Security properties based on information flow, such as noninterference, provide strong guarantees that confidentiality is maintained. However, programs often need to leak some amount of confidential information in order to serve their intended purpose, and thus violate noninterference. Real systems that control information flow often include mechanisms for downgrading or declassifying information; however, declassification can easily result in the unexpected release of confidential information. This paper introduces a formal model of information flow in systems that include intentional information leaks and shows how to characterize what information leaks. Further, we define a notion of robustness for systems that include information leaks introduced by declassification. Robust systems have the property that an attacker is unable to exploit declassification channels to obtain more confidential information than was intended to be released. We show that all systems satisfying a noninterference-like property are robust; for other systems, robustness involves a nontrivial interaction between confidentiality and integrity properties. We expect this model to provide new tools for the characterization of information flow properties in the presence of intentional information leaks.
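The abstract's three points (declassification as a deliberate leak, robustness as the attacker being unable to widen that leak, and the observation that a system with no declassification is trivially robust) can be made concrete with a small labelled-value monitor. The code below is an added illustration, not the paper's model or any code from its authors: it assumes a two-point confidentiality lattice (LOW/HIGH), a two-point integrity lattice (TRUSTED/UNTRUSTED, where UNTRUSTED means the attacker may have influenced the value), a dynamic monitor rather than a static type system, and a simplified robustness rule, namely that `declassify` is permitted only when both the value being released and the control-flow context (pc) are TRUSTED. The salary table, approval flag and secret are constructed sample data. Two flawed programs show how an attacker-controlled key or an attacker-controlled branch condition turns a declassification of one intended value into a channel for arbitrary secrets; the same programs with the robustness check on are rejected, and a program with no declassification at all lets the attacker learn nothing however it is probed.

```python
"""Toy information-flow monitor illustrating declassification and robustness.

Values carry a (confidentiality, integrity) label.  The attacker supplies
UNTRUSTED inputs and observes the LOW output channel.  `declassify` is the
only way to lower confidentiality; the robustness check refuses it when the
released value, or the branch condition it sits under, is attacker-influenced.
Simplified dynamic enforcement for illustration; all data is constructed.
"""
from contextlib import contextmanager
from dataclasses import dataclass

LOW, HIGH = "low", "high"                     # confidentiality levels
TRUSTED, UNTRUSTED = "trusted", "untrusted"   # integrity levels

def lub(a, b):
    """Join of two (conf, integ) labels: secret if either is, untrusted if either is."""
    conf = HIGH if HIGH in (a[0], b[0]) else LOW
    integ = UNTRUSTED if UNTRUSTED in (a[1], b[1]) else TRUSTED
    return conf, integ

@dataclass(frozen=True)
class Labeled:
    value: object
    conf: str
    integ: str

    @property
    def label(self):
        return self.conf, self.integ

def eq(a: Labeled, b: Labeled) -> Labeled:
    return Labeled(a.value == b.value, *lub(a.label, b.label))

def index(table: Labeled, key: Labeled) -> Labeled:
    """table[key] depends on both operands, so the result inherits both labels."""
    return Labeled(table.value[key.value], *lub(table.label, key.label))

class ConfidentialityViolation(Exception):
    pass

class RobustnessViolation(Exception):
    pass

class Monitor:
    def __init__(self):
        self.pc = [(LOW, TRUSTED)]  # label of the enclosing control-flow context
        self.observed = []          # everything written to the attacker-visible channel

    @contextmanager
    def branch(self, cond: Labeled):
        """Run a branch on `cond`; the pc absorbs cond's label (implicit flows)."""
        self.pc.append(lub(self.pc[-1], cond.label))
        try:
            yield bool(cond.value)
        finally:
            self.pc.pop()

    def declassify(self, v: Labeled, robust: bool = True) -> Labeled:
        """Lower v to LOW confidentiality.  With robust=True, refuse if the attacker
        could have influenced either the value or the decision to release it."""
        if robust and UNTRUSTED in (v.integ, self.pc[-1][1]):
            raise RobustnessViolation("attacker-influenced declassification")
        return Labeled(v.value, LOW, v.integ)

    def output(self, v: Labeled) -> None:
        """Write to the LOW channel; a HIGH value or a HIGH pc would leak a secret."""
        if HIGH in (v.conf, self.pc[-1][0]):
            raise ConfidentialityViolation("secret would reach the public channel")
        self.observed.append(v.value)

SALARIES = {"alice": 120000, "bob": 95000, "carol": 143000}  # constructed secrets

def payroll_lookup(key: Labeled, robust: bool = True) -> list:
    """Intended release: one agreed row.  If the row key comes from the request
    (UNTRUSTED), the attacker chooses which secret gets declassified."""
    m = Monitor()
    table = Labeled(SALARIES, HIGH, TRUSTED)
    m.output(m.declassify(index(table, key), robust))
    return m.observed

def release_on_approval(approved: Labeled, robust: bool = True) -> list:
    """Intended release: the secret, but only after a trusted approval.  If the
    approval flag is attacker-controlled, the attacker decides when it leaks."""
    m = Monitor()
    secret = Labeled("launch-code-1234", HIGH, TRUSTED)
    with m.branch(approved) as taken:
        if taken:
            m.output(m.declassify(secret, robust))
    return m.observed

def guess_secret(guess: int) -> list:
    """No declassification anywhere: the noninterference-like case.  Probing
    with guesses yields nothing, because the implicit flow is blocked."""
    m = Monitor()
    secret = Labeled(42, HIGH, TRUSTED)
    with m.branch(eq(secret, Labeled(guess, LOW, UNTRUSTED))) as taken:
        if taken:
            m.output(Labeled("match", LOW, TRUSTED))
    return m.observed
```

Running `payroll_lookup(Labeled("carol", LOW, UNTRUSTED), robust=False)` hands the attacker Carol's salary even though only Bob's row was meant to be public; with the robustness check on, the same call is refused because the declassified value is UNTRUSTED, while `payroll_lookup(Labeled("bob", LOW, TRUSTED))` is allowed. `release_on_approval` shows the integrity of the pc mattering rather than the value: the secret itself is TRUSTED, but an UNTRUSTED approval flag lets the attacker trigger the release, which is exactly the confidentiality/integrity interaction the abstract points to. `guess_secret` never declassifies, so the monitor blocks the implicit flow on any probe and the attacker's input cannot change what it sees.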