Andrei Sabelfeld - From theory to practice of information flow control

Information flow control has been extensively studied for applications in traditional programming languages and for abstract models of communicating systems. Recently, information flow control has received more attention as a means to enforce data confidentiality and integrity for web applications. The web has high potential to leverage the promise of information flow control because of the necessity to control the propagation of information in tightly integrated web components that mix code from trusted and untrusted sources. These lectures overview information flow foundations, focusing on formalizing security policies for integrity, confidentiality and intentional information release (declassification), and present highlights of practical applications of information flow technology, where static and dynamic enforcement techniques are combined to track information flow in web applications.

Readings:

  • A. Sabelfeld and A. C. Myers. Language-Based Information-Flow Security. IEEE Journal on Selected Areas in Communications, 21(1):5-19, January 2003 (pdf).
  • A. Sabelfeld and D. Sands. Declassification: Dimensions and Principles. Journal of Computer Security, 17:5(517-548), IOS Press. Jan. 2009 (pdf).
  • D. Hedin and A. Sabelfeld. Information-Flow Security for a Core of JavaScript. In Proceedings of the IEEE Computer Security Foundations Symposium, Harvard University, Cambridge MA, June 25-27, 2012 (pdf).