Spot the Difference: Secure Multi-execution and Multiple Facets

  • Nataliia BielovaEmail author
  • Tamara Rezk
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9878)


We propose a rigorous comparison of two widely known dynamic information flow mechanisms: Secure Multi-Execution (SME) and Multiple Facets (MF). Informally, it is believed that MF simulates SME while providing better performance. Formally, it is well known that SME has stronger soundness guarantees than MF.

Surprisingly, we discover that even if we approach them to enforce the same soundness guarantees, they are still different. While modeling them in the same language, we are able to precisely identify the features of the semantics that lead to their differences. In the process of comparing them, we also discovered four new mechanisms that share features of MF and SME. We prove that one of them simulates SME, which was falsely believed to be true for MF.


Security Level Multiple Facet Output Channel Security Environment Secure Program 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We would like to thank Frank Piessens on valuable feedback on earlier versions of this paper and anonymous reviewers who helped us to improve the paper. This work has been partially supported by the ANR project AJACS ANR-14-CE28-0008.


  1. 1.
    Austin, T., Knowles, K., Flanagan, C.: Typed faceted values for secure information flow in haskell. Technical report UCSC-SOE-14-07, University of California, Santa Cruz (2014)Google Scholar
  2. 2.
    Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. In: PLAS 2009, pp. 113–124 (2009)Google Scholar
  3. 3.
    Austin, T.H., Flanagan, C.: Permissive dynamic information flow analysis. In: PLAS 2010, pp. 3:1–3:12. ACM (2010)Google Scholar
  4. 4.
    Austin, T.H., Flanagan, C.: Multiple facets for dynamic information flow. In: Proceeding of the 39th Symposium of Principles of Programming Languages. ACM (2012)Google Scholar
  5. 5.
    Barthe, G., Crespo, J.M., Devriese, D., Piessens, F., Rivas, E.: Secure multi-execution through static program transformation. In: Giese, H., Rosu, G. (eds.) FORTE 2012 and FMOODS 2012. LNCS, vol. 7273, pp. 186–202. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  6. 6.
    Bauer, L., Ligatti, J., Walker, D.: Edit automata: enforcement mechanisms for run-time security policies. Int. J. Inf. Secur. 4(1–2), 2–16 (2005)Google Scholar
  7. 7.
    Bielova, N., Devriese, D., Massacci, F., Piessens, F.: Reactive non-interference for a browser model. In: Proceeding of the 5th International Conference on Network and System Security (NSS), pp. 97–104. IEEE (2011)Google Scholar
  8. 8.
    Bielova, N., Rezk, T. Spot the difference: secure multi-execution and multiple facets technical report.
  9. 9.
    Bielova, N., Rezk, T.: A taxonomy of information flow monitors. In: Piessens, F., Viganò, L. (eds.) POST 2016. LNCS, vol. 9635, pp. 46–67. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49635-0_3 CrossRefGoogle Scholar
  10. 10.
    Bolosteanu, I., Garg, D.: Asymmetric secure multi-execution with declassification. In: Piessens, F., Viganò, L. (eds.) POST 2016. LNCS, vol. 9635, pp. 24–45. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49635-0_2 CrossRefGoogle Scholar
  11. 11.
    Groef, W., Devriese, D., Nikiforakis, N., Piessens, F.: FlowFox: a web browser with flexible and precise information flow control. In: Proceeding of the 19th ACM Conference on Communications and Computer Security, pp. 748–759 (2012)Google Scholar
  12. 12.
    Devriese, D., Piessens, F.: Non-interference through secure multi-execution. In: Proceeding of the Symposium on Security and Privacy, pp. 109–124. IEEE (2010)Google Scholar
  13. 13.
    Erlingsson, U.: The inlined reference monitor approach to security policy enforcement. Ph.D. thesis, Cornell University (2003)Google Scholar
  14. 14.
    Fenton, J.S.: Memoryless subsystems. Comput. J. 17(2), 143–147 (1974)MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    Hedin, D., Bello, L., Sabelfeld, A.: Value-sensitive hybrid information flow control for a Javascript-like language. In: IEEE 28th Computer Security Foundations Symposium, CSF (2015)Google Scholar
  16. 16.
    Kashyap, V., Wiedermann, B., Hardekopf, B.: Timing-and termination-sensitive secure information flow: Exploring a new approach. In: IEEE Symposium on Security and Privacy (SP), pp. 413–428 (2011)Google Scholar
  17. 17.
    Le Guernic, G.: Confidentiality enforcement using dynamic information flow analyses. Ph.D. thesis, Kansas State University and University of Rennes 1 (2007)Google Scholar
  18. 18.
    Ligatti, J., Bauer, L., Walker, D.W.: Enforcing non-safety security policies with program monitors. In: Vimercati, S.C., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 355–373. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  19. 19.
    Almeida-Matos, A., Fragoso Santos, J., Rezk, T.: An information flow monitor for a core of DOM. In: Maffei, M., Tuosto, E. (eds.) TGC 2014. LNCS, vol. 8902, pp. 1–16. Springer, Heidelberg (2014)Google Scholar
  20. 20.
    Rafnsson, W., Sabelfeld, A.: Secure multi-execution: fine-grained, declassification-aware, and transparent. In: IEEE 26th Computer Security Foundations Symposium (2013)Google Scholar
  21. 21.
    Rafnsson, W., Sabelfeld, A.: Secure multi-execution: fine-grained, declassification-aware, and transparent. J. Comput. Secur. 24(1), 39–90 (2016)CrossRefGoogle Scholar
  22. 22.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Sel. Areas Commun. 21(1), 5–19 (2003)CrossRefGoogle Scholar
  23. 23.
    Sabelfeld, A., Sands, D.: Declassification: dimensions and principles. J. Comput. Secur. 17(5), 517–548 (2009)CrossRefGoogle Scholar
  24. 24.
    Santos, J.F., Rezk, T.: An information flow monitor-inlining compiler forsecuring a core of Javascript. In: 29th IFIP TC 11 International Conference on ICT Systems Security and Privacy Protection, SEC 2014 (2014)Google Scholar
  25. 25.
    Schmitz, T., Rhodes, D., Austin, T.H., Knowles, K., Flanagan, C.: Faceted dynamic information flow via control and data monads. In: Piessens, F., Viganò, L. (eds.) POST 2016. LNCS, vol. 9635, pp. 3–23. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49635-0_1 CrossRefGoogle Scholar
  26. 26.
    Vanhoef, M., Groef, W.D., Devriese, D., Piessens, F., Rezk, T.: Stateful declassification policies for event-driven programs. In: IEEE 27th Computer Security Foundations Symposium, CSF, pp. 293–307 (2014)Google Scholar
  27. 27.
    Zanarini, D., Jaskelioff, M., Russo, A.: Precise enforcement of confidentiality for reactive systems. In: IEEE 26th Computer Security Foundations Symposium, pp. 18–32 (2013)Google Scholar
  28. 28.
    Zdancewic, S.A.: Programming languages for information security. Ph.D. thesis, Cornell University (2002)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.Université Côte d’Azur, InriaSophia AntipolisFrance

Personalised recommendations