A Design for a Security-typed Language with Certi cate-based Declassi cation

This paper presents a calculus that supports informationow security policies and certi cate-based declassi cation. The decentralized label model and its downgrading mechanisms are concisely expressed in the polymorphic lambda calculus with subtyping (System F ). We prove a conditioned version of the noninterference theorem such that authorization for declassi cation is justi ed by digital certi cates from public-key infrastructures. Note to the reviewers: An earlier version of this paper appears in European Symposium on Programming (ESOP), 2005. The main di erence is that the present version (1) contains detailed inference rules and proofs, and (2) formalizes noninterference with xpoints and divergence, (3) implements and typechecks a distributed bank example in the monadic style. Stephen Tse ([email protected]) and Steve Zdancewic ([email protected]). Address: 3330 Walnut Street, CIS Graduate Program, University of Pennsylvania, Philadelphia, PA 19104, US. Phone: 215-898-8560, Fax: 215-898-0587.