Robust declassification

  • Zdancewic S
  • Myers A
  • 33


    Mendeley users who have this article in their library.
  • 118


    Citations of this article.


Security properties based on information flow, such as noninterference, provide strong guarantees that confiden- tiality is maintained. However, programs often need to leak some amount of confidential information in order to serve their intended purpose, and thus violate noninterference. Real systems that control information flow often include mechanisms for downgrading or declassifying information; however, declassification can easily result in the unexpected release of confidential information. This paper introduces a formal model of information flow in systems that include intentional information leaks and shows how to characterize what information leaks. Further, we define a notion of robustness for systems that in- clude information leaks introduced by declassification. Ro- bust systems have the property that an attacker is unable to exploit declassification channels to obtain more confiden- tial information than was intended to be released. We show that all systems satisfying a noninterference-like property are robust; for other systems, robustness involves a nontriv- ial interaction between confidentiality and integrity proper- ties. We expect this model to provide new tools for the char- acterization of information flow properties in the presence of intentional information leaks.

Get free article suggestions today

Mendeley saves you time finding and organizing research

Sign up here
Already have an account ?Sign in

Find this document


Cite this document

Choose a citation style from the tabs below

Save time finding and organizing research with Mendeley

Sign up for free