation, Volpano et al. [3] were the first to establish an
on the initial value of l. However, the programs l := h explicit connection. They cast a Denning-style analysis as a
and (if h = 3 then l := 5 else skip) are clearly insecure: for type system similar to Figure 3 and showed that if a program
example, taking 2 and 3 as initial high values gives different is typable then it is secure according to condition (∗). This
final values for l. For the former program with 0 as the initial result improves security assurance because it is based on an
value of l we have (2, 0) = L (3, 0), but l := h(2, 0) = extensional security definition. Such a definition is expressed
(2, 2) ≈L (3, 3) = l := h(3, 0). by the low view under a standard semantic model as opposed
to the ad-hoc security semantics (or no security semantics at
B. A Security-Type System all) underlying previous approaches (e.g., [2], [52]–[61]).
We identify four directions of research in language-based
A security-type system is a collection of typing rules that security that branch off from this meeting point of noninter-
describe what security type is assigned to a program (or ex- ference and static certification: (i) enriching the expressiveness
pression), based on the types of subprograms (subexpressions). of the underlying programming language, (ii) exploring the
We write
exp : τ to mean that the expression exp has type impact of concurrency on security, (iii) analyzing covert
τ according to the typing rules. This assertion is known as channels, and (iv) refining security policies. In the rest of
a typing judgment. Similarly, the judgment [pc]
C means this section, we sketch recent work in these directions. The
that the program C is typable in the security context pc. For diagram in Figure 4 illustrates the structure of current work
our purposes, the security context is just the program counter and is intended to serve as a road map for the interested reader
label pc (cf. Section II-F). to follow the evolution described (recommended references are
Figure 3 presents the typing rules for our simple language. provided in the diagram).
(This system is, in fact, equivalent to a type system by Volpano
et al. [3].) Expression types and security contexts can be either
high or low . According to the rules [E1–2], any expression A. Language Expressiveness
(including constants, the variable h, and even l) can have type A major line of research in information flow pursues the
high; however, an expression can have type low only if it has goal of accommodating the increased expressiveness of mod-
no occurrences of h. ern programming languages. We concentrate on progress on
Consider the rules [C1–7]. The commands skip and h := procedures, functions, exceptions, and objects.
exp are typable in any context. The command l := exp is Procedures: Volpano and Smith [63] give a type system
only typable if exp has type low . This prevents explicit flows. for a language with first-order procedures and prove that it
Notice that l := exp is only typable in the low context which, guarantees noninterference. The type system relies heavily on
in combination with the rest of the (purely compositional) polymorphism, a well-studied concept in type systems. Poly-
rules, disallows implicit flows. Indeed, notice that [high]
C morphism means that the type of commands or expressions
for some command C ensures that there are no assignments to may be generic, i.e., may depend on the context. For example,
low variables in C. This justifies the requirement of the rules procedures may have polymorphic security types so that their
6 IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 21, NO. 1, JANUARY 2003
static noninterference
certification [40], [62] [47], [49], [50]
declassification
procedures [63] sound security analysis [3]
[2], [4], [64], [65]
exceptions relative
threads [6] timing [10]
[7], [14], [67] security [70]
quantitative
distribution probability
objects [7], [13] security
[71], [72] [9], [11]
[73], [74]
invocation can be adjusted to either low or high context. exceptional conditions. Exceptions can be caught by a special
(Recall that a high context corresponds to a high program language construct, resulting in a nonlocal transfer of control
counter, i.e., a program point inside a high conditional or that can create implicit flows. If not caught, an exception
loop.) Notice that our example type system in Figure 3 also may also create an implicit flow of information. Volpano and
has simple polymorphic rules in pc, e.g., h := h + 3 can Smith [67] propose a simple but restrictive type system for
either be typed by [high]
h := h + 3 or [low ]
h := h + 3 handling exceptions. Myers [7] argues that this may lead to
depending on the context. loss of precision in the analysis and introduces path labels
Functions: Heintze and Riecke [5] consider information that allow finer-grained tracking of the implicit flows caused
flow in the SLam calculus, a functional language, based on the by exceptions. Pottier and Simonet [14], [77], [78] suggest
λ-calculus [75], that supports first-class functions (functions a similarly fine-grained analysis of exceptions and also give
usable as ordinary values). They propose a type system for noninterference proofs for a functional setting.
confidentiality and integrity in SLam and prove a noninterfer- Objects: Objects are another important language feature;
ence theorem using logical relations. They also extend SLam they subsume first-class functions because first-class functions
and the type system with state and concurrency, but do not can be encoded as objects. The JFlow language [7] extends
prove noninterference. Java with a type system for tracking information flow. This
Zdancewic and Myers [12], [76] define a secure calculus language has also been implemented in the Jif compiler [44].
that has first-class continuations, state, and references, and Barthe and Serpette [8] consider information flow in a simple
prove that its type system enforces noninterference. Continu- object-oriented language based on the Abadi–Cardelli func-
ations are a more expressive control construct than functions. tional object calculi [79] and show that their type system en-
They also show that a fragment of SLam, augmented with state forces noninterference. Banerjee and Naumann [13] develop a
and references, can be encoded in their continuation-passing security-type system for a Java-like imperative object-oriented
style calculus without any loss of precision. language and show that it enforces noninterference.
Pottier and Conchon [16] show a systematic way to extend
conventional type systems with flow control in a functional B. Concurrency
setting. This approach simplifies correctness proofs by al- In principle, concurrency could be considered one of the
lowing them to be extracted from the correctness proofs language extensions in the previous section. However, the
for the original type system. Pottier and Simonet [14], [77] nature of concurrent computation raises new concerns about
prove noninterference for an extension of the purely functional the low-view model, making concurrency a major topic of its
part of SLam, extended with references, exceptions, and type own.
polymorphism. Nondeterminism: A first step toward concurrency is
Exceptions: Exceptions (such as in Java) can be raised by nondeterministic computation. Noninterference as originally
the language in an event of a run-time error, such as division defined was a property of deterministic computations. A
by 0. They may also be used by the programmer to signal straightforward way to generalize it to nondeterminism is to
SABELFELD AND MYERS: LANGUAGE-BASED INFORMATION-FLOW SECURITY 7
consider the observable behavior of a program to be the set sequential languages—are sufficient for noninterference under
of its possible results. With this interpretation, the security a purely nondeterministic scheduler: no while loop may have
condition (∗) of Section III-A means that high inputs may a high guard, and no high conditional may contain a while
not affect the set of possible low outputs. This is known as a loop in its branch.
possibilistic security condition [80]. There is a substantial body However, some programs that this analysis determines to
of work on possibilistic generalizations of noninterference for be secure—and that meet the possibilistic security condition—
a nondeterministic setting (e.g., [80]–[83]). may be insecure in practice. For example, the program
In the context of programming languages, Banâtre, Bryce,
(if h = 1 then Clong else skip); l := 1 l := 0
and Le Métayer [57] suggest an analysis that tracks dependen-
cies between variables for a language with a nondeterministic (where denotes the parallel composition and C long is a time-
choice operator. consuming series of skip commands) is considered secure.
Leino and Joshi [66], [84] define an elegant equational However, under many schedulers (such as round-robin), if h
security property for nondeterministic programs. Define a is 1 then the last subcommand to be executed is likely to
program HH (“havoc on h”) to have the (informal) semantics be l := 1. This is an encoding of a timing leak into a direct
“set h to an arbitrary value”. Now, a program C is considered leak (by assignments, sequential and parallel composition). Al-
secure iff though the set of possible results of the program is independent
of h assuming a nondeterministic scheduler, some refinements
∀s ∈ S. HH ; C; HH s ≈ C; HH s
of the program, in which possible outcomes are eliminated by
for an appropriate equivalence relation ≈ on sets of final choosing a scheduler, are not secure. In a concurrent setting,
values. The occurrence of HH after C, in effect, equalizes possibilistic security is often subject to such refinement attacks.
the set of possible final values of h. This equation has the Later work by Volpano and Smith [9], [86] investigates
intuitive reading that scrambling the initial value of h does not security in the presence of the uniform scheduler (such a
reflect on the set of final values of l; thus, it is a possibilistic scheduler selects a thread from the pool of live threads with
security condition. Among advantages of this approach is the the uniform probability distribution) and gives a probability-
flexibility in the choice of ≈ and verification conditions [66], sensitive security specification that rejects the program above
[84] for proving equational security. as insecure. Because scheduling policies may vary from imple-
Sabelfeld and Sands [17], [85] formalize a number of mentation to implementation, Sabelfeld and Sands [11] argue
security specifications by partial equivalence relations (PERs) for scheduler-independent security (robust with respect to a
of which the equational security condition above is an instance. wide class of potentially probabilistic schedulers) and prove a
Abadi et al. [15] were the first to adapt PERs from program noninterference result for a security-type system.
analysis to reason about variations in the spirit of the low Smith [87] and, independently, Boudol and Castellani [88],
view ≈L in the deterministic setting. The extension of PERs [89] observe that a high while-loop can be considered secure
to handle nondeterministic security [17], [85] develops a link in a concurrent setting, provided that there are no low assign-
between low-view relations ≈ L and equivalence relations ≈ ments that follow the loop. This is enforced by respective type
for programs that exhibit nondeterminism. systems. Smith’s type system guarantees probabilistic nonin-
Thread concurrency: Consider multithreaded programs terference. Boudol and Castellani’s typing rules are extended
executed on a single processor. One complication with con- to schedulers with the result that any typed system (consisting
current models is that the high part of program states has to of threads and a scheduler) must satisfy possibilistic noninter-
be protected at all times during computation. For example, ference.
we might consider the program (thread) h := 0; l := h secure Sabelfeld [90] extends both the definition of noninterference
because the initial secret value has been overridden by constant and a type system to handle thread synchronization. The effect
0. However, security can be compromised in case another of synchronization is similar to that of loops: the type system
(secure) program runs in parallel. This other program may rules out synchronization that depends on high data in order
update the value of h with a secret (e.g., h := h for some to ensure noninterference.
high variable h ) immediately before l := h is executed by the Honda et al. [91], [92] have taken another approach to
first thread. secure concurrent languages: security-type systems for the
Another issue is that the security of multithreaded computa- asynchronous π-calculus, a general model of concurrent com-
tion is tightly connected with timing- and probability-sensitive putation in which threads are implicit. Channel types in these
security. Indeed, assuming that the scheduler that determines languages may be annotated with a number of attributes that
what thread is selected at the next step exhibits (potentially describe possible communication patterns; notably, channel
probabilistic) behavior, this behavior is reflected on the choice types may be linear or affine, meaning that the channel may
of what thread is executed. Thus, the execution order of low- be used for exactly one or at most one message, respectively.
level computation may be affected. We will focus on timing- These complex security-type systems are able to enforce
and probability-sensitive security in Section IV-C. noninterference with about the same precision as the other
In contrast to earlier work on security for concurrent pro- type systems for concurrent languages.
grams [52], [53], [56], [58], Smith and Volpano [6] prove Pottier [93] presents a syntactic technique that extends the
noninterference for a multithreaded language. They show that π-calculus to a calculus of pairs of processes. Noninterference
two requirements—imposed in addition to those enforced for is reduced to a safety property for such a calculus, and
8 IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 21, NO. 1, JANUARY 2003
this property is established by subject reduction, which is a typed program is automatically partitioned in a fine-grained
standard technique for showing the soundness of type systems. manner into communicating subprograms that run securely on
This technique is also used in noninterference results for the available hosts and carry out the original computation. The
functional languages [14], [77], [78], [93]. security types in the language can specify both confidentiality
Zdancewic [94] develops an alternate approach to checking and integrity policies; the latter are used to prevent untrusted
security for concurrent systems based on the idea of low- hosts from subverting security-critical decisions. The system is
view determinism developed by Roscoe [95] in the context of intended to allow enforcement of end-to-end security policies
CSP. A program is considered to be secure only if its results, that go beyond noninterference, but there is no proof that the
viewed through the low-view relation ≈ L , are deterministic system enforces a noninterference-like property. A theorem
despite considering high inputs as chosen nondeterministically. about the integrity of control flow in the partitioned program
This security condition generalizes noninterference, but is not is proved, however.
possibilistic and is not subject to refinement attacks. However, Language-based techniques are useful in modeling and
it may rule out useful nondeterminism. Zdancewic gives a analyzing information flow in security protocols. Abadi [64],
security-type system for a concurrent language that supports [97] shows how confidentiality can be achieved by typing
an arbitrary number of processes and message-passing com- in distributed security protocols in the presence of shared-
munication (including first-class channels); he shows that this key encryption. A recent work by Abadi and Blanchet [98]
type system, when combined with a suitable alias analysis, deals with types for protocols involving public-key encryption.
enforces the security condition. Sumii and Pierce’s work on protocols [99] employs logical
Distribution: Understanding security in the distributed relations for reasoning about the low view of systems in the
setting is one of the most pressing needs. Distributed systems presence of encryption.
are naturally concurrent, but three new issues are raised in
this setting: first, distributed programs must have the ability
C. Covert Channels
to exchange messages, and these communications may be ob-
served to some extent by attackers. Second, systems are often Recall from Section II-C that covert channels are ways
distributed precisely because they serve the needs of multiple to transfer information within a computing system using
principals who do not fully trust each other. A way is needed to mechanisms not intended to function as information channels.
provide security despite this mutual distrust. Third, distributed For example, many implicit flows are examples of covert
systems have components (such as host machines) that can storage channels. There are several kinds of covert channels
fail; these failures may include the complete subversion of that are more difficult to identify: for example, information
these components by malicious attackers. A subverted host flows resulting from dependencies between sensitive data and
may continue to simulate proper functioning, but improperly observable behavior of the system such as timing or the
release data it receives; it may also attempt to compromise the system’s stochastic behavior. Thus, the assumption that the
behavior of other components of the system to cause them to attacker is capable of such observations must be reflected in
violate confidentiality. the low view of the system.
Early confidentiality definitions for language-based dis- Termination channels: Assuming that an attacker can
tributed systems were phrased in terms of a security logic observe program termination (or nontermination), program
(which, however, lacked a rigorous relation to program seman- while h = 1 do skip is no longer secure. Volpano and
tics). Reitman’s logic [96] addresses the security of message- Smith [67] argue for termination-sensitive noninterference.
passing primitives commonly used in distributed programs. Such noninterference can be expressed as condition (∗) with
Banâtre and Bryce’s logic [56], [58] formalizes security prop- the low-view relation ≈ L that relates two behaviors iff both
erties for a language with synchronous message passing. diverge or both terminate in low-equal final states (s ≈ L s
Sabelfeld and Mantel [72] investigate the security impli- iff either s, s ∈ S and s =L s or s = s = ⊥). In order to
cations of various communication primitives. They consider prevent termination attacks, the type system of [67] disallows
blocking vs. nonblocking and synchronous vs. asynchronous high loops and requires high conditionals have no loops in the
primitives for message passing and propose a type system that branches.
enforces timing-sensitive noninterference for a language that Abadi et al. [15] establish a connection between security
features both multithreading and message passing. analysis and three types of program analyses: binding-time
Relatively little work has addressed the problem of infor- analysis, call tracking, and program slicing. These analyses
mation flow in a distributed system that incorporates mutual are related because the properties they identify are all depen-
distrust and arbitrary component failure. Zdancewic et al. [71] dency properties. Abadi et al. express this dependency in terms
propose and implement an architecture called secure program of PERs for a calculus based on a variation of the λ-calculus.
partitioning to address these issues. The goal of this archi- They show that PERs capture termination-sensitive security.
tecture is to protect the confidentiality of multiple principals Binding-time analysis is particularly close to security anal-
who do not trust the other principals and have only partial (and ysis. In the field of partial evaluation, binding-time analysis
differing) trust in the host machines available for computation. divides program terms into static (known at partial-evaluation
In this setting, the informal security condition is that the time) and dynamic (to be supplied later). The correctness
security of a principal is not threatened unless there is a condition for binding-time analysis states that no static term
failure of a host that the principal trusts. A sequential, security- depends on a dynamic variable. Viewing dynamic as high and
SABELFELD AND MYERS: LANGUAGE-BASED INFORMATION-FLOW SECURITY 9
static as low we obtain the connection to security. The connec- where p is a probabilistic choice operator that selects the left-
tion with partial evaluation has been explored by Sabelfeld and hand side command with the probability p and the right-hand
Sands [17], [85], Barthe and Serpette [8], and Thiemann [100]. side with the probability 1 − p; and rand (n) is a function
Timing channels: In practice, nontermination cannot be returning a random value from the range 0 . . . n according
distinguished from a very time-consuming computation. Thus, to the uniform distribution. According to purely possibilistic
the termination channel can be viewed as an instance of the conditions (e.g., [6], [66]) the program above is secure. Indeed,
timing channel. Timing channels can present a serious threat varying PIN does not change the set of possible outcomes
(see [101] for a timing attack on RSA encryption). As we for l. However, it does change the probability of outcomes for
have seen in Section IV-B, timing channels are particularly l, which is reflected by probability-sensitive definitions. Such
dangerous in the presence of concurrent threads, as they may definitions in non-language-specific settings include McLean’s
result in information leaks. Timing-sensitive noninterference flow model [102] and probabilistic noninterference [103],
is formalized by condition (∗) with the low-view relation ≈ L [104].
that relates two behaviors iff both diverge or both terminate Sabelfeld and Sands [17], [85] lift the PER model to
in the same number of execution steps in low-equal final probabilistic powerdomains to characterize probabilistic non-
states. A high conditional may generate a timing leak, e.g., interference. An important contribution of this work is the
if h = 1 then Clong else skip (cf. Section IV-B). Volpano compositionality result that guarantees that if secure programs
and Smith [9] suggest restricting high conditionals to have no are plugged into an appropriate context the resulting program
loops in the branches and wrapping each high conditional in is secure. Due to this property the correctness proofs for
a protect statement whose execution is atomic. This discipline security-type systems (which are also compositional) become
is enforced by an accompanying type system. straightforward, which is exemplified in [17].
Agat’s approach [10] to closing timing leaks is based on As we observed in Section IV-B, a scheduler in a concur-
another example of a well-studied technique in programming rent setting may be probabilistic. Volpano and Smith’s type
languages, program transformation. The transformation can system [9], [86] captures probabilistic flows resulting from
be represented as a type system with type assignments of the the uniform scheduler in a multithreaded language.
following form: C → C : Sl where C is the original program, Sabelfeld and Sands [11] connect probabilistic security with
C is the result of the transformation, and Sl is the low slice of probabilistic bisimulation [105] which is a standard semantic
C . The low slice Sl is different from C in that subcommands model for probabilistic computation. As a benefit of this
of C that involve high data are replaced by dummy commands connection, their security condition improves the precision
with no effect on high variables. This ensures Sl ≈ L C . of previous probability-sensitive definitions (e.g., [9]). They
Either the original program C is rejected (in case of a potential extend the language with dynamic thread creation and prove
explicit or implicit insecure information flow) or accepted and scheduler-independent timing-sensitive noninterference for a
transformed into program C free of timing leaks. The core security analysis. Correctness proofs are accommodated by a
rule of the type-and-transformation system is: compositional security definition that implies noninterference.
calculus [107]. Secret keys and their usage are hidden by Di Pierro et al. [74] suggest approximate noninterference,
the low view in an extensional security condition. Abadi and which can be thought of as noninterference “up to .” They
Blanchet’s type system [98] analyzes Dolev–Yao secrecy for also provide a probability-sensitive program analyses that
the spi calculus. ensures precise [111] and approximate [74] noninterference for
Dam and Giambiagi’s admissibility [68] for JVM applets a probabilistic constraint-programming calculus. An extension
is a weakening of noninterference. They analyze an online of this work [112] is concerned with a sound analysis geared
payment protocol which involves encryption of secrets, and toward the attacker that is able to make external observations
show that it has the desired admissibility property. Admissi- about the system, such as the average state over a limited
bility corresponds to the security policy that explicitly states number of steps.
what dependencies between data are allowed in a program Lowe’s quantitative definition of information flow [113]
(including those caused by downgrading). Giambiagi’s subse- is intended to measure the capacity of covert channels in a
quent work [69], [108] separates protocol specification from its process-algebra setting. Like other quantitative definitions, this
implementation. The proposed security condition guarantees definition is based on Shannon’s information theory [114].
that an admissible program has no other information flows than However, unlike other models, Lowe’s definition is sensitive to
those intended by the protocol specification (and explicitly nondeterminism. The amount of leaked information is based
recorded in a confidentiality policy). The security condition on the number of different behaviors of a high-level user that
is termination and timing sensitive (agreeing with noninter- can be distinguished by a low-level user.
ference modulo flows allowed by the protocol specification).
This approach is realized for a guarded-command implemen- V. O PEN C HALLENGES
tation language that includes encryption, decryption, iteration,
This section discusses some challenges for language-based
message-passing and exception constructs [69].
security researchers. Some challenges are natural goals emerg-
Systems containing intentional downgrading channels intro-
ing from the existing directions described in Section IV; others
duce the possibility that these channels will be exploited to
have been investigated less but are nonetheless crucial for
downgrade more information than was intended by the pro-
practical enforcement of end-to-end security policies.
grammer. Zdancewic and Myers [65] propose robust declas-
sification, a security property that prevents exploitation of the
channels. Robust declassification says that an active attacker A. System-Wide Security
(who can affect system behavior) cannot learn anything more Computer systems are only as secure as their weakest point,
than a passive attacker (who may only observe the system’s so a system-wide security model is essential to guarantee
behavior). The presumption is that information flows visible that not only the system components are secure but also
to the passive attacker are intended to be present. their combination. A challenging direction here is the inte-
Volpano and Smith [70] concentrate on the scenario of a gration of language-based information flow and system-wide
password-checking program. They provide a type system that information-flow control. The secure program partitioning
allows for operations similar to password queries and give approach of Zdancewic et al. [71] directly addresses this notion
a security assurance based on probabilistic complexity: first, of end-to-end, system-wide security. It prevents attacks on
no well-typed program can leak secrets in polynomial (in the a distributed system considered as a whole, and explicitly
length of the secret) time; and, second, secret leaks are only models distrust between principals and hosts. Mantel and
possible with a negligible probability. Continuing this line of Sabelfeld [115], [116] also make a step in this direction,
work, Volpano [109] proves that leaking passwords in a system proposing a way to integrate language-based confidentiality
where passwords are stored as images of a one-way function properties of local computation into an abstract framework of
is not easier than breaking the one-way function. global properties. This link at the end-to-end level facilitates
Laud’s complexity-theoretic security specification [110] re- a modular end-to-end system design. Rigorous connections to
lies on computational indistinguishability by a polynomial- areas such as security protocols and trust management are most
time (again in the length of the secret) adversary in an desirable.
imperative language. The specification is accompanied by a
sound analysis that, e.g., accepts the program l := enc k (h),
i.e., encryption of h with a key k. B. Certifying Compilation
It is often useful to allow for a limited bandwidth of One potential weakness of using a compiler to validate
information leaks. For example, one may consider the program information flows is that it places both the type checker and the
that queries a four-digit number and matches it to a secret PIN code generator of the compiler in the trusted computed base
1
to be secure if the probability of leakage ( 10000 in this case) (TCB) [117]. It is clearly desirable to perform information-
is less than a threshold value . Early ideas of quantitative flow analysis on code that is as close to the executed code
security (as opposed to qualitative) go back to Denning’s as possible, avoiding these trust dependencies. This is also
work [41] which, however, does not provide automated tools important because much malicious code is distributed in the
for estimating the bandwidth. Clark et al. [73] propose syntax- form of programs in a low-level machine language (not to be
directed inference rules that aid in computing estimates on confused with the low level of confidentiality for data) such
information flow resulted from if statements in an imperative as Java applets or ActiveX components. Certifying compila-
language. tion [118] is an attractive way to generate machine code that
SABELFELD AND MYERS: LANGUAGE-BASED INFORMATION-FLOW SECURITY 11
is annotated with the necessary information to perform static system must be able to enforce dynamically changing security
validation. Java bytecode verification [24] and typed assembly policies.
language [28] (primarily used to guarantee memory safety) are Dynamic security policies have been proposed in a lan-
examples of this approach. guage-based setting [4] and implemented in the Jif com-
Low-level languages have not received much attention in piler [7], [44]. In the Jif security-type system, types may be
studies of secure information flow. One difficulty with check- annotated with confidentiality labels that refer to variables of
ing information flow in low-level languages is that useful the type label. Thus, labels may be used both as first-class
information about program structure is lost during compi- values and as labels for other values. Types that depend on
lation. Consequently, typical source-language techniques do values computed at run time are dependent types, a topic
not generalize straightforwardly [12], [76], [119]. Zdancewic long of interest in the programming-languages community
and Myers [12], [76] present a type system that ensures (e.g., [122], [123]).
noninterference in low-level programs in which the only con- Dynamic security policies are an important area for future
trol construct is continuations (which correspond to indirect work; although dynamic labels are not known to introduce
branches at the machine-code level [120].) Ordered linear unsoundness into the Jif type system, currently there are no
continuation types enforce a stack discipline that permits a noninterference results for any fragment that supports them.
high-precision analysis. The difficulty in adding dynamic labels is that because they
Another worthwhile direction for future work is adapting are computed at run time, they create an additional information
techniques for the security of machine code to information channel that must be controlled through the type system [7]. A
flow: for example, typed assembly languages [28] that guar- type system that provably controls this information channel—
antee machine code does not violate type safety, and proof- without being unnecessarily restrictive—would be a welcome
carrying code [30], [121], where a proof that the program result.
satisfies a security policy is distributed with the code and is
checked before execution. E. Practical Issues
Efforts spent on accommodating richer languages and mod-
eling elaborate attacks should be supported by the investigation
C. Abstraction-Violating Attacks
of the impact on the restrictiveness for a programmer. The
It is inevitable that the model of the attacker is an abstraction question is whether it is, in the first place, possible to write
that removes possibly important details about the real attacker. efficient secure programs that do not violate security require-
This abstraction enables the real attacker to circumvent the ments. For a timing-sensitive setting, a step has been made
security mechanisms by mounting an attack that lies outside by Agat and Sands [124] who show that basic algorithmic
the abstract model. One example of such an attack on timing- building blocks (such as sorting and searching) that manipulate
sensitive security is a cache attack [119]. Consider the follow- secret data can be securely implemented without a substantial
ing example: loss of efficiency: for n objects, the asymptotic complexities
of sorting and searching are O(n log n) and O(log n), respec-
(if h = 1 then h := h1 else h := h2 ); h := h1
tively.
where all variables are high. Independently of sensitive data, Only a few implementations exist that support security-
the program executes the same number of instructions. How- type inference [44], [71], [119]. More experience is needed
ever, in the presence of a cache, execution time is likely to for deeper understanding on practical implications of secure
be shorter when the initial value of h is 1: by the time the information flow.
last assignment is executed, the value of h 1 will already be The general problem of confidentiality for programs is
present in the cache. undecidable. For example, consider a program C that uses only
While this attack can be prevented by a cross-copying low variables. Clearly, we can reduce the (undecidable) prob-
transformation that ensures that the same memory cells are ref- lem whether C always diverges to the problem whether the
erenced in both branches of the if, possible attacks remain that program if h = 1 then (C; l := 7) else skip is secure. (While
are based on instruction cache, virtual memory and platform- this example is specific to termination-insensitive security, the
dependent behavior [119]. As this example demonstrates, it program if h = 1 then (C; l := 7) else (while true do skip) can
is vital that the abstractions made in the attacker model are be used in the reduction under termination-sensitive security.)
adequate with respect to potential attacks. It is important that security static analyses do not reject
too many secure programs, even though they are necessarily
conservative. Research aimed at improving the precision of
D. Dynamic Policies type systems deserves further attention (e.g., [10], [11], [76],
It is a common assumption in language-based work on [78], [87]–[89], [94]). Moreover, approaches other than type
information flow that information-flow policies are known systems offer valuable alternatives for accurate and flexible
statically, at compile time. This is not a realistic assumption security analyses. This is the focus of the following section.
for a large computing system. For example, the files in a
file system have attached security policies (permissions) that F. Variations of Static Analysis for Security
can be changed dynamically. If these permissions are to Control- and data-flow analyses [125] are established areas
be enforced as end-to-end policies, programs accessing file of program analysis concerned with dependencies due to
12 IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 21, NO. 1, JANUARY 2003
control and data flow; they are a natural match for tracking (e.g., [7], [63]), dependent types (e.g., [7]), linear types
security dependencies in programs. While type systems are, (e.g., [12], [76]), and type-directed translation (e.g., [10],
in general, intuitive and well understood, one reason for using [71]).
control- and data-flow analyses is that type systems sometimes Semantics-based security models: Semantics-based mod-
lack the principal type (the most general type that can be given els are suitable for describing end-to-end policies such as
to a command or expression), which may result in the loss of noninterference and its extensions. These models allow for a
precision [126]. precise formulation of the attacker’s view of the system. This
Bodei et al. [127], [128] demonstrate the use of a control- view is described as a relation on program behaviors where
flow analysis to establish Bell–LaPadula security properties two behaviors are related if they are not distinguishable by
for the π-calculus. In the context of firewalls, formalized by the attacker. Attackers of varying capabilities can be modeled
ambients [129], Nielson et al. [130] show how to statically straightforwardly as different attacker views, and correspond
reject firewalls that may accept the attacker that fails to provide to different security properties. In particular, it has been shown
the required password. Bodei et al. [131] devise a control- how to represent the timing (e.g., [10]) and probabilistic
flow analysis that guarantees Dolev–Yao secrecy for the spi (e.g., [9], [11]) behavior of programs if the attacker is capable
calculus. They suggest a conservative extension of the analysis of making timing- and probability-sensitive distinctions.
that also enforces noninterference-based confidentiality. Compositionality: A number of further advantages are
Clark et al. [132] propose a high-precision control-flow- associated with both security-type systems and semantics-
sensitive security analysis for a higher-order imperative lan- based security. Compositionality is especially valuable in the
guage. In particular, the analysis traces global flows more context of security properties. While it is folklore in the
accurately than many type systems. For example, it accepts security community that security properties do not compose
as secure the program (cf. [82], [137]), compositionality is fundamental in program-
ming languages. Most type systems and many security con-
(if h = 1 then l := 1 else l := 0); l := 0 ditions (e.g., [11], [17], [72], [90], [138]) are compositional,
which is also secure by both termination-sensitive and ter- which ensures that plugging secure programs into a security-
mination-insensitive interpretations of condition (∗). Yet a preserving context gives a secure program. Compositionality
typical security-type system (e.g., [3]) rejects the program. greatly facilitates correctness proofs for program analyses.
Related use of language-based techniques: There is a
The framework of abstract interpretation [133] is a power-
large body of work on noninterference in the setting of
ful methodology for designing static analyses that are sound
process algebras such as CCS (e.g., [139]), CSP (see [140]
by construction. Malacaria and Hankin [134] develop an
for an overview), π-calculus, the spi calculus, and other event-
information-flow analysis by abstract interpretation in the
based systems (e.g., [83]). Notably, the idea of representing
setting of game semantics [135]. Zanotti [136] proposes an
attackers as view relations is also common in studies of
abstract-interpretation-based security analysis that generalizes
noninterference for process algebra [141]. Compositionality
the security-type system by Volpano et al. [3].
reasoning (e.g., [139], [142]) is an essential part of security
investigations of event-based systems. Type systems are widely
VI. C ONCLUSION used for ensuring confidentiality properties, in the spi calculus
We have argued that standard security practices are not (e.g., [97], [98]), and (variations of) π-calculus (e.g., [91], [92],
capable of enforcing end-to-end confidentiality policies; mech- [143]–[145]). Timing- and probability-sensitive confidentiality
anisms such as access control, encryption, firewalls, digital has been explored by, e.g., Focardi et al. [146] and, e.g.,
signatures, and antivirus scanning do not address the funda- Aldini [147], respectively, for variations of CCS. Lowe [113]
mental problem: tracking the flow of information in computing has explored quantitative information flow for CSP (cf. Sec-
systems. Run-time monitoring of operating-systems calls is tion IV).
similarly of limited use because information-flow policies are Toward a practical security mechanism: If the recent
not properties of a single execution; in general, they require progress in language-based techniques for soundly enforcing
monitoring all possible execution paths. On the other hand, end-to-end confidentiality policies continues, the approach
there is clear evidence of benefits provided by language-based may soon become an important part of standard security
security mechanisms that build on technology for static analy- practice. However, there are three areas where further work
sis and language semantics. In this section, we summarize the is needed:
benefits of security-type systems and semantic-based security • Semantics of information flow are needed for concurrent
models, and emphasize the compositional nature of both. We and distributed systems so that useful end-to-end security
conclude by discussing related and future work. guarantees are provided without ruling out useful, secure
Security-type systems: Type systems are attractive for programs.
implementing static security analyses. It is natural to augment • New type systems or other static analyses are needed,
type annotations with security labels. Type systems allow for for which the notion of a well-formed (typable) program
compositional reasoning, which is a necessity for scalability closely approximates the semantic notion of security.
when applied to larger programs. Many well developed fea- • Certifying compilers are needed for security-typed lan-
tures of type systems have been usefully applied to security guages, because compilers for source languages (such as
analysis. Examples include subtyping (e.g., [3]), polymorphism Jif) are too complex to be part of the trusted computing
SABELFELD AND MYERS: LANGUAGE-BASED INFORMATION-FLOW SECURITY 13
base. However, current security-type systems are not [21] J. B. Dennis and E. C. VanHorn, “Programming semantics for
expressive enough to support a security-typed low-level multiprogrammed computations,” Comm. of the ACM, vol. 9, no. 3,
pp. 143–155, Mar. 1966.
target language. [22] W. A. Wulf, E. Cohen, W. Corwin, A. Jones, R. Levin, C. Pierson, and
The inability to express or enforce end-to-end security F. Pollack, “HYDRA: The kernel of a multiprocessor system,” Comm.
of the ACM, vol. 17, no. 6, pp. 337–345, June 1974.
policies is a serious problem with our current computing [23] D. Box, D. Ehnebuske, G. Kakivaya, A. Layman, N. Mendelsohn,
infrastructure, and language-based techniques appear to be H. F. Nielsen, S. Thatte, and D. Winer, “Simple object access protocol
essential to any solution to this problem. (SOAP) 1.1,” http://www.w3.org/TR/SOAP/, May 2000.
[24] T. Lindholm and F. Yellin, The Java Virtual Machine, Addison-Wesley,
Reading, MA, May 1996.
ACKNOWLEDGMENT [25] J. S. Fritzinger and M. Mueller, “Java security,” Tech. Rep., Sun
Microsystems, Inc., Palo Alto, CA, 1996.
The authors would like to thank M. Hicks for helpful [26] D. S. Wallach, A. W. Appel, and E. W. Felten, “The security archi-
comments and the anonymous reviewers for useful feedback. tecture formerly known as stack inspection: A security mechanism for
language-based systems,” ACM Transactions on Software Engineering
and Methodology, vol. 9, no. 4, pp. 341–378, Oct. 2000.
R EFERENCES [27] R. Wahbe, S. Lucco, T. Anderson, and S. Graham, “Efficient software-
based fault isolation,” in Proc. ACM Symp. on Operating System
[1] J. H. Saltzer, D. P. Reed, and D. D. Clark, “End-to-end arguments in Principles, Dec. 1993, pp. 203–216.
system design,” ACM Transactions on Computer Systems, vol. 2, no. [28] G. Morrisett, D. Walker, K. Crary, and N. Glew, “From System F to
4, pp. 277–288, Nov. 1984. typed assembly language,” ACM TOPLAS, vol. 21, no. 3, pp. 528–569,
[2] J. Palsberg and P. Ørbæk, “Trust in the λ-calculus,” in Proc. Symposium May 1999.
on Static Analysis. Sept. 1995, number 983 in LNCS, pp. 314–329, [29] D. Wagner, Static analysis and computer security: New techniques for
Springer-Verlag. software assurance, Ph.D. thesis, University of California at Berkeley,
[3] D. Volpano, G. Smith, and C. Irvine, “A sound type system for secure 2000.
flow analysis,” J. Computer Security, vol. 4, no. 3, pp. 167–187, 1996. [30] G. C. Necula, “Proof-carrying code,” in Proc. ACM Symp. on
[4] A. C. Myers and B. Liskov, “A decentralized model for information Principles of Programming Languages, Jan. 1997, pp. 106–119.
flow control,” in Proc. ACM Symp. on Operating System Principles,
[31] U. Erlingsson and F. B. Schneider, “SASI enforcement of security
Oct. 1997, pp. 129–142.
policies: A retrospective,” in Proc. of the New Security Paradigm
[5] N. Heintze and J. G. Riecke, “The SLam calculus: programming
Workshop, Sept. 1999, pp. 87–95.
with secrecy and integrity,” in Proc. ACM Symp. on Principles of
[32] D. Evans and A. Twyman, “Flexible policy-directed code safety,” in
Programming Languages, Jan. 1998, pp. 365–377.
Proc. IEEE Symp. on Security and Privacy, May 1999, pp. 32–45.
[6] G. Smith and D. Volpano, “Secure information flow in a multi-
[33] F. B. Schneider, G. Morrisett, and R. Harper, “A language-based
threaded imperative language,” in Proc. ACM Symp. on Principles
approach to security,” in Informatics—10 Years Back, 10 Years Ahead,
of Programming Languages, Jan. 1998, pp. 355–364.
vol. 2000 of LNCS, pp. 86–101. Springer-Verlag, 2000.
[7] A. C. Myers, “JFlow: Practical mostly-static information flow control,”
in Proc. ACM Symp. on Principles of Programming Languages, Jan. [34] K. J. Biba, “Integrity considerations for secure computer systems,”
1999, pp. 228–241. Tech. Rep. ESD-TR-76-372, USAF Electronic Systems Division, Bed-
[8] G. Barthe and B. Serpette, “Partial evaluation and non-interference for ford, MA, Apr. 1977, (Also available through National Technical
Information Service, Springfield Va., NTIS AD-A039324.).
object calculi,” in Proc. FLOPS. Nov. 1999, vol. 1722 of LNCS, pp.
53–67, Springer-Verlag. [35] J. S. Fenton, Information Protection Systems, Ph.D. thesis, University
[9] D. Volpano and G. Smith, “Probabilistic noninterference in a concur- of Cambridge, Cambridge, England, 1973.
rent language,” J. Computer Security, vol. 7, no. 2–3, pp. 231–253, [36] J. S. Fenton, “Memoryless subsystems,” Computing J., vol. 17, no. 2,
Nov. 1999. pp. 143–147, May 1974.
[10] J. Agat, “Transforming out timing leaks,” in Proc. ACM Symp. on [37] D. E. Bell and L. J. LaPadula, “Secure computer systems: Mathematical
Principles of Programming Languages, Jan. 2000, pp. 40–53. foundations,” Tech. Rep. MTR-2547, Vol. 1, MITRE Corp., Bedford,
[11] A. Sabelfeld and D. Sands, “Probabilistic noninterference for multi- MA, 1973.
threaded programs,” in Proc. IEEE Computer Security Foundations [38] L. J. LaPadula and D. E. Bell, “Secure computer systems: A
Workshop, July 2000, pp. 200–214. mathematical model,” Tech. Rep. MTR-2547, Vol. 2, MITRE Corp.,
[12] S. Zdancewic and A. C. Myers, “Secure information flow and CPS,” Bedford, MA, 1973, Reprinted in J. of Computer Security, vol. 4, no.
in Proc. European Symposium on Programming. Apr. 2001, vol. 2028 2–3, pp. 239–263, 1996.
of LNCS, pp. 46–61, Springer-Verlag. [39] Department of Defense, Department of Defense Trusted Computer
[13] A. Banerjee and D. A. Naumann, “Secure information flow and pointer System Evaluation Criteria, DOD 5200.28-STD (The Orange Book)
confinement in a Java-like language,” in Proc. IEEE Computer Security edition, Dec. 1985.
Foundations Workshop, June 2002, pp. 253–267. [40] D. E. Denning and P. J. Denning, “Certification of programs for secure
[14] F. Pottier and V. Simonet, “Information flow inference for ML,” in information flow,” Comm. of the ACM, vol. 20, no. 7, pp. 504–513,
Proc. ACM Symp. on Principles of Programming Languages, Jan. 2002, July 1977.
pp. 319–330. [41] D. E. Denning, Cryptography and Data Security, Addison-Wesley,
[15] M. Abadi, A. Banerjee, N. Heintze, and J. Riecke, “A core calculus Reading, MA, 1982.
of dependency,” in Proc. ACM Symp. on Principles of Programming [42] R. J. Feiertag, “A technique for proving specifications are multilevel
Languages, Jan. 1999, pp. 147–160. secure,” Tech. Rep. CSL-109, SRI International Computer Science Lab,
[16] F. Pottier and S. Conchon, “Information flow inference for free,” Menlo Park, California, Jan. 1980.
in Proc. ACM International Conference on Functional Programming, [43] J. McHugh and D. I. Good, “An information flow tool for Gypsy,” in
Sept. 2000, pp. 46–57. Proc. IEEE Symp. on Security and Privacy, Apr. 1985, pp. 46–48.
[17] A. Sabelfeld and D. Sands, “A per model of secure information flow in [44] A. C. Myers, N. Nystrom, L. Zheng, and S. Zdancewic, “Jif: Java
sequential programs,” Higher Order and Symbolic Computation, vol. information flow,” Software release. http://www.cs.cornell.edu/jif, July
14, no. 1, pp. 59–91, Mar. 2001. 2001.
[18] B. W. Lampson, “A note on the confinement problem,” Comm. of the [45] J. McLean, “A general theory of composition for trace sets closed under
ACM, vol. 16, no. 10, pp. 613–615, Oct. 1973. selective interleaving functions,” in Proc. IEEE Symp. on Security and
[19] D. Dolev and A. Yao, “On the security of public-key protocols,” IEEE Privacy, May 1994, pp. 79–93.
Transactions on Information Theory, vol. 2, no. 29, pp. 198–208, Aug. [46] D. Volpano, “Safety versus secrecy,” in Proc. Symposium on Static
1983. Analysis. Sept. 1999, vol. 1694 of LNCS, pp. 303–311, Springer-Verlag.
[20] B. W. Lampson, “Protection,” in Proc. Princeton Symposium on [47] J. A. Goguen and J. Meseguer, “Security policies and security models,”
Information Sciences and Systems, Princeton University, Mar. 1971, in Proc. IEEE Symp. on Security and Privacy, Apr. 1982, pp. 11–20.
pp. 437–443, Reprinted in Operating Systems Review, vol. 8, no. 1, [48] J. A. Goguen and J. Meseguer, “Unwinding and inference control,” in
pp. 18–24, Jan. 1974. Proc. IEEE Symp. on Security and Privacy, Apr. 1984, pp. 75–86.
14 IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 21, NO. 1, JANUARY 2003
[49] E. S. Cohen, “Information transmission in computational systems,” [76] S. Zdancewic and A. C. Myers, “Secure information flow via linear
ACM SIGOPS Operating Systems Review, vol. 11, no. 5, pp. 133–139, continuations,” Higher Order and Symbolic Computation, vol. 15, no.
1977. 2–3, pp. 209–234, Sept. 2002.
[50] E. S. Cohen, “Information transmission in sequential programs,” in [77] F. Pottier and V. Simonet, “Information flow inference for ML,” ACM
Foundations of Secure Computation, R. A. DeMillo, D. P. Dobkin, TOPLAS, 2002, To appear.
A. K. Jones, and R. J. Lipton, Eds., pp. 297–335. Academic Press, [78] V. Simonet, “Fine-grained information flow analysis for a λ-calculus
1978. with sum types,” in Proc. IEEE Computer Security Foundations
[51] J. McLean, “Proving noninterference and functional correctness using Workshop, June 2002, pp. 223–237.
traces,” J. Computer Security, vol. 1, no. 1, pp. 37–58, 1992. [79] M. Abadi and L. Cardelli, A Theory of Objects, Monographs in
[52] G. R. Andrews and R. P. Reitman, “An axiomatic approach to Computer Science. Springer-Verlag, New York, 1996.
information flow in programs,” ACM TOPLAS, vol. 2, no. 1, pp. 56–75, [80] J. McLean, “A general theory of composition for a class of “possibilis-
Jan. 1980. tic” security properties,” IEEE Transactions on Software Engineering,
[53] M. Mizuno and A. Oldehoeft, “Information flow control in a distributed vol. 22, no. 1, pp. 53–67, Jan. 1996.
object-oriented system with statically-bound object variables,” in Proc. [81] D. Sutherland, “A model of information,” in Proc. National Computer
National Computer Security Conference, 1987, pp. 56–67. Security Conference, Sept. 1986, pp. 175–183.
[54] M. Mizuno, “A least fixed point approach to inter-procedural informa- [82] D. McCullough, “Specifications for multi-level security and hook-up
tion flow control,” in Proc. National Computer Security Conference, property,” in Proc. IEEE Symp. on Security and Privacy, Apr. 1987,
1989, pp. 558–570. pp. 161–166.
[55] M. Mizuno and D. Schmidt, “A security flow control algorithm
[83] H. Mantel, “Possibilistic definitions of security – An assembly kit –,”
and its denotational semantics correctness proof,” Formal Aspects of
in Proc. IEEE Computer Security Foundations Workshop, July 2000,
Computing, vol. 4, no. 6A, pp. 727–754, 1992.
pp. 185–199.
[56] J.-P. Banâtre and C. Bryce, “Information flow control in a parallel
language framework,” in Proc. IEEE Computer Security Foundations [84] K. R. M. Leino and R. Joshi, “A semantic approach to secure
Workshop, June 1993, pp. 39–52. information flow,” in Proc. Mathematics of Program Construction,
[57] J.-P. Banâtre, C. Bryce, and D. Le Métayer, “Compile-time detection June 1998, vol. 1422 of LNCS, pp. 254–271.
of information flow in sequential programs,” in Proc. European Symp. [85] A. Sabelfeld and D. Sands, “A per model of secure information flow in
on Research in Computer Security. 1994, vol. 875 of LNCS, pp. 55–73, sequential programs,” in Proc. European Symposium on Programming.
Springer-Verlag. Mar. 1999, vol. 1576 of LNCS, pp. 40–58, Springer-Verlag.
[58] J.-P. Banâtre, C. Bryce, and D. Le Métayer, “An approach to infor- [86] D. Volpano and G. Smith, “Probabilistic noninterference in a con-
mation security in distributed systems,” in Proc. IEEE International current language,” in Proc. IEEE Computer Security Foundations
Workshop on Future Trends in Distributed Computing Systems, 1995, Workshop, June 1998, pp. 34–43.
pp. 384–394. [87] G. Smith, “A new type system for secure information flow,” in Proc.
[59] P. Ørbæk, “Can you trust your data?,” in Proc. TAPSOFT/FASE’95. IEEE Computer Security Foundations Workshop, June 2001, pp. 115–
May 1995, vol. 915 of LNCS, pp. 575–590, Springer-Verlag. 125.
[60] P. Ørbæk and J. Palsberg, “Trust in the λ-calculus,” J. Functional [88] G. Boudol and I. Castellani, “Noninterference for concurrent pro-
Programming, vol. 7, no. 6, pp. 557–591, 1997. grams,” in Proc. ICALP, July 2001, vol. 2076 of LNCS, pp. 382–395.
[61] P. Ørbæk, Trust and Dependence Analysis, Ph.D. thesis, BRICS, [89] G. Boudol and I. Castellani, “Non-interference for concurrent programs
University of Aarhus, Aarhus, Denmark, 1997. and thread systems,” Theoretical Computer Science, vol. 281, no. 1,
[62] D. E. Denning, “A lattice model of secure information flow,” Comm. pp. 109–130, June 2002.
of the ACM, vol. 19, no. 5, pp. 236–243, May 1976. [90] A. Sabelfeld, “The impact of synchronisation on secure information
[63] D. Volpano and G. Smith, “A type-based approach to program security,” flow in concurrent programs,” in Proc. Andrei Ershov International
in Proc. TAPSOFT’97. Apr. 1997, vol. 1214 of LNCS, pp. 607–621, Conference on Perspectives of System Informatics. July 2001, vol. 2244
Springer-Verlag. of LNCS, pp. 227–241, Springer-Verlag.
[64] M. Abadi, “Secrecy by typing in security protocols,” in Proc. [91] K. Honda, V. Vasconcelos, and N. Yoshida, “Secure information
Theoretical Aspects of Computer Software, Sept. 1997, pp. 611–638. flow as typed process behaviour,” in Proc. European Symposium on
[65] S. Zdancewic and A. C. Myers, “Robust declassification,” in Proc. Programming. 2000, vol. 1782 of LNCS, pp. 180–199, Springer-Verlag.
IEEE Computer Security Foundations Workshop, June 2001, pp. 15– [92] K. Honda and N. Yoshida, “A uniform type structure for secure
23. information flow,” in Proc. ACM Symp. on Principles of Programming
[66] R. Joshi and K. R. M. Leino, “A semantic approach to secure Languages, Jan. 2002, pp. 81–92.
information flow,” Science of Computer Programming, vol. 37, no. [93] F. Pottier, “A simple view of type-secure information flow in the pi-
1–3, pp. 113–138, 2000. calculus,” in Proc. IEEE Computer Security Foundations Workshop,
[67] D. Volpano and G. Smith, “Eliminating covert flows with minimum June 2002, pp. 320–330.
typings,” Proc. IEEE Computer Security Foundations Workshop, pp. [94] S. Zdancewic, Programming Languages for Information Security,
156–168, June 1997. Ph.D. thesis, Cornell University, July 2002.
[68] M. Dam and P. Giambiagi, “Confidentiality for mobile code: The [95] A. W. Roscoe, “CSP and determinism in security modeling,” in Proc.
case of a simple payment protocol,” in Proc. IEEE Computer Security IEEE Symp. on Security and Privacy, May 1995, pp. 114–127.
Foundations Workshop, July 2000, pp. 233–244.
[96] R. P. Reitman, Information flow in parallel programs: An axiomatic
[69] P. Giambiagi, “Confidentiality for implementations of security proto-
approach, Ph.D. thesis, Cornell University, 1978.
cols,” Unpublished manuscript, Feb. 2002.
[70] D. Volpano and G. Smith, “Verifying secrets and relative secrecy,” [97] M. Abadi, “Secrecy by typing in security protocols,” J. ACM, vol. 46,
no. 5, pp. 749–786, Sept. 1999.
in Proc. ACM Symp. on Principles of Programming Languages, Jan.
2000, pp. 268–276. [98] M. Abadi and B. Blanchet, “Secrecy types for asymmetric commu-
[71] S. Zdancewic, L. Zheng, N. Nystrom, and A. C. Myers, “Untrusted nication,” in Proc. Foundations of Software Science and Computation
hosts and confidentiality: Secure program partitioning,” in Proc. ACM Structure. Apr. 2001, vol. 2030 of LNCS, pp. 25–41, Springer-Verlag.
Symp. on Operating System Principles, Oct. 2001, pp. 1–14. [99] E. Sumii and B. Pierce, “Logical relations for encryption,” in Proc.
[72] A. Sabelfeld and H. Mantel, “Static confidentiality enforcement for IEEE Computer Security Foundations Workshop, June 2001, pp. 256–
distributed programs,” in Proc. Symposium on Static Analysis. Sept. 269.
2002, vol. 2477 of LNCS, pp. 376–394, Springer-Verlag. [100] P. Thiemann, “Enforcing security properties by type specialization,” in
[73] D. Clark, S. Hunt, and P. Malacaria, “Quantitative analysis of the Proc. European Symposium on Programming. Apr. 2001, vol. 2028 of
leakage of confidential data,” in Quantitative Aspects of Programming LNCS, Springer-Verlag.
Languages—Selected papers from QAPL 2001. 2002, vol. 59 of Elec- [101] P. C. Kocher, “Timing attacks on implementations of Diffie-Hellman,
tronic Notes in Theoretical Computer Science, Elsevier. RSA, DSS, and other systems,” in Proc. CRYPTO’96. 1996, vol. 1109
[74] A. Di Pierro, C. Hankin, and H. Wiklicky, “Approximate non- of LNCS, pp. 104–113, Springer-Verlag.
interference,” in Proc. IEEE Computer Security Foundations Workshop, [102] J. McLean, “Security models and information flow,” in Proc. IEEE
June 2002, pp. 1–17. Symp. on Security and Privacy, May 1990, pp. 180–187.
[75] H. Barendregt, The Lambda Calculus, Its Syntax and Semantics, North- [103] J.W. Gray III, “Probabilistic interference,” in Proc. IEEE Symp. on
Holland, 1984. Security and Privacy, May 1990, pp. 170–179.
SABELFELD AND MYERS: LANGUAGE-BASED INFORMATION-FLOW SECURITY 15
[104] P. Syverson and J. W. Gray III, “The epistemic representation of [131] C. Bodei, P. Degano, H. Riis Nielson, and F. Nielson, “Static analysis
information flow security in probabilistic systems,” in Proc. IEEE for secrecy and non-interference in networks of processes,” in Proc.
Computer Security Foundations Workshop, June 1995, pp. 152–166. PACT’01. Sept. 2001, vol. 2127 of LNCS, pp. 27–41, Springer-Verlag.
[105] K. G. Larsen and A. Skou, “Bisimulation through probabilistic testing,” [132] D. Clark, C. Hankin, and S. Hunt, “Information flow for Algol-like
Information and Computation, vol. 94, no. 1, pp. 1–28, Sept. 1991. languages,” Journal of Computer Languages, 2002, To appear.
[106] A. C. Myers and B. Liskov, “Complete, safe information flow with [133] P. Cousot and R. Cousot, “Abstract interpretation: A unified lattice
decentralized labels,” in Proc. IEEE Symp. on Security and Privacy, model for static analysis of programs by construction or approximation
May 1998, pp. 186–197. of fixpoints,” in Proc. ACM Symp. on Principles of Programming
[107] M. Abadi and A. D. Gordon, “A calculus for cryptographic protocols: Languages, Jan. 1977, pp. 238–252.
The Spi calculus,” Information and Computation, vol. 148, no. 1, pp. [134] P. Malacaria and C. Hankin, “Non-deterministic games and program
1–70, Jan. 1999. analysis: An application to security,” in Proc. IEEE Symp. on Logic in
[108] P. Giambiagi, “Secrecy for mobile implementations of security pro- Computer Science, 1999, pp. 443–452.
tocols,” Licentiate Thesis, Royal Institute of Technology, Stockholm, [135] S. Abramksy and G. McCusker, “Game semantics,” in Logic and
Oct. 2001. Computation: Proc. 1997 Marktoberdorf Summer School, U. Berger
[109] D. Volpano, “Secure introduction of one-way functions,” in Proc. IEEE and H. Schwichtenberg, Eds., NATO Science Series. Springer-Verlag,
Computer Security Foundations Workshop, July 2000, pp. 246–254. 1998.
[110] P. Laud, “Semantics and program analysis of computationally secure [136] M. Zanotti, “Security typings by abstract interpretation,” in Proc.
information flow,” in Proc. European Symposium on Programming. Symposium on Static Analysis. Sept. 2002, vol. 2477 of LNCS, pp.
Apr. 2001, vol. 2028 of LNCS, pp. 77–91, Springer-Verlag. 360–375, Springer-Verlag.
[111] A. Di Pierro, C. Hankin, and H. Wiklicky, “Probabilistic confinement [137] D. McCullough, “Noninterference and the composability of security
in a declarative framework,” in Declarative Programming—Selected properties,” in Proc. IEEE Symp. on Security and Privacy, May 1988,
papers from AGP 2000. 2001, vol. 48 of Electronic Notes in Theoretical pp. 177–186.
Computer Science, Elsevier. [138] A. Sabelfeld, Semantic Models for the Security of Sequential and Con-
[112] A. Di Pierro, C. Hankin, and H. Wiklicky, “Analysing approximate current Programs, Ph.D. thesis, Chalmers University of Technology
confinement under uniform attacks,” in Proc. Symposium on Static and Gothenburg University, Gothenburg, Sweden, May 2001.
Analysis. Sept. 2002, vol. 2477 of LNCS, pp. 310–325, Springer-Verlag. [139] R. Focardi and R. Gorrieri, “A classification of security properties for
[113] G. Lowe, “Quantifying information flow,” in Proc. IEEE Computer process algebras,” J. Computer Security, vol. 3, no. 1, pp. 5–33, 1995.
Security Foundations Workshop, June 2002, pp. 18–31. [140] P. Ryan, “Mathematical models of computer security—tutorial lec-
[114] C. E. Shannon and W. Weaver, The Mathematical Theory of Commu- tures,” in Foundations of Security Analysis and Design, R. Focardi and
nication, University of Illinois Press, 1963. R. Gorrieri, Eds., vol. 2171 of LNCS, pp. 1–62. Springer-Verlag, 2001.
[115] H. Mantel and A. Sabelfeld, “A generic approach to the security [141] P. Ryan and S. Schneider, “Process algebra and non-interference,” in
of multi-threaded programs,” in Proc. IEEE Computer Security Proc. IEEE Computer Security Foundations Workshop, June 1999, pp.
Foundations Workshop, June 2001, pp. 126–142. 214–227.
[116] H. Mantel and A. Sabelfeld, “A unifying approach to the security of [142] H. Mantel, “On the composition of secure systems,” in Proc. IEEE
distributed and multi-threaded programs,” J. Computer Security, 2002, Symp. on Security and Privacy, May 2002, pp. 81–94.
To appear. [143] P. Sewell and J. Vitek, “Secure composition of untrusted code:
[117] J. H. Saltzer and M. D. Schroeder, “The protection of information in Wrappers and causality types,” in Proc. IEEE Computer Security
computer systems,” Proc. of the IEEE, vol. 63, no. 9, pp. 1278–1308, Foundations Workshop, July 2000, pp. 269–284.
Sept. 1975. [144] M. Hennessy and J. Riely, “Information flow vs resource access in
[118] G. Morrisett, Compiling with Types, Ph.D. thesis, Carnegie Mellon the asynchronous pi-calculus (extended abstract),” in Proc. ICALP’00.
University, Dec. 1995, Published as CMU Tech Report CMU-CS-95- July 2000, vol. 1853 of LNCS, pp. 415–427, Springer-Verlag.
226. [145] D. Duggan, “Cryptographic types,” in Proc. IEEE Computer Security
[119] J. Agat, Type Based Techniques for Covert Channel Elimination and Foundations Workshop, June 2002, pp. 238–252.
Register Allocation, Ph.D. thesis, Chalmers University of Technology [146] R. Focardi, R. Gorrieri, and F. Martinelli, “Information flow analysis
and Gothenburg University, Gothenburg, Sweden, Dec. 2000. in a discrete-time process algebra,” in Proc. IEEE Computer Security
[120] A. Appel, Compiling with Continuations, Cambridge University Press, Foundations Workshop, July 2000, pp. 170–184.
1992. [147] A. Aldini, “Probabilistic information flow in a process algebra,” in
[121] D. Kozen, “Language-based security,” in Proc. Mathematical Founda- Proc. CONCUR’01. Aug. 2001, vol. 2154 of LNCS, pp. 152–168,
tions of Computer Science. Sept. 1999, vol. 1672 of LNCS, pp. 284– Springer-Verlag.
298, Springer-Verlag.
[122] M. A. Sheldon and D. K. Gifford, “Static dependent types for first class
modules,” in Proc. Lisp and Functional Programming, June 1990, pp. Andrei Sabelfeld received the Ph.D. degree in com-
20–29. puter science from Chalmers University of Technol-
[123] H. Xi and F. Pfenning, “Dependent types in practical programming,” ogy and Gothenburg University, Gothenburg, Swe-
in Proc. ACM Symp. on Principles of Programming Languages, Jan. den, in 2001.
1999, pp. 214–227. He is a Research Associate in the Computer Sci-
[124] J. Agat and D. Sands, “On confidentiality and algorithms,” in Proc. ence Department, Cornell University, Ithaca, NY. His
IEEE Symp. on Security and Privacy, May 2001, pp. 64–77. research has developed the link between two areas
[125] F. Nielson, H. Riis Nielson, and C. Hankin, Principles of Program of computer science: programming languages and
Analysis, Springer-Verlag, 1999. computer security. He has pursued the certification
[126] C. Bodei, P. Degano, H. Riis Nielson, and F. Nielson, “Security analysis of confidentiality according to established principles
using flow logics,” in Current Trends in Theoretical Computer Science, of programming languages.
G. Paun, G. Rozenberg, and A. Salomaa, Eds., pp. 525–542. World
Scientific, 2000.
[127] C. Bodei, P. Degano, F. Nielson, and H. Riis Nielson, “Static analysis
of processes for no read-up and no write-down,” in Proc. Foundations
of Software Science and Computation Structure. Apr. 1999, number Andrew C. Myers received the Ph.D. degree in
1578 in LNCS, pp. 120–134, Springer-Verlag. computer science from the Massachusetts Institute
[128] C. Bodei, P. Degano, F. Nielson, and H. Riis Nielson, “Static analysis of Technology, Cambridge, in 1999.
for the π-calculus with applications to security,” Information and He is an Assistant Professor in the Computer
Computation, vol. 168, pp. 68–92, 2001. Science Department, Cornell University, Ithaca, NY.
[129] L. Cardelli and A. D. Gordon, “Mobile ambients,” in Proc. Foundations His research interests include computer security, pro-
of Software Science and Computation Structure. Apr. 1998, vol. 1378 gramming languages, and distributed object systems.
of LNCS, pp. 140–155, Springer-Verlag. His work on language-based information flow has
[130] F. Nielson, H. Riis Nielson, R. R. Hansen, and J. G. Jensen, “Validating focused on systems and languages that are expres-
firewalls in mobile ambients,” in Proc. CONCUR’99. 1999, number sive and practical.
1664 in LNCS, pp. 463–477, Springer-Verlag.