Declassification with Explicit Reference Points

  • Alexander Lux
  • Heiko Mantel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5789)


Noninterference requires that public outputs of a program must be completely independent from secrets. While this ensures that secrets cannot be leaked, it is too restrictive for many applications. For instance, the output of a knowledge-based authentication mechanism needs to reveal whether an input matches the secret password. The research problem is to allow such exceptions without giving up too much. Though a number of solutions has been developed, the problem is not yet satisfactorily solved. In this article, we propose a framework to control what information is declassified. Our contributions include a policy language, a semantic characterization of information flow security, and a sound security type system. The main technical novelty is the explicit treatment of so called reference points, which allows us to offer substantially more flexible control of what is released than in existing approaches.


IEEE Computer Society Policy Language Security Policy Memory State Security Condition 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Goguen, J.A., Meseguer, J.: Security Policies and Security Models. In: 3rd IEEE Symposium on Security and Privacy, pp. 11–20. IEEE Computer Society Press, Los Alamitos (1982)Google Scholar
  2. 2.
    Mantel, H., Sands, D.: Controlled Declassification based on Intransitive Noninterference. In: Chin, W.-N. (ed.) APLAS 2004. LNCS, vol. 3302, pp. 129–145. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  3. 3.
    Sabelfeld, A., Sands, D.: Dimensions and Principles of Declassification. In: 18th IEEE Computer Security Foundations Workshop, pp. 255–269. IEEE Computer Society Press, Los Alamitos (2005)CrossRefGoogle Scholar
  4. 4.
    Sabelfeld, A., Myers, A.C.: A Model for Delimited Information Release. In: ISSS 2004, pp. 174–191. Springer, Heidelberg (2004)Google Scholar
  5. 5.
    Barthe, G., Cavadini, S., Rezk, T.: Tractable Enforcement of Declassification Policies. In: 21st IEEE Computer Security Foundations Symposium, pp. 83–97. IEEE, Los Alamitos (2008)Google Scholar
  6. 6.
    Bossi, A., Piazza, C., Rossi, S.: Compositional Information Flow Security for Concurrent Programs. Journal of Computer Security 15(3), 373–416 (2007)CrossRefGoogle Scholar
  7. 7.
    Mantel, H., Reinhard, A.: Controlling the What and Where of Declassification in Language-Based Security. In: De Nicola, R. (ed.) ESOP 2007. LNCS, vol. 4421, pp. 141–156. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  8. 8.
    Askarov, A., Sabelfeld, A.: Localized Delimited Release: Combining the What and Where Dimensions of Information Release. In: Workshop on Programming Languages and Analysis for Security, pp. 53–60. ACM Press, New York (2007)Google Scholar
  9. 9.
    Banerjee, A., Naumann, D.A., Rosenberg, S.: Expressive Declassification Policies and Modular Static Enforcement. In: 29th IEEE Symposium on Security and Privacy, pp. 339–353. IEEE Computer Society Press, Los Alamitos (2008)Google Scholar
  10. 10.
    Sabelfeld, A., Sands, D.: A Per Model of Secure Information Flow in Sequential Programs. In: Swierstra, S.D. (ed.) ESOP 1999. LNCS, vol. 1576, pp. 50–59. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  11. 11.
    Lux, A., Mantel, H.: Who Can Declassify? In: Degano, P., Guttman, J., Martinelli, F. (eds.) FAST 2008. LNCS, vol. 5491, pp. 35–49. Springer, Heidelberg (2009)Google Scholar
  12. 12.
    Askarov, A., Sabelfeld, A.: Gradual Release: Unifying Declassification, Encryption and Key Release Policies. In: 28th IEEE Symposium on Security and Privacy, pp. 207–221. IEEE Computer Society Press, Los Alamitos (2007)Google Scholar
  13. 13.
    Almeida Matos, A., Boudol, G.: On Declassification and the Non-Disclosure Policy. In: 18th IEEE Computer Security Foundations Workshop, pp. 226–240. IEEE Computer Society Press, Los Alamitos (2005)CrossRefGoogle Scholar
  14. 14.
    Broberg, N., Sands, D.: Flow Locks: Towards a Core Calculus for Dynamic Flow Policies. In: Sestoft, P. (ed.) ESOP 2006. LNCS, vol. 3924, pp. 180–196. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  15. 15.
    Myers, A.C., Liskov, B.: Protecting Privacy using the Decentralized Label Model. ACM Transactions on Software Engineering and Methodology 9(4), 410–442 (2000)CrossRefGoogle Scholar
  16. 16.
    Zdancewic, S., Myers, A.C.: Robust Declassification. In: 14th IEEE Computer Security Foundations Workshop, pp. 15–23. IEEE Computer Society Press, Los Alamitos (2001)Google Scholar
  17. 17.
    Askarov, A., Sabelfeld, A.: Tight Enforcement of Information-Release Policies for Dynamic Languages. In: 22nd IEEE Computer Security Foundations Symposium. IEEE Computer Society Press, Los Alamitos (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Alexander Lux
    • 1
  • Heiko Mantel
    • 1
  1. 1.Computer ScienceTU DarmstadtGermany

Personalised recommendations