Robust Declassification
- In Proc. IEEE Computer Security Foundations Workshop, 2001
Cited by 122 (23 self)
Security properties based on information flow, such as noninterference, provide strong guarantees that confidentiality is maintained. However, programs often need to leak some amount of confidential information in order to serve their intended purpose, and thus violate noninterference. Real systems that control information flow often include mechanisms for downgrading or declassifying information; however, declassification can easily result in the unexpected release of confidential information.
A Model for Delimited Information Release
- In Proc. International Symp. on Software Security (ISSS’03), volume 3233 of LNCS, 2004
Cited by 51 (12 self)
Much work on security-typed languages lacks a satisfactory account of intentional information release. In the context of confidentiality, a typical security guarantee provided by security type systems is noninterference, which allows no information flow from secret inputs to public outputs. However, many intuitively secure programs do allow some release, or declassification, of secret information (e.g., password checking, information purchase, and spreadsheet computation). Noninterference fails to recognize such programs as secure. In this respect, many security type systems enforcing noninterference are impractical.
Run-time Principals in Information-flow Type Systems
- In IEEE Symposium on Security and Privacy, 2004
Cited by 45 (9 self)
for enforcing strong end-to-end confidentiality and integrity policies. Such policies, however, are usually specified in terms of static information---data is labeled high or low security at compile time. In practice, the confidentiality of data may depend on information available only while the system is running. This paper studies language support for run-time principals, a mechanism for specifying information-flow security policies that depend on which principals interact with the system. We establish the basic property of noninterference for programs written in such a language, and use run-time principals for specifying run-time authority in downgrading mechanisms such as declassification.
Challenges for information-flow security
- In Proc. Programming Language Interference and Dependence (PLID), 2004
Cited by 26 (0 self)
Protecting confidential data in computing environments has long been recognized
Enforcing robust declassification and qualified robustness
- Journal of Computer Security, 2006
Cited by 23 (7 self)
Noninterference requires that there is no information flow from sensitive to public data in a given system. However, many systems release sensitive information as part of their intended function and therefore violate noninterference. To control information flow while permitting information release, some systems have a downgrading or declassification mechanism, but this creates the danger that it may cause unintentional information release. This paper shows that a robustness property can be used to characterize programs in which declassification mechanisms cannot be controlled by attackers to release more information than intended. It describes a simple way to provably enforce this robustness property through a type-based compile-time program analysis. The paper also presents a generalization of robustness that supports upgrading (endorsing) data integrity.
A monadic analysis of information flow security with mutable state
- Journal of Functional Programming, 2003
Cited by 21 (1 self)
We explore the logical underpinnings of higher-order, security-typed languages with mutable state. Our analysis is based on a logic of information flow derived from lax logic and the monadic metalanguage. Thus, our logic deals with mutation explicitly, with impurity reflected in the types, in contrast to most higher-order security-typed languages, which deal with mutation implicitly via side-effects. More importantly, we also take a store-oriented view of security, wherein security levels are associated with elements of the mutable store. This view matches closely with the operational semantics of low-level imperative languages where information flow is expressed by operations on the store. An interesting feature of our analysis lies in its treatment of upcalls (low-security computations that include high-security ones), employing an “informativeness” judgment indicating under what circumstances a type carries useful information.
From Languages to Systems: Understanding Practical Application Development in Security-typed Languages
- In Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC 2006), 2006
Cited by 11 (5 self)
Security-typed languages are an evolving tool for implementing systems with provable security guarantees. However, to date, these tools have only been used to build simple “toy” programs. As described in this paper, we have developed the first real-world, security-typed application: a secure email system written in the Java language variant Jif. Real-world policies are mapped onto the information flows controlled by the language primitives, and we consider the process and tractability of broadly enforcing security policy in commodity applications. We find that while the language provided the rudimentary tools to achieve low-level security goals, additional tools, services, and language extensions were necessary to formulate and enforce application policy. We detail the design and use of these tools. We also show how the strong guarantees of Jif in conjunction with our policy tools can be used to evaluate security. This work serves as a starting point: we have demonstrated that it is possible to implement real-world systems and policy using security-typed languages. However, further investigation of the developer tools and supporting policy infrastructure is necessary before they can fulfill their considerable promise of enabling more secure systems.
Owned Policies for Information Security
- In Proc. 17th IEEE Computer Security Foundations Workshop, 2004
Cited by 8 (2 self)
items of information have owners associated with them. An owner of an item of information may want the system to enforce a policy that restricts use of that information; we call such a policy an owned policy. Owned policies can be used in many contexts, including information flow, access control, and software licensing. In this paper we introduce and study a general framework for owned policies. Relationships between security policies for a given system may be dependent on system aspects that change between or during system execution. As a result, there may be only partial knowledge of the structure of security policies available when analyzing a system statically. We demonstrate that our framework permits static reasoning about owned policies under partial knowledge, and we also exhibit tractability results for the problem of inferring security policies.
Language Based Information Routing Security: Policy Enforcement
- 2007
Language-based security promises to be a powerful tool with which provably secure routing applications may be developed. Programs written in these languages enforce a strong policy of non-interference, which ensures that high-security data will not be observable on low-security channels. The information routing security proposed aims to fill the gap between representation and enforcement by implementing and integrating the diverse security services needed by policy. Policy is enforced by the run-time compiler and an execution-based mechanism for information violating routing policy and regulation of security services. Checking the routing requirements of an explicit route achieves this result for statements involving explicit routes. Unfortunately, such classification is often expressed as an operation within a given program, rather than as part of a policy, making reasoning about the security implications of a policy more difficult. We formalize our approach for a C++-like language and prove a modified form of our non-interference method. We have implemented our approach as an extension to C and provide some of our experience using it to build secure information routing.
Languages for Secure Multiparty . . . Towards Strongly Typed Macros
- 2009
We show that it is feasible and useful to create programming languages with strong security guarantees for secure multiparty computation. We have designed and implemented the Secure Multiparty Computation Language (SMCL), which is a domain-specific programming language for secure multiparty computation. SMCL allows programmers to write programs using secure multiparty computation without expert knowledge on how to design and implement cryptographic protocols. We have proven that programs written in SMCL are immune to a broad range of security threats and confidential information may only be revealed in specific parts of a program, designated by the programmer. We demonstrate the usefulness of SMCL by reporting on how an SMCL program contributed to the first large-scale practical application of secure multiparty computation. Based on our experiences with SMCL we have designed a successor called PySMCL, which is a domain-specific language embedded in Python, and will provide even better security guarantees than SMCL. We also