Principles of Secure Information Flow Analysis

In today's world of the Internet, the WorldWide Web, and Google, information is more accessible than ever before. An unfortunate corollary is that it is harder than ever to protect the privacy of sensitive information. In this paper, we explore a technique called secure information flow analysis. Suppose that some sensitive information is stored on a computer system. How can we prevent it from being leaked improperly? Probably the first approach that comes to mind is to limit access to the information, either by using some access control mechanism, or else by using encryption. These are important and useful approaches, of course, but they have a fundamental limitation—they can prevent information from being released, but they cannot prevent it from being propagated. If a program legitimately needs access to a piece of information, how can we be sure that it will not somehow leak the information improperly? Simply trusting the program is dangerous. We might try to monitor its output, but the program could easily disguise the information. Furthermore, after-the-fact detection is often too late. Consider for example a scenario involving e-filing of taxes. I might down-load a tax preparation program from some vendor to my home computer. I could use the program to prepare my tax return, entering my private financial information. The program might then send my tax return to the IRS electronically , encrypting it first to protect its confidentiality. But the program might also send billing information back to the vendor so that I could be charged for the use of the program. How can I be sure that this billing information does not covertly include my private financial information? The approach of secure information flow analysis involves performing a static analysis of the program with the goal of proving that it will not leak sensitive information. If the program passes the analysis, then it can be executed safely. This idea has a long history, going back to the pioneering work of the Dennings in the 1970s [9]. It has since been heavily studied, as can be seen from the survey by Sabelfeld and Myers [22], which cites about 150 papers. Our goal here is not to duplicate that survey, but instead to explain the