A type-based approach to program security
- In Proceedings of the 7th International Joint Conference on the Theory and Practice of Software Development, 1997
Cited by 126 (3 self)
Abstract. This paper presents a type system which guarantees that well-typed programs in a procedural programming language satisfy a noninterference security property. With all program inputs and outputs classified at various security levels, the property basically states that a program output, classified at some level, can never change as a result of modifying only inputs classified at higher levels. Intuitively, this means the program does not "leak" sensitive data. The property is similar to a notion introduced years ago by Goguen and Meseguer to model security in multi-level computer systems [7]. We also give an algorithm for inferring and simplifying principal types, which document the security requirements of programs.
A Per Model of Secure Information Flow in Sequential Programs
- HIGHER-ORDER AND SYMBOLIC COMPUTATION, 1998
Cited by 81 (14 self)
This paper proposes an extensional semantics-based formal specification of secure information-flow properties in sequential programs based on representing degrees of security by partial equivalence relations (pers). The specification clarifies and unifies a number of specific correctness arguments in the literature and connections to other forms of program analysis. The approach is inspired by (and in the deterministic case equivalent to) the use of partial equivalence relations in specifying binding-time analysis, and is thus able to specify security properties of higher-order functions and "partially confidential data". We also show how the per approach can handle nondeterminism for a first-order language, by using powerdomain semantics, and show how probabilistic security properties can be formalised by using probabilistic powerdomain semantics. We illustrate the usefulness of the compositional nature of the security specifications by presenting a straightforward correctness proof for a simple type-based security analysis.
Trust in the λ-Calculus
- JOURNAL OF FUNCTIONAL PROGRAMMING, 1995
Cited by 43 (0 self)
This paper introduces trust analysis for higher-order languages. Trust analysis encourages the programmer to make explicit the trustworthiness of data, and in return it can guarantee that no mistakes with respect to trust will be made at run-time. We present a confluent λ-calculus with explicit trust operations, and we equip it with a trust-type system which has the subject reduction property. Trust information is presented as two annotations of each function type constructor, and type inference is computable in O(n³) time.
The Impact of Synchronisation on Secure Information Flow in Concurrent Programs
- In Proc. Andrei Ershov International Conference on Perspectives of System Informatics, volume 2244 of LNCS, 2001
Cited by 17 (7 self)
Synchronisation is fundamental to concurrent programs. This paper investigates the security of information flow in multi-threaded programs in the presence of synchronisation. We give a small-step operational semantics for a simple shared-memory multi-threaded language with synchronisation, and present a compositional timing-sensitive bisimulation-based confidentiality specification. We propose a type-based analysis improving on previous approaches to reject potentially insecure programs.
Proving Trust in Systems of Second-Order Processes: Preliminary results
- In Proceedings of the 31st Hawaii International Conference on System Sciences, volume VII, 1997
Cited by 13 (1 self)
We consider the problem of proving correctness properties for concurrent systems with features such as higher-order communication and dynamic resource generation. As examples we consider operational models of security and authentication protocols based on the higher-order π-calculus. In the setting we propose, key features such as nonces/time stamps, encryption/decryption, and key generation can be modelled in a simple and abstract fashion using channel name generation and second-order process communication. A temporal logic is proposed as an appropriate logic to express crucial correctness properties such as secrecy and authenticity. The logic is based on the modal μ-calculus with only greatest fixed points and universal next-state quantification, extended with first-order features to deal with names, and second-order features including function space constructions to deal with process input and output. A difficulty is that formulas need recursion in both covariant and contravariant po...

