[Prev][Next][Index][Thread]

Paper announcement: Language-Based Information-Flow Security



We would like to announce the availability of a survey paper on
language-based techniques for the specification and enforcement
of confidentiality properties. The paper is to appear in IEEE
Journal on Selected Areas in Communication.

             Language-Based Information-Flow Security

             Andrei Sabelfeld         Andrew C. Myers

   Current standard security practices do not provide substantial
   assurance that the end-to-end behavior of a computing system
   satisfies important security policies such as confidentiality.  An
   end-to-end confidentiality policy might assert that secret input
   data cannot be inferred by an attacker through the attacker's
   observations of system output; this policy regulates information
   flow.

   Conventional security mechanisms such as access control and
   encryption do not directly address the enforcement of
   information-flow policies. Recently, a promising new approach has
   been developed: the use of programming-language techniques for
   specifying and enforcing information-flow policies.  In this article
   we survey the past three decades of research on information-flow
   security, particularly focusing on work that uses static program
   analysis to enforce information-flow policies.  We give a structured
   view of recent work in the area and identify some important open
   challenges.

   Keywords: Computer security, confidentiality, information flow,
   noninterference, security-type systems, covert channels,
   security policies, concurrency.

Paper available via
http://www.cs.cornell.edu/~andrei/Papers/jsac.ps
http://www.cs.cornell.edu/~andrei/Papers/jsac.pdf

BibTeX file with references made in the survey available via
http://www.cs.cornell.edu/~andrei/Papers/lang-inflow.bib

Comments and suggestions are most welcome.

Best wishes,
Andrei Sabelfeld and Andrew C. Myers