A semantic approach to secure information ow

A classic problem in security is that of checking that a program has secure information ow. Informally, this problem is described as follows: Given a program with variables partitioned into two disjoint sets of “high-security” and “low-security” variables, check whether observations of the low-security variables reveal any information about the initial values of the high-security variables. Although the problem has been studied for serveral decades, most previous approaches have been syntactic in nature, often using type systems and compiler data ow analysis techniques to analyze program texts. This paper presents a considerably di erent approach to check secure information ow, based on a semantic characterization. A semantic approach has several desirable features. Firstly, it gives a more precise characterization of security than that provided by most previous approaches. Secondly, it applies to any programming constructs whose semantics are de nable; for instance, the introduction of nondeterminism and exceptions poses no additional problems. Thirdly, it can be used for reasoning about indirect leaking of information through variations in program behavior (e.g., whether or not the program terminates). Finally, it can be extended to the case where the highand low-security variables are de ned abstractly, as functions of actual program variables. The paper illustrates the use of the characterization with several examples and discusses how it can be applied in practice. c © 2000 Elsevier Science B.V. All rights reserved.