Adedayo Adetoye
CSRG seminar on 27 November 2006 at 16:00, Room 245, School of Computer Science

Enforceable Secure Information Flow Policies

You have downloaded a useful software program to manage your financial investments. This program must connect to the Internet to get some of the information it requires to optimise your investment (say, it has to check share prices, interest rates, etc.). Now, this program has access to your private data (financial information, investments, etc.) and requires legitimate access to the Internet; how can you be sure that your data is not being stolen by this software? For example, the software might encode your investment plans in legitimate Internet messages and relay them to some attacker across the globe. The problem is that when software systems have access to confidential data, there is always the possibility that they might, deliberately or through bugs or malice, release sensitive information to unauthorised observers. Thus, a key question is whether we can control information flow in software systems.

A well understood notion of information flow control is noninterference, which disallows any information from being released to unauthorised observers. However, interesting software often has to reveal some information about secret data as part of its functionality (for example, password authentication and statistical analysis programs). Noninterference is too strong to be useful in such cases: we need a weaker notion, able to express deliberate information disclosure. The problem is then to ensure that partial information release, when allowed, cannot be exploited.

In this talk, I will present a semantics-based framework for deriving extensional information flow properties of programs, such that one may answer questions like: what may an attacker learn about secret program inputs by observing program output? I will also present an enforceable information flow policy framework, against which we can certify programs for secure information flow.
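The two ideas in the abstract, the extensional question "what may an observer learn about the secret input from the output?" and a policy that permits only a stated partial release, can be made concrete on finite input domains. The following is an added illustration written for this page; it is not the speaker's framework or any code from the talk. It models a program as a Python function `program(secret, public) -> output`, and a policy as a function `policy(secret, public)` naming the observation class the policy allows to be released (both names, and the small programs and domains, are constructed for the example). The knowledge an observer gains is the partition of the secret domain induced by the output; noninterference is the special case where that partition has a single block for every public input, and a program satisfies a policy exactly when its output depends on the secret only through the policy's observation class.

```python
"""Extensional information-flow checks over finite input domains (added example)."""
import math
from collections import defaultdict


def knowledge_partition(program, secrets, public):
    """Group the secrets by the output they produce for a fixed public input.

    Secrets in the same block are indistinguishable to an observer who sees
    only the output; the number of blocks is what the observer can learn.
    """
    blocks = defaultdict(set)
    for s in secrets:
        blocks[program(s, public)].add(s)
    return {out: frozenset(members) for out, members in blocks.items()}


def is_noninterfering(program, secrets, publics):
    """Noninterference: no public input lets the output separate two secrets."""
    return all(len(knowledge_partition(program, secrets, p)) == 1 for p in publics)


def leaked_bits(program, secrets, public):
    """Worst-case release in bits: log2 of the number of distinguishable blocks."""
    return math.log2(len(knowledge_partition(program, secrets, public)))


def satisfies_policy(program, policy, secrets, publics):
    """A program meets a release policy iff, for every public input, two secrets that
    the policy places in the same observation class always yield the same output.
    Equivalently, the output is a function of (policy(secret, public), public)."""
    for p in publics:
        seen = {}
        for s in secrets:
            cls = policy(s, p)
            out = program(s, p)
            if seen.setdefault(cls, out) != out:
                return False  # the program distinguishes secrets the policy says it must not
    return True


# Constructed sample programs over a small secret domain.
def constant_program(secret, public):
    return public * 2           # ignores the secret entirely


def password_check(secret, guess):
    return secret == guess      # reveals one bit per query: equality with the guess


def parity_leak(secret, public):
    return secret % 2           # reveals the low bit of the secret


def leak_everything(secret, public):
    return secret               # the whole secret reaches the observer


# Constructed release policies: which observation class may be disclosed.
def no_release(secret, public):
    return 0                    # everything is one class: plain noninterference


def equality_with_guess(secret, guess):
    return secret == guess      # "you may learn whether the guess was right"


def parity_only(secret, public):
    return secret % 2


SECRETS = range(16)
PUBLICS = range(16)

if __name__ == "__main__":
    for prog in (constant_program, password_check, parity_leak, leak_everything):
        print(prog.__name__, "noninterfering:", is_noninterfering(prog, SECRETS, PUBLICS),
              "bits leaked for public=3:", leaked_bits(prog, SECRETS, 3))
    print("password_check under equality policy:",
          satisfies_policy(password_check, equality_with_guess, SECRETS, PUBLICS))
    print("leak_everything under parity policy:",
          satisfies_policy(leak_everything, parity_only, SECRETS, PUBLICS))
```

The enumeration is exhaustive, so it is only practical for small domains, but it shows the shape of the question: the policy fixes an upper bound on the partition an observer may induce, and certification is a check that the program's partition is no finer than that bound.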