Confidentiality Policies and Their Extraction from Programs

We examine a well known confidentiality requirement called noninterference and argue that manysystems do not meet this requirement despite maintaining the privacy of its users. We discussa weaker requirement called incident-insensitive noninterference that captures why these systemsmaintain the privacy of its users while possibly not satisfying noninterference. We extend thisrequirement to depend on dynamic information in a novel way. Lastly, we present a methodbased on model checking to extract from program source code the dynamic incident-insensitivenoninterference policy that the given program obeys. This research was partially sponsored by the Army Research Office through grant number DAAD19-02-1-0389(“Perpetually Available and Secure Information Systems”) to Carnegie Mellon University’s CyLab and by a generousgift from the Hewlett-Packard Corporation. The views and conclusions contained in this document are those ofthe authors and should not be interpreted as representing the official policies, either expressed or implied, of anysponsoring institution, the U.S. government, or any other entity.