Information flow in a distributed security setting
aa r X i v : . [ c s . P L ] J a n INFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING
ANA ALMEIDA MATOS AND JAN CEDERQUISTInstituto de Telecomunica¸c˜oes (SQIG) and Instituto Superior T´ecnico, Lisbon, Portugal e-mail address : [email protected] de Telecomunica¸c˜oes (SQIG) and Instituto Superior T´ecnico, Lisbon, Portugal e-mail address : [email protected]
Abstract.
Information flow security is classically formulated in terms of the absence ofillegal information flows, with respect to a security setting consisting of a single flow policythat specifies what information flows should be permitted in the system. However, thissecurity model does not suit scenarios of distributed and mobile computing where securitypolicies are decentralized and distinct policies might simultaneously apply to differentparts of a program depending on their dynamically changing location. The challenge ofmanaging compliance to heterogeneous security policies is further fledged when migratingprograms conform to varying policies at different points of their executions, as in whendeclassification must be performed.We investigate the security issues that emerge in distributed security settings , whereeach computation domain establishes its own local security policy, and where programsmay exhibit location-dependent behavior. In particular, we study the interplay betweentwo distinct flow policy layers : the declared flow policy , established by the program itself,and the allowed flow policy , established externally to the program by each computationdomain. We refine two security properties that articulate how the behaviors of programscomply to the respective flow policies:
Distributed Non-disclosure , for enabling programsto declare locally scoped flow policies; and
Flow Policy Confinement , for controlling theflow policies that are declared by programs.We present enforcement mechanisms that are based on type and effect systems, rangingfrom purely static mechanisms to hybrid combinations with dynamic migration control, forenforcing the above properties on an expressive ML-like language with concurrent threadsand code migration, and which includes an allowed flow policy construct that dynamicallytests the allowed flow policy of the current context.Finally, we show that the combination of the above two properties guarantees thatactual information flows do not violate the relevant allowed flow policies. To this endwe propose and use the
Distributed Non-Interference property, a natural generalization ofNon-Interference to a distributed security setting that ensures that information flows in aprogram respect the allowed flow policy of the domains where they originate.Received by the editors empty.
Key words and phrases: distributed security setting, information flow, declassification, code mobility,flow policy, distributed non-interference, migration control, global computing.Partially funded by FCT within Project Elven (POCI-01-0145-FEDER-016844), Project 9471 - Refor¸car aInvestiga¸c˜ao, o Desenvolvimento Tecnol´ogico e a Inova¸c˜ao (Project 9471-RIDTI) and by Fundo Comunit´arioEuropeu FEDER. The first author is also partially funded by FCT within Project DeDuCe (PTDC/CCI-COM/32166/2017).
LOGICAL METHODSIN COMPUTER SCIENCE DOI:10.2168/LMCS-??? c (cid:13)
A. Almeida Matos and J. CederquistCreative Commons Introduction
Crucial services of today’s societies, such as health care, energy, communication, trans-portation, finance, security and defense are increasingly supported by and dependent ofthe well-functioning of interconnected networks of computing devices that can be seen asa cyber ecosystem [US 11]. At the same time, the impact of cyber attacks is continuouslyescalating, having become increasingly frequent and widespread, now holding an unprece-dented potential for damage. Indeed, the new possibilities offered by existing distributedcomputing technologies are exploited by parties with hazardous intentions, by means of pro-grams that are able to automatically propagate throughout computation sites, persistentlyoccupy those sites, and set up communication pathways for conducting cyber attacks in aconcerted manner. In other words, they utilize the global computing paradigm, and mustbe tackled using mechanisms that act with at least the same level of sophistication [US 11].The present paper proposes to contribute to this goal by setting the distributed securityproblem in terms of global computing concepts, by means of mechanisms drawn from lan-guage based security.Access control serves a crucial role in cyber-security, by ensuring that access to computerresources is only granted to subjects that hold the required clearances. However, it doesnot offer the necessary refinement for controlling how programs manipulate the informationthat is held by a resource once access to it is granted.
Information flow security regardsthe control of illegal flows of information across resources of different security levels duringprogram execution, such as the prevention of confidentiality violations that are entailedby flows from private to publicly available resources. This kind of program behavior isestablished by means of dependencies that are encoded in programs, and can be detected byemploying information flow analyses. The language-based approach to security has placed alot of attention on the study of information flow properties and enforcement mechanisms ina variety of programming paradigms [SM03]. Information flow properties range in strictnessfrom pure absence of information leaks, known as Non-interference [GM82], to more flexibleproperties that allow for declassification to take place in a controlled manner [SS05].
Distributed security setting.
The specification of information flow policies , or what informa-tion flows should be permitted during program execution [BvDS15], is classically formulatedin terms of a single security setting consisting of a security labeling, that assigns securitylevels to programming language information resources, and a security lattice, that orderssecurity levels according to their degree of confidentiality and/or integrity [Den76]. How-ever, in the context of distributed and mobile computing, security policies are decentralized,and distinct policies might simultaneously apply to different parts of a program depend-ing on their location. Enforcement of confidentiality in networks must therefore deal withdistributed security policies, since different computation domains (or sites ) follow differentsecurity orientations. This issue is particularly challenging when migrating programs aregiven the flexibility to perform declassifying operations, as these might be acceptable or notdepending on the policy of the thread’s current computation domain. For example, migrat-ing programs that were conceived to comply to certain security policies do not necessarilyrespect those of the computational locations they might end up executing at. Furthermore,when programs consist of more than one thread running concurrently, the same programmight need to comply to more than one security policy simultaneously. This problem seemsto be beyond the grasp of single program constructs that can restrict by whom, when, what,
NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 3 or where in the program declassification can be performed [SS05], since here the questionis: in which context?
So far, most studies of declassification have been directed towards local computationscenarios, thus overlooking security issues that result from heterogeneous security require-ments. In order to study this problem, we consider as a starting point a distributed securitysetting where each computation domain establishes its own local flow policy in the formof a security lattice. More precisely, we consider a refinement of the notion of flow pol-icy, and study the compliance of programs, consisting of one or more migrating threads,to two distinct information flow policy layers : the declared flow policy , established by theprogram itself, representing a specification mechanism for enabling declassification; the al-lowed flow policy , established externally to the program by each computation domain, asan actual boundary on information leaks that are performed by programs. During compu-tation, both of these flow policies can change dynamically. While the former is changed viadeclassification declarations, the latter is changed via program migrations.
Flow policy awareness.
At the programming language level, we assume that intention to per-form declassification is expressed by means of a purely declarative declassification-enablingconstruct, while inspection of the relevant allowed flow policies is facilitated by means of aflow policy context testing construct that provides the programmer with flow policy aware-ness. Let us take a closer look at the concrete programming constructs that are consideredin this paper for these roles.In order to enable local dynamic changes to the valid flow policy, the programminglanguage may be enriched with a flow declaration construct (flow F in M ) that simplydeclares the flow policy F as valid in its scope M . It is then easy to declare more flexibleflow policy environments for delimited blocks of code, as for instance the part of a programthat is executed by authenticated users:(if authenticated then (flow F permissive in M ) else N ) (1.1)This program declares that flows in M conform to a policy that is extended by F permissive .In other words, M may contain declassifications that comply to F permissive .At the moment that a program is written, it might be hard to anticipate which flowpolicies will be imposed at execution time by the domains where the program will run.In a distributed context with code mobility, the problem becomes more acute, since thecomputation site might change during execution, along with the allowed flow policy withwhich the program must comply. In order to provide programs with some awareness re-garding the flow policy that is ruling in the current computation domain, we introduce the allowed-condition , written (allowed F then M else N ), that tests whether the flow policy F is allowed by the current domain and executes branches M or N accordingly. Programscan then offer alternative behaviors to be taken in case the domains they end up at do notallow declassifications of the kind they intended to perform:(allowed F disclose secret then M else plan B ) (1.2)The allowed-condition brings no guarantees that the plan B of the above program does notdisclose just as much as the M branch. However, misbehaving programs can be rejectedby the domains where they would migrate, so its chances of being allowed to execute areincreased by covering portions of code containing declassifications with appropriate allowed-conditions. A. ALMEIDA MATOS AND J. CEDERQUIST
When moving within a distributed security setting, the allowed-condition makes pro-gram behavior depend on location. As a consequence, new information flows can be encodedusing this language construct, and give rise to a form of illegal flow known as migrationleak , where a program’s location is leaked [AC11].
Modular security properties and enforcement mechanisms.
Separating the problems of declar-ing and of controlling declassification enables the decomposition of security requirementsinto specialized properties that can be defined and enforced independently. Here we treatthe former as an information flow control problem, in the frame of the non-disclosure prop-erty [AB09], while the latter is isolated as the problem of ensuring that declassifications thatare performed by mobile code respect the flow policy that is allowed at the computationdomain where they are performed.The non-disclosure property can be seen as a generalization of Non-interference. It usesinformation provided by the program semantics describing which flow policies are valid atdifferent points of the computation, to ensure that, at each step, all information flows complywith the declared flow policy. The property serves to guarantee consistency between thedeclared flow policies and the actual flows that programs perform. It does not impose anylimit on the usage of declarations. The imposition of one or more levels of control can betreated as an independent problem.Enforcing compliance of declassifications with allowed flow policies of computation do-mains raises new challenges when code moves in a distributed security setting. For instance,a computation domain d might want to impose a limit to the flexibility of the flow declara-tions that it executes, and prevent incoming code from containing:(flow F all is allowed in M ) (1.3)In the above example, the flow declaration validates any declassifications that might occurin M , regardless of what is considered acceptable by d . However, in order to reason aboutwhether this declaration is acceptable, it is necessary to take into consideration what arethe security policies of the domains where this code might run. We formulate the problemof ensuring that programs’ threads can only declare declassifications that comply with theallowed flow policy of the domain where they are performed in terms of confinement withrespect to an allowed flow policy. This property is not concerned with the actual leaks thatare taking place, but only with the declared intentions of enabling a declassification.To sum up, two security properties that articulate the compliance of program behaviorto the respective flow policies are studied in this paper:(1) Distributed Non-disclosure , which requires information leaks that are encoded byprograms to respect the declared flow policies of the context in which they areexecuting, in a language that includes a notion of locality, migration capabilitiesand location-dependent behavior. This property is intended as a tool for enabling the programmer to introduce declassification in the program.(2)
Flow Policy Confinement requires that declassifications that are used by programsrespect the allowed flow policy of the context in which they execute. This propertyformalizes a simple form of declassification control .Both properties can be enforced statically by means of a type and effect system. However,the latter depends on the allowed flow policies of each domain that the program mightmigrate to. This motivates the proposal to shift part of the burden of the declassificationcontrol to runtime, in order to improve efficiency and precision of the mechanism. We
NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 5 argue for this shift by presenting mechanisms, centered on migration control, that rangefrom purely static to hybrid combinations with dynamic features.
Declassification control as migration control.
The problem of controlling the use of declassi-fication across a distributed security setting can be reduced to a migration control problem,by preventing programs from migrating to sites if they would potentially violate that site’sallowed flow policy. To achieve this, domains must be able to check incoming code againsttheir own allowed flow policies, ideally assisted by certificates that are carried by the pro-gram, and then decide upon whether those programs should be let in. We thus addressthe technical problem of inferring what are the flexible flow policies that a program mightset up for its own executions. A certificate could consist of information about all the flowpolicies that are declared in the program and are not validated by the allowed-branch of anallowed-condition. We call this flow policy the declassification effect of the program. Then,while the program (allowed F then M else (flow F in N )) (1.4)would have a declassification effect that includes F – meaning that it should only be allowedto run in domains where F is allowed –, the program(allowed F then (flow F in M ) else N ) (1.5)(assuming that M and N have no flow declarations) would have an empty declassificationeffect – meaning that it could be safely allowed to run in any domain.We propose an efficient hybrid mechanism based on statically annotating programs withthe declassification effect of migrating code. This is done by means of an informative typeand effect pre-processing of the program, and is used for supporting runtime decisions. Semantic Validation.
The coherence of the above properties should be supported by showingthat combining Distributed Non-disclosure and Flow Policy Confinement has the intendedmeaning. Ultimately, it is desirable to establish the absence of illegal information flowsfor programs that satisfy both properties. In the presence of a single global allowed flowpolicy, this amounts to classic Non-interference. However, in a distributed security setting,it is necessary to accommodate the reality of that distributed and mobile programs mustobey different security settings at different points of their computation, depending on theirlocation. This raises the question of what are the relevant allowed flow policies that theactual information flows should comply to, in order to be legal. More concretely, whichsite or sites should have a say on the legality of flows performed by a thread that, duringcomputation, reads and writes to resources as it migrates between different sites? Weargue that confidentiality of information that is read at a certain site should be preservedaccording to that site’s allowed flow policy. This idea leads to what we propose as thenatural generalization of Non-interference to a distributed security setting, which we call
Distributed Non-interference property, that ensures that propagation of information respectsthe allowed flow policy of the domains where the information originates.This paper proposes a generalized definition of Non-interference that accommodatesthe reality of that distributed and mobile programs must obey different security settingsat different points of their computation, depending on their location. It is formalized for asimple and general network model where computation domains are units of abstract allowedinformation flow policies.
A. ALMEIDA MATOS AND J. CEDERQUIST
Contributions.
This paper presents a simple language-based framework for studying infor-mation flow security in distributed security settings in the presence of code mobility. In thismodel, computation domains are units of allowed flow policies , which have a scope that islocal to each domain. While the formulation of the security properties is largely language-independent, a concrete language is defined and considered for the purpose of examples andas a target to the proposed enforcement mechanisms. It consists of an expressive distributedhigher-order imperative lambda-calculus with remote thread creation. The latter languagefeature implies in particular that programs might need to comply to more than one dy-namically changing allowed flow policy simultaneously. The main technical contributionsare:(1) A new programming construct (allowed F then M else N ) that tests the flexibilityof the allowed flow policy imposed by the domain where it is currently located andcan act accordingly.(2) A refinement of the Non-disclosure for Networks property [AC11] that is more suit-able for settings where migration is subjective (i.e., cannot be induced by externalthreads), called Distributed Non-disclosure .(3) A new security property, named Flow Policy Confinement , that regards the com-pliance of declassification operations that are performed by programs to the validallowed flow policies where they take place.(4) A comparative study of three enforcement mechanisms for flow policy confinementin the form of migration control mechanisms for deciding whether or not certainprograms should be allowed to execute at each site. These are based on a type andeffect system, and differ on the emphasis that is placed on static and runtime effort:(a) A purely static type and effect system for enforcing flow policy confinement.(b) A type and effect system for checking migrating threads at runtime, that ismore precise than the one in point 4a.(c) A static-time informative pre-processing type and effect system for annotatingprograms with a declassification effect , for a more efficient and precise mecha-nism than the one in point 4b.(5) A new information flow property, named Distributed Non-interference, that natu-rally generalizes classical Non-interference to Distributed security settings.(6) A study of the semantic coherence between the proposed definition of distributedNon-interference and other relevant information flow properties, namely (local) Non-interference, Distributed Non-disclosure and Flow Policy Confinement.This paper revises, unifies and expands work that is presented in the conference arti-cles [Alm09], [AC13], and part of [AC14]. Proofs that make use of techniques that arenot novel to this paper are omitted for space reasons, but are available in the Appendix forconvenience of the reviewer.
Outline of the paper.
We start by defining the formal security and language setting of the pa-per (Section 2). Two main sections follow, dedicated to the security analyses of DistributedNon-disclosure (Section 3) and Flow Policy Confinement (Section 4). In each, the formalproperties are proposed (Subsections 3.1 and 4.1), enforcement mechanisms are presented(Subsections 3.2 and 4.2 to 4.4), and their soundness is proved. In the latter, we study the The new designation for the property highlights the fact that it is intended for distributed securitysettings, independently of whether the underlying memory and communication model is closer to that of afull-fledged network, or is reduced to simply logically distributed computation domains.
NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 7 efficiency and precision of three type and effect-based mechanisms for enforcing confine-ment by means of migration control, that place different weight over static and run time.We then propose a definition of Distributed Non-interference against which we verify thesemantic coherence between the proposed and other relevant information flow properties,namely (local) Non-interference, Distributed Non-disclosure and Flow Policy Confinement(Section 5). Finally we discuss related work (Section 6) and conclude (Section 7).2.
Distributed Security Setting
Security Setting.
We adopt the classic representation of a security policy as a securitylattice of security levels [Den76], corresponding to security clearances, such as read-accessrights. The lattice defines a flow relation between security levels which determines theirrelative degree of confidentiality. Security levels can then be associated to observable infor-mation holders in the programming language by means of a security labeling , which mapsresources to security levels. Hence, a security lattice represents a baseline information flowpolicy , establishing that information pertaining to resources labeled with l can be legallytransferred to resources labeled with l only if l is at least as confidential as l accordingto the lattice. Other flow policies, which enable additional legal flow directions betweensecurity levels, can be seen as relaxations of the baseline policy. Such flow policies canbe formalized as downward closure operators that collapse security levels of the baselinesecurity lattice into lower ones [AF12].2.1.1. Abstract requirements.Baseline lattice of security levels.
Security levels l, j, k ∈ Lev are assumed to be structuredaccording to their confidentiality by means of an abstract lattice L = h Lev , ⊑ , ⊓ , ⊔ , ⊤ , ⊥i ,where: the partial-order ⊑ , when relating two security levels l , l as l ⊑ l , means that l is at least as confidential as l ; the meet operation ⊓ gives, for any two security levels l , l ,the most confidential security level that is at least as permissive as both l and l ; the joinoperation ⊔ gives, for any two security levels l , l , the least confidential security level thatis at least as restrictive as both l and l ; the highest confidential security level ⊤ is themost restrictive one; and the lowest confidential level ⊥ is the most permissive one.The information flow policy that is represented by the baseline security lattice L assertsas legal those flows that respect the baseline flow relation ⊑ , since when information flowsfrom l to l , its original confidentiality requirements are preserved. Relaxed lattice of security levels.
A downward closure operator on a baseline lattice L = h Lev , ⊑ , ⊓ , ⊔ , ⊤ , ⊥i , is an operator F : Lev → Lev that is monotone, idempotent andrestrictive (for every level l ∈ Lev , F ( l ) ⊑ l ). The image of a downward closure operator F , equipped with the same order relation as L , is a sub-lattice of L , denoted by F ( L ) = h F ( Lev ) , ⊑ F , ⊓ F , ⊔ F , ⊤ F , ⊥ F i , where, for every two security levels l , l ∈ F ( Lev ), and setof security levels I ⊆ F ( Lev ), we have that (i) l ⊑ F l if l ⊑ l ; (ii) ⊓ F I = F ( ⊓ I );(iii) ⊔ F I = ⊔ I ; (iv) ⊤ F = F ( ⊤ ); and (v) ⊥ F = ⊥ .The new more general flow relation ⊑ F that is determined by the flow policy F nowenables the information flows that are allowed by F . A. ALMEIDA MATOS AND J. CEDERQUIST
Lattice of flow policies.
Flow policies
A, F ∈ Flo can be ordered according to their per-missiveness by means of a permissiveness relation , where F F means that F is atleast as permissive as F . We assume an abstract lattice of flow policies that supports apseudo-subtraction operation h Flo , , f , g , ℧ , Ω , ⌣ i , where: the meet operation f gives,for any two flow policies F , F , the strictest policy that allows for both F and F ; thejoin operation g gives, for any two flow policies F , F , the most permissive policy thatonly allows what both F and F allow; the most restrictive flow policy ℧ does not allowany information flows; and the most permissive flow policy Ω that allows all informationflows. Finally, the pseudo-subtraction operation ⌣ between two flow policies F and F represents the most permissive policy that allows everything that is allowed by the first( F ), while excluding all that is allowed by the second ( F ); it is defined as the relativepseudo-complement of F with respect to F , i.e. the greatest F such that F f F F .The lattice of flow policies can be achieved using downward closure operators. Giventhe lattice L , the set of all downward closure operators on Lev form a lattice h Flo , , f , g , ℧ , Ω , ⌣ i , where: (i) F F ⇔ ∀ l ∈ Lev .F ( l ) ⊑ F ( l ); (ii) ( f K )( l ) = l if ∀ F ∈ K.F ( l ) = l ; (iii) ( g K )( l ) = ⊔{ F ( l ) k F ∈ K } ; (iv) ℧ ( l ) = ⊥ ; and (v) Ω( l ) = l ,This lattice can be interpreted as a lattice of relaxations of the original security setting.2.1.2. Concrete example.
The following concrete security setting meets the abstract require-ments defined above and provides helpful intuitions.
Baseline lattice of security levels.
The security levels are the subsets of the principals, l ⊆ Pri , similar to read-access lists. In this setting, security levels are ordered by means of theflow relation ⊇ . Lattice of flow policies.
Flow policies then consist of binary relations on
Pri , which canbe understood as representing additional directions in which information is allowed to flowbetween principals: a pair ( p, q ) ∈ F , most often written p ≺ q , is to be understood as“information may flow from p to q ”. New more permissive security lattices are obtained bycollapsing security levels into possibly lower ones, by closing them with respect to the validflow policy. Writing F F means that F allows flows between at least as many pairsof principals as F . The relation is here defined as F F iff F ⊆ F ∗ (where F ∗ denotesthe reflexive and transitive closure of F ): The meet operation is then defined as f = ∪ ,the join operation is defined as F g F = F ∗ ∩ F ∗ , the top flow policy is given by ℧ = ∅ ,the bottom flow policy is given by Ω = Pri × Pri , and the pseudo-subtraction operationis given by ⌣ = − (set subtraction). Relaxed lattice of security levels.
In order to define ⊑ F we use the notion of F - upwardclosure of a security level l , defined as l ↑ F = { q | ∃ p ∈ l. p F ∗ q } . The F -upward closure of l contains all the principals that are allowed by the policy F to read information labeled l .A more permissive flow relation can now be derived as follows [ML98, AB09]: l ⊑ F l ⇔ ∀ q ∈ l . ∃ p ∈ l : p F ∗ q ⇔ ( l ↑ F ) ⊇ ( l ↑ F )Furthermore, l ⊓ F l = l ∪ l and l ⊔ F l = ( l ↑ F ) ∩ ( l ↑ F ), ⊤ F = ∅ and ⊥ F = Pri . This operation is used for refining the static analysis of the policy-testing construct, and is not a re-quirement of the security properties that are studied here.
NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 9
Security Levels l, j ∈ Lev
Reference Names a, b ∈ Ref
Flow Policies
A, F ∈ Flo
Thread Names m, n ∈ Nam
Types τ, σ, θ ∈ Typ
Domain Names d ∈ Dom
Values V ∈ Val
Expressions
M, N ∈ Exp
Figure 1: Syntax of basic elements of the languageNotice that ⊑ F extends ⊇ in the sense that ⊑ F is larger than ⊇ and that ⊑ ∅ = ⊇ . Inother words, for the base security lattice (where the flow policy parameter is ℧ ), the flowrelation coincides with reverse inclusion of security levels, while the join operator is simplygiven by ⊔ ∅ = ∩ .2.2. Language Setting.
We now present the basic language requirements to which thetechnical developments of this paper apply. We then define a concrete instance of thelanguage that suits these requirements. It will be used for providing illustrative examples,and as a target for the enforcement mechanisms.2.2.1.
Abstract requirements. Networks are flat juxtapositions of domains , each hostingthe execution of a pool of threads under the governance of a local allowed flow policy.Information is associated to globally accessible references, which are information holdersfor values of a designated type. As threads can move between computation domains duringtheir execution, their location, or current domain, also carries information.The basic elements of the language are summarized in Figure 1. The names of references,threads and domains are drawn from disjoint countable sets a, b ∈ Ref , m, n ∈ Nam , and d ∈ Dom = ∅ , respectively. As mentioned in Subsection 2.1, security levels are associatedto information holders by means of security labelings. We define two labelings: • A reference labeling Σ :
Ref → Lev × Typ , whose left projection Σ : Ref → Lev corresponds to the usual reference security labeling that assigns security levels toreferences, and whose right projection Σ : Ref → Typ corresponds to the typelabeling that determines the type of values that can be assigned to each reference. • A thread security labeling Υ :
Nam → Lev , that assigns security levels to threadnames. This mapping represents the security level of the knowledge of the positionof a thread in the network.The security labelings are used in the security analysis that is performed in Section 3.In the context of examples, the mapping between reference or thread names and theircorresponding security annotations and types may be informally denoted as subscript ofnames.
Threads consist of named expressions (drawn from
Exp ) and run concurrently in pools P : Nam → Exp , which are mappings from thread names to expressions. Threads aredenoted by M m ∈ Exp × Nam , and pools are denoted as sets of threads.
Stores S : Ref → Val , or memories map reference names to values.
Position-trackers T : Nam → Dom , We adopt, from the global computing community, the term networks to designate an interconnectedstructure of computation domains , which consist of hosts where a number of processes compute over resources. map thread names to domain names, and are used to keep track of the locations of threads inthe network. The pool P containing all the threads in the network, the position tracker T that keeps track of their positions, and the store S containing all the references in thenetwork, form configurations h P, T, S i , over which the evaluation relation is defined inthe next subsection. We refer to the pairs h S, T i as states , and pairs h P, T i as threadconfigurations . The flow policies that are allowed by each domain are kept by the allowed-policy mapping W : Dom → Flo from domain names to flow policies.The following basic notations are useful for defining properties and modifications tothe elements of configurations. For a mapping Z , we define dom( Z ) as the domain of agiven mapping Z . We say a name is fresh in Z if it does not occur in dom( Z ). Givenan expression M , we denote by rn( M ) and dn( M ) the set of reference and domain names,respectively, that occur in M . This notation is extended in the obvious way to pools ofthreads. We let fv( M ) be the set of variables occurring free in M . We restrict our attentionto well formed configurations h P, T, S i satisfying the conditions that rn( P ) ⊆ dom( S ), thatdn( P ) ⊆ dom( W ), that dom( P ) ⊆ dom( T ), and that, for every a ∈ dom( S ), rn( S ( a )) ⊆ dom( S ) and dn( S ( a )) ⊆ dom( W ). We denote by { x X } M the capture-avoiding substi-tution of the pseudo-value X for the free occurrences of x in M . The operation of addingor updating the image of an object z to z ′ in a mapping Z is denoted [ z := z ′ ] Z .The ‘ W ⊢ Σ , Υ ’ turnstile gives a security context to the definition of the semantics,making explicit the allowed flow policy of each domain in the network, and the valid referenceand thread labelings. These parameters are fixed, and are not central do this study, so theyare omitted in the rest of the paper, written simply ‘ W ⊢ ’. The reduction relation is atransition relation between (well-formed) configurations d −→ F , which are decorated with thename of the domain d where each step is taking place and the flow policy F declared bythe evaluation context where they are performed. The semantics needs not depend on thisinformation, which is made available for the security analysis. The relation ։ denotes thereflexive closure of the transition relation d −→ F .2.2.2. Concrete object language.
The distributed language that we use is an imperativehigher-order λ -calculus with reference creation, where we include a flow policy declarationconstruct (for directly manipulating flow policies [AB09]) and the new flow policy testerconstruct that branches according to whether a certain flow policy is allowed in the pro-gram’s computing context, obtained by adding a notion of computing domain, to which weassociate an allowed flow policy, and a code migration primitive. Threads are also namedin order to keep track of their position in the network. Programs executing in differentdomains are subjected to different allowed flow policies – this is what distinguishes localcomputations from global computations, and is the main novelty in this language. Weopt for the simplest memory model, assuming memory to be shared by all programs andevery computation domain, in a transparent form. As we will see in Section 3, this al-lows us to focus on the effects of considering a distributed security setting, while avoidingsynchronization issues that are not central to this work. Syntax.
The syntax of expressions, ranged over by
M, N ∈ Exp , is defined in Figure 2. Itis based on an imperative higher order λ -calculus that includes declassification, a context-policy testing construct and remote thread creation. The values of the language are the nilcommand (), variables ranged over by x, y ∈ Var , function abstraction ( λx.M ), boolean
NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 11
Values V ::= () | x | ( λx.M ) | tt | ff | a Pseudo-values X ::= V | ( ̺x.X ) Expressions
M, N ::= X | ( M N ) | ( M ; N ) | (! N ) | ( M := N ) | (ref l,θ M ) | (if M then N t else N f ) | (flow F in M ) | (allowed F then N t else N f ) | (thread l M at d )Figure 2: Syntax of expressionsvalues tt and ff , and reference names. Pseudo-values ranged over by X , extend values toinclude recursion, provided by the ( ̺x.X ) construct. Other standard expressions are formedby function application ( M N ), sequential composition ( M ; N ), the dereferencing opera-tion (! M ), assignment ( M := N ), reference creation (ref l,θ M ) and conditional branching(if M then N t else N f ).Reference names are not associated to any security levels or types at the language level(in this aspect we depart from [Alm09]), and make use of the reference labeling Σ that isdefined in Subsection 2.2.1 only during the security analysis. Nevertheless, reference namescan be created at runtime, by a construct that is annotated with a type and security levelthat should be associated with the new reference.The new features of the language are the flow declaration and the allowed-condition.The flow declaration construct is written (flow F in M ), where M is executed in the contextof the current flow policy extended with F ; after termination the current flow policy isrestored, that is, the scope of F is M . The allowed-condition is similar to a standardboolean condition, with the difference that in (allowed F then N t else N f ) the branches N t or N f are executed according to whether or not F is allowed by the site’s allowed flowpolicy.The remote thread creator (thread l M at d ) spawns a new thread with security level l and expression M in domain d , to be executed concurrently with other threads at thatdomain. It functions as a migration construct when the new domain of the created threadis different from that of the parent thread. The security level l is the confidentiality levelthat is associated to the position of the thread in the network.The following example illustrates the usage of the non-standard constructs of the lan-guage:((thread H (allowed F H ≺ L then (flow F H ≺ L in ( x L := (! y H ))) else plan B ) at d )) (2.1)The program creates a remote thread at domain d , tests whether its allowed flow policy al-lows for the flows in F H ≺ L , which informally represents a flow policy that allows informationto flow from level H to level L , and executes the first or second branch accordingly Operational semantics.
In order to define the operational semantics, expressions are repre-sented using evaluation contexts , which specify a call-by-value evaluation order:E ::= [] | (E N ) | ( V E) | (E; N ) | (ref l,θ E) | (! E) | (E := N ) | ( V := E) | (if E then N t else N f ) | (flow F in E) We write E[ M ] to denote an expression where the sub-expression M is placed in the evalu-ation context E, obtained by replacing the occurrence of [] in E by M . The flow policy that W ⊢ h{ E[(( λx.M ) V )] m } , T, S i T ( m ) −−−→ ⌈ E ⌉ h{ E[ { x V } M ] m } , T, S i W ⊢ h{ E[(if tt then N t else N f )] m } , T, S i T ( m ) −−−→ ⌈ E ⌉ h{ E[ N t ] m } , T, S i W ⊢ h E[(if ff then N t else N f )] m } , T, S i T ( m ) −−−→ ⌈ E ⌉ h{ E[ N f ] m } , T, S i W ⊢ h{ E[( V ; N )] m } , T, S i T ( m ) −−−→ ⌈ E ⌉ h{ E[ N ] m } , T, S i W ⊢ h{ E[( ̺x.X )] m } , T, S i T ( m ) −−−→ ⌈ E ⌉ h{ E[( { x ( ̺x.X ) } X )] m } , T, S i W ⊢ h{ E[(flow F in V )] m } , T, S i T ( m ) −−−→ ⌈ E ⌉ h{ E[ V ] m } , T, S i W ⊢ h{ E[(! a )] m } , T, S i T ( m ) −−−→ ⌈ E ⌉ h{ E[ S ( a )] m } , T, S i W ⊢ h{ E[( a := V )] m } , T, S i T ( m ) −−−→ ⌈ E ⌉ h{ E[()] m } , T, [ a := V ] S i W ⊢ h{ E[(ref l,θ V )] m } , T, S i T ( m ) −−−→ ⌈ E ⌉ h{ E[ a ] m } , T, [ a := V ] S i , where a fresh in S and Σ( a ) = ( l, θ ) W ( T ( m )) FW ⊢ h{ E[(allowed F then N t else N f )] m } , T, S i T ( m ) −−−→ ⌈ E ⌉ h{ E[ N t ] m } , T, S i W ( T ( m )) FW ⊢ h{ E[(allowed F then N t else N f )] m } , T, S i T ( m ) −−−→ ⌈ E ⌉ h{ E[ N f ] m } , T, S i W ⊢ h{ E[(thread l N at d )] m } , T, S i T ( m ) −−−→ ⌈ E ⌉ h{ E[()] m , N n } , [ n := d ] T, S i , where n fresh in T and Υ( n ) = lW ⊢ h P, T, S i d −→ F h P ′ , T ′ , S ′ i h P ∪ Q, T, S i is well formed W ⊢ h P ∪ Q, T, S i d −→ F h P ′ ∪ Q, T ′ , S ′ i Figure 3: Operational semanticsis permitted by the evaluation context E is denoted by ⌈ E ⌉ . It is a lower bound to all theflow policies that are declared by the context: ⌈ [] ⌉ = ℧ ⌈ (flow F in E) ⌉ = F f ⌈ E ⌉ ⌈ E ′ [E] ⌉ = ⌈ E ⌉ when E ′ has no flow declarations The small step operational semantics of the language is defined in Figure 3. Most of therules are standard, except for the allowed-policy mapping W , that parameterizes all rules,and the domain name and flow policy that decorate the transitions. The W parameter isused only by the allowed-condition, to retrieve the allowed flow policy of the domain wherethe condition is executed. Notice that W is never changed. Furthermore, the semanticsdoes not depend on the flow policy that decorates the arrows. Thread names are used intwo situations: When a new thread is created, its new fresh name is added to the position-tracker, associated to the parameter domain. As with reference creation, the security levelthat is associated to the new thread does not influence the semantics, but is used later by the NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 13 security analysis. Thread names are also used when an allowed-condition is performed: thetested flow policy is compared to the allowed flow policy of the site where that particularthread is executing. The last rule establishes that the execution of a pool of threads iscompositional (up to the choice of new names).According to the chosen semantics, dereferencing and assigning to remote references canbe done transparently. In spite of this, since the allowed flow policies are distributed, thebehavior of a program fragment may differ on different machines. As an example, considerthe thread (allowed F then ( y L := 1) else ( y L := 2)) m (2.2)running in a network with domains d and d , where W ( d ) F but W ( d ) F . Thethread will perform different assignments depending on whether T ( m ) = d or T ( m ) = d .In Section 3 we show that these possible behaviors are distinguishable by an informationflow bisimulation relation. This distributed behavior occurs regardless of the chosen memorymodel.One can prove that the semantics preserves well-formedness of configurations, and thata configuration with a single thread has at most one transition, up to the choice of newnames. 3. Controlling Information Flow
As we have seen, the inclusion of the new allowed-condition construct in our programminglanguage has introduced subtle security issues. Indeed, even though the memory model thatwe consider is non-distributed, the allowed construct projects the distributed nature of thesecurity policies into location-dependent program behavior. In other words, the location ofa thread in the network becomes an information flow channel. It is then necessary to clarifywhat information flow dependencies are introduced by the construct, and to sort out whatinformation flows should be allowed or not.In this section we consider the problem of controlling information flow in a language thatincludes the new allowed-condition construct, in the context of a distributed security settingwith concurrent threads and code mobility. Information flows that violate the baselinesecurity policy should conform to declared intentions to perform declassification. To thisend, we define the
Distributed Non-disclosure property, and analyze the security behaviorof the new allowed-condition construct in light of the proposed property. We show that thenew formalization is more permissive and precise than
Non-disclosure for Networks [AC11],and argue for the suitability of the proposed formalization for settings where migrationis subjective (i.e., auto-induced), such as the present one. We present a type and effectsystem for enforcing the property over the concrete language of Subsection 2.2 and establishsoundness of the enforcement mechanism.3.1.
Distributed Non-disclosure.
Non-disclosure states that, at each computation stepperformed by a program, information flows respect the flow policy that is declared by theevaluation context where the step is performed. The property is naturally defined in termsof an information flow bisimulation [SS00, Smi01, BC02, FG95] on concurrent threads.At each execution point, the bisimulation relates the outcomes of each possible step thatis performed over states (stores) that are indistinguishable at a certain observation level,where the notion of indistinguishability is locally tuned to the flow policy that is currentlyvalid for that particular step [AB09]. Low-equality, the formalization of indistinguishability, is thus a crucial aspect of the definition of information flow bisimulations, and should reflectwhat are the observable resources at a given security level.As we will see towards the end of this section, in our setting the position of a thread inthe network can reveal information about the values in the memory. In other words, statesinclude other information holders which are also observable (besides the store), namely theposition of threads in the network. Low-equality must then be generalized accordingly inorder to relate states that include position trackers.
Low equality.
We define a notion of indistinguishability between states that are composedof a store S and a position tracker T , and is parameterized by the corresponding securitylabelings – a reference security labeling Σ and a thread security labeling Υ (for retrievingthe security levels of references and threads). Low-equality is defined relative to a given flowpolicy F and observation label l . Recall, from Sub-subsection 2.2.1, that the flow policy F can be used to determine the permissiveness of the flow relation. Intuitively, two stores aresaid to be low-equal at level l , with respect to a flow policy F , if they coincide in the valuesof all references whose security levels are lower or equal than l (according to F ). Similarly,two position trackers are said to be low-equal at level l , with respect to a flow policy F , ifthey coincide in the location of all thread names whose security levels are lower or equalthan l (according to F ). Low-equality between states is then defined point-wise on storesand position trackers: Definition 3.1 (Low-Equality) . Given a reference security labeling Σ and a thread securitylabeling Υ, low-equality with respect to a flow policy F and a security level l is definedbetween well-labelled stores, position-trackers and states as follows: • S = Σ , Υ F,l S , if { ( a, V ) | ( a, V ) ∈ S & Σ ( a ) ⊑ F l } = { ( a, V ) | ( a, V ) ∈ S & Σ ( a ) ⊑ F l }• T = Σ , Υ F,l T , if { ( n, d ) | ( n, d ) ∈ T & Υ( n ) ⊑ F l } = { ( n, d ) | ( n, d ) ∈ T & Υ( n ) ⊑ F l }• h T , S i = Σ , Υ F,l h T , S i , if S = Σ , Υ F,l S and T = Σ , Υ F,l T .This relation is transitive, reflexive and symmetric. In order to lighten the notation, theparameters Σ and Υ are omitted in the rest of the paper, written simply ‘= F,l ’. Store compatibility.
The language defined in Section 2.2 is a higher-order language, whereprograms can build and execute expressions using values stored in memory. For example,the expression ((! a ) ()) (3.1)can evolve into an insecure program when running on a memory that maps a reference a to a lambda-abstraction whose body consists of an insecure expression. In order to avoidconsidering all such programs insecure, it is necessary to make assumptions concerning thecontents of the memory. Here, memories are assumed to be compatible to the given securitysetting and typing environment, requiring typability of their contents with respect to thetype system that is defined in the next subsection (see Definition 3.6). The assumptionis used in the definition of bisimulation that follows (as well as in subsequent securitydefinitions). NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 15
Information flow Bisimulation.
Intuitively, if a program is shown to be related to itself bymeans of an information flow bisimulation, one can conclude that it has the same behaviorregardless of changes in the high part of the state. In other words, the high part of the statehas not interfered with the low part, i.e., no security leak has occurred. A secure programcan then be defined as one that is related to itself by an information flow bisimulation.Resetting the state arbitrarily at each step of the bisimulation game accounts for changesthat might be induced by threads that are external to the pools under consideration, thusenabling compositionality of the property.Given that we are considering a setting with subjective migration (i.e. only the threaditself can trigger its own migration), changes in the position of threads in a given poolcannot be induced externally to that pool. We can then focus on the behavior of threadswhen coupled with their possible locations in the network, and look at how the behavior ofthread configurations is affected by changes in the high part of the stores. Accordingly, thefollowing information flow bisimulation fixes the position tracker across the bisimulationsteps:
Definition 3.2 ( ≈ W, Σ , Υ , Γ l ) . Given a security level l , a ( W, Σ , Υ , Γ , l )-bisimulation is a sym-metric relation R on thread configurations that satisfies, for all P , T , P , T , and (Σ , Γ)-compatible stores S , S h P , T i R h P , T i and W ⊢ h P , T , S i d −→ F h P ′ , T ′ , S ′ i and h T , S i = F ,l h T , S i , with (dom( S ′ ) − dom( S )) ∩ dom( S ) = ∅ and (dom( T ′ ) − dom( T )) ∩ dom( T ) = ∅ impliesthat there exist P ′ , T ′ , S ′ such that: W ⊢ h P , T , S i ։ h P ′ , T ′ , S ′ i and h T ′ , S ′ i = ℧ ,l h T ′ , S ′ i and h P ′ , T ′ i R h P ′ , T ′ i Furthermore, S ′ , S ′ are still (Σ , Γ)-compatible. The largest ( W, Σ , Υ , Γ , l )-bisimulation, theunion of all such bisimulations, is denoted ≈ W, Σ , Υ , Γ l .In order to lighten the notation, the parameters Σ and Υ are omitted in the rest ofthe paper, written simply ‘ ≈ W, Γ l ’. For any Γ and l , the set of pairs of thread configurationswhere threads are values is an ( W, Γ , l )-bisimulation. Furthermore, the union of a family of( W, Γ , l )-bisimulations is a ( W, Γ , l )-bisimulation. Consequently, ≈ W, Γ l exists.We briefly recall intuitions that explain the above definition here, and refer the readerto [AC11] for more explanations. The reason why the above bisimulation potentially relatesmore programs than one for Non-interference is the stronger premise h T , S i = F,l h T , S i ,which assumes pairs of states that coincide to a greater extent, thus facilitating the repro-duction of the behavior by the opposite thread configuration. The absence of a condition onthe flow policy of the matching move for P enables all expressions without side-effects (suchas) to be bisimilar, independently of the flow policy that is declared by their evaluation con-texts. Clearly, the relation ≈ W, Γ l is not reflexive since, as only “secure” programs, as definednext, are bisimilar to themselves. For instance, the insecure expression ( b B := (! a A )) is notbisimilar to itself if A F B .We now present a new formalization of the non-disclosure property, defined over threadconfigurations, that is suitable for distributed settings. Definition 3.3 (Distributed Non-disclosure) . A pool of threads P satisfies the DistributedNon-disclosure property with respect to an allowed-policy mapping W , reference labelingΣ, thread labeling Υ and typing environment Γ, if it satisfies h P, T i ≈ W, Γ l h P, T i for all security levels l and position trackers T , T such that dom( P ) = dom( T ) = dom( T ) and T = ℧ ,l T . We then write P ∈ DN D ( W, Σ , Υ , Γ).Distributed Non-disclosure is compositional with respect to set union of pools of threads,up to disjoint naming of threads, and a subjective migration primitive.We are considering a simplistic memory model where all of the network’s memory isaccessible at all times by every process in the network. With this assumption we avoid migration leaks that derive from synchronization behaviors [AC11], but migration leaks canbe encoded nonetheless. The idea is that now a program can reveal information about theposition of a thread in a network by performing tests on the flow policy that is allowed bythat site.
Example 3.4 (Migration Leak) . In the following program, the new thread will be createdat (migrate to) domains d or d depending on the tested high value.if (! a H ) then (thread l (allowed F then ( b L := 1) else ( b L := 2)) at d )else (thread l (allowed F then ( b L := 1) else ( b L := 2)) at d ) (3.2)If the allowed flow policies of these domains differ on whether they allow F , different low-assignments are performed, thus revealing high level information. Therefore, the programis insecure with respect to Distributed Non-disclosure.It should be clear that this property concerns only the matching between flow declara-tions and the leaks that are encoded in the program. It does not restrict the usage of flowdeclarations. For example, (thread l (flow F in ( b := (! a ))) at d ) (3.3)always satisfies Distributed Non-disclosure when F = Ω, even though it violates the allowedflow policy of domain d if Σ ( a ) W ( d ) Σ ( b ). Comparison with Non-Disclosure for Networks.
The definition of Distributed Non-disclosureconsists of a technical refinement of the Non-Disclosure for Networks property [AC11].The main difference is that, while Non-Disclosure for Networks was defined over pools ofthreads, we now define Distributed Non-disclosure over thread configurations. This meansthat, when imposing restrictions on the behaviors of bisimilar pools of threads, the formerdefinition resets the state arbitrarily at each step of the bisimulation game. However, as wehave pointed out, in a context where migration is subjective, resetting the position trackerarbitrarily is unnecessary. In fact, it leads to a property that is overly restrictive. In thefollowing example, program M insec can be a direct leak that is not placed within a flowdeclaration: (thread l (allowed F then () else M insec ) at d ) (3.4)The above program is intuitively secure if W ( d ) F and insecure otherwise, as the bodyof the thread is known to be executed at domain d . This is reflected by Distributed Non-disclosure as proposed in Definition 3.3. However, it is considered insecure by the formerdefinition, as if the allowed-condition is executed over “fresh” thread configurations suchthat the thread is located at a domain where F is not allowed, then the branch with theillegal expression M insec would be executed. Another example of a secure program that isconsidered insecure according to the former definition, but not by Definition 3.3, is a variantof the one in Equation (3.2), where d = d , i.e. where the two branches are syntacticallyequal. NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 17 [ Nil ] Γ ⊢ Σ j,F () : s, unit [ BT ] Γ ⊢ Σ j,F tt : s, bool [ BF ] Γ ⊢ Σ j,F ff : s, bool [ Loc ] Γ ⊢ Σ j,F a : s, Σ ( a ) ref Σ ( a ) [ Var ] Γ , x : τ ⊢ Σ j,F x : s, τ [ Abs ] Γ , x : τ ⊢ Σ j,F M : s, σ Γ ⊢ Σ j ′ ,F ′ ( λx.M ) : s ′ , τ s −−→ j,F σ [ Rec ] Γ , x : τ ⊢ Σ j,F X : s, τ Γ ⊢ Σ j,F ( ̺x.X ) : s, τ [ App ] Γ ⊢ Σ j,F M : s, τ s ′ −−→ j,F σ Γ ⊢ Σ j,F N : s ′′ , τ s.t ⊑ F s ′′ .ws.r, s ′′ .r ⊑ F s ′ .w Γ ⊢ Σ j,F ( M N ) : s ⊔ s ′ ⊔ s ′′ ⊔ h⊥ , ⊤ , s.r ⊔ s ′′ .r i , σ [ Seq ] Γ ⊢ Σ j,F M : s, τ Γ ⊢ Σ j,F N : s ′ , σ s.t ⊑ F s ′ .w Γ ⊢ Σ j,F ( M ; N ) : s ⊔ s ′ , σ [ Ref ] Γ ⊢ Σ j,F M : s, θ s.r, s.t ⊑ F l Γ ⊢ Σ j,F (ref l,θ M ) : s ⊔ h⊥ , l, ⊥i , θ ref l [ Assign ] Γ ⊢ Σ j,F M : s, θ ref l Γ ⊢ Σ j,F N : s ′ , θ s.t ⊑ F s ′ .ws.r, s ′ .r ⊑ F l Γ ⊢ Σ j,F ( M := N ) : s ⊔ s ′ ⊔ h⊥ , l, ⊥i , unit [ Der ] Γ ⊢ Σ j,F M : s, θ ref l Γ ⊢ Σ j,F (! M ) : s ⊔ h l, ⊤ , ⊥i , θ [ Cond ] Γ ⊢ Σ j,F M : s, bool Γ ⊢ Σ j,F N t : s t , τ Γ ⊢ Σ j,F N f : s f , τ s.r ⊑ F s t .w, s f .w Γ ⊢ Σ j,F (if M then N t else N f ) : s ⊔ s t ⊔ s f ⊔ h⊥ , ⊤ , s.r i , τ [Allow] Γ ⊢ Σ j,F N t : s t , τ Γ ⊢ Σ j,F N f : s f , τ j ⊑ F s t .w, s f .w Γ ⊢ Σ j,F (allowed F ′ then N t else N f ) : s t ⊔ s f ⊔ h j, ⊤ , j i , τ [Flow] Γ ⊢ Σ j,F f F ′ N : s, τ Γ ⊢ Σ j,F (flow F ′ in N ) : s, τ [Mig] Γ ⊢ Σ l, ℧ M : s, unit Γ ⊢ Σ j,F (thread l M at d ′ ) : h⊥ , l ⊓ s.w, ⊥i , unit Figure 4: Type and effect system for checking Distributed Non-disclosureDistributed Non-disclosure of Definition 3.3 is strictly weaker than the thread pool-based Definition of Non-disclosure for Networks, in the sense that it considers more programsas secure. In order to formalize this result, we denote by
N DN ( W, Σ , Υ , Γ) the set of poolsof threads that satisfy the former definition:
Proposition 3.5.
N DN ( W, Σ , Υ , Γ) ⊂ DN D ( W, Σ , Υ , Γ) . Type and Effect System.
We now present a type and effect system [LG88] thataccepts programs that satisfy Distributed Non-disclosure, as defined in Sub-subsection 3.1.The typing judgments used in Figure 4 have the formΓ ⊢ Σ j,F M : s, τ meaning that the expression M is typable with type τ and security effect s in the typingcontext Γ : Var → Typ , which assigns types to variables. The turnstile has three parame-ters: (1) the reference labeling Σ; (2) the flow policy declared by the context F , representsthe one that is valid in the evaluation context in which the expression M is typed, andcontributes to the meaning of operations and relations on security levels. (3) the securitylevel j represents the confidentiality level associated to the thread that the expression M ispart of, i.e. the confidentiality level of the location of that thread in the network.The security effect s is composed of three security levels that are referred to by s.r , s.w and s.t (in this order), and can be understood as follows: s.r is the reading effect , an upper-bound on the security levels of the references that are read by M ; s.w is the writing effect ,a lower bound on the references that are written by M ; s.t is the termination effect , anupper bound on the level of the references on which the termination of expression M mightdepend. According to these intuitions, in the type system the reading and terminationlevels are composed in a covariant way, whereas the writing level is contravariant.Types have the following syntax ( t is a type variable): s ∈ Lev × Lev × Lev ::= h s.r, s.w, s.t i τ, σ, θ ∈ Typ ::= t | unit | bool | θ ref l | τ s −−→ j,F σ Typable expressions that reduce to () have type unit , and those that reduce to booleanshave type bool . Typable expressions that reduce to a reference which points to values oftype θ and has security level l have the reference type θ ref l . The security level l is usedto determine the effects of expressions that handle references. Expressions that reduce to afunction that takes a parameter of type τ , that returns an expression of type σ , and with a latent effect s [LG88] have the function type τ s −−→ j,F σ . The latent effect is the security effectof the body of the function, while the latent flow policies are those that are assumed to holdwhen the function is applied to an argument, and the latent security level j of the threadcontaining the expression that appears in the type of expressions that reduce to functions.We use a lattice on security effects, that is obtained from the point-wise compositionof three lattices of the security levels. More precisely: s ⊑ F s ′ def ⇔ s.r ⊑ F s ′ .r & s ′ .w ⊑ F s.w & s.t ⊑ F s ′ .ts ⊔ s ′ def ⇔ h s.r ⊔ s ′ .r, s.w ⊓ s ′ .w, s.t ⊔ s ′ .t i ⊤ = h⊤ , ⊥ , ⊤i ⊥ = h⊥ , ⊤ , ⊥i Our type and effect system applies restrictions to programs in order to enforce compli-ance of all information flows to the flow policy that is declared by each context. This isachieved by parameterizing the flow relation ⊑ F with the flow policy F that parameterizesthe typing judgments. The flow policy is updated by the rule Flow , which allows to typethe body of the flow declaration in a more permissive way. Apart from the parameterizationof the flow relation with the current flow policy, the conditions imposed in the premises,and the update of the security effects in the conclusion, are fairly standard in informationflow type systems and enforce syntactic rules of the kind “no low writes should depend onhigh reads”, both with respect to the values that are read, and to termination behaviorsthat might be derived. We refer the reader to [AC11] for explanations on all of these con-ditions and updates, and focus next on the new aspects that are introduced in order toprevent new forms of information leaks that appear in our distributed security setting (suchas Example 3.4), and that deserve further attention.
NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 19
In the allowed-condition rule
Allow , the security level j that is associated to eachthread, and represents the confidentiality level of the position of the thread in the network,is used to update the reading and termination effect. This is because the choice of thebranch (which depends on the threads location) can determine the final value and thetermination behavior of the condition. The security level of the thread is also constrainednot to be higher in confidentiality than the level at which the state can be changed (as itcould potentially leak information about the thread’s position) in rule Allow . Finally, inrule
Mig , the confidentiality level of the new thread is used to update the writing effect ofthread creation, which causes a change in the position-tracker.We can now define the compatibility predicate that applies to this particular informationflow analysis:
Definition 3.6 ((Σ , Γ)-Compatibility) . A memory S is said to be (Σ , Γ)- compatible if, forevery reference a ∈ dom( S ), its value S ( a ) satisfies Γ ⊢ Σ j,F S ( a ) : s, Σ ( a ), for every securitylevel j , flow policy F , and security effect s .3.2.1. Soundness.
The main result of this section, soundness, states that the type systemonly accepts expressions that are secure in the sense of Definition 3.3. In the remainder ofthis section we sketch the main definitions and results that can be used to reconstruct adirect proof of this result. A similar proof is given in detail for a similar language (withoutthe allowed-condition or remote thread creation) in [AC11]. The main difference, besidesthe treatment of new language constructs, is the assumption of memory compatibility thatis introduced in the present work.
Subject Reduction.
In order to establish the soundness of the type system of Figure 4 weneed a Subject Reduction result, stating that the type of a thread is preserved by reduction.When a thread performs a computation step, some of its effects may be performed byreading, updating or creating a reference, and some may be discarded when a branch ina conditional expression is taken. Then the effects of an expression “weaken” along thecomputations. This result is established by Proposition 3.7 below.
Proposition 3.7 (Subject Reduction) . Consider a thread M m such that Γ ⊢ ΣΥ( m ) ,F M : s, τ ,and suppose that W ⊢ h{ M m } , T, S i d −→ F ′ h{ M ′ m } ∪ P, T ′ , S ′ i , for a memory S that is (Σ , Γ) -compatible. Then, there is an effect s ′ such that s ′ ⊑ s and Γ ⊢ ΣΥ( m ) ,F M ′ : s ′ , τ , and S ′ is also (Σ , Γ) -compatible. Furthermore, if P = { N n } , for some expression N and threadname n , then there exists s ′′ such that s ′′ ⊑ s and Γ ⊢ ΣΥ( n ) , ℧ N : s ′′ , unit .Proof. We follow the usual steps [WF94], where the main proof is a case analysis on thetransition W ⊢ h{ M m } , T, S i d −→ F h{ M ′ m } ∪ P, T ′ , S ′ i . Properties of the Semantics.
If the evaluation of a thread M m differs in the context of twodistinct states while not creating two distinct reference or thread names, this is becauseeither M m is performing a dereferencing operation, which yields different results dependingon the memory, or because M m is testing the allowed policy. Lemma 3.8 (Splitting Computations) . Consider a thread M m such that W ⊢ h{ M m } , T , S i d −→ F h P ′ , T ′ , S ′ i and W ⊢ h{ M m } , T , S i d −→ F ′ h P ′ , T ′ , S ′ i with P ′ = P ′ . Then P ′ = { M ′ m } , P ′ = { M ′ m } for some M ′ and M ′ ,and there exists E such that F = ⌈ E ⌉ = F ′ , where either: • M = E[(! a )] for some reference a , and M ′ = E[ S ( a )] , M ′ = E[ S ( a )] with h T ′ , S ′ i = h T , S i and h T ′ , S ′ i = h T , S i , or • M = E[(allowed ¯ F then N t else N f )] for some ¯ F , N t , N f , and T ( m ) = T ( m ) with h T ′ , S ′ i = h T , S i and h T ′ , S ′ i = h T , S i .Proof. By case analysis on the transition W ⊢ h{ M m } , T , S i d −→ F h P ′ , T ′ , S ′ i . Note thatthe only rules that depend on the state are those for the reduction of E[(! a )] and ofE[(allowed F ′ then N t else N f )].We can identify a class of threads that have the property of never performing any changein the “low” part of the memory. These are classified as being “high” according to theirbehavior: Definition 3.9 (Operationally High Threads) . Given a flow policy F and a security level l , a set of threads H is a set of operationally ( W, Σ , Υ , Γ , F, l ) -high threads if the followingholds for all M m ∈ H , and for all states h T, S i where S is (Σ , Γ)-compatible: W ⊢ h{ M m } , T, S i d −→ F ′ h P ′ , T ′ , S ′ i implies h T, S i = F,l h T ′ , S ′ i and P ′ ⊆ H Furthermore, S ′ is still (Σ , Γ)-compatible. The largest set of operationally ( W, Σ , Υ , Γ , F, l )-high threads is denoted by H W, Σ , Υ , Γ F,l . We then say that a thread M m is operationally( W, Σ , Υ , Γ , F, l )-high, if M m ∈ H W, Σ , Υ , Γ F,l .In order to lighten the notation, the parameters Σ and Υ are omitted in the rest of thepaper, written simply ‘operationally ( W, Γ , F, l )-high’ and ‘ H W, Γ F,l ’. Remark that for any W ,Γ, F and l , the set of threads with values as expressions is a set of operationally ( W, Γ , F, l )-high threads. Furthermore, the union of a family of sets of operationally ( W, Γ , F, l )-highthreads is a set of operationally ( W, Γ , F, l )-high threads. Consequently, H W, Γ F,l exists. Noticealso that if F ′ ⊆ F , then H W, Γ F,l ⊆ H W, Γ F ′ ,l . Soundness.
The following result shows that the behavior of typable high threads (i.e. thosewith a high security level) that is location sensitive (i.e. depend on their location) isoperationally high.
Lemma 3.10 (Location Sensitive Typable High Threads) . For a given flow policy F and security levels j and low , consider a thread M m such that Γ ⊢ Σ j,F M : s, τ and M =E[(allowed F ′ then N t else N f )] with j F low . Then, for all allowed-policy mappings W and thread labelings Υ such that Υ( m ) = j , we have that M m ∈ H W, Γ F, low .Proof. By induction on the structure of evaluation context E, making use of the flow re-strictions that are introduced by the corresponding typing rule in each case. Notice thatexpressions that dereference or test the allowed flow policy at a high security level havehigh reading effect (and termination effect for the latter), while those that assign and cre-ate a reference or thread at a low security level have a low writing effect. We show how
NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 21 operationally high expressions can be syntactically composed from other operationally highexpressions.
Theorem 3.11 (Soundness of Typing Distributed Non-disclosure) . Consider a pool ofthreads P , an allowed-policy mapping W , a reference labeling Σ , a thread labeling Υ and atyping environment Γ . If for all M m ∈ P there exist s , and τ such that Γ ⊢ ΣΥ( m ) , ℧ M : s, τ ,then P satisfies the Distributed Non-disclosure property, i.e. P ∈ DN D ( W, Σ , Υ , Γ) .Proof. The proof follows the structure presented in [AC11]. The differences in the proofstem mainly from the treatment of the new language constructs (remote thread creationand allowed-condition, instead of suspensive local memory access), and the assumption ofmemory compatibility, that is introduced in the present work. Informally, the steps are thefollowing:(1) We build a syntactic symmetric binary relation between expressions that are typablewith a low termination effect, and whose terminating behaviors do not depend onhigh references. This includes expressions that are typable with a low terminationeffect, and that have just performed a high dereference. The binary relation shouldbe a “kind of” strong bisimulation with respect to the transition relation d −→ F andthe parameterized low-equality = F,l . In particular, it should be such that if theevaluation of two related expressions, in the context of two low-equal stores shouldsplit (see Lemma 3.8), then the resulting expressions are still in the relation.(2) We define a larger symmetric binary relation on all typable expressions that relatesoperationally high threads, and, similarly to the previous one, relates the resultsof the computations of two related expressions that are not operationally high inthe context of two low-equal memories. This includes all typable expressions thathave just performed a high dereference. For non operationally high threads, thebinary relation should again be a “kind of” strong bisimulation with respect to thetransition relation d −→ F and the parameterized low-equality = F,l . The result LocationSensitive Typable High Threads (Lemma 3.10) helps to show that if the evaluationof two related expressions, in the context of two low-equal stores should split (seeSplitting Computations, Lemma 3.8), then the resulting expressions are still in therelation.(3) We exhibit a ( W, Γ , l )-bisimulation on thread configurations that extends the previ-ous one to relate operationally high threads with terminated computations.Soundness is compositional, in the sense that it is enough to verify the typability of eachthread separately in order to ensure Distributed Non-disclosure for the whole network.4. Controlling Declassification
In this section we study the formalization and enforcement of a security property accord-ing to which declassification policies performed by migrating threads must comply to theallowed flow policy of the domain in which they are performed. We formalize the property,named Flow Policy Confinement, with respect to a distributed security setting and justifythe chosen formalization. We study its enforcement by means of three migration controlmechanisms, whose aim is to prevent migration of threads when the declassifications thatthey would potentially perform are not allowed by that domain.
The first enforcement mechanism consists of a purely static type and effect system(Subsection 4.2) for checking confinement. This type system is inherently restrictive, asthe domains where each part of the code will actually compute cannot in general be knownstatically. Furthermore, it requires information about the allowed flow policies of all thedomains in the networks to which analyzed programs might migrate. We therefore presenta more relaxed type and effect system to be used at runtime by the semantics of thelanguage for checking migrating threads for confinement to the allowed flow policy of thedestination domain (Subsection 4.3). Information about the allowed flow policies of thedomains is not required at static time. We show that this simple hybrid mechanism ismore precise than the purely static one. Finally, we propose a yet more precise type andeffect system that statically computes information about the declassification behaviors ofprograms (Subsection 4.4). This information will be used at runtime, by the semantics of thelanguage, to support more efficient runtime checks that control migration of programs. Weconclude by proving that the third annotation-based mechanism is strictly more permissivethan the previous ones, while preserving the meaning of non-annotated programs.4.1.
Flow Policy Confinement.
The property of Flow Policy Confinement states thatthe declassifications that are declared by a program at each computation step comply tothe allowed policy of the domain where the step is performed. In a distributed setting withconcurrent mobile code, programs might need to comply simultaneously to different allowedflow policies that change dynamically. We deal with this difficulty by placing individualrestrictions on each step that might be performed by a part of the program, taking intoaccount the possible location where it might take place.
Memory compatibility.
Similarly to Subsection 3.1, memories are assumed to be compatibleto the given security setting and typing environment, requiring typability of their contentsaccording to the relevant enforcement mechanism. The memory compatibility predicatewill be defined for each security analysis that is performed over the next three subsections(see Definitions 4.4, 4.8 and 4.12). Confined thread configurations.
We define the property by means of a co-inductive relationon thread configurations [AC14]. The location of each thread determines which allowedflow policy it should obey at that point, and is used to place a restriction on the flowpolicies that decorate the transitions. By using thread configurations, the formalization ofthe property is simplified with respect to [AC13], which used the notion of located threads ,and a bisimulation-based definition.
Definition 4.1 (( W, Σ , Γ)-Confined Thread Configurations) . Given an allowed-policy map-ping W , a set CT C of thread configurations is a set of ( W, Σ , Γ)- confined thread configura-tions if it satisfies, for all
P, T , and ( W, Σ , Γ)-compatible stores S : h P, T i ∈ CT C and W ⊢ h P, T, S i d −→ F h P ′ , T ′ , S ′ i implies W ( d ) F and h P ′ , T ′ i ∈ CT C Furthermore, S ′ is still ( W, Σ , Γ)-compatible. The largest set of ( W, Σ , Γ)-confined threadconfigurations is denoted
CT C W, Σ , Γ . For the sake of simplifying the exposition, the compatibility predicate uses three parameters W , Σ andΓ, as they are parameters of the type system used by Definition 4.4, although in Definitions 4.8 and 4.12,the parameter W is not needed. NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 23
For any W , Σ and Γ, the set of thread configurations where threads are values is a set of( W, Σ , Γ)-confined thread configurations. Furthermore, the union of a family of ( W, Σ , Γ)-confined thread configurations is a ( W, Σ , Γ)-confined thread configurations. Consequently,
CT C W, Σ , Γ exists.The property is now formulated for pools of threads. Definition 4.2 (Flow Policy Confinement) . A pool of threads P satisfies Flow PolicyConfinement with respect to an allowed-policy mapping W , reference labeling Σ and typingenvironment Γ, if all thread configurations satisfy h P, T i ∈ CT C W, Σ , Γ . We then write P ∈ F PC ( W, Σ , Γ).Notice that Flow Policy Confinement is parameterized by a particular mapping W fromdomains to allowed flow policies. This means that security is defined relative to W . Anabsolute notion of security holds when W is universally quantified. Properties.
It should be clear that Flow Policy Confinement speaks strictly about what flowdeclarations a thread can do while it is at a specific domain. In particular, it does not restrictthreads from migrating to more permissive domains. It does not deal with informationflows, and offers no assurance that information leaks that are encoded at each point of theprogram do obey the declared flow policies for that point. For example, the program inEquation (3.3) always satisfies flow policy confinement when F = ℧ , regardless of the levelsof references a and b . But, it violates Distributed Non-disclosure if Σ ( a ) F Σ ( b ), as wellas the allowed flow policy of the domain d if Σ ( a ) W ( d ) Σ ( b ).Flow Policy Confinement, formulated for pools of threads according to Definition 4.2, issimilar to the one in [Alm09, AC13], which was formulated for thread configurations. Thepresent one does not fix the initial position of threads that satisfy the property. Furthermore,it is more clearly defined in terms of a co-inductive relation on thread configurations [AC14],while the former version used a bisimulation on located threads . In order to compare thetwo versions of the property, we denote by F PC +LT ( W, Σ , Γ) the set of pools of thread thatare secure, according to the former definition, when coupled with all possible initial positiontrackers. Then, the two versions of the property are equivalent, up to quantification overall possible initial position trackers.
Proposition 4.3.
F PC ( W, Σ , Γ) =
F PC +LT ( W, Σ , Γ) . Static Type and Effect System.
We have seen that in a setting where code canmigrate between domains with different allowed security policies, the computation domainmight change during computation, along with the allowed flow policy that the programmust comply to. This can happen in particular within the branch of an allowed-condition:(allowed F then (thread l (flow F in M ) at d ) else M ) (4.1)In this program, the flow declaration of the policy F is executed only if F has been testedas being allowed by the domain where the program was started. It might then seem thatthe flow declaration is guarded by an appropriate allowed construct. However, by the timethe flow declaration is performed, the thread is already located at another domain, wherethat flow policy might not be allowed. It is clear that a static enforcement of a confinementproperty requires tracking the possible locations where threads might be executing at eachpoint. [ Nil ] W ; Γ ⊢ Σ A () : unit [ BT ] W ; Γ ⊢ Σ A tt : bool [ BF ] W ; Γ ⊢ Σ A ff : bool [ Loc ] W ; Γ ⊢ Σ A a : Σ ( a ) ref [ Var ] W ; Γ , x : τ ⊢ Σ A x : τ [ Abs ] W ; Γ , x : τ ⊢ Σ A M : σW ; Γ ⊢ Σ A ′ ( λx.M ) : τ −→ A σ [ Rec ] W ; Γ , x : τ ⊢ Σ A X : τW ; Γ ⊢ Σ A ( ̺x.X ) : τ [ App ] W ; Γ ⊢ Σ A M : τ −→ A σ W ; Γ ⊢ Σ A N : τW ; Γ ⊢ Σ A ( M N ) : σ [ Seq ] W ; Γ ⊢ Σ A M : τ W ; Γ ⊢ Σ A N : σW ; Γ ⊢ Σ A ( M ; N ) : σ [ Ref ] W ; Γ ⊢ Σ A M : θW ; Γ ⊢ Σ A (ref l,θ M ) : θ ref[ Assign ] W ; Γ ⊢ Σ A M : θ ref W ; Γ ⊢ Σ A N : θW ; Γ ⊢ Σ A ( M := N ) : unit [ Der ] W ; Γ ⊢ Σ A M : θ ref W ; Γ ⊢ Σ A (! M ) : θ [ Cond ] W ; Γ ⊢ Σ A M : bool W ; Γ ⊢ Σ A N t : τW ; Γ ⊢ Σ A N f : τW ; Γ ⊢ Σ A (if M then N t else N f ) : τ [Allow] W ; Γ ⊢ Σ A f F N t : τW ; Γ ⊢ Σ A N f : τW ; Γ ⊢ Σ A (allowed F then N t else N f ) : τ [Flow] W ; Γ ⊢ Σ A N : τ A FW ; Γ ⊢ Σ A (flow F in N ) : τ [Mig] W ; Γ ⊢ Σ W ( d ) M : unit W ; Γ ⊢ Σ A (thread l M at d ) : unit Figure 5: Type and effect system for checking ConfinementFigure 5 presents a new type and effect system [LG88] for statically enforcing confine-ment over a migrating program. The type system guarantees that when operations areexecuted by a thread within the scope of a flow declaration, the declared flow complies tothe allowed flow policy of the current domain. The typing judgments have the form W ; Γ ⊢ Σ A M : τ meaning that the expression M is typable with type τ in the typing context Γ : Var → Typ ,which assigns types to variables, in a context where W is the mapping of domain namesto allowed flow policies. The turnstile has two parameters: (1) the reference labeling Σ, ofwhich only the type labeling Σ , carrying the type of the references, is used; (2) the flowpolicy allowed by the context A , which includes all flow policies that have been positivelytested by the program as being allowed at the computation domain where the expression M is running.Types have the following syntax ( t is a type variable): τ, σ, θ ∈ Typ ::= t | unit | bool | θ ref | τ −→ A σ The syntax is similar to the one used in Sub-subsection 3.2, but is simpler: The securitylevel of references does not appear in the reference types θ ref , while the type function types NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 25 τ −→ A σ includes only the latent allowed flow policy, the one that is assumed to hold whenthe function is applied to an argument.Our type and effect system applies restrictions to programs in order to enforce confine-ment of all flow declarations of a policy F to be performed only once F has been testedto be positively allowed by the domain’s allowed flow policy. This is achieved by meansof the tested allowed flow policy A that parameterizes the typing judgments, and by thecondition A F in the Flow rule. Flow declarations can only be performed if the declaredflow policy is allowed by the flow policy that is tested by the context (
Flow ). Conversely,allowed-conditions relax the typing of the allowed-branch by extending the flow policy thatis tested by the context with the policy that guards the condition (
Allow ).Note that if an expression is typable with respect to an allowed flow policy A , then itis also so for any more permissive allowed policy A ′ .We refer to the enforcement mechanism that consists of statically type checking allthreads in a network according to the type and effect system of Figure 5, with respect tothe allowed flow policies of each thread’s initial domain, using the semantics represented inFigure 3, as Enforcement Mechanism I .To illustrate the restrictions that are imposed by the enforcement mechanism, we mayconsider program (allowed F then (flow F H ≺ L in plan A ) else plan B ) (4.2)where plan A and plan B have no declassifications, and that is running in domain d . Theprogram is typable if W ( d ) f F F H ≺ L . If F F H ≺ L , then the program is always secure.Otherwise, the program is W -secure if W ( d ) F H ≺ L , or if W ( d ) F (thanks to thesemantics of the allowed-condition).We are now in position to define the compatibility predicate that applies to EnforcementMechanism I. Definition 4.4 (( W, Σ , Γ)-Compatibility) . A memory S is said to be ( W, Σ , Γ)- compatible if, for every reference a ∈ dom( S ), its value S ( a ) satisfies the condition W ; Γ ⊢ Σ ℧ S ( a ) : Σ ( a ).4.2.1. Soundness.
In order to establish the soundness of the type system of Figure 5 weneed a Subject Reduction result, stating that types that are given to expressions, alongwith compatibility of memories, are preserved by computation.
Proposition 4.5 (Subject Reduction) . Consider an allowed-policy mapping W and a thread M m such that W ; Γ ⊢ Σ A M : τ , and suppose that W ⊢ h{ M m } , T, S i d −→ F h{ M ′ m } ∪ P, T ′ , S ′ i ,for a memory S that is ( W, Σ , Γ) -compatible. Then, W ; Γ ⊢ Σ A f W ( T ( m )) M ′ : τ , and S ′ isalso ( W, Σ , Γ) -compatible. Furthermore, if P = { N n } , for some expression N and threadname n , then W ; Γ ⊢ Σ W ( T ′ ( n )) N : unit .Proof. We follow the usual steps [WF94], where the main proof is a case analysis on thetransition W ⊢ h{ M m } , T, S i d −→ F h{ M ′ m } ∪ P, T ′ , S ′ i . Enforcement Mechanism I guarantees security of networks with respect to confinement,as is formalized by the following result.
Theorem 4.6 (Soundness of Enforcement Mechanism I) . Consider an allowed-policy map-ping W , reference labeling Σ , typing environment Γ , and a thread configuration h P, T i such that for all M m ∈ P there exists τ such that W ; Γ ⊢ Σ W ( T ( m )) M : τ . Then h P, T i is a ( W, Σ , Γ) -confined thread configuration.Proof. We show that the following is a set of ( W, Σ , Γ)-confined thread configurations: C = {h P, T i | ∀ M m ∈ P, ∃ τ . W ; Γ ⊢ Σ W ( T ( m )) M : τ } By induction on the inference of W ; Γ ⊢ Σ W ( T ( m )) M : τ . We use Subject Reduction (Propo-sition 4.5) and a case analysis on the last rule of the corresponding typing proof. Safety and precision.
The following result guarantees that typable threads ca execute untiltermination.
Proposition 4.7 (Safety) . Given an allowed-policy mapping W , consider a closed thread M m such that W ; ∅ ⊢ Σ A M : τ . Then, for any memory S that is ( W, Σ , ∅ ) -compatible andposition-tracker T , either the program M is a value, or W ⊢ h{ M m } , T, S i T ( m ) −−−→ F ′ h{ M ′ m }∪ P, T ′ , S ′ i ,for some F ′ , M ′ , P , T ′ and S ′ .Proof. By induction on the derivation of W ; Γ ⊢ Σ A M : τ .In face of a purely static migration control analysis, some secure programs are boundto be rejected. There are different ways to increase the precision of a type system, thoughthey are all intrinsically limited to what can conservatively be predicted before runtime.For example, for the program(if (! a ) then (thread l (flow F in M ) at d ) else (thread l (flow F in M ) at d )) (4.3)it is in general not possible to predict which branch will be executed (or, in practice, towhich domain the thread will migrate), for it depends on the contents of the memory. Itwill then be rejected if W ( d ) F or W ( d ) F .4.3. Runtime Type Checking.
In this subsection we study a hybrid mechanism for en-forcing confinement, that makes use of a relaxation of the type system of Figure 5, atruntime. Migration is now conditioned by means of a runtime check for typability of mi-grating threads with respect to the allowed flow policy of the destination domain. Thecondition represents the standard theoretical requirement of checking incoming code beforeallowing it to execute in a given machine.The relaxation is achieved by replacing rule
Mig by the one in Figure 6. The newtype system no longer imposes future migrating threads to conform to the policy of theirdestination domain, but only to the most permissive allowed flow policy Ω. The rationaleis that it is only concerned about confinement of the non-migrating parts of the program.This is sufficient, as all threads that are to be spawned by the program will be re-checkedat migration time.The proposed modification to the semantics defined in Figure 3 appears in Figure 6.The migration rule introduces the runtime check that controls migration ( n fresh in T ). NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 27 ...[
Mig ] Γ ⊢ Σ Ω M : unit Γ ⊢ Σ A (thread l M at d ) : unit ... Γ ⊢ Σ W ( d ) N : unit W ⊢ h{ E[(thread l N at d )] m } , T, S i T ( m ) −−−→ ⌈ E ⌉ h{ E[()] m , N n } , [ n := d ] T, S i Figure 6: Top: Relaxed type and effect system for checking Confinement (omitted rules areas in Figure 5). Bottom: Operational semantics with runtime type checking formigration control (omitted rules are as in Figure 3).The idea is that a thread can only migrate to a domain if it respects its allowed flowpolicy. The new remote thread creation rule (our migration primitive), now depends ontypability of the migrating thread. The typing environment Γ (which is constant) is nowan implicit parameter of the operational semantics. If only closed threads are considered,then also migrating threads are closed. The allowed flow policy of the destination site nowdetermines whether or not a migration instruction may be consummated, or otherwise blockexecution.
E.g. , the configuration h{ E[(thread l (flow F in M ) at d )] m } , T, S i (4.4)can only proceed if W ( d ) allows for F ; otherwise it gets stuck.Notice that, thanks to postponing the migration control to runtime, the type systemno longer needs to be parameterized with information about the allowed flow policies ofall domains in the network, which is unrealistic. The only relevant ones are those of thedestination domain of migrating threads.We refer to the enforcement mechanism that consists of statically type checking allthreads in a network according to the type and effect system of Figure 6 (left), with respectto the allowed flow policies of each thread’s initial domain, using the semantics of Figure 6(right), as Enforcement Mechanism II .Notice that Enforcement Mechanism II restricts, on one hand, which programs areaccepted to run, but also trims their possible executions, with respect to a given allowed-policy mapping W . The program in Equation (4.3) illustrates this mechanism, as it istypable according to the relaxed type system (with respect to any W ), but will block at thechoice of the second branch if W ( d ) F .We can now define the compatibility predicate that applies to Enforcement Mecha-nism II. Definition 4.8 (( W, Σ , Γ)-Compatibility) . A memory S is said to be ( W, Σ , Γ)- compatible if, for every reference a ∈ dom( S ), its value S ( a ) satisfies the typing condition Γ ⊢ Σ ℧ S ( a ) : Σ ( a ). As mentioned in Subsection 4.1, for the sake of simplifying the exposition, the compatibility predicateused in Definition 4.1 includes W as a parameter, although it is not used in Definitions 4.8 and 4.12 thatfollow. Soundness.
Similarly to what we did in Subsection 4.2, in order to establish thesoundness of the Enforcement Mechanism II we need a Subject Reduction result, statingthat types that are given to expressions, along with compatibility of memories, are preservedby computation.
Proposition 4.9 (Subject Reduction) . Consider a thread M m such that Γ ⊢ Σ A M : τ andsuppose that W ⊢ h{ M m } , T, S i d −→ F h{ M ′ m } ∪ P, T ′ , S ′ i , for a memory S that is ( W, Σ , Γ) -compatible. Then, Γ ⊢ Σ A f W ( T ( m )) M ′ : τ , and S ′ is also ( W, Σ , Γ) -compatible. Furthermore,if P = { N n } , for some expression N and thread name n , then Γ ⊢ Σ W ( T ′ ( n )) N : unit .Proof. We follow the usual steps [WF94], where the main proof is a case analysis on thetransition W ⊢ h{ M m } , T, S i d −→ F ′ h{ M ′ m } ∪ P, T ′ , S ′ i .Enforcement Mechanism II guarantees security of networks with respect to confinement,as is formalized by the following result. Theorem 4.10 (Soundness of Enforcement Mechanism II) . Consider an allowed-policymapping W , reference labeling Σ , typing environment Γ , and a thread configuration h P, T i such that for all M m ∈ P there exists τ such that Γ ⊢ Σ W ( T ( m )) M : τ . Then h P, T i is ( W, Σ , Γ) -confined.Proof. We show that the following is a set of ( W, Σ , Γ)-confined thread configurations: C = {h P, T i | ∀ M m ∈ P, ∃ τ . Γ ⊢ Σ W ( T ( m )) M : τ } is a set of ( W, Σ , Γ)-confined thread configurations. By induction on the inference ofΓ ⊢ Σ W ( T ( m )) M : τ . We use Subject Reduction (Proposition 4.9) and a case analysis onthe last rule of the corresponding typing proof.4.3.2. Safety, precision and efficiency.
The proposed mechanism does not offer a safetyresult, guaranteeing that program execution never gets stuck. Indeed, the side condition ofthe thread creation rule introduces the possibility for the execution of a thread to block,since no alternative is given. This can happen in the example in Equation (4.1), if theflow policy F is not permitted by the allowed policy of the domain of the branch that isactually executed, then the migration will not occur, and execution will not proceed. Wecan, however, prove that the only way for a program to get stuck is if it triggers an unsafemigration: Proposition 4.11 (Safety (weakened)) . Consider a closed thread M m such that ∅ ⊢ Σ A M : τ .Then, for any allowed-policy mapping W , memory S that is ( W, Σ , ∅ ) -compatible and position-tracker T , either the program M is a value, or: • W ⊢ h{ M m } , T, S i T ( m ) −−−→ F ′ h{ M ′ m } ∪ P, T ′ , S ′ i , for some F ′ , M ′ , P , S ′ and T ′ , or • M = E[(thread l N at d )] , for some E , l and d such that ∅ ⊢ ΣΩ N : unit but ∅ 6⊢ Σ W ( d ) N : unit .Proof. By induction on the derivation of Γ ⊢ Σ A M : τ . NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 29
In order to have safety, we could design a thread creation instruction that predicts analternative branch for execution in case the side condition fails. We choose not to pursue thisoption, thus minimizing changes to the basic language under consideration. Nevertheless,the condition that was introduced in the semantics of the thread creation sufficed to originatenew forms of information flow leaks, as the event of blockage of a computation can revealinformation about the control flow that led to it. These information leaks can be treated ina similar manner as termination leaks, as in [Alm09], for blockage can be seen as a form ofnon-termination. Such leaks are in fact rejected by the type and effect system of Figure 4,as is discussed further ahead at the end of Section 4.It is worth considering that the example in Equation (4.1) could be reformulated as(thread l (allowed F then (flow F in M ) else M ) at d ) (4.5)in effect using the allowed-condition for encoding such alternative behaviors. Indeed, theprogrammer can increase the chances that the program will terminate successfully by guard-ing flow declarations with the new allowed-condition construct. Our type system does takethat effort into account, by subtracting the tested flow policy when typing the allowed-branch. As a result, programs containing flow declarations that are too permissive accord-ing to a certain domain might still be authorized to execute in it, as long as they occur inthe not-allowed-branch of our new construct which will not be chosen.Returning to the example in Equation (4.3), thanks to the relaxed Mig rule, thisprogram is now always accepted statically by the type system. Depending on the resultof the test, the migration might also be allowed to occur if a safe branch is chosen. Thismeans that Enforcement Mechanism II accepts more secure programs, as well as more secureexecutions of (statically) insecure programs.A drawback with this enforcement mechanism lies in the computation weight of theruntime type checks. This is particularly acute for an expressive language such as the onewe are considering. Indeed, recognizing typability of ML expressions has exponential (worstcase) complexity [Mai90].4.4.
Static Informative Typing for Runtime Effect Checking.
We have seen thatbringing the type-based migration control of programs to runtime allows to increase theprecision of the confinement analysis. This is, however, at the cost of performance. Itis possible to separate the program analysis as to what are the declassification operationsthat are performed by migrating threads, from the safety problem of determining whetherthose declassification operations should be allowed at a given domain. To achieve this, wenow present an informative type system [AF12] that statically calculates a summary ofall the declassification operations that might be performed by a program, in the form of a declassification effect . Furthermore, this type system statically annotates the program withinformation about the declassifying behavior of migrating threads in order to support theruntime decision of whether they can be considered safe by the destination domain. Theaim is to bring the overhead of the runtime check to static time.The typing judgments of the type system in Figure 7 have the form:Γ ⊢ Σ M ֒ → ˆ M : s, τ Comparing with the typing judgments of Subsection 4.3, while the flow policy allowed bythe context parameter is omitted from the turnstile ‘ ⊢ ’, the security effect s represents a flowpolicy which corresponds to the declassification effect : a lower bound to the flow policies that [ Nil I ] Γ ⊢ Σ () ֒ → () : ℧ , unit [ Bt I ] Γ ⊢ Σ tt ֒ → tt : ℧ , bool [ Bf I ] Γ ⊢ Σ ff ֒ → ff : ℧ , bool [ Loc I ] Γ ⊢ Σ a ֒ → a : ℧ , Σ ( a ) ref [ Var I ] Γ , x : τ ⊢ Σ x ֒ → x : ℧ , τ [ Abs I ] Γ , x : τ ⊢ Σ M ֒ → ˆ M : s, σ Γ ⊢ Σ ( λx.M ) ֒ → ( λx. ˆ M ) : ℧ , τ s −→ σ [ Rec I ] Γ , x : τ ⊢ Σ X ֒ → ˆ X : s, τ Γ ⊢ Σ ( ̺x.X ) ֒ → ( ̺x. ˆ X ) : s, τ [ App I ] Γ ⊢ Σ M ֒ → ˆ M : s, τ s ′ −→ σ Γ ⊢ Σ N ֒ → ˆ N : s ′′ , τ ′′ τ τ ′′ Γ ⊢ Σ ( M N ) ֒ → ( ˆ M ˆ N ) : s f s ′ f s ′′ , σ [ Seq I ] Γ ⊢ Σ M ֒ → ˆ M : s, τ Γ ⊢ Σ N ֒ → ˆ N : s ′ , σ Γ ⊢ Σ ( M ; N ) ֒ → ( ˆ M ; ˆ N ) : s f s ′ , σ [ Ref I ] Γ ⊢ Σ M ֒ → ˆ M : s, θ ′ θ θ ′ Γ ⊢ Σ (ref θ M ) ֒ → (ref θ ˆ M ) : s, θ ref [ Der I ] Γ ⊢ Σ M ֒ → ˆ M : s, θ refΓ ⊢ Σ (! M ) ֒ → (! ˆ M ) : s, θ [ Ass I ] Γ ⊢ Σ M ֒ → ˆ M : s, θ ref Γ ⊢ Σ N ֒ → ˆ N : s ′ , θ ′ θ θ ′ Γ ⊢ Σ ( M := N ) ֒ → ( ˆ M := ˆ N ) : s f s ′ , unit [ Cond I ] Γ ⊢ Σ M ֒ → ˆ M : s, bool Γ ⊢ Σ N t ֒ → ˆ N t : s t , τ t Γ ⊢ Σ N f ֒ → ˆ N f : s f , τ f τ t ≈ τ f Γ ⊢ Σ (if M then N t else N f ) ֒ → (if ˆ M then ˆ N t else ˆ N f ) : s f s t f s f , τ t f τ f [Allow I ] Γ ⊢ Σ N t ֒ → ˆ N t : s t , τ t Γ ⊢ Σ N f ֒ → ˆ N f : s f , τ f τ t ≈ τ f Γ ⊢ Σ (allowed F then N t else N f ) ֒ → (allowed F then ˆ N t else ˆ N f ) : s t ⌣ F f s f , τ t f τ f [Flow I ] Γ ⊢ Σ N ֒ → ˆ N : s, τ Γ ⊢ Σ (flow F in N ) ֒ → (flow F in ˆ N ) : s f F, τ [Mig I ] Γ ⊢ Σ M ֒ → ˆ M : s, unit Γ ⊢ Σ (thread l M at d ) ֒ → (thread sl ˆ M at d ) : ℧ , unit Figure 7: Informative type and effect system for obtaining the Declassification Effectare declared in the typed expression. The second expression ˆ M is the result of annotating M . We thus consider an annotated version of the language of Subsection 2.2, where thesyntax of values and expressions (the sets are denoted Val ′ and Exp ′ , respectively) differsonly in the remote thread creation construct, that has an additional policy F as parameter,written (thread Fl M at d ). Also here, only the type labeling component Σ of the referencelabeling is used.Types have the following syntax ( t is a type variable): τ, σ, θ ∈ Typ ::= t | unit | bool | θ ref | τ s −→ σ NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 31
The syntax of types is the same as the one used in Subsections 4.2 and 4.3, except that theflow policy that represents the latent declassification effect is written over the arrow of thefunction type τ s −→ σ .It is possible to relax the type system by matching types that have the same structure,even if they differ in flow policies pertaining to them. We achieve this by overloading to relate types where certain latent effects in the first are at least as permissive as thecorresponding ones in the second. The more general relation ≈ matches types where certainlatent effects differ: Finally, we define an operation f between two types τ and τ ′ such that τ ≈ τ ′ : τ τ ′ iff τ = τ ′ , or τ = θ F −→ σ and τ ′ = θ F ′ −→ σ ′ with F F ′ and σ σ ′ τ ≈ τ ′ iff τ = τ ′ , or τ = θ F −→ σ and τ ′ = θ F ′ −→ σ ′ with σ ≈ σ ′ τ f τ ′ = τ, if τ = τ ′ , or θ F f F ′ −−−→ σ f σ ′ , if τ = θ F −→ σ and τ ′ = θ F ′ −→ σ ′ The relation is used in rules Ref I , Ass I and App I , in practice enabling to associateto references and variables (by reference creation, assignment and application) expressionswith types that contain stricter policies than required by the declared types. The relation ≈ is used in rules Cond I and Allow I in order to accept that two branches of the same testconstruct can differ regarding some of their policies. Then, the type of the test constructcombines both using f , thus reflecting the flow policies in both branches.The declassification effect is constructed by aggregating (using the meet operation)all relevant flow policies that are declared within the program. The effect is updated inrule Flow I , each time a flow declaration is performed, and becomes more permissive asthe declassification effects of sub-expressions are met in order to form that of the parentcommand. However, when a part of the program is guarded by an allowed-condition, someof the information in the declassification effect can be discarded. This happens in rule Allow I , where the declassification effect of the first branch is not used entirely: the partthat will be tested during execution by the allowed-condition is omitted. In rule Mig I , thedeclassification effect of migrating threads is also not recorded in the effect of the parentprogram, as they will be executed (and tested) elsewhere. That information is however usedto annotate the migration instruction.As an example, the thread creation of the program in Equation (4.2), still assuming that plan A and plan B have no declassifications, would be annotated with the declassificationeffect F H ≺ L ⌣ F . In particular, the effect would be ℧ if F F H ≺ L .One can show that the type system is deterministic, in the sense that it assigns to anon-annotated expression a single annotated version of it, a single declassification effect,and a single type.4.4.1. Modified operational semantics, revisited.
By executing annotated programs, the typecheck that conditions the migration instruction can be replaced by a simple declassificationeffect inspection. The new migration rule, presented in Figure 8, is similar to the onein Subsection 4.3, but now makes use of the declassification effect ( n fresh in T ). In theremaining rules of the operational semantics the annotations are ignored. Note that thevalues contained in memories are also assumed to use annotated syntax. W ( d ) s W ⊢ h{ E[(thread sl N at d )] m } , T, S i T ( m ) −−−→ ⌈ E ⌉ h{ E[()] m , N n } , [ n := d ] T, S i Figure 8: Operational semantics with statically annotated programs for runtime migrationcontrol (omitted rules are as in Figure 3)We refer to the mechanism that consists of statically annotating all threads in a networkaccording to the type and effect system of Figure 7, assuming that each thread’s declassifi-cation effect is allowed by its initial domain, while using the semantics of Figure 8 modified,as
Enforcement Mechanism III .It is useful to define a family of functions annot Σ , Γ () : ( Ref → Val ) → ( Ref → Val ′ )which, given a typing environment Γ and a reference labeling Σ, extends the annotationprocess to stores:annot Σ , Γ ( S ) = ˆ S such that dom( S ) = dom( ˆ S ) and ∀ a ∈ dom( S ) , Γ ⊢ Σ S ( a ) ֒ → ˆ S ( a ) : ℧ , Σ ( a )We can now define the compatibility predicate that applies to Enforcement Mechanism III. Definition 4.12 (( W, Σ , Γ)-Compatibility) . A memory ˆ S is said to be ( W, Σ , Γ)- compatible if there exists a non-annotated memory S such that annot Σ , Γ ( S ) = ˆ S .4.4.2. Soundness.
The following proposition ensures that the annotation processing is pre-served by the annotated semantics. This is formulated by stating that after reduction,programs are still well annotated. Since the type system integrates both the annotatingprocess and the calculation of the declassification effect, the formulation of this result isslightly non-standard. More precisely, the following result states that if a program is theresult of an annotation process, with a certain declassification effect and type, then afterone computation step it is still the result of annotating a program, and is given an at leastas strict declassification effect and type.
Proposition 4.13 (Subject Reduction, or Preservation of Annotations) . Consider a thread M m such that Γ ⊢ Σ M ֒ → N : s, τ and suppose that W ⊢ h{ N m } , T, S i d −→ F h{ N ′ m } ∪ P, T ′ , S ′ i ,for a memory S that is ( W, Σ , Γ) -compatible. Then there exist M ′ , s ′ , τ ′ such that s f W ( T ( m )) s ′ , and τ τ ′ , and Γ ⊢ Σ M ′ ֒ → N ′ : s ′ , τ ′ , and S ′ is also ( W, Σ , Γ) -compatible.Furthermore, if P = { N ′′ n } for some expression N ′′ and thread name n , then there exist M ′′ , s ′′ such that W ( T ′ ( n )) s ′′ and Γ ⊢ Σ M ′′ ֒ → N ′′ : s ′′ , unit .Proof. We follow the usual steps [WF94], where the main proof is a case analysis on thetransition W ⊢ h{ N m } , T, S i d −→ F ′ h{ N ′ m } ∪ P, T ′ , S ′ i . NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 33
We will now see that the declassification effect can be used for enforcing confinement.
Theorem 4.14 (Soundness of Enforcement Mechanism III) . Consider an allowed-policymapping W , reference labeling Σ , typing environment Γ , and a thread configuration h P, T i such that for all M m ∈ P there exist ˆ M , s and τ such that Γ ⊢ Σ M ֒ → ˆ M : s, τ and W ( T ( m )) s . Then h ˆ P , T i , formed by annotating the threads in h P, T i , is ( W, Σ , Γ) -confined.Proof. We show that the following is a set of ( W, Σ , Γ)-confined thread configurations: C = {h P, T i | ∀ ˆ M m ∈ P, ∃ M, s, τ . Γ ⊢ Σ M ֒ → ˆ M : s, τ and W ( T ( m )) s } By induction on the inference of Γ ⊢ Σ M ֒ → ˆ M : s, τ . We use Subject Reduction (Proposi-tion 4.13) and a case analysis on the last rule of the corresponding typing proof.4.4.3. Safety, precision and efficiency.
The weak safety result is formulated similarly toProposition 4.11:
Proposition 4.15 (Safety (weakened)) . Consider a closed thread M m for which we havethat ∅ ⊢ Σ M ֒ → ˆ M : s, τ . Then, for any allowed-policy mapping W , memory S that is ( W, Σ , ∅ ) -compatible and position-tracker T , either the program ˆ M is a value, or: (1) W ⊢ h{ ˆ M m } , T, S i T ( m ) −−−→ F ′ h{ ˆ M ′ m } ∪ P, T ′ , S ′ i , for some F ′ , ˆ M ′ , P , S ′ and T ′ , or (2) M = E[(thread l N at d )] , for some E , l , d and ˆ s such that ˆ M = E[(thread ˆ sl ˆ N at d )] and ∅ ⊢ Σ N ֒ → ˆ N : ˆ s, τ but W ( d ) ˆ s .Proof. By induction on the derivation of Γ ⊢ Σ M : s, τ .The relaxed type system of Subsection 4.3 for checking confinement, and its informativecounterpart of Figure 7, are strongly related. The following result states that typabilityaccording to latter type system is at least as precise as the former. Proposition 4.16.
If for an allowed policy A and type τ we have that Γ ⊢ Σ A M : τ , thenthere exist N , s and τ ′ such that Γ ⊢ Σ M ֒ → N : s, τ ′ with A s and τ τ ′ .Proof. By induction on the inference of Γ ⊢ Σ A M : τ , and by case analysis on the last ruleused in this typing proof.The converse direction is not true, i.e. Enforcement Mechanism III accepts strictlymore programs than Enforcement Mechanism II. This can be seen by considering the secureprogram (if (! a ) then (! (ref θ M )) else (! (ref θ M ))) (4.6)where θ = τ F −→ σ and θ = τ F −→ σ . This program is not accepted by the type system ofSection 4.3 because it cannot give the same type to both branches of the conditional (thetype of the dereference of a reference of type θ is precisely θ ). However, since the two typessatisfy θ ≈ θ , the informative type system can accept it and give it the type θ f θ .A more fundamental difference between the two enforcement mechanisms lays in thetiming of the computation overhead that is required by each mechanism. While mecha-nism II requires heavy runtime type checks to occur each time a thread migrates, in III thetypability analysis is anticipated to static time, leaving only a comparison between two flow policies to be performed at migration time. The complexity of this comparison dependson the concrete representation of flow policies. In the worst case, that of flow policies asgeneral downward closure operators (see Section 2), it is linear on the number of securitylevels that are considered. When flow policies are flow relations, then it consists on a subsetrelation check, which is polynomial on the size of the flow policies.4.4.4. Preservation of the semantics.
We now prove that the program transformation that isencoded in the type system of Figure 7 preserves the semantics of the input expressions. Tothis end, we define a simulation between pools of threads written in the original languageof Subsection 2.2, and pools of threads written in the language with annotations. Thebehavior of pools of threads of the former should be able to simulate step-by-step thoseof the latter, when operating on memories that are the same, up to the annotations thatdistinguish the two languages (captured by means of the annot Σ , Γ () function.The following simulation on pools of threads relates programs in the annotated languagewhose behavior can be entirely performed by the corresponding program in the original(non-restricted) language. Definition 4.17 ( ∼ W, Σ , Γ ) . A ( W, Σ , Γ)-simulation is a binary relation S on pools of threads,drawn from the original language and the annotated language, respectively, that satisfies,for all thread configurations T and for all memories S, ˆ SP S P and W ⊢ h P , T, ˆ S i d −→ F h P ′ , T ′ , ˆ S ′ i and annot Σ , Γ ( S ) = ˆ S implies that there exist P ′ , S ′ such that: W ⊢ h P , T, S i d −→ F h P ′ , T ′ , S ′ i and annot Σ , Γ ( S ′ ) = ˆ S ′ and P ′ S P ′ The largest ( W, Σ , Γ)-simulation is denoted by ∼ W, Σ , Γ .For any W, Σ , Γ, the set of pairs of thread configurations where threads are values isa ( W, Σ , Γ)-simulation. Furthermore, the union of a family of ( W, Σ , Γ)-simulations is a( W, Σ , Γ)-simulation. Consequently, ∼ W, Σ , Γ exists.We can now check that the annotation process produces expressions that can be simu-lated in the above sense. In other words this means that Enforcement Mechanism III onlyenables behavior of programs that is already present in the original language. Proposition 4.18. If Γ ⊢ Σ M ֒ → N : s, τ , then for all allowed-policy mappings W andthread names m ∈ Nam we have that { M m }∼ W, Σ , Γ { N m } .Proof. We prove that the set B = {h{ M m } , { N m }i | m ∈ Nam and ∃ s, τ . Γ ⊢ Σ M ֒ → N : s, τ } is a ( W, Σ , Γ)-simulation according to Definition 4.17. By case analysis on the proof of W ⊢ h{ M m } , T, S i d −→ F h P ′ , T ′ , S ′ i and of W ⊢ h{ N m } , T, ˆ S i d −→ F h P ′ , T ′ , ˆ S ′ i . NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 35
To see that the converse is not true, i.e. that the range of behaviors of migrating programsis restricted with respect to the original language, it is enough to consider the program(thread l (flow Ω in ( a := 1)) at d ) (4.7)which is transformed into (thread Ω l (flow Ω in ( a := 1)) at d ) by the informative type system.This program blocks at the first execution step when W ( d ) = Ω.5. Information Flow Compliance
In this section we clarify the meaning of secure information flow in a distributed securitysetting, by interpreting the allowed flow policy of a domain as an imposition on the in-formation flows that a mobile program is allowed to set up while computing at a givendomain. Using this notion, we propose a natural generalization of Non-interference that es-tablishes the absence of illegal information flows in a distributed security setting. This newproperty, named Distributed Non-interference, states that information flows should respectthe allowed flow policy of the domains where they originate. Finally, Distributed Non-interference is used to validate the semantic coherence between Distributed Non-disclosureand Flow Policy Confinement, the two properties that are studied in the previous two sec-tions. As a consequence, programs that are accepted by enforcement mechanisms for bothproperties, are known to respect Distributed Non-interference.Distributed Non-interference. Informally, a program is said to set up an information flowfrom security level l to security level l if, during computation, information that has con-fidentiality level l can interfere with what is observable at security level l . From thepoint when the information is read by the program, to the point where it’s interference isreflected in the observable state, the program might change location. Which allowed flowpolicy should it comply to? We propose that it should comply to the allowed flow policy A of the domain where the information was read. More precisely, using the notation fromSubsection 2.1, it must hold that l ⊑ A l .The location of a thread thus determines which allowed flow policy it should obey atthat point, and is used to place a restriction on the information flows that are initiated atthat step. In order to formalize this idea by means of a bisimulation, the portion of the statethat is observable, or read, at a domain d is adjusted according to the current allowed flowpolicy that is given by W ( d ), in the first low-equality of the definition. The bisimulationcondition then determines how that information can affect future computation steps, asthe resulting thread configurations must still be bisimilar. In particular, the computationcannot produce pairs of programs that produce distinguishable states. Definition 5.1 ( ∼ W, Σ , Υ , Γ l ) . Given an security level l , a ( W, Σ , Υ , Γ , l )-bisimulation is a sym-metric relation R on thread configurations that satisfies, for all P , T , P , T , and ( W, Σ , Γ)-compatible stores S , S : h P , T i R h P , T i and W ⊢ h P , T , S i d −→ F h P ′ , T ′ , S ′ i and h T , S i = W ( d ) ,l h T , S i with (dom( S ′ ) \ dom( S )) ∩ dom( S ) = ∅ and dom( T ′ ) \ dom( T )) ∩ dom( T ) = ∅ impliesthat there exist P ′ , T ′ , S ′ such that: W ⊢ h P , T , S i ։ h P ′ , T ′ , S ′ i and h T ′ , S ′ i = ℧ ,l h T ′ , S ′ i and h P ′ , T ′ i R h P ′ , T ′ i Furthermore, S ′ , S ′ are still ( W, Σ , Γ)-compatible. The largest ( W, Σ , Υ , Γ , l )-bisimulationis denoted ∼ W, Σ , Υ , Γ l .For any Σ, Υ, l , the set of pairs of thread configurations where threads are valuesis a ( W, Σ , Υ , Γ , l )-bisimulation. Furthermore, the union of a family of ( W, Σ , Υ , Γ , l )-bisimulations is a ( W, Σ , Υ , Γ , l )-bisimulation. Consequently, ∼ W, Σ , Υ , Γ l exists. In orderto lighten the notation, the parameters Σ and Υ are omitted in the rest of the paper,written simply ‘ ∼ W, Γ l ’.Information flows that are initiated at a given step are captured by considering allcomputations that initiate on every possible pair of stores that coincide in the observable(reading) level. This enables compositionality of the property, accounting for the possiblechanges to the store that are induced by external threads. Position trackers of configurationsare fixed across steps within the bisimulation game, reflecting the assumption that changesin the position of a thread can only be induced by the thread itself ( subjective migration).Note that the above relation is not reflexive. In fact, only secure programs are related tothemselves: Definition 5.2 (Distributed Non-interference) . A pool of threads P satisfies DistributedNon-interference with respect to an allowed-policy mapping W , reference and thread label-ings Σ , Υ and typing environment Γ, if it satisfies h P, T i ∼ W, Γ l h P, T i for all security levels l and position trackers T , T such that dom( P ) = dom( T ) = dom( T ) and T = ℧ ,l T . Wethen write P ∈ DN I ( W, Σ , Υ , Γ).Distributed Non-interference is compositional by set union of pools of threads, assumingdisjoint naming of threads and a subjective migration primitive.Non-interference. As expected, local Non-interference follows from Definition 5.2 when net-works are collapsed into a single domain d ∗ , i.e. when Dom = { d ∗ } . The resulting propertyis parameterized by W ( d ∗ ), and coincides with the view of Non-interference as the absenceof information leaks (in the sense defined in Section 2) when W ( d ∗ ) = ℧ . However, herewe adopt the view of Non-interference as the absence of illegal flows , which is relative tothe particular allowed flow policy. This point is further discussed in Section 6.Programs that violate Non-interference, such as the direct leak ( b := (! a )) when runningat d such that Σ ( a ) W ( d ) Σ ( b ) are also insecure with respect to Distributed Non-interference. The same holds for indirect leaks via control and termination.In the following program, information flows from reference a to b via observation of theend domain: (if (! a ) then (thread l (allowed F then ( b := 0) else ()) at d )else (thread l (allowed F then ( b := 1) else ()) at d )) (5.1)In fact, since the position of threads in the network is part of the observable state, a migration leak [AC11] from level Σ ( a ) to level l occurs as soon as the new thread iscreated. The information is read before migration, so the leak is only secure if it is allowedby the policy of the thread’s initial domain.Let us now consider the simpler program(if (! a ) then (thread l ( b := 0) at d ) else (thread l ( b := 1) at d )) (5.2)to be executed at d such that Σ ( a ) ⊑ W ( d ) l (where the migration leak is allowed). Sincethe two threads produce different changes at the level of b , then the program is again secure NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 37 only if the first domain d allows it, i.e. Σ ( a ) ⊑ W ( d ) Σ ( b ). The policy of the new domain d only rules over what happens from the point where the thread enters it. Since the behaviorof the code that actually migrates does not depend on the location of the correspondingthreads, no leak is taking place at this point of the program.Notice that the declassification operations are transparent to the property. In partic-ular, the program in Equation (3.3) violates Distributed Non-interference, regardless of F ,if Σ ( a ) W ( d ) Σ ( b ).5.1. Semantic Coherence.
We now show that Distributed Non-interference is coherentwith the properties of Non-interference, Distributed Non-disclosure and Flow Policy Con-finement.While Distributed Non-disclosure establishes a match between the leaks that are per-formed by a program and the declassifications that are declared in its code, Flow PolicyConfinement requires that the declassifications comply to the allowed flow policy of the do-main where they occur. It is thus expected that a notion of Distributed Non-interference,which ensures that leaks respect the relevant allowed flow policies, should follow from thecombination of the other two.
Theorem 5.3.
DN D ( W, Σ , Υ , Γ) ∩ F PC ( W, Σ , Γ) ⊆ DN I ( W, Σ , Υ , Γ) . Proof.
We use Definitions 3.3, 4.2 and 5.2 to show that the set: C = ≈ W, Γ l ∩ CT C W, Σ , Γ × CT C W, Σ , Γ ⊆ ∼ W, Γ l Consider ( h P , T i , h P , T i ) ∈ C , and suppose that W ⊢ h P , T , S i d −→ F h P ′ , T ′ , S ′ i and that T = W ( d ) ,l T . Now consider S such that S = W ( d ) ,l S and dom( S ′ ) − dom( S ) ∩ dom( S ) = ∅ . Since h P , T i ∈ CT C W, Σ , Γ , we know that W ( d ) F and h P ′ , T ′ i ∈ CT C W, Σ , Γ . Becauseof the former, we therefore have that h P , T i = F,l h P , T i . Since h P , T i ≈ W, Γ l h P , T i ,this implies that ∃ P ′ , T ′ , S ′ such that W ⊢ h P , T , S i ։ h P ′ , T ′ , S ′ i and h T ′ , S ′ i = ℧ ,l h T ′ , S ′ i and h P ′ , T ′ i ≈ W, Γ l h P ′ , T ′ i . Since h P , T i ∈ CT C W, Σ , Γ , whether h P ′ , T ′ i resultsfrom zero or one step, we have that h P ′ , T ′ i ∈ CT C W, Σ , Γ . We can then conclude that( h P ′ , T ′ i , h P ′ , T ′ i ) ∈ C .To see that the sets are not equal, consider again the program in Equation (3.3). Whileit is secure regarding Distributed Non-interference if H ⊑ W ( d ) L , if F = ℧ it violatesDistributed Non-disclosure, but respects Flow Policy Confinement; and if F = Ω it respectsDistributed Non-disclosure, but violates Flow Policy Confinement if W ( d ) F .5.2. Enforcement.
While it is possible to design direct enforcement mechanisms for Dis-tributed Non-interference (such as the proof of concept presented in [AC14], the point thatis relevant to this work is that enforcement of Distributed Non-interference can be obtainedby simultaneously enforcing Distributed Non-Disclosure and Flow Policy Confinement, asfollows from Theorem 5.3.It is worth highlighting that, in order to apply the above consideration, the semanticsof programs that are in effect must be the same when enforcing the two properties. Thismeans in particular that if a hybrid mechanism such as Enforcement Mechanisms II and IIIof the previous section is to be used, Distributed Non-disclosure must be ensured for themodified semantics, in order to exclude the emergence of side-channels. It turns out that the type system of Section 3 is still sound with respect to the modified semantics of Figures 6and 8. Indeed, when considering the alternative semantics, the results Subject Reduction,Splitting Computations and Location Sensitive Typable High Threads (prop-iflow-split and(Proposition 3.7 and Lemmas 3.8 and 3.10, respectively), hold unchanged. Also the resultsoutlined in the proof of Soundness (Theorem 3.11) still hold. Intuitively, regardless of thestate, the same remote thread creation always either succeeds or suspends, so the outcomeis the same.The programs of Equation (5.1) and (5.2) would be rejected by the type system ofFigure 4 (Section 3) if Σ ( a ) ℧ Σ ( b ), because the illegal flows would not be matched byan appropriate flow declaration. If written within a flow declaration that allows informationto flow from Σ ( a ) to Σ ( b ), and when starting at a domain d , then the program wouldbe rejected by the type systems of Figures 5 and 6 (Section 4) if F W ( d ) because theprogram would be declaring intent of performing a declassification that is not allowed bythe domain where it would take place. Returning to the program of Equation (3.3), it wouldbe rejected by the type system of Figure 4 if Σ ( a ) F Σ ( b ), and by that of Figure 5 if F W ( d ). When running under Enforcement Mechanisms II and III, it would suspend atthe point of remote thread creation if F W ( d ).6. Related work and Discussion
Distributed security setting.
This paper is founded on a distributed computation model inwhich domains are units of security policies [BCGL02], in the sense that behaviors thattake place at the same domain are subjected to the same security policy: the allowed flowpolicy. Other dimensions that have been considered for the semantics of domains includethe unification of communication (the behavior of communication between entities is de-termined by their location) [CG98, HR02, SWP99], of mobility (entire domains move as ablock) [FGL +
96, CG98, VC99], of failures (failure in a domain affect the entities that arelocated there in a similar way) [Ama97, FGL +
96] or of memory access (completion of mem-ory accesses depends on location) [SY97]. Formal distributed security settings have beenstudied over the generic notion of programmable domain [SS03], which offers expressivityto equip each domain with means to encode and enforce its own policies. Besides security,these distributed policies may regard other goals such as failure resilience, resource manage-ment and correctness of mobile code. Particular attention has been given to various formsof programmable membranes [Bou05], where computing power and policy specification isexplicitly associated to the boundaries of computation domains, akin to firewalls (discussedfurther ahead under the topic
Controlling code mobility ). Policies that are associated todomains can more specifically be expressed as mathematical objects of different degree ofexpressiveness, such as types or finite automata [MV05, HMR03, GHS05, HRY05].Domains’ security assurances can be differentiated as security levels, in the context ofcontrolling information flows. Myers and Liskov’s Decentralized Label Model (DLM) [ML98,ML00] provides a way of expressing decentralized labels (referred to as policies, in a differentuse of the word) that extend the concrete setting of security levels as sets of principals, bydistributing them according to ownership. Zdancewic et. al [ZZNM02] propose in Jif/Splita technique for automatically partitioning programs by placing code and data onto hostsin accordance with DLM labels in the source code. Jif/Split assigns to each host arbitrarytrust levels that are granted by the same principals of the system. It ensures that if a host
NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 39 is subverted, the only data whose confidentiality or integrity is threatened during execu-tion of a part of the program, is data owned by principals that trust that host. Chong et.al [CLM +
07] present Swift as a specialization of this idea for Web applications. Zheng andMyers [ZM06] address the issue of how availability of domains (hosts) might affect informa-tion flows in a distributed computation. Here the label on a host represents the strengthof the policies that the host is trusted to enforce. Fournet et. al [FLGR09, FP11] presenta compiler that produces distributed code where communications are implemented usingcryptographic mechanisms, and ensures that all confidentiality and integrity properties arepreserved, despite the presence of active adversaries. While associating security levels todomains is a step towards considering heterogeneous security status, in the above worksthese levels are understood with respect to a single flow policy.The Fabric programming system [LAGM17], incorporates information flow methodsinto a platform for distributed computation over shared persistent data. Host nodes arerepresented by principals, who can declare trust in other principals, from which a globaltrust lattice is derived. The goal is to ensure that the security of a principal does notdepend on any part of the system that it considers to be an adversary. Nothing is assumedabout the behavior of nodes, which can be malicious. This is compatible with a distributedsecurity setting in which the policies of each node are unknown. However, enforcement ofinformation flow control for mobile code is done with respect to a global policy, bounded bythe provider label of that code. Most recently, FlowFence [FPR +
16] addresses informationflow security in the Internet of Things (IoT). Based on an evaluation of representativeexamples of existing IoT frameworks, it advocates and supports differentiation of policiesdefined by both producers and consumers of apps, specifying the permissible flows thatgovern their data, against which the declared app’s flow policies are checked. Thoughnot formally defined, policies are described as sets of flow rules between taint labels (datatags) and sinks (sensitive data outlets), stating which data can flow to which sinks. Thepaper presents the Opacified Computation model, for enforcing source to sink informationflow control as declared by consumers’ policies. To our knowledge, the work presented inthis paper (which includes [Alm09, AC13, AC14]) is the only one that studies formallyinformation flow security in the presence of distributed allowed flow policies.
Information flow and locality.
Information flow security for location-aware programs hasbeen studied in the absence of a distributed security setting. Mantel and Sabelfeld [MS03]provide a type system for preserving confidentiality for different kinds of channels establishedover a publicly observable medium in a distributed setting. Interaction between domainsis restricted to the exchange of values (no code mobility), and the security setting is notdistributed. Castagna, Bugliesi and Craffa study Non-interference for a purely functionaldistributed and mobile calculus [CBC02]. In these works no declassification mechanismsare contemplated. Our previous work that is closest to this one [AC11] studies insecureinformation flows that are introduced by mobility in the context of a stateful distributedlanguage that includes flow declarations. In the computation model that is considered, do-mains are memory access units. Threads own references that move along with them duringmigration, which gives rise to migration leaks that result from memory synchronizationissues: non-local read and write access fail, and thus may reveal information about thelocation of a thread. Considering a shared global state in this paper allows us to makeevident the distributed nature of the security setting, from which distributed behavior ofprograms emerges, while factoring out the technicalities of dealing with distributed and/or mobile references. In this context, migration leaks appear as a result of inspection of theallowed flow policy, since information about current policy can carry information about thelocation itself.The Fabric programming language [LAGM17] supports mobile code, allowing to dynam-ically combine code from multiple sources. Programs use remote calls to explicitly transferexecution to a different node, by means of a mechanism of function shipping. Stores are dis-tributed into storage nodes, and code into worker nodes, which as said earlier are principals.Access to a store by a worker implies an information flow channel, referred to as a read chan-nel that could have connections to the concept of migration leaks [AC11]. The distributedcomputation model is not formally defined, so there is no formal account of the new formsof leaks in isolation, nor how they to the migration leaks discussed earlier [Alm09, AC11].When seen as a means for running code under different allowed flow policies, andin particular more permissive ones, analogies can be drawn between migration and thenotion of declassification as a flow declaration. Similarities extend to the fact that thereis a lexical scope to the migrating code, as there is for the flow declaration. However,differences between the two are more fundamentally expressed through the distinct roles ofthe flow policies that concern them: while a declared flow policy represents an intention toperform a leak (declassification) that is rejected by the strictest baseline security lattice, anallowed flow policy that is held by a domain represents a limit that should not be crossed.This distinction is embodied by the formulation of two independent security propertiesthat relate to each of the two flow policies: Distributed Non-disclosure, that places norestriction on the usage of declassification enabling constructs by the programmer, andFlow Policy Confinement, which does not speak of information flows but solely of whetherdeclassification is allowed to be performed by a particular thread at a particular domain.At a more technical level, migration has expression in the semantics of the language, witha potential impact on the observable state (eg. via the allowed flow policy), while theflow declaration is used solely with specification purposes. Furthermore, in the consideredlanguage setting, domains cannot be nested into different shades of allowed flow policies,and code cannot move in and out of a flow declaration.
Enabling and controlling declassification.
Sabelfeld and Sands survey the literature regard-ing the subject of declassification [SS05], from the perspective of that all declassifica-tion mechanisms provide some sort of declassification control. Mechanisms that enablechanges in the policy are included in this study. Declassification mechanisms are thenclassified according to four main dimensions for control: what information should be re-leased [SM04, LZ05], when it should be allowed to happen [CM04], who should be autho-rized to use it [MSZ06], and where in the program it can be stated [MS04, BS06, HTHZ05]or a combination of thereof [BCR08]. The lexical scoping of the flow declaration couldbe seen to place it under the “where” category. However, it was proposed [AB09] as ameans to enable the expression of declassification (as opposed to attempt to control it)within an information flow control framework. In that view, our type system for enforcingnon-disclosure is best understood as a verification of accordance between code and policyspecification in the form of flow declaration. More recently Broberg et al. [BvDS15] pro-posed a unifying framework for reasoning about dynamic policies, according to which theterm ‘declassification’ is a particular case of dynamic policy change that is traditionallydata oriented. Dynamic policy specification mechanisms are analysed through a structureof three control levels:
Level 0 , defining which set of flow relations can be used;
Level 1 , NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 41 describing how the active flow relation changes during execution; and
Level 2 , restrictingwhich policy changes may occur. Using this classification, mechanisms that are designed toenable declassification, such as the flow policy declaration, operate at Level 1, while thosefor controlling (in the sense of restricting) its use, such as migration control, operate atLevel 2.It is helpful to see declassification control as dependent on the context in which it mayoccur (formalized as meta information that is argument to a meta policy [BvDS15]). FlowPolicy Confinement captures semantically the requirement that declassification betweencertain levels can only occur within computation domains that allow it. Chong and My-ers [CM04] associate declassification policies to variables as a way of restricting the sequenceof levels through which they can be downgraded, provided some conditions are satisfied.Control is then specified for each data item, and policies cannot be tested by the program.Conditions are used in the definition of a generalized non-interference property to markthe steps where declassification occurs, in order to allow information release only if theyare satisfied. The Jif language [Mye99, ML00, CMVZ09], founded on the aforementionedDLM [ML98, ML00], offers a separate concept of authority which regulates which declassifi-cations are allowed. The acts-for relation, describing delegation of trust between principals,is expressed similarly to a flow policy. A delegation operation enables programmers to ex-tend the acts-for hierarchy in the scope of an expression. Its mechanics is similar to ourflow declaration, in that the program can change the valid flow policy. However, its purposeis to express control over the use of downgrading, which must be robust [ZM01, MSZ06],i.e. take place via declassify operations and be trusted by the principals whose policies arerelaxed. Also the use of delegation is controlled in order to ensure permission from thedelegating principal [TZ07]. Hicks et al. [HKMH06] introduce, in a featherweight versionof Jif, the possibility of restricting changes to the acts-for policy to the use of declassifierfunctions that are specified in a global and static policy. The Paralocks and Paragon policyspecification languages [BS10, BvDS13] operate over a lock state, by opening or closinglocks that guard information flows. As Paragon offers the possibility to place locks onpolicies, it is possible to define multiple layers of control, which can simultaneously expressdeclassification enabling and restriction.Declassification control criteria can be largely orthogonal to information flow legality,and can be captured semantically by means of security properties whose concerns are distinctfrom those of information flow properties. Boudol and Kolund˘zija [BK07] use standard ac-cess control primitives to control the access level of programs that perform declassificationsin the setting of a local language, ensuring that a program can only declassify informationthat it has the right to read. Besides presenting a standard information-flow security result(soundness of the proposed enforcement mechanism regarding Non-disclosure), they formal-ize a separate access control result that implies the property that a secure program doesnot attempt to read a reference for which it does not hold the appropriate reading clear-ance. This approach was adopted to control declassification in a calculus for multipartysessions with delegation, and enforced by means of a type system that guarantees both ses-sion safety and a form of access control [CCDCR10]. In order to achieve robustness in thepresence of run-time principals, Tse and Zdancewic [TZ07] use a system of capabilities formaking declassification and endorsement depend on a run-time authority. Downgrading op-erations of information that is owned by a principal require that the principal has grantedthe appropriate capabilities. While a type-safety result is proven, the enforced propertyis not formalized. Arden et al. [ALM15, AM16] propose the Flow-Limited Authorization
Model (FLAM) [ALM15], a logic for reasoning about trust and information flow policiesin which these two concepts are unified. The model allows to control how delegations andrevocations may affect authorization decisions. It is formally shown to enforce a new robustauthorization security condition, which rejects leaks that are present in earlier work.
Dynamic information flow policies.
Security policies can in be used in the role of declarationsthat capture security relevant behavior, or of security requirements, both of which canchange during program execution. In the present work we use dynamic instances of bothforms of flow polices: declared flow policies as a declassification enabling mechanism, that isset up by the program to delimit different lexical scopes within which different patterns offlows that break the basic global policy can be established; distributed allowed flow policies,coupled with the notion of thread location, that govern what each thread is allowed todo, and can change dynamically (in relation to that thread to that thread) along with themigration of the thread. Returning to the terminology of Broberg et al. [BvDS15], these tworoles would correspond to specification mechanisms of control Level 1 and 2, respectively.Dynamic security polices can be seen as being under the responsibility of an authority.In the present work, the units of authority are locations, and their policies take the form ofallowed flow policies. Jif’s acts-for relation of the DLM [ML98, ML00, CMVZ09] (referred-toabove), represents a policy that defines the current global run-time authority and is shapedby multiple principals. The acts-for policy is dynamic, as it can be extended via delegationwithin a lexical scope [TZ07]. Authority can be expressed over language objects in the formof dynamic security labels, while the underlying security lattice remains fixed [ZM04, TZ07].Hicks et al. [HTHZ05] consider a generalization of the global acts-for policy scenario thatcopes with asynchronous updates during run-time. This policy is closer to the concept ofallowed flow policy as external to the program’s own policies, and is studied in a simplernon-distributed context, in the absence of declassification. Swamy et al. [SHTZ06] use role-based allowed policies where membership and delegation of roles can change dynamically.Programming languages can provide constructs for interacting with flow policies us-ing operations for changing the policy, or for being aware of the current flow policy, inorder to adapt its behavior accordingly. Boudol and Kolund˘zija’s test l then M else N instruction[BK07], that tests whether the access level l is granted by the context, is used tocontrol the access level of programs that perform declassifications. Broberg and Sands, use flow locks [BS06] to selectively provide access to memory locations. They introduce flexibleconstructs for manipulating locks, namely open and close. Extending the idea of the flowlocks, the expressive policy languages Paralocks and Paragon [BS10, BvDS13] introducesthe ability to express policies modelling roles (in the style of role-based access control) andrun-time principals and relations. The language includes creation of new actors via newactorforall, and open and close for changing the current policy. This language includes a whencommand is a conditional which executes one of two branches depending on the state ofa particular lock. Both dynamic and static tests to the authority’s policy are supportedin Jif, via the switch-label and the actsFor ), and have been formally studied in relatedmodels that include dynamic labels [ZM07] and dynamic principals [TZ07].Enforcing dynamic (allowed) flow policies raises the challenge of that, even whenthey change synchronously with the program (i.e. are deterministically determined byit [DHS15]), it is not in general known, for each program point, what policy will apply atexecution time. Here we proposed solutions in the realm of migration control, by preventinga thread that can perform an action to migrate to a domain where that action is disallowed. NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 43
Inversely, in [HTHZ05], where the allowed policy can change asynchronously, updates tothe policy that would be inconsistent with the executing program (said to “violate” theprogram’s policy), are considered illegal. Swamy et. al [SHTZ06] use database-style trans-actions which, when a change in policy is inconsistent with some of the flows in the program,can roll it back to a consistent state.
Controlling code mobility.
A variety of formal distributed computation models have beendesigned with the purpose of studying mechanisms for controlling code mobility. Theserange from type systems for statically controlling migration as an access control mech-anism [MV05, HMR03, HRY05], to runtime mechanisms that are based on the conceptof programmable membranes [Bou05]. The later are a specialization of the aforemen-tioned programmable domains for performing automatic checks to migrating code, withthe aim of controlling the movements of entities across the boundaries of the domain.This control can be performed by processes that interact with external and internal pro-grams [LS00, SS03, Bou05], and can implement specialized type systems or other automaticverification mechanisms [GHS05].In the present work we abstract away from the particular machinery that implementsthe migration control checks, and express declaratively, via the language semantics, thecondition that must be satisfied for the boundary transposition to be allowed. The de-classification effect can be seen as a certificate that moves with code in order to aid itsverification, similarly to the proof-carrying code model [Nec97]. However, as we have seen,checking the validity of the declassification effect is not simpler than checking the programagainst a concrete allowed policy (as presented in Subsection 4.3). The concept of trustcan be used to lift the checking requirements of code whose history of visited domains pro-vides enough assurance [GHS05, MV05]. These ideas could be applied to the present work,assisting the decision of trusting the declassification effect, otherwise leading to a full typecheck of the code.Migration control has recently been applied in the context of building practical securedistributed systems that perform information flow and declassification control. As men-tioned earlier, in Fabric [LAGM17], mobile code is subject to run-time verification. Besidesprovider-bounded information flow checking, this includes validation of trust between thecaller and callee nodes. Since running the code depends on the success of these checks, theyamount to a form of migration control.
Hybrid mechanisms and information flow policies.
Hybrid mechanisms for enforcing infor-mation flow policies have been subject of active interest for over a decade (see other detailedreviews [MC11, BBJ16]).The idea of associating a runtime type analysis to the semantics of programs for control-ling declassification was put forward as a proof-of-concept [Alm09], and further developedin the hybrid mechanisms of the present and work. Both are presented as abstract anal-ysis predicates that condition a migration instruction. Mechanisms that interact in morecomplex ways with the semantics of the program could be defined by means of a monitor,such as Askarov and Sabelfeld’s for embedding an on-the-fly static analysis in a lock-stepinformation flow monitor [AS09]. Focusing on the expressivity of the analyses, the formerwork [Alm09] considers a similar language as the one studied here, with local thread cre-ation and a basic goto migration instruction. A notion of declassification was inferred atruntime, using a coarser informative type and effect system. Future migrations were not taken into account when analyzing the declassifications that could occur at the target site,so the program (thread l (thread l (flow F in M ) at d ) at d ) (6.1)would be rejected if F was not allowed by W ( d ). The three enforcement mechanisms ofSection 4 are more refined, as they only reject it if F is not allowed by W ( d ) by the controlmechanism associated to d . Enforcement Mechanism II is the closest to the former work,but uses a more permissive “checking” type system. Enforcement Mechanism III uses atype and effect system for statically calculating declassification effects that is substantiallymore precise than the former work, thanks to the matching relations and operations that ituses. This enables to take advantage of the efficiency of flow policy comparisons.Other previous work explores the usefulness of employing informative type and effectsystems in building hybrid security analysis mechanisms [AF12]. There, the term ‘declassi-fication effect’ represents a conservative approximation of the illegal information flows (asopposed to the declassification policies, investigated here) that are set up by the program,inferred by means of a dependency analysis, in the form of downward closure operators thatrepresent information flow policies. The advantages of determining these policies staticallyin order to efficiently verify runtime compliance to dynamic security policies analyses isillustrated, for an expressive core-ML language, in the context of asynchronous dynamicupdates to a local allowed flow policy. Delft et al. [DHS15] also advocate for the advantagesof separating the dependency analysis and policy enforcement in the context of a hybridmechanism, in order to enforce compliance to dynamic policies. Dependencies between re-sources that are established by a program in a simple while language with output channelsare extracted by means of a more precise and generic flow-sensitive type system [HS06], inthe form of a mapping from each program variables to its (conservatively approximated)set of dependencies (variables).In FlowFence [FPR +
16] both application producers and consumers can declare theirinformation flow policies. These policies are compared using operations such as intersectionand subtraction, that are reminiscent (the formal definitions are not presented) of thepseudo-subtraction operation and permissiveness relation defined in Subsection 2.1, whichwas mainly used in calculating the declassification effect in Figure 7. Our declassificationeffect of a program can be seen as the least permissive policy that the program complies to,and can therefore declare in its manifest .7.
Conclusions and Future work
In this work we considered a simple network model of a distributed security setting, andprovided a thorough study of information flow issues that arise within it. Adopting thestandpoint of separating the enabling and controlling facets of declassification, we definedand studied two security properties that are related to declassification: Distributed non-disclosure, which regards the compliance of information leaks to declassification declarationsin the code, and Flow Policy Confinement, which regards compliance of those declarations tothe allowed flow policies of each site. For each, we proposed mechanisms for enforcing them,ranging from purely static to hybrid approaches. Finally, we tied up the both properties andrespective mechanisms by showing that, in combination, they imply a generalization of Non-interference. We propose this property, which we refer to as Distributed Non-interference,as a baseline information flow property that is adequate for distributed security settings.
NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 45
We showed how the problem of migration control can be applied to that of declassifi-cation control. By comparing three related enforcement mechanisms, we argued that theconcept of declassification effect offers advantages in achieving both precision and efficiency.We believe that similar mechanisms can be applied in other contexts. This new securityeffect can be associated at runtime to a program, containing information about the declas-sifying environments (or of other behavior of interest) that can potentially be establishedby that program. It is flexible enough to allow programs containing operations that areforbidden at certain sites to be considered secure nevertheless, as long as these operationsare guarded by an appropriate context testing construct. The techniques that were studiedare largely independent of the declassification mechanism that is used, which testifies tohow a layer of control can be added to the most permissive declassification mechanisms.We expect that our language framework can be easily adapted to studying other lan-guage constructs and settings, security properties and enforcement mechanisms. We endwith a few notes on possible lines for future work: • In our model, domains are the sole authorities of security policy, which must berespected by migrating threads when executing at each domain. The model can berefined to enable migrating programs to establish a security policy over how theirinformation should be handled, possibly in a setting where references can movealong with threads [AC11]. The concern would be to prevent information that iscarried by programs from becoming accessible to others with more permissive flowpolicies. • It is known that when considering a distributed memory model (where accessibilityto remote references depends on location), memory synchronization issues can leadto migration leaks [AC11]. In other words, distribution of memory access can beused to reveal information about location. The present paper shows that migrationleaks can also result from a distributed security setting combined with a programconstruct for inspecting the domain’s flow policies. Other forms of distribution(as for instance failure or communication-based distribution) and migration (eg.ambient migration [CG98]) could create other forms of dependencies. Studying themwould bring a better understanding of indirect possibilities of leaking informationabout the location of entities in networks. • The property of Flow Policy Confinement is perhaps the simplest form of imposingcompliance of declassifications to distributed allowed flow policies. It would beinteresting to consider properties with more complex (and restrictive) concerns,possibly taking into account the history of domains that a thread has visited whendefining secure code migrations. For instance, one might want to forbid threadsfrom moving to domains with more favorable allowed flow policies. The enforcementof such a property would be easily achieved, using the abstractions of this paper,by introducing a condition on the allowed flow policies of origin and destinationdomains. • We have considered a new instance of the problem of enforcing compliance of declas-sifications to a dynamically changing allowed flow policy: In our setting, changesin the allowed flow policy result from migration of programs during execution in asynchronous way. Lifting the assumption of that the domain’s allowed flow policiesare static, towards allowing them to change asynchronously with program execu-tion would more realistically capture full policy dynamicity, but would be outside the realm of migration control. Other mechanisms are therefore in demand for thescenario of a dynamic and distributed security setting. • As a more long term aim, and having in mind recent developments in the areaof providing built-in security by construction into the IoT [FPR + References [AB09] A. Almeida Matos and G. Boudol. On declassification and the non-disclosure policy.
Journalof Computer Security , 17(5):549–597, 2009.[AC11] A. Almeida Matos and J. Cederquist. Non-disclosure for distributed mobile code.
MathematicalStructures in Computer Science , 21(6), 2011.[AC13] A. Almeida Matos and J. Cederquist. Informative types and effects for hybrid migration control.In
Runtime Verification - 4th International Conference. Proceedings , volume 8174 of
LNCS ,pages 21–39. Springer, 2013.[AC14] A. Almeida Matos and J. Cederquist. Distributed noninterference. In
Proceedings of the 201422Nd Euromicro International Conference on Parallel, Distributed, and Network-Based Pro-cessing , PDP ’14, pages 760–764, Washington, DC, USA, 2014. IEEE Computer Society.[AF12] A. Almeida Matos and J. Fragoso Santos. Typing illegal information flows as program effects. In
Proceedings of the 7th Workshop on Programming Languages and Analysis for Security , pages1–12. ACM, 2012.[Alm09] A. Almeida Matos. Flow-policy awareness for distributed mobile code. In
Proceedings of CON-CUR 2009 - Concurrency Theory , volume 5710 of
Lecture Notes in Computer Science , pages177–188. Springer, 2009.[ALM15] O. Arden, J. Liu, and A. C. Myers. Flow-limited authorization. In
Proceedings of the 2015 IEEE28th Computer Security Foundations Symposium , CSF ’15, pages 569–583. IEEE ComputerSociety, 2015.[AM16] O. Arden and A. C. Myers. A calculus for flow-limited authorization. In , pages 135–147, 2016.[Ama97] R. M. Amadio. An asynchronous model of locality, failure, and process mobility. In D. Gar-lan and D. Le M´etayer, editors,
Coordination Languages and Models , pages 374–391, Berlin,Heidelberg, 1997. Springer Berlin Heidelberg.[AS09] A. Askarov and A. Sabelfeld. Tight enforcement of information-release policies for dynamiclanguages. In
Proceedings of the 2009 22nd IEEE Computer Security Foundations Symposium ,CSF ’09, pages 43–59. IEEE Computer Society, 2009.[BBJ16] F. Besson, N. Bielova, and T. P. Jensen. Hybrid monitoring of attacker knowledge. In
CSF ,pages 225–238. IEEE Computer Society, 2016.[BC02] G. Boudol and I. Castellani. Noninterference for concurrent programs and thread systems.
Theoretical Computer Science , 281(1–2):109–130, 2002.[BCGL02] G. Boudol, I. Castellani, F. Germain, and M. Lacoste. Analysis of formal models of distributionand mobility: state of the art. Technical report, Project Mikado Deliverable D1.1.1, 2002.[BCR08] G. Barthe, S. Cavadini, and T. Rezk. Tractable enforcement of declassification policies. In
CSF ,pages 83–97. IEEE Computer Society, 2008.[BK07] G. Boudol and M. Kolundzija. Access Control and Declassification. In
Computer Network Se-curity , volume 1 of
CCIS , pages 85–98. Springer-Verlag, 2007.[Bou05] G. Boudol. A generic membrane model. In
IST/FET International Workshop on Global Com-puting , volume 3267 of
LNCS , pages 208–222. Springer, 2005.[BS06] N. Broberg and D. Sands. Flow locks: Towards a core calculus for dynamic flow policies.In
Programming Languages and Systems. 15th European Symposium on Programming, ESOP2006 , volume 3924 of
LNCS . Springer Verlag, 2006.
NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 47 [BS10] N. Broberg and D. Sands. Paralocks: Role-based information flow control and beyond. In
Proceedings of the 37th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Pro-gramming Languages , POPL ’10, pages 431–444. ACM, 2010.[BvDS13] N. Broberg, B. van Delft, and D. Sands. Paragon for practical programming with information-flow control. In
Proceedings of the 11th Asian Symposium on Programming Languages andSystems - Volume 8301 , pages 217–232, Berlin, Heidelberg, 2013. Springer-Verlag.[BvDS15] N. Broberg, B. van Delft, and D. Sands. The anatomy and facets of dynamic policies. In
CSF .IEEE Computer Society, 2015.[CBC02] S. Crafa, M. Bugliesi, and G. Castagna. Information flow security for boxed ambients. In
Workshop on Foundations of Wide Area Network Computing , volume 66 of
ENTCS , pages76–97. Elsevier, 2002.[CCDCR10] S. Capecchi, I. Castellani, M. Dezani-Ciancaglini, and T. Rezk. Session types for access andinformation flow control. In
Proceedings of the 21st International Conference on ConcurrencyTheory , CONCUR’10, pages 237–252, Berlin, Heidelberg, 2010. Springer-Verlag.[CG98] L. Cardelli and A. D. Gordon. Mobile ambients. In
Foundations of Software Science and Com-putation Structures , pages 140–155. Springer Berlin Heidelberg, 1998.[CLM +
07] S. Chong, J. Liu, A. Myers, X. Qi, K. Vikram, L. Zheng, and X. Zheng. Secure web applicationsvia automatic partitioning. In
Proceedings of 21st ACM Symposium on Operating SystemsPrinciples . ACM, 2007.[CM04] S. Chong and A. C. Myers. Security policies for downgrading. In
Proceedings of the 11th ACMconference on Computer and communications security . ACM Press, 2004.[CMVZ09] S. Chong, A. C. Myers, K. Vikram, and L. Zheng. Jif reference manual, 2009.[Den76] D. E. Denning. A lattice model of secure information flow.
Communications of the ACM ,19(5):236–243, 1976.[DHS15] B. Delft, S. Hunt, and D. Sands. Very static enforcement of dynamic policies. In
Proceedingsof the 4th International Conference on Principles of Security and Trust - Volume 9036 , pages32–52. Springer-Verlag New York, Inc., 2015.[FG95] R. Focardi and R. Gorrieri. A classification of security properties for process algebras.
Journalof Computer Security , 3(1):5–33, 1995.[FGL +
96] C. Fournet, G. Gonthier, J. Levy, L. Maranget, and D. R´emy. A calculus of mobile agents.In U. Montanari and V. Sassone, editors,
CONCUR ’96: Concurrency Theory , pages 406–421,Berlin, Heidelberg, 1996. Springer Berlin Heidelberg.[FLGR09] C. Fournet, G. Le Guernic, and T. Rezk. A security-preserving compiler for distributed pro-grams. In
Proceedings of the 16th ACM Conf. on Computer and Communications Security .ACM, 2009.[FP11] C. Fournet and J. Planul. Compiling information-flow security to minimal trusted com-puting bases. In
Proceedings of the 20th European Conference on Programming Languagesand Systems: Part of the Joint European Conferences on Theory and Practice of Software ,ESOP’11/ETAPS’11, pages 216–235, Berlin, Heidelberg, 2011. Springer-Verlag.[FPR +
16] E. Fernandes, J. Paupore, A. Rahmati, D. Simionato, M. Conti, and A. Prakash. Flowfence:Practical data protection for emerging iot application frameworks. In , pages 531–548. USENIX Association, 2016.[GHS05] D. Gorla, M. Hennessy, and V. Sassone. Security policies as membranes in systems for globalcomputing. In
Foundations of Global Ubiquitous Computing, FGUC 2004 , ENTCS, pages 23–42.Elsevier, 2005.[GM82] J. A. Goguen and J. Meseguer. Security policies and security models. In , pages 11–20. IEEE Computer Society, 1982.[HKMH06] B. Hicks, D. King, P. D. McDaniel, and M. Hicks. Trusted declassification: high-level policyfor a security-typed language. In
PLAS , pages 65–74. ACM, 2006.[HMR03] M. Hennessy, M. Merro, and J. Rathke. Towards a behavioural theory of access and mobilitycontrol in distributed systems. In
Proceedings of the 6th Int. Conf. on Foundations of SoftwareScience and Computation Structures and European Conf. on Theory and Practice of Software ,pages 282–298. Springer-Verlag, 2003.[HR02] M. Hennessy and J. Riely. Resource access control in systems of mobile agents.
Inf. Comput. ,173(1):82–120, February 2002. [HRY05] M. Hennessy, J. Rathke, and N. Yoshida. safedpi: a language for controlling mobile code.
ActaInformatica , 42(4):227–290, Dec 2005.[HS06] S. Hunt and D. Sands. On flow-sensitive security types. In
Conference Record of the 33rd ACMSIGPLAN-SIGACT Symposium on Principles of Programming Languages , POPL ’06, pages79–90. ACM, 2006.[HTHZ05] M. Hicks, S. Tse, B. Hicks, and S. Zdancewic. Dynamic updating of information-flow policies.In
Workshop on Foundations of Comp. Security , pages 7–18, 2005.[LAGM17] J. Liu, O. Arden, M. D. George, and A. C. Myers. Fabric: Building open distributed systemssecurely by construction.
Journal of Computer Security , 25(4-5):367–426, 2017.[LG88] J. M. Lucassen and D. K. Gifford. Polymorphic effect systems. In , pages 47–57. ACM Press, 1988.[LS00] F. Levi and D. Sangiorgi. Controlling interference in ambients. In
POPL ’00: Proceedings ofthe 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages , pages352–364. ACM, 2000.[LZ05] P. Li and S. Zdancewic. Downgrading policies and relaxed noninterference. In
Proceedings ofthe 32nd ACM SIGPLAN-SIGACT symposium on Principles of programming languages . ACMPress, 2005.[Mai90] H. G. Mairson. Deciding ml typability is complete for deterministic exponential time. In
Proceed-ings of the 17th ACM SIGPLAN-SIGACT symposium on Principles of programming languages ,POPL ’90, pages 382–401. ACM, 1990.[MC11] S. Moore and S. Chong. Static analysis for efficient hybrid information-flow control. In
Pro-ceedings of the 2011 IEEE 24th Computer Security Foundations Symposium , CSF ’11, pages146–160. IEEE Computer Society, 2011.[ML98] A. C. Myers and B. Liskov. Complete, safe information flow with decentralized labels. In , pages 186–197. IEEE ComputerSociety, 1998.[ML00] A. C. Myers and B. Liskov. Protecting privacy using the decentralized label model.
ACM Trans.on Soft. Engineering and Methodology , 9(4):410–442, 2000.[MS03] H. Mantel and A. Sabelfeld. A unifying approach to the security of distributed and multi-threaded programs.
Journal of Computer Security , 11(4):615–676, 2003.[MS04] H. Mantel and D. Sands. Controlled declassification based on intransitive noninterference. In
Programming Languages and Systems: Second Asian Symposium , volume 3302 of
Lecture Notesin Computer Science . Springer-Verlag, 2004.[MSZ06] A. C. Myers, A. Sabelfeld, and S. Zdancewic. Enforcing robust declassification and qualifiedrobustness.
Journal of Computer Security , 14(2):157–196, 2006.[MV05] F. Martins and V.T. Vasconcelos. History-based access control for distributed processes. In
Proceedings of TGC’05 , LNCS. Springer-Verlag, 2005.[Mye99] A. C. Myers. JFlow: Practical mostly-static information flow control. In
Proceedings of the 26thACM SIGPLAN-SIGACT symposium on Principles of programming languages , pages 228–241.ACM Press, 1999.[Nec97] G. C. Necula. Proof-carrying code. In
Proceedings of the 24th ACM Symposium on Principlesof Programming Languages , pages 106–119. ACM, 1997.[SHTZ06] N. Swamy, M. Hicks, S. Tse, and S. Zdancewic. Managing policy updates in security-typedlanguages. In
CSFW , pages 202–216. IEEE Computer Society, 2006.[SM03] A. Sabelfeld and A. C. Myers. Language-based information-flow security.
IEEE Journal onSelected Areas in Communications , 21(1):5–19, 2003.[SM04] A. Sabelfeld and A. Myers. A model for delimited information release. In
International Sym-posium on Software Security (ISSS’03) , volume 3233 of
LNCS . Springer-Verlag, 2004.[Smi01] G. Smith. A new type system for secure information flow. In
CSFW’01: 14th IEEE ComputerSecurity Foundations Workshop . IEEE Computer Society, 2001.[SS00] A. Sabelfeld and D. Sands. Probabilistic noninterference for multi-threaded programs. In
CSFW’00: 13th IEEE Computer Security Foundations Workshop , pages 200–215. IEEE Com-puter Society, 2000.[SS03] A. Schmitt and J.-B. Stefani. The m-calculus: a higher-order distributed process calculus.
SIGPLAN Not. , 38(1):50–61, 2003.
NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 49 [SS05] A. Sabelfeld and D. Sands. Dimensions and principles of declassification. In . IEEE Computer Society, 2005.[SWP99] P. Sewell, P. T. Wojciechowski, and B. C. Pierce. Location-independent communication for mo-bile agents: A two-level architecture. In
Internet Programming Languages , pages 1–31. SpringerBerlin Heidelberg, 1999.[SY97] T. Sekiguchi and A. Yonezawa. A calculus with code mobility. In
FMOODS’97: IFIP TC6WG6.1 international workshop on Formal methods for open object-based distributed systems ,pages 21–36. Chapman & Hall, 1997.[TZ07] S. Tse and S. Zdancewic. Run-time principals in information-flow type systems.
ACM Trans-actions on Programming Langanguages and Systems , 30(1):6, 2007.[US 11] US Department of Homeland Security. Enabling distributed security in cyberspace – buildinga healthy and resilient cyber ecosystem with automated collective action.
US GovernmentDocuments and Publications , 2011.[VC99] J. Vitek and G. Castagna. Seal: A framework for secure mobile computations. In H. E. Bal,B. Belkhouche, and L. Cardelli, editors,
Internet Programming Languages , pages 47–77, Berlin,Heidelberg, 1999. Springer Berlin Heidelberg.[WF94] Andrew K. Wright and Matthias Felleisen. A syntactic approach to type soundness.
Informna-tion and Computation , 115(1):38–94, 1994.[ZM01] S. Zdancewic and A. C. Myers. Robust declassification. In
Proceedings of the 14th IEEE Work-shop on Computer Security Foundations , CSFW ’01, pages 12–23. IEEE Computer Society,2001.[ZM04] L. Zheng and A. Myers. Dynamic security labels and noninterference. In
Proceedings 2nd Work-shop on Formal Aspects in Security and Trust , pages 27–40. Springer, 2004.[ZM06] L. Zheng and A. C. Myers. Making distributed computation trustworthy by construction. Tech-nical Report TR2006-2040, Cornell University, 2006.[ZM07] L. Zheng and A. Myers. Dynamic security labels and static information flow control.
Interna-tional Journal of Information Security , 6(2):67–84, March 2007.[ZZNM02] S. Zdancewic, L. Zheng, N. Nystrom, and A. Myers. Secure program partitioning.
ACM Trans-actions on Computer Systems , 20(3):283–328, 2002.
This Appendix contains the proofs of the technical results that are omitted or sketchedin the paper.
Appendix A. Proofs for ‘Controlling Information Flow’
A.1.
Formalization of Distributed Non-disclosure.
In [AC11] Non-disclosure is de-fined for networks, considering a distributed setting with code mobility, by means of abisimulation on pools of threads. In this paper we used a bisimulation on thread configu-rations. We prove that the new definition is weaker than the first.
Definition on pools of threads.
In order to compare the precision of Non-Disclosure forNetworks with Distributed Non-disclosure as proposed here, we recall the definition of theformer, using the notations of the present paper.
Definition A.1 ( ˙ ≈ W, Σ , Υ , Γ l ) . Given a security level l , a ( W, Σ , Υ , Γ , l )-bisimulation is asymmetric relation R on pools of threads that satisfies, for all P , P , and for all (Σ , Γ)-compatible stores S , S : P R P and W ⊢ h P , T , S i d −→ F h P ′ , T ′ , S ′ i and h T , S i = Σ , Υ F,l h T , S i with dom( S ′ ) − dom( S ) ∩ dom( S ) = ∅ and dom( T ′ ) − dom( T ) ∩ dom( T ) = ∅ impliesthat there exist P ′ , T ′ , S ′ such that: W ⊢ h P , T , S i ։ h P ′ , T ′ , S ′ i and h T ′ , S ′ i = Σ , Υ ℧ ,l h T ′ , S ′ i and P ′ R P ′ Furthermore, S ′ , S ′ are still (Σ , Γ)-compatible. The largest ( W, Σ , Υ , Γ , l )-bisimulation, theunion of all such bisimulations, is denoted ˙ ≈ W, Σ , Υ , Γ l .For any Σ, Υ, Γ and l , the set of pairs of thread configurations where threads are valuesis an ( W, Σ , Υ , Γ , l )-bisimulation. Furthermore, the union of a family of ( W, Σ , Υ , Γ , l )-bisimulations is a ( W, Σ , Υ , Γ , l )-bisimulation. Consequently, ˙ ≈ W, Σ , Υ , Γ l exists. Definition A.2 (Non-disclosure for Networks) . A pool of threads P satisfies the Non-disclosure for Networks property with respect to an allowed-policy mapping W , a referencelabeling Σ, a thread labeling Υ and a typing environment Γ, if it satisfies P ˙ ≈ W, Σ , Υ , Γ l P forall security levels l . We then write P ∈ N DN ( W, Σ , Υ , Γ).
Comparison.
Definition 3.3 is strictly weaker than the thread pool-based Definition A.2, inthe sense that it considers more programs as secure. This is formalized by the followingproposition.
Proposition A.3 (Proposition 3.5) . N DN ( W, Σ , Υ , Γ) ⊂ DN D ( W, Σ , Υ , Γ) .Proof. We consider P in N DN ( W, Σ , Υ , Γ), i.e. P is such that for all security levels l wehave P ˙ ≈ W, Σ , Υ , Γ l P according to Definition A.1. Given any pair of position trackers T , T such that dom( P ) = dom( T ) = dom( T ) and T = Σ , Υ ℧ ,l T , we prove that for all levels l wehave h P, T i ≈ W, Σ , Υ , Γ l h P, T i according to Definition 3.3. To this end, we consider the set N = {hh P , T i , h P , T ii | dom( P ) = dom( T ) = dom( T ) and T = Σ , Υ ℧ ,l T and P ˙ ≈ W, Σ , Υ , Γ l P } NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 51 and prove that N ⊆ ≈ W, Σ , Υ , Γ l (according to Definition 3.3).Assume that hh P , T i , h P , T ii ∈ N , and suppose that for any given (Σ , Γ)-compatiblememories S , S we have W ⊢ h P , T , S i d −→ F h P ′ , T ′ , S ′ i and h T , S i = Σ , Υ F,l h T , S i , withdom( S ′ ) − dom( S ) ∩ dom( S ) = ∅ and dom( T ′ ) − dom( T ) ∩ dom( T ) = ∅ . Then, byDefinition A.1 there exist P ′ , T ′ , S ′ such that W ⊢ h P , T , S i ։ h P ′ , T ′ , S ′ i and h T ′ , S ′ i = Σ , Υ ℧ ,l h T ′ , S ′ i and P ′ R P ′ Furthermore, S ′ , S ′ are still (Σ , Γ)-compatible. It is now easy to see that hh P ′ , T ′ i , h P ′ , T ′ ii ∈ N . The example in Equation (3.4) shows that N DN ( W, Σ , Υ , Γ) = DN D ( W, Σ , Υ , Γ).A.2.
Type system.
A.2.1.
Subject Reduction.
In order to establish the soundness of the type system of Figure 4we need a Subject Reduction result, stating that types that are given to expressions arepreserved by computation. To prove it we follow the usual steps [WF94]. In the following,
Pse is the set of pseudo-values, as defined in Figure 2.
Remark A.4. (1) If X ∈ Pse and Γ ⊢ Σ j,F X : s, τ , then for all security levels j ′ , flow policies F ′ andsecurity effects s ′ , we have that Γ ⊢ Σ j ′ ,F ′ X : s ′ , τ .(2) For any flow policies F, F ′ , such that F ′ F , we have that Γ ⊢ Σ j,F M : τ impliesΓ ⊢ Σ j,F ′ M : τ . Lemma A.5. (1) If Γ ⊢ Σ j,F M : s, τ and x / ∈ dom(Γ) then Γ , x : σ ⊢ Σ j,F M : s, τ . (2) If Γ , x : σ ⊢ Σ j,F M : s, τ and x / ∈ fv( M ) then Γ ⊢ Σ j,F M : s, τ .Proof. By induction on the inference of the type judgment.
Lemma A.6 (Substitution) . If Γ , x : σ ⊢ Σ j,F M : s, τ and Γ ⊢ Σ j ′ ,F ′ X : s ′ , σ then Γ ⊢ Σ j,F { x X } M : s, τ .Proof. By induction on the inference of Γ , x : τ ⊢ Σ j,F M : s, σ , and by case analysis on thelast rule used in this typing proof, using the previous lemma. Let us examine the casesrelated to the new language constructs: Mig:
Here M = (thread l ¯ M at ¯ d ) and we have that Γ , x : σ ⊢ Σ l, ℧ ¯ M : ¯ s, τ , with τ = unit and ¯ s = h⊥ , l ⊔ s.w, ⊥i . By induction hypothesis, then Γ ⊢ Σ l, ℧ { x X } ¯ M : ¯ s, τ .Therefore, by rule Mig , Γ ⊢ Σ j,F (thread l { x X } ¯ M at ¯ d ) : s, τ . Flow:
Here M = (flow ¯ F in ¯ M ), Γ , x : σ ⊢ Σ j,F f ¯ F ¯ M : s, τ . By induction hypothesis,Γ ⊢ Σ j,F f ¯ F { x X } ¯ M : s, τ . Then, by Flow , we have Γ ⊢ Σ j,F (flow ¯ F in { x X } ¯ M ) : s, τ . Allow:
Here M = (allowed ¯ F then N t else N f ) and we have Γ , x : σ ⊢ Σ j,F N t : s t , τ andΓ , x : σ ⊢ Σ j,F N f : s f , τ with j ⊑ F s t .w, s f .w and s = s t ⊔ s f ⊔ h j, ⊤ , j i . By induc-tion hypothesis, Γ , x : σ ⊢ Σ j,F { x X } N t : s t , τ and Γ , x : σ ⊢ Σ j,F { x X } N f : s f , τ .Therefore, by rule Allow , we have that Γ , x : σ ⊢ Σ j,F (allowed ¯ F then { x X } N t else { x X } N f ) : s, τ . Lemma A.7 (Replacement) . If Γ ⊢ Σ j,F E[ M ] : s, τ is a valid judgment, then the proof gives M a typing Γ ⊢ Σ j,F f ⌈ E ⌉ M : ¯ s, ¯ τ for some ¯ s and ¯ τ such that ¯ s ⊑ s . In this case, if Γ ⊢ Σ j,F f ⌈ E ⌉ N : ¯ s ′ , ¯ τ with ¯ s ′ ⊑ ¯ s , then Γ ⊢ Σ j,F E[ N ] : s ′ , τ , for some s ′ such that s ′ ⊑ s .Proof. By induction on the structure of E. Let us examine the case of the flow declaration,which is the only non-standard evaluation context: E[ M ] = (flow F ′ in ¯E[ M ]): By Flow , we have Γ ⊢ Σ j,F f F ′ ¯E[ M ] : s, τ . By inductionhypothesis, the proof gives M a typing Γ ⊢ Σ j,F f F ′ f ⌈ ¯E ⌉ M : ˆ s, ˆ τ , for ˆ s, ˆ τ such thatˆ s ⊑ s . Also by induction hypothesis, Γ ⊢ Σ j,F f F ′ ¯E[ N ] : s ′ , τ , for some s ′ such that s ′ ⊑ s . Then, again by Flow , we have Γ ⊢ Σ j,F (flow F ′ in ¯E[ N ]) : s ′ , τ .We check that the type of a thread is preserved by reduction, while its effects “weaken”. Proposition A.8 (Subject Reduction – Proposition 3.7) . Consider a thread M m such that Γ ⊢ ΣΥ( m ) ,F M : s, τ , and suppose that W ⊢ h{ M m } , T, S i d −→ F ′ h{ M ′ m } ∪ P, T ′ , S ′ i , for a memory S that is (Σ , Γ) -compatible. Then, there is an effect s ′ such that s ′ ⊑ s and Γ ⊢ ΣΥ( m ) ,F M ′ : s ′ , τ , and S ′ is also (Σ , Γ) -compatible. Furthermore,if P = { N n } , for some expression N and thread name n , then there exists s ′′ such that s ′′ ⊑ s and Γ ⊢ ΣΥ( n ) , ℧ N : s ′′ , unit .Proof. Suppose that M = ¯E[ ¯ M ] and W ⊢ Σ , Υ h{ ¯ M m } , T, S i d −→ ¯ F h{ ¯ M ′ m } ∪ P ′ , ¯ T ′ , ¯ S ′ i . Westart by observing that this implies F = ¯ F f ⌈ ¯E ⌉ , M ′ = ¯E[ ¯ M ′ ], P = P ′ , ¯ T ′ = T ′ and ¯ S ′ = S ′ .We can assume, without loss of generality, that ¯ M is the smallest in the sense that there isno ˆE , ˆ M , ˆ N such that ˆE = [] and ˆE[ ˆ M ] = ¯ M for which we can write W ⊢ Σ , Υ h{ ˆ M m } , T, S i d −→ ˆ F h{ ˆ M ′ m } ∪ P, T ′ , S ′ i .By Replacement (Lemma A.7), we have Γ ⊢ ΣΥ( m ) ,F f ⌈ ¯E ⌉ ¯ M : ¯ s, ¯ τ in the proof of Γ ⊢ ΣΥ( m ) ,F ¯E[ ¯ M ] : s, τ , for some ¯ s and ¯ τ . We proceed by case analysis on the transition W ⊢ Σ , Υ h{ ¯ M m } , T, S i d −→ ¯ F h{ ¯ M ′ m } ∪ P, T ′ , S ′ i , and prove that if S ′ = S then: • There is an effect ¯ s ′ such that ¯ s ′ ⊑ ¯ s and Γ ⊢ ΣΥ( m ) ,F f ⌈ ¯E ⌉ ¯ M ′ : ¯ s ′ , ¯ τ . Furthermore, forevery reference a ∈ dom( S ′ ) implies Γ ⊢ Σˆ j, ˆ F S ′ ( a ) : ˆ s, Σ ( a ), for every security levelˆ j , flow policy ˆ F and security effect ˆ s . • If P = { N n } for some expression N and thread name n , then there is an effect ¯ s ′′ such that ¯ s.w ⊑ ¯ s ′′ .w and a thread name d ′ such that Γ ⊢ ΣΥ( n ) , ℧ N : ¯ s ′′ , unit . NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 53
We present only the cases corresponding to reductions of the non-standard language con-structs: ¯ M = (allowed F ′ then N t else N f ): Suppose that W ( d ) F ′ (the other case isanalogous). Here we have ¯ M ′ = N t , S = S ′ and P = ∅ . By Allow , we have thatΓ ⊢ ΣΥ( m ) ,F f ⌈ ¯E ⌉ N t : s t , ¯ τ , where s t ⊑ ¯ s . ¯ M = (flow F ′ in V ): Here we have ¯ M ′ = V , S = S ′ and P = ∅ . By rule Flow , wehave that Γ ⊢ ΣΥ( m ) ,F f ⌈ ¯E ⌉ f F ′ V : ¯ s, τ . and by Remark A.4, we have Γ ⊢ ΣΥ( m ) ,F f ⌈ ¯E ⌉ V : ¯ s, ¯ τ . ¯ M = (thread k N at d ′ ): Here we have ¯ M ′ = (), P = { N n } for some thread name n , S = S ′ and T ′ ( n ) = d . By Mig , we have that Γ ⊢ ΣΥ( n ) , ℧ N : ˆ s, unit , with s.w ⊑ ˆ s.w and ¯ τ = unit , and by Nil we have that Γ ⊢ ΣΥ( m ) ,F f ⌈ ¯E ⌉ () : ¯ s, unit .By Replacement (Lemma A.7), we can finally conclude that Γ ⊢ ΣΥ( m ) ,F ¯E[ ¯ M ′ ] : s ′ , τ , forsome s ′ ⊑ s .A.2.2. Basic Properties.Properties of the Semantics.
One can show that if a thread is able to perform a step in onememory, while creating a new thread (or not), when executing on a low-equal memory itcan also perform a step and produce a low-equal result, while creating a new thread (ornot).
Lemma A.9 (Guaranteed Transitions) . Consider an allowed-policy mapping W , a thread M m and two states h T , S i , h T , S i such that W ⊢ h{ M m } , T , S i d −→ F h P ′ , T ′ , S ′ i , and forsome F ′ we have h T , S i = Σ , Υ F f F ′ , low h T , S i . Then: • If P ′ = { M ′ m } , and (dom( S ′ ) − dom( S )) ∩ dom( S ) = ∅ , then there exist M ′ , T ′ and S ′ such that W ⊢ h{ M m } , T , S i d −→ F h{ M ′ m } , T ′ , S ′ i and h T ′ , S ′ i = Σ , Υ F f F ′ , low h T ′ , S ′ i . • If P ′ = { M ′ m , N n } for some expression N and (dom( T ′ ) − dom( T )) ∩ dom( T ) = ∅ , then there exist M ′ , T ′ and S ′ such that we have W ⊢ h{ M m } , T , S i d −→ F h{ M ′ m , N n } , T ′ , S ′ i and h T ′ , S ′ i = Σ , Υ F f F ′ , low h T ′ , S ′ i .Proof. By case analysis on the proof of W ⊢ h{ M m } , T , S i d −→ F h P ′ , T ′ , S ′ i . In most cases,this transition does not modify or depend on the state h T , S i , and we may let P ′ = P ′ and h T ′ , S ′ i = h T , S i . M = E[(allowed A then N t else N f )] and W ( T ( m )) A : Here, P ′ = { E[ N t ] m } , F = ⌈ E ⌉ , and h T ′ , S ′ i = h T , S i . There are two possible cases: • If W ( T ( m )) A , then W ⊢ h{ M m } , T , S i d −→ F h{ N tm } , T , S i . • If W ( T ( m )) A , then W ⊢ h{ M m } , T , S i d −→ F h{ N f m } , T , S i . Clearly, in both cases, by assumption, h T , S i = Σ , Υ F f F ′ , low h T , S i .The case where W ( T ( m )) A is analogous. M = E[(thread k N at d ′ )]: Here, for a thread name n , P ′ = { E[()] m , N n } , F = ⌈ E ⌉ , T ′ = T ∪ { n d ′ } , and S ′ = S . Since we assume that n / ∈ dom( T ), wealso have that W ⊢ h{ M m } , T , S i d −→ F h{ E[()] m , N n } , T ∪ { n d ′ } , S i . Clearly, h T ∪ { n d ′ } , S i = Σ , Υ F f F ′ , low h T ∪ { n d ′ } , S i . Effects.
Lemma A.10 (Update of Effects) . (1) If Γ ⊢ Σ j,F E[(! a )] : s, τ then Σ ( a ) ⊑ s.r . (2) If Γ ⊢ Σ j,F E[( a := V )] : s, τ , then s.w ⊑ Σ ( a ) . (3) If Γ ⊢ Σ j,F E[(ref l,θ V )] : s, τ , then s.w ⊑ l . (4) If Γ ⊢ Σ j,F E[(thread l M at d ′ )] : s, τ , then s.w ⊑ l . (5) If Γ ⊢ Σ j,F E[(allowed F then N t else N f )] : s, τ , then j ⊑ s.r, s.t .Proof. By induction on the structure of E.
High Expressions.
Some expressions can be easily classified as “high” by the type system,which only considers their syntax. These cannot perform changes to the “low” memorysimply because their code does not contain any instruction that could perform them. Sincethe writing effect is intended to be a lower bound to the level of the references that theexpression can create or assign to, expressions with a high writing effect can be said to be syntactically high : Definition A.11 (Syntactically High Expressions) . An expression M is syntactically (Σ , Γ , j, F, l )-high if there exists s, τ such that Γ ⊢ Σ j,F M : s, τ with s.w F l . The expression M is a syn-tactically (Σ , Γ , j, F, l )-high function if there exists j ′ , F ′ , s, τ, σ such that Γ ⊢ Σ j ′ ,F ′ M : ⊥ , τ s −−→ j,F σ with s.w F l .Syntactically high expressions have an operationally high behavior. Lemma A.12 (High Expressions) . If M is a syntactically (Σ , Γ , j, F, l ) -high expression,and Υ is such that Υ( m ) = j , then, for all allowed-policy mappings W , the thread M m isan operationally ( W, Σ , Υ , Γ , F, l ) -high thread.Proof. We show that, for any given allowed-policy mapping W , if Υ( m ) = j , then the set { M m | ∃ j . M is syntactically (Σ , Γ , j, F, l ) -high } is a set of operationally ( W, Σ , Υ , Γ , F, l )-high threads, i.e.: if M is syntactically (Σ , Γ , j, F, l )-high, that is if there exists s, τ such that Γ ⊢ Σ j,F M : s, τ with s.w F l , and, for somepolicy mapping W and all states h T, S i such that S is (Σ , Γ)-compatible, if W ⊢ Σ , Υ h{ M m } , T, S i d −→ F ′ h{ M ′ m } ∪ P, T ′ , S ′ i then h T, S i = Σ , Υ F,l h T ′ , S ′ i . This is enough since,by Subject Reduction (Theorem A.8), M ′ is syntactically (Σ , Γ , j, F, l )-high and S ′ is still NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 55 (Σ , Γ)-compatible, and if P = { N n } for some expression N and thread name n , then byRemark A.4 also N is syntactically (Σ , Γ , k, F, l )-high for some k . We proceed by cases onthe proof of the transition W ⊢ Σ , Υ h{ M m } , T, S i d −→ F ′ h{ M ′ m } ∪ P, T ′ , S ′ i . The lemma istrivial in all the cases where h T, S i = h T ′ , S ′ i . M = E[(thread k N at d ′ )]: Here P = { N n } for some thread name n , S ′ = S , T ′ = [ n := d ′ ] T and Υ( n ) = k . By Update of Effects (Lemma A.10), s.w ⊑ k . Thisimplies k F l , thus Υ( n ) F l , hence T ′ = Σ , Υ F,l T .A.2.3. Soundness.Behavior of “Low”-Terminating Expressions.
According to the intended meaning of thetermination effect, the termination or non-termination of expressions with low terminationeffect should only depend on the low part of the state. In other words, two computations ofa same typable thread running under two “low”-equal states should either both terminateor both diverge. In particular, this implies that termination-behavior of these expressionscannot be used to leak “high” information when composed with other expressions (viatermination leaks).We aim at proving that any typable thread M m that has a low-termination effect alwayspresents the same behavior according to a strong bisimulation on low-equal states: if twocontinuations M m and M m of M m are related, and if M m can perform an execution stepover a certain state, then M m can perform the same low changes to any low-equal statein precisely one step, while the two resulting continuations are still related. This impliesthat any two computations of M m under low-equal states should have the same “length”,and in particular they are either both finite or both infinite. To this end, we design areflexive binary relation on expressions with low-termination effects that is closed under thetransitions of Guaranteed Transitions (Lemma A.9).The inductive definition of T Σ , Γ j,F, low is given in Figure 9. Notice that it is a symmetricrelation. In order to ensure that expressions that are related by T Σ , Γ j,F, low perform the samechanges to the low memory, its definition requires that the references that are created orwritten using (potentially) different values are high. Remark A.14.
If for Σ, Γ, j , F and low we have M T Σ , Γ j,F, low M and M ∈ Val , then M ∈ Val .From the following lemma one can conclude that the relation T Σ , Γ j,F, low relates the possibleoutcomes of expressions that are typable with a low termination effect, and that perform ahigh read over low-equal memories. Lemma A.15. If Γ ⊢ Σ j,F E[(! a )] : s, τ with s.t ⊑ F low and Σ ( a ) F f ⌈ E ⌉ low , then for anyvalues V , V ∈ Val such that Γ ⊢ Σ j, ℧ V i : ⊥ , θ we have E[ V ] T Σ , Γ j,F, low E[ V ] .Proof. By induction on the structure of E.
E[(! a )] = (flow F ′ in E [(! a )]): By rule
Flow we have Γ ⊢ Σ j,F f F ′ V : s, τ . By in-duction hypothesis E [ V ] T jF f F ′ , low E [ V ], so we conclude by Replacement (Lemma A.7) Definition A.13 ( T Σ , Γ j,F, low ) . We have that M T Σ , Γ j,F, low M if Γ ⊢ Σ j,F M : s , τ andΓ ⊢ Σ j,F M : s , τ for some s , s and τ with s .t ⊑ F low and s .t ⊑ F low and one ofthe following holds: Clause 1: M and M are both values, or Clause 2: M = M , or Clause 3: M = ( ¯ M ; ¯ N ) and M = ( ¯ M ; ¯ N ) where ¯ M T Σ , Γ j,F, low ¯ M , or Clause 4: M = (ref l,θ ¯ M ) and M = (ref l,θ ¯ M ) where ¯ M T Σ , Γ j,F, low ¯ M , and l F low , or Clause 5: M = (! ¯ M ) and M = (! ¯ M ) where ¯ M T Σ , Γ j,F, low ¯ M , or Clause 6: M = ( ¯ M := ¯ N ) and M = ( ¯ M := ¯ N ) with ¯ M T Σ , Γ j,F, low ¯ M , and¯ N T Σ , Γ j,F, low ¯ N , and ¯ M , ¯ M both have type θ ref l for some θ and l such that l F low ,or Clause 7: M = (flow F ′ in ¯ M ) and M = (flow F ′ in ¯ M ) with ¯ M T Σ , Γ j,F f F ′ , low ¯ M .Figure 9: The relation T Σ , Γ j,F, low and Clause 7. Therefore ¯ s.t ⊑ F low , and since Σ ( a ) F f E low implies Σ ( a ) F f E low , then by induction hypothesis we have E [ V ] T Σ , Γ j,F, low E [ V ]. By Replacement(Lemma A.7) and Clause 8 we can conclude.We can now prove that T Σ , Γ j,F, low behaves as a “kind of” strong bisimulation: Proposition A.16 (Strong Bisimulation for Low-Termination) . Consider a given allowed-policy mapping W , reference labeling Σ , thread labeling Υ , typingenvironment Γ , flow policy F , security level low , two expressions M and M and threadname m . If, for states h T , S i , h T , S i with S , S being (Σ , Γ) -compatible we have that: M T Σ , ΓΥ( m ) ,F, low M and W ⊢ h{ M m } , T , S i d −→ F ′ h P ′ , T ′ , S ′ i and h T , S i = Σ , Υ F f F ′ , low h T , S i , with (dom( S ′ ) − dom( S )) ∩ dom( S ) = ∅ , then there exist P ′ , T ′ and S ′ such that W ⊢ h{ M m } , T , S i d −→ F ′ h P ′ , T ′ , S ′ i and M ′ T Σ , Γ j,F, low M ′ and h T ′ , S ′ i = Σ , Υ F f F ′ , low h T ′ , S ′ i Furthermore, if P ′ = { M ′ m } then P ′ = { M ′ m } , if P ′ = { M ′ m , N n } for some thread N n and (dom( T ′ ) − dom( T )) ∩ dom( T ) = ∅ then P ′ = { M ′ m , N n } , and S ′ , S ′ are still (Σ , Γ) -compatible.Proof. By case analysis on the clause by which M T Σ , Γ j,F, low M , and by induction on thedefinition of T Σ , Γ j,F, low . In the following, we use Subject Reduction (Theorem A.8) to guaranteethat the termination effect of the expressions resulting from M and M is still low withrespect to low and F . This, as well as typability (with the same type) for j , F and low , isa requirement for being in the T Σ , Γ j,F, low relation. Clause 2:
Here M = M . By Guaranteed Transitions (Lemma A.9), then: NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 57 • If P ′ = { M ′ m } , and (dom( S ′ ) − dom( S )) ∩ dom( S ) = ∅ , then there ex-ist M ′ , T ′ and S ′ such that W ⊢ h{ M m } , T , S i d −→ F ′ h{ M ′ m } , T ′ , S ′ i and h T ′ , S ′ i = Σ , Υ F f F ′ , low h T ′ , S ′ i . There are two cases to consider: M ′ = M ′ : Then we have M ′ T Σ , Γ j,F, low M ′ , by Clause 2 and Subject Reduc-tion (Theorem A.8). M ′ = M ′ : Then by Splitting Computations (Lemma 3.8) we have twopossibilities:(1) there exist E and a such that M ′ = E[ S ( a )], F ′ = ⌈ E ⌉ , M ′ =E[ S ( a )], h T ′ , S ′ i = h T , S i and h T ′ , S ′ i = h T , S i . Since S ( a ) = S ( a ), we have that Σ ( a ) F f F ′ low . Therefore, M ′ T Σ , Γ j,F, low M ′ , byLemma A.15 above.(2) there exists E such that M ′ = E[(allowed ¯ F then N t else N f )], F ′ = ⌈ E ⌉ , and T ( m ) = T ( m ) with h T ′ , S ′ i = h T , S i and h T ′ , S ′ i = h T , S i .Since T ( m ) = T ( m ), we have Υ( m ) = j F low , and by Update ofEffects (Lemma A.10) we have j ⊑ F s.t , so s.t F low , which contradictsthe assumption. • If P ′ = { M ′ m , N n } for some expression N and (dom( T ′ ) − dom( T )) ∩ dom( T ) = ∅ , then for some M , l and d we have M = E[(thread l M at d )], and there ex-ist M ′ , T ′ and S ′ such that W ⊢ h{ M m } , T , S i d −→ F h{ M ′ , N n } , T ′ , S ′ i and h T ′ , S ′ i = Σ , Υ F f F ′ , low h T ′ , S ′ i . By Splitting Computations (Lemma 3.8), neces-sarily M ′ m = M ′ m . Then we have M ′ T Σ , Γ j,F, low M ′ , by Clause 2 and SubjectReduction (Theorem A.8). Clause 7:
Here we have M = (flow ¯ F in ¯ M ) and M = (flow ¯ F in ¯ M ) and¯ M T Σ , Γ j,F f ¯ F, low ¯ M . There are two cases. ¯ M can compute: In this case we have M ′ = (flow ¯ F in ¯ M ′ ) with W ⊢ h{ ¯ M m } , T , S i d −−→ F ′′ h{ ¯ M ′ m } , T ′ , S ′ i with F ′ = ¯ F f F ′′ . To use the induction hypothesis, thereare three possible cases: • If ¯ P ′ = { ¯ M ′ m } , and (dom( S ′ ) − dom( S )) ∩ dom( S ) = ∅ , then thereexist ¯ M ′ , T ′ and S ′ such that W ⊢ h{ ¯ M m } , T , S i d −−→ F ′′ h{ ¯ M ′ m } , T ′ , S ′ i with ¯ M ′ T Σ , Γ j,F f ¯ F, low ¯ M ′ and h T ′ , S ′ i = Σ , Υ F f F ′ f ¯ F , low h T ′ , S ′ i . Notice that h T ′ , S ′ i = Σ , Υ F f F ′ , low h T ′ , S ′ i . • If ¯ P ′ = { ¯ M ′ m , N n } for some expression N and (dom( T ′ ) − dom( T )) ∩ dom( T ) = ∅ , then there exist ¯ M ′ , T ′ , S ′ such that W ⊢ h{ ¯ M m } , T , S i d −−→ F ′′ h{ ¯ M ′ m , N n } , T ′ , S ′ i with ¯ M ′ T Σ , Γ j,F f ¯ F, low ¯ M ′ and h T ′ , S ′ i = Σ , Υ F f F ′ f ¯ F , low h T ′ , S ′ i . Notice that we have h T ′ , S ′ i = Σ , Υ F f F ′ , low h T ′ , S ′ i .In all three cases, we use Clause 7 and Subject Reduction (Theorem A.8) toconclude. ¯ M is a value: In this case P ′ = { ¯ M m } , F ′ = ℧ and h T ′ , S ′ i = h T , S i . Then¯ M ∈ Val by Remark A.14, so W ⊢ h{ M m } , T , S i d −→ F ′ h{ ¯ M m } , T , S i . Weconclude using Clause 1 and Subject Reduction (Theorem A.8).We have seen in Remark A.14 that when two expressions are related by T Σ , Γ j,F, low andone of them is a value, then the other one is also a value. From a semantic point of view,when an expression has reached a value it means that it has successfully completed itscomputation. We will now see that when two expressions are related by T Σ , Γ j,F, low and one ofthem is unable to resolve into a value, in any sequence of unrelated computation steps, thenthe other one is also unable to do so. We shall use the notion of derivative of an expression M : Definition A.17 (Derivative of an Expression) . Given an expression M , we say that M ′ is a ( W, Σ , Υ , Γ , j )-derivative of M if and only if • M ′ = M , or • there exist m such that Υ( m ) = j , F , d , P , two states h T , S i and h T ′ , S ′ i suchthat S , S ′ are (Σ , Γ)-compatible, and a derivative M ′′ of M such that: W ⊢ h{ M ′′ m } , T , S i d −→ F h{ M ′ m } ∪ P, T ′ , S ′ i Definition A.18 (Non-resolvable Expressions) . An expression M is ( W, Σ , Γ)-non-resolvable,denoted M † W, Σ , Υ , Γ j , if there is no ( W, Σ , Υ , Γ , j )-derivative M ′ of M such that M ′ ∈ Val . Lemma A.19. If M T Σ , Γ j,F, low N for some F , low and j , then M † W, Σ , Υ , Γ j implies N † W, Σ , Υ , Γ j .Proof. Let us suppose that ¬ N † W, Σ , Υ , Γ j . That means that there exists a finite number ofstates h T , S i , . . . , h T n , S n i , and h T ′ , S ′ i , . . . , h T ′ n , S ′ n i , of expressions N , . . . , N n and ofthread names m , . . . , m n with Υ( m ) = . . . = Υ( m n ) = j and W ⊢ h{ N m } , T , S i −→ h{ N m } ∪ P , T ′ , S ′ i and W ⊢ h{ N m } , T , S i −→ h{ N m } ∪ P , T ′ , S ′ i and... W ⊢ h{ N m n n } , T n , S n i −→ h{ N m n n } ∪ P n , T ′ n , S ′ n i and S , . . . , S n , S ′ , . . . , S ′ n are (Σ , Γ)-compatible, and such that N n ∈ Val . By StrongBisimulation for Low-Termination (Proposition A.16), we have that there exists a finitenumber of states h ¯ T ′ , ¯ S ′ i , . . . , h ¯ T ′ n , ¯ S ′ n i , of expressions M , . . . , M n , and of pools of threads P , . . . , P n such that W ⊢ h{ M m } , T , S i −→ h{ M m } ∪ ¯ P , ¯ T ′ , ¯ S ′ i and W ⊢ h{ M m } , T , S i −→ h{ M m } ∪ ¯ P , ¯ T ′ , ¯ S ′ i and... W ⊢ h{ M m n n − } , T n , S n i −→ h{ M m n n } ∪ ¯ P n , ¯ T ′ n , ¯ S ′ n i NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 59 such that ¯ S ′ , . . . , ¯ S ′ n are (Σ , Γ)-compatible and: M T Σ , Γ j,F, low N , and . . . , and M n T Σ , Γ j,F, low N n By Remark A.14, we then have that M n ∈ Val . Since M n is a ( W, Σ , Υ , Γ , j )-derivative of M , we conclude that ¬ M † W, Σ , Γ j .The following lemma deduces operational “highness” of threads from that of its sub-expressions. Lemma A.20 (Composition of High Expressions) . Suppose that M is typable with respectto Σ , Γ , j and F . Then, for all allowed-policy mappings W : (1) If M = ( M M ) and either • M † W, Σ , Υ , Γ j and M m ∈ H W, Σ , Υ , Γ F,l , or • M m , M m ∈ H W, Σ , Υ , Γ F,l and M is a syntactically (Σ , Γ , j, F, l ) -high function,then M m ∈ H W, Σ , Υ , Γ F,l . (2) If M = (if M then M t else M f ) and M m , M tm , M f m ∈ H W, Σ , Υ , Γ F, low , then M m ∈H W, Σ , Υ , Γ F, low . (3) If M = (ref l,θ M ) and l F low and M m ∈ H W, Σ , Υ , Γ F, low , then M m ∈ H W, Σ , Υ , Γ F, low . (4) If M = ( M ; M ) and either • M † W, Σ , Υ , Γ j and M m ∈ H W, Σ , Υ , Γ F, low , or • M m , M m ∈ H W, Σ , Υ , Γ F, low ,then M m ∈ H W, Σ , Υ , Γ F, low . (5) If M = ( M := M ) and M has type θ ref l with l F low and either • M † W, Σ , Υ , Γ j and M m ∈ H W, Σ , Υ , Γ F, low , or • M m , M m ∈ H W, Σ , Υ , Γ F, low ,then M m ∈ H W, Σ , Υ , Γ F, low . (6) If M = (flow F ′ in M ) and M m ∈ H W, Σ , Υ , Γ F, low , then M m ∈ H W, Σ , Υ , Γ F, low . (7) If M = (allowed F then M t else M f ) and M tm , M f m ∈ H W, Σ , Υ , Γ F, low , then M m ∈H W, Σ , Υ , Γ F, low . Lemma A.21. If M T Σ , ΓΥ( m ) ,F, low M for some Σ , Υ , Γ , F , low and m , then M m ∈H W, Σ , Υ , Γ F,l , implies M m ∈ H W, Σ , Υ , Γ F,l .Proof.
By induction on the definition of M T Σ , Γ j,F, low M , using Lemma A.19. Clause 7:
Here we have M = (flow F ′ in ¯ M ) and M = (flow F ′ in ¯ M ) with¯ M T Σ , Γ j,F f F ′ , low ¯ M . Clearly we have that ¯ M ∈ H W, Σ , Υ , Γ F, low , so by induction hypothesisalso ¯ M ∈ H W, Σ , Υ , Γ F, low . Therefore, by Composition of High Expressions (Lemma A.20)we have that M ∈ H W, Σ , Υ , Γ F, low . Behavior of Typable Low Expressions.
In this second phase of the proof, we consider thegeneral case of threads that are typable with any termination level. As in the previoussubsection, we show that a typable expression behaves as a strong bisimulation, providedthat it is operationally low. For this purpose, we make use of the properties identifiedfor the class of low-terminating expressions by allowing only these to be followed by low-writes. Conversely, high-terminating expressions can only be followed by high-expressions(see Definitions 3.9 and A.11).The following result shows that the behavior of typable high threads (i.e. those with ahigh security level) that are location sensitive (i.e. depend on their location) is operationallyhigh.
Lemma A.22 (Location Sensitive Typable High Threads – Lemma 3.10) . For a givenflow policy F and security level low , consider a thread M m such that Γ ⊢ Σ j,F M : s, τ and M = E[(allowed F ′ then N t else N f )] with j F low . Then, for all allowed-policy mappings W and thread labelings Υ such that Υ( m ) = j , we have that M m ∈ H W, Γ F, low .Proof. By induction on the structure of E, using Update of Effects (Lemma A.10) andHigh Expressions (Lemma A.12). Consider that we have M = E[ M ], where M =(allowed F ′ then N t else N f ). E[ M ] = M : Then, by
Allow , we have Γ ⊢ Σ j,F (allowed F ′ then N t else N f ) : s, τ where Γ ⊢ Σ j,F N t : s t , τ , Γ ⊢ Σ j,F N f : s f , τ and j ⊑ F s t .w, s f .w . This means s t .w, s f .w F low , so by High Expressions (Lemma A.12), then N tm , N f m ∈ H W, Σ , Υ , Γ F, low .By Composition of High Expressions (Lemma A.20), M m ∈ H W, Σ , Υ , Γ F, low . E[ M ] = (E [ M ] M ): Then by rule
App we have that Γ ⊢ Σ j,F E [ M ] : s , τ s ′ −−→ F,j σ and Γ ⊢ Σ j,F M : s ′′ , τ with s .r ⊑ F s ′ .w and s .t ⊑ F s ′′ .w . By Update of Effects(Lemma A.10) we have j ⊑ s .r , which implies that j ⊑ F s .r and s .r F low .Therefore, s ′ .w F low , which means that E [ M ] is a syntactically (Σ , Γ , j, F, low )-high function, and M is syntactically (Σ , Γ , j, F, low )-high. By High Expressions(Lemma A.12) we have M m ∈ H W, Σ , Υ , Γ F, low . By induction hypothesis E [ M ] m ∈H W, Σ , Υ , Γ F, low . Then, by Lemma A.20, M m ∈ H W, Σ , Υ , Γ F, low . E[ M ] = ( V E [ M ]): Then by
App we have Γ ⊢ Σ j,F V : s , τ s ′ −−→ F,j σ and Γ ⊢ Σ j,F E [ M ] : s ′′ , τ with s ′′ .r ⊑ F s ′ .w and s .t ⊑ F s ′′ .w . By Update of Effects (Lemma A.10)we have j ⊑ s ′′ .r , which implies that j ⊑ F s ′′ .r and s ′′ .r F low . Therefore, s ′ .w F low , which means that V is a syntactically (Σ , Γ , j, F, low )-high function.By induction hypothesis E [ M ] m ∈ H W, Σ , Υ , Γ F, low . Then, by Composition of High Ex-pressions (Lemma A.20), M m ∈ H W, Σ , Υ , Γ F, low . E[ M ] = (if E [ M ] then M t else M f ): Then by
Cond we have that Γ ⊢ Σ j,F E [ M ] : s , bool , and Γ ⊢ Σ j,F M t : s ′ , τ and Γ ⊢ Σ j,F M f : s ′′ , τ with s .r ⊑ F s ′ .w, s ′ .w . ByUpdate of Effects (Lemma A.10) we have j ⊑ s .r , which implies that j ⊑ F s .r and s .r F low . Therefore, s ′ .w, s ′ .w F low , so by High Expressions (Lemma A.12) NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 61 we have M tm , M tm ∈ H W, Σ , Υ , Γ F, low . By induction hypothesis E [ M ] m ∈ H W, Σ , Υ , Γ F, low .Then, by Composition of High Expressions (Lemma A.20), M m ∈ H W, Σ , Υ , Γ F, low . E[ M ] = (E [ M ]; M ): Then by
Seq we have that Γ ⊢ Σ j,F E [ M ] : s , τ and Γ ⊢ Σ j,F M : s ′ , τ ′ with s .t ⊑ F s ′ .w . By Update of Effects (Lemma A.10) we have j ⊑ s .t ,which implies that j ⊑ F s .t and s .t F low . Therefore, s ′ .w F low , and by HighExpressions (Lemma A.12) we have M m ∈ H W, Σ , Υ , Γ F, low . By induction hypothesisE [ M ] m ∈ H W, Σ , Υ , Γ F, low . Then, by Composition of High Expressions (Lemma A.20), M m ∈ H W, Σ , Υ , Γ F, low . E[ M ] = (ref l,θ E [ M ]): Then by
Ref we have that Γ ⊢ Σ j,F E [ M ] : s , θ with s .t ⊑ F l . By Update of Effects (Lemma A.10) we have j ⊑ s .t , which impliesthat j ⊑ F s .t and s .t F low . Therefore, l F low , and by induction hypothesisE [ M ] m ∈ H W, Σ , Υ , Γ F, low . Then, by Composition of High Expressions (Lemma A.20), M m ∈ H W, Σ , Υ , Γ F, low . E[ M ] = (! E [ M ]): Easy, by induction hypothesis. E[ M ] = (E [ M ] := M ): Then by
Assign we have Γ ⊢ Σ j,F E [ M ] : s , θ ref ¯ l and Γ ⊢ Σ j,F M : s ′ , τ with s .t ⊑ F s ′ .w and s .r ⊑ F ¯ l . By Update of Effects(Lemma A.10) we have j ⊑ s .r , which implies that j ⊑ F s .r and s .r F low .Therefore, ¯ l F low and s ′ .w F low . Hence, by High Expressions (Lemma A.12)we have M m ∈ H W, Σ , Υ , Γ F, low . By induction hypothesis E [ M ] m ∈ H W, Σ , Υ , Γ F, low . Then, byComposition of High Expressions (Lemma A.20), M m ∈ H W, Σ , Υ , Γ F, low . E[ M ] = ( V := E [ M ]): Then by
Assign we have Γ ⊢ Σ j,F V : s , θ ref ¯ l and Γ ⊢ Σ j,F E [ M ] : s ′ , τ with s ′ .r ⊑ F ¯ l . By Update of Effects (Lemma A.10) we have j ⊑ s ′ .r ,which implies that j ⊑ F s ′ .r and s ′ .r F low . Therefore, ¯ l F low , and by induc-tion hypothesis E [ M ] m ∈ H W, Σ , Υ , Γ F, low . Then, by Composition of High Expressions(Lemma A.20), M m ∈ H W, Σ , Υ , Γ F, low . E[ M ] = (flow F ′ in E [ M ]): Then by
Flow we have Γ ⊢ Σ j,F f F ′ E [ M ] : s , τ .By induction hypothesis E [ M ] m ∈ H W, Σ , Υ , Γ F f F ′ , low , which implies E [ M ] m ∈ H W, Σ , Υ , Γ F, low .Then, by Composition of High Expressions (Lemma A.20), we conclude that M m ∈H W, Σ , Υ , Γ F, low .We now design a binary relation on expressions that uses T Σ , Γ j,F, low to ensure that high-terminating expressions are always followed by operationally high ones. The definition of R W, Σ , Υ , Γ j,F, low is given in Figure 10. Notice that it is a symmetric relation. In order to ensure thatexpressions that are related by R W, Σ , Υ , Γ j,F, low perform the same changes to the low memory, itsdefinition requires that the references that are created or written using (potentially) differentvalues are high, and that the body of the functions that are applied are syntactically high. Remark A.24. If M T Σ , Γ j,F, low M , then M R W, Σ , Υ , Γ j,F, low M .The above remark is used to prove the following lemma. Definition A.23 ( R W, Σ , Υ , Γ j,F, low ) . We have that M R W, Σ , Υ , Γ j,F, low M if Γ ⊢ Σ j,F M : s , τ andΓ ⊢ Σ j,F M : s , τ for some Γ, s , s and τ and one of the following holds: Clause 1’: M m , M m ∈ H W, Σ , Υ , Γ F, low , for all allowed-policy mappings W , or Clause 2’: M = M , or Clause 3’: M = (if ¯ M then ¯ N t else ¯ N f ) and M = (if ¯ M then ¯ N t else ¯ N f ) with¯ M R W, Σ , Υ , Γ j,F, low ¯ M , and ¯ N tm , ¯ N f m ∈ H W, Σ , Υ , Γ F, low , or Clause 4’: M = ( ¯ M ¯ N ) and M = ( ¯ M ¯ N ) with ¯ M R W, Σ , Υ , Γ j,F, low ¯ M , and ¯ N m , ¯ N m ∈H F, low , and ¯ M , ¯ M are syntactically (Σ , Γ , j, F, low )-high functions, or Clause 5’: M = ( ¯ M ¯ N ) and M = ( ¯ M ¯ N ) with ¯ M T Σ , Γ j,F, low ¯ M , and¯ N R W, Σ , Υ , Γ j,F, low ¯ N , and ¯ M , ¯ M are syntactically (Σ , Γ , j, F, low )-high functions, or Clause 6’: M = ( ¯ M ; ¯ N ) and M = ( ¯ M ; ¯ N ) with ¯ M R W, Σ , Υ , Γ j,F, low ¯ M , and ¯ N m ∈H W, Σ , Υ , Γ F, low , or Clause 7’: M = ( ¯ M ; ¯ N ) and M = ( ¯ M ; ¯ N ) with ¯ M T Σ , Γ j,F, low ¯ M , or Clause 8’: M = (ref l,θ ¯ M ) and M = (ref l,θ ¯ M ) with ¯ M R W, Σ , Υ , Γ j,F, low ¯ M , and l F low , or Clause 9’: M = (! ¯ M ) and M = (! ¯ M ) with ¯ M R W, Σ , Υ , Γ j,F, low ¯ M , or Clause 10’: M = ( ¯ M := ¯ N ) and M = ( ¯ M := ¯ N ) with ¯ M R W, Σ , Υ , Γ j,F, low ¯ M , and¯ N m , ¯ N m ∈ H W, Σ , Υ , Γ F, low , and ¯ M , ¯ M both have type θ ref l for some θ and l such that l F low , or Clause 11’: M = ( ¯ M := ¯ N ) and M = ( ¯ M := ¯ N ) with ¯ M T Σ , Γ j,F, low ¯ M , and¯ N R W, Σ , Υ , Γ j,F, low ¯ N , and ¯ M , ¯ M both have type θ ref l for some θ and l such that l F low , or Clause 12’: M = (flow F ′ in ¯ M ) and M = (flow F ′ in ¯ M ) with ¯ M R W, Σ , Υ , Γ j,F f F ′ , low ¯ M . Figure 10: The relation R W, Σ , Υ , Γ j,F, low Lemma A.25. If M R W, Σ , Υ , ΓΥ( m ) ,F, low M , for some Σ , Υ , Γ , F , low and m , then M m ∈H W, Σ , Υ , Γ F, low implies M m ∈ H W, Σ , Υ , Γ F, low .Proof. By induction on the definition of M R W, Σ , Υ , ΓΥ( m ) ,F, low M , using Lemma A.21.We have seen in Splitting Computations (Lemma 3.8) that two computations of thesame expression can split only if the expression is about to read a reference that is givendifferent values by the memories in which they compute. In Lemma A.26 we saw thatthe relation T Σ , Γ j,F, low relates the possible outcomes of expressions that are typable with alow termination effect. Finally, from the following lemma one can conclude that the aboverelation R W, Σ , Υ , Γ j,F, low relates the possible outcomes of typable expressions in general. NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 63
Lemma A.26. If Γ ⊢ Σ j,F E[(! a )] : s, τ with l F f ⌈ E ⌉ low , then for any values V , V ∈ Val such that Γ ⊢ Σ j,F V i : θ we have E[ V ] R W, Σ , Υ , Γ j,F, low E[ V ] .Proof. By induction on the structure of E using Replacement (Lemma A.7), Lemma A.15,Lemma A.12.
E[(! a )] = (flow F ′ in E [(! a )]): By rule
Flow we have Γ ⊢ Σ j,F f F ′ V : s, τ . By in-duction hypothesis E [ V ] T jF f F ′ , low E [ V ], so we conclude by Replacement (Lemma A.7)and Clause 12’.We now state a crucial result of the paper: the relation T Σ , Γ j,F, low is a “sort of” strongbisimulation. Proposition A.27 (Strong Bisimulation for Typable Low Threads) . Consider a given allowed-policy mapping W , reference labeling Σ , thread labeling Υ , typingenvironment Γ , flow policy F , security level low , two expressions M and M and threadname m such that M m / ∈ H Σ , Υ , Γ F, low . If, for states h T , S i , h T , S i with S , S being (Σ , Γ) -compatible we have that there exist d, F ′ , P ′ , T ′ , S ′ such that M R W, Σ , Υ , ΓΥ( m ) ,F, low M and W ⊢ h{ M m } , T , S i d −→ F ′ h P ′ , T ′ , S ′ i and h T , S i = Σ , Υ F f F ′ , low h T , S i , with (dom( S ′ ) − dom( S )) ∩ dom( S ) = ∅ , then there exist P ′ , T ′ and S ′ such that W ⊢ h{ M m } , T , S i d −→ F ′ h P ′ , T ′ , S ′ i and M ′ R W, Σ , Υ , Γ j,F, low M ′ and h T ′ , S ′ i = Σ , Υ F f F ′ , low h T ′ , S ′ i Furthermore, if P ′ = { M ′ m } then P ′ = { M ′ m } , if P ′ = { M ′ m , N n } for some thread N n and (dom( T ′ ) − dom( T )) ∩ dom( T ) = ∅ then P ′ = { M ′ m , N n } , and S ′ , S ′ are still (Σ , Γ) -compatible.Proof. By case analysis on the clause by which M R W, Σ , Υ , Γ j,F, low M , and by induction onthe definition of R W, Σ , Υ , Γ j,F, low . In the following, we use Subject Reduction (Theorem A.8) toguarantee typability (with the same type) for j , low and F , which is a requirement for beingin the R W, Σ , Υ , Γ j,F, low relation. We also use the Strong Bisimulation for Low Termination Lemma(Lemma A.16). Lemma A.19 is used to prove the cases for Clauses 5’, 7’ and 11’. Clause 2’:
Here M = M . By Guaranteed Transitions (Lemma A.9), then: • If P ′ = { M ′ m } , and (dom( S ′ ) − dom( S )) ∩ dom( S ) = ∅ , then there exist M ′ , T ′ and S ′ such that W ⊢ Σ , Υ h{ M m } , T , S i d −→ F ′ h{ M ′ m } , T ′ , S ′ i with h T ′ , S ′ i = Σ , Υ F f F ′ , low h T ′ , S ′ i . There are two cases to consider: M ′ = M ′ : Then we have M ′ T Σ , Γ j,F, low M ′ and S ′ , S ′ still (Σ , Γ)-compatible,by Clause 2’ and Subject Reduction (Theorem A.8). M ′ = M ′ : Then by Splitting Computations (Lemma 3.8) we have twopossibilities:(1) there exists E and a such that M ′ = E[ S ( a )], F ′ = ⌈ E ⌉ , M ′ =E[ S ( a )], h T ′ , S ′ i = h T , S i and h T ′ , S ′ i = h T , S i . Since S ( a ) = S ( a ), we have that Σ ( a ) F f F ′ low . Therefore, M ′ R W, Σ , Υ , Γ j,F, low M ′ , byLemma A.26 above. (2) there exists E such that M ′ = E[(allowed ¯ F then N t else N f )], F ′ = ⌈ E ⌉ , and T ( m ) = T ( m ) with h T ′ , S ′ i = h T , S i and h T ′ , S ′ i = h T , S i .Since T ( m ) = T ( m ), we have Υ( m ) = j F low , and by Lemma A.22we have M ∈ H W, Σ , Υ , Γ F, low , which contradicts our assumption. • If P ′ = { M ′ m , N n } , for some expression N and (dom( T ′ ) − dom( T )) ∩ dom( T ) = ∅ , then for some M , l and d we have M = E[(thread l M at d )], and there exist M ′ , T ′ and S ′ such that we have W ⊢ Σ , Υ h{ M m } , T , S i d −→ F ′ h{ M ′ m , N n } , T ′ , S ′ i and with h T ′ , S ′ i = Σ , Υ F f F ′ , low h T ′ , S ′ i where M ′ = M ′ . Then we have M ′ T Σ , Γ j,F, low M ′ and S ′ , S ′ are still (Σ , Γ)-compatible, by Clause 2’ and Subject Reduction (The-orem A.8).
Clause 12’:
Here M = (flow F ′ in ¯ M ) and M = (flow F ′ in ¯ M ) with ¯ M R jF f F ′ , low ¯ M . We can assume that ¯ M m / ∈ H W, Σ , Υ , Γ F f F ′ , low , since otherwise ¯ M m ∈ H W, Σ , Υ , Γ F, low and byComposition of High Expressions (Lemma A.20) M m ∈ H W, Σ , Υ , Γ F, low . There are thentwo possibilities: • If P ′ = { M ′ m } , and (dom( S ′ ) − dom( S )) ∩ dom( S ) = ∅ , then W ⊢ Σ , Υ h{ ¯ M m } , T , S i d −−→ F ′′ h{ ¯ M ′ m } ∪ P, T ′ , S ′ i with F ′ = ¯ F f F ′′ , for some P . By in-duction hypothesis, we have that W ⊢ Σ , Υ h{ ¯ M m } , T , S i d −−→ F ′′ h{ ¯ M ′ m } , T ′ , S ′ i ,and M ′ R jF f ¯ F , low M ′ , and S ′ , S ′ still (Σ , Γ)-compatible, and also h T ′ , S ′ i = Σ , Υ F f ¯ F , low h T ′ , S ′ i . Notice that h T ′ , S ′ i = Σ , Υ F, low h T ′ , S ′ i . We use Subject Re-duction (Theorem A.8) and Clause 12’ to conclude. • If P ′ = { M ′ m , N n } for some expression N and (dom( T ′ ) − dom( T )) ∩ dom( T ) = ∅ , then W ⊢ Σ , Υ h{ ¯ M m } , T , S i d −−→ F ′′ h{ ¯ M ′ m , N n } ∪ P, T ′ , S ′ i with F ′ = ¯ F f F ′′ . By induction hypothesis, we have that W ⊢ Σ , Υ h{ ¯ M m } , T , S i d −−→ F ′′ h{ ¯ M ′ m , N n } , T ′ , S ′ i , and M ′ R jF f ¯ F , low M ′ , and S ′ , S ′ still (Σ , Γ)-compatible,and also h T ′ , S ′ i = Σ , Υ F f ¯ F , low h T ′ , S ′ i . Notice that h T ′ , S ′ i = Σ , Υ F, low h T ′ , S ′ i . Weuse Subject Reduction (Theorem A.8) and Clause 12’ to conclude. Behavior of Sets of Typable Threads.
To conclude the proof of the Soundness Theorem, itremains to exhibit an appropriate bisimulation on thread configurations.
Definition A.28 ( A W, Σ , Υ , Γ low ) . Given an allowed-policy mapping W , a reference labeling Σ,a thread labeling Υ, a typing environment Γ and a security level low , the relation A W, Σ , Υ , Γ low is inductively defined as follows: a ) M m ∈ H W, Σ , Υ , Γ ℧ , low { M m } A W, Σ , Υ , Γ low ∅ b ) M m ∈ H W, Σ , Υ , Γ ℧ , low ∅ A W, Σ , Υ , Γ low { M m } c ) M R W, Σ , Υ , ΓΥ( m ) , ℧ , low M { M m } A W, Σ , Υ , Γ low { M m } d ) P A W, Σ , Υ , Γ low P Q A W, Σ , Υ , Γ low Q P ∪ Q A W, Σ , Υ , Γ low P ∪ Q Proposition A.29.
Given an allowed-policy mapping W , a reference labeling Σ , a threadlabeling Υ , a typing environment Γ and a security level low , for all allowed-policy mappings W the relation B W, Σ , Υ , Γ low = { ( h P , T i , h P , T i ) | P A W, Σ , Υ , Γ low P and T = Σ , Υ ℧ ,l T } is a ( W, Σ , Υ , Γ , l ) -bisimulation according to Definition 3.2.Proof. It is easy to see, by induction on the definition of A W, Σ , Υ , Γ low , that the relation B W, Σ , Υ , Γ low is symmetric. We show, by induction on the definition of A W, Σ , Υ , Γ low , that if h P , T i B W, Σ , Υ , Γ low h P , T i and if for any given (Σ , Γ)-compatible stores S , S such that h T , S i = Σ , Υ F, low h T , S i we have W ⊢ Σ , Υ h P , T , S i d −→ F h P ′ , T ′ , S ′ i , and (dom( S ′ ) − dom( S )) ∩ dom( S ) = ∅ and (dom( T ′ ) − dom( T )) ∩ dom( T ) = ∅ , then there exist T ′ , P ′ and S ′ such that W ⊢ Σ , Υ h P , T , S i ։ h P ′ , T ′ , S ′ i and h P ′ , T ′ i B W, Σ , Υ , Γ low h P ′ , T ′ i and h T ′ , S ′ i = Σ , Υ ℧ , low h T ′ , S ′ i . Furthermore, S ′ , S ′ are still (Σ , Γ)-compatible.
Rule a ): Then P = { M m } , P = ∅ , and M m ∈ H W, Σ , Υ , Γ ℧ , low . Therefore, P ′ ⊆ H W, Σ , Υ , Γ G, low ,and h T ′ , S ′ i = Σ , Υ ℧ , low h T , S i and S ′ is still (Σ , Γ)-compatible. We have that W ⊢ Σ , Υ h P , T , S i ։ h P , T , S i and by transitivity h T ′ , S ′ i = Σ , Υ ℧ , low h T , S i . By Rulesa) and d), we have P ′ A W, Σ , Υ , Γ low ∅ . Then, h P ′ , T ′ i B W, Σ , Υ , Γ low h∅ , T ′ i . Rule b ) isanalogous. Rule c ): Then P = { M m } and P = { M m } , and we have M R W, Σ , Υ , ΓΥ( m ) , ℧ , low M . If M m ∈ H W, Σ , Υ , Γ ℧ , low , then by Rule a), we have that P ′ A W, Σ , Υ , Γ low ∅ and h T ′ , S ′ i = Σ , Υ ℧ , low h T ′ , S ′ i . Also, by Lemma A.25, we have that M m ∈ H W, Σ , Υ , Γ ℧ , low , so by Rule b) ∅ A W, Σ , Υ , Γ low P . By Rule d), we have P ′ A W, Σ , Υ , Γ low P . Then, h P ′ , T ′ i B W, Σ , Υ , Γ low h P ′ , T ′ i .If M m / ∈ H W, Σ , Υ , Γ ℧ , low , there are two cases to be considered: P ′ = { M ′ m } : Then by Strong Bisimulation for Typable Low Threads (Propo-sition A.27) there exist T ′ , M ′ and S ′ such that W ⊢ Σ , Υ h{ M m } , T , S i d −→ F ′ h{ M ′ m } , T ′ , S ′ i with M ′ R W, Σ , Υ , ΓΥ( m ) , ℧ , low M ′ , and h T ′ , S ′ i = Σ , Υ ℧ , low h T ′ , S ′ i and S ′ , S ′ are still (Σ , Γ)-compatible. Then, by Rule c), { M ′ m } A W, Σ , Υ , Γ low { M ′ m } .Then, h{ M ′ m } , T ′ i B W, Σ , Υ , Γ low h{ M ′ m } , T ′ i . P ′ = { M ′ m , N n } : We proceed as in the previous case to conclude that thereexists M ′ m such that { M ′ m } A W, Σ , Υ , Γ low { M ′ m } . By Subject Reduction (The-orem A.8), by Lemma A.5, and by Clause 2’ we have N R W, Σ , Υ , ΓΥ( n ) , ℧ , low N , andso by Rule c) we have { N n } A W, Σ , Υ , Γ low { N n } . Therefore, by Rule d), we have { M ′ m , N n } A W, Σ , Υ , Γ low { M ′ m , N n } . Then, h{ M ′ m , N n } , T ′ i B W, Σ , Υ , Γ low h{ M ′ m , N n } , T ′ i . Rule d ): Then P = ¯ P ∪ ¯ Q and P = ¯ P ∪ ¯ Q , with ¯ P A W, Σ , Υ , Γ low ¯ P and ¯ Q A W, Σ , Υ , Γ low ¯ Q .Suppose that W ⊢ Σ , Υ h ¯ P , T , S i d −→ F h ¯ P ′ , T ′ , S ′ i – the case where ¯ Q reduces isanalogous. By induction hypothesis, there exist T ′ , ¯ P ′ and S ′ such that W ⊢ Σ , Υ h ¯ P , T , S i ։ h ¯ P ′ , T ′ , S ′ i with ¯ P ′ A W, Σ , Υ , Γ low ¯ P ′ , and h T ′ , S ′ i = Σ , Υ ℧ , low h T ′ , S ′ i and S ′ , S ′ are still (Σ , Γ)-compatible. Then, we have W ⊢ Σ , Υ h ¯ P ∪ ¯ Q , T , S i ։ h ¯ P ′ ∪ ¯ Q , T ′ , S ′ i , and by Rule d) we have ¯ P ′ ∪ ¯ Q A W, Σ , Υ , Γ low ¯ P ′ ∪ ¯ Q . Then, h ¯ P ′ ∪ ¯ Q , T ′ i B W, Σ , Υ , Γ low h ¯ P ′ ∪ ¯ Q , T ′ i . Appendix B. Proofs for ‘Controlling Declassification’
B.1.
Formalization of Flow Policy Confinement.
In [Alm09, AC13] Flow Policy Con-finement is defined for networks, considering a distributed setting with code mobility, bymeans of a bisimulation on located threads . In this paper we define Flow Policy Confine-ment for pools of threads without fixing the initial position of threads, and is based on abisimulation on thread configurations. We prove that the two variations of the definitionare equivalent.
Definition on located threads.
The property is defined co-inductively on sets of locatedthreads, consisting of pairs h d, M m i that carry information about the location d of a thread M m . The location of each thread determines which allowed flow policy it should obey atthat point, and is used to place a restriction on the flow policies that decorate the transi-tions: at any step, they should comply to the allowed flow policy of the domain where thethread who performed it is located. Definition B.1 (( W, Σ , Γ)-Confined Located Threads) . Given an allowed-policy mapping W , a set of ( W, Σ , Γ)- confined located threads is a set
CLT of located threads that satisfies,for all h d, M m i ∈ CLT and states h T, S i with S being ( W, Σ , Γ)-compatible memory S : h d, M m i ∈ CLT and T ( m ) = d and W ⊢ h{ M m } , T, S i d −→ F ′ h{ M ′ m } ∪ P, T ′ , S ′ i implies W ( T ( m )) F and h T ′ ( m ) , M ′ m i ∈ CLT . Furthermore, if P = { N n } then also h T ′ ( n ) , N n i ∈ CLT , and S ′ is still ( W, Σ , Γ)-compatible.The largest set of ( W, Σ , Γ)-confined located threads is denoted
CLT Σ , Γ W .For any W , Σ and Γ, the set of located threads where threads are values is a set of( W, Σ , Γ)-confined located threads. Furthermore, the union of a family of sets of ( W, Σ , Γ)-confined located threads is a set of ( W, Σ , Γ)-confined located threads. Consequently,
CT C W, Σ , Γ exists.The notion of confinement used in [Alm09, AC13] is implicitly defined for thread con-figurations (by means of located threads), instead of for pools of threads, such as in thepresent paper. The following definition generalizes that notion to one that works for anyinitial position tracker, and is thus defined for pools of threads. Definition B.2 (Flow Policy Confinement (on located threads)) . A pool of threads P satisfies Flow Policy Confinement with respect to an allowed-policy mapping W , a referencelabeling Σ and a typing environment Γ, if for all domains d ∈ Dom and threads M m ∈ P we have that h d, M m i ∈ CLT Σ , Γ W . We then write P ∈ F PC +LT ( W, Σ , Γ).
NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 67
Comparison.
Flow Policy Confinement, defined over thread configurations, is equivalent towhen defined over located threads.
Proposition B.3 (Proposition 4.3) . F PC ( W, Σ , Γ) =
F PC +LT ( W, Σ , Γ) .Proof. We assume that P ∈ F PC +LT ( W, Σ , Γ), and show that the set
CT C = {h P, T i | ∀ M m ∈ P . h T ( m ) , M m i ∈ CLT Σ , Γ W and dom( P ) = dom( T ) } satisfies CT C ⊆ CT C Σ , Γ W . Given any thread configuration h P, T i ∈ CT C , and any thread M m ∈ P , it is clear that h T ( m ) , M m i ∈ CLT Σ , Γ W . If W ⊢ Σ , Υ h P, T, S i d −→ F h P ′ , T ′ , S ′ i then for some P ′′ , T ′′ such that P = { M m } ∪ P ′′ and T = { m d } ∪ T ′′ we have thateither: • W ⊢ Σ , Υ h{ M m } , T, S i d −→ F h{ M ′ m } , T ′ , S ′ i where P ′ = { M ′ m } ∪ P ′′ and T ′ = { m d } ∪ T ′′ . In this case, by hypothesis, W ( T ( m )) F and also h T ′ ( m ) , M ′ m i ∈CLT Σ , Γ W . • W ⊢ Σ , Υ h{ M m } , T, S i d −→ F h{ M ′ m , N n } , T ′ , S ′ i where P ′ = { M ′ m , N n } ∪ P ′′ and T ′ = { m d, n d ′ } ∪ T ′′ for some d ′ . In this case, by hypothesis, W ( T ( m )) F and also h T ′ ( m ) , M ′ m i , h T ′ ( n ) , N n i ∈ CLT Σ , Γ W .In both cases, we can conclude that ∀ M m ∈ P ′ . h T ′ ( m ) , M m i ∈ CLT Σ , Γ W and dom( P ′ ) =dom( T ′ ), so h P ′ , T ′ i ∈ CT C . We then have that CT C ⊆ CT C Σ , Γ W , and also that for all h P, T i such that dom( P ) = dom( T ), we have that h P, T i ∈ CT C . Then, P ∈ F PC ( W, Σ , Γ).We now assume that P ∈ F PC ( W, Σ , Γ), and show that the set
CLT = {h T ( m ) , M m i | ∃ P, T . h P, T i ∈ CT C Σ , Γ W and M m ∈ P } satisfies CLT ⊆ CLT Σ , Γ W . Given any located thread h d, M m i ∈ CLT and position tracker T such that T ( m ) = d , and any ( W, Σ , Γ)-compatible memory S , it is clear that also h{ M m } , { m d }i ∈ CT C Σ , Γ W . Then, if: • W ⊢ Σ , Υ h{ M m } , T, S i d −→ F h{ M ′ m } , T ′ , S ′ i , then by hypothesis, we have W ( d ) F and h{ M ′ m } , T ′ i ∈ F PC ( W, Σ , Γ). Therefore, h T ′ ( m ) , M ′ m i ∈ CLT . • W ⊢ Σ , Υ h{ M m } , T, S i d −→ F h{ M ′ m , N n } , T ′ , S ′ i , then by hypothesis, we have W ( d ) F and h{ M ′ m , N n } , T ′ i ∈ F PC ( W, Σ , Γ). Therefore, both h T ′ ( m ) , M ′ m i , h T ′ ( n ) , N ′ n i ∈CLT .We then have that CLT ⊆ CLT Σ , Γ W , and also that for all h d, M m i such that M m ∈ P , wehave that h d, M m i ∈ CLT . Then, P ∈ F PC +LT ( W, Σ , Γ).B.2.
Type System.
B.2.1.
Subject reduction and safety.
In order to establish the soundness of the type system ofFigure 5 we need a Subject Reduction result, stating that types that are given to expressionsare preserved by computation. To prove it we follow the usual steps [WF94]. In thefollowing,
Pse is the set of pseudo-values, as defined in Figure 2.
Remark B.4. (1) If X ∈ Pse and W ; Γ ⊢ Σ A X : τ , then for all flow policies A ′ , we have that W ; Γ ⊢ Σ A ′ X : τ .(2) For any flow policies A and A ′ such that A ′ A , we have that W ; Γ ⊢ Σ A M : τ implies W ; Γ ⊢ Σ A ′ M : τ . Lemma B.5. (1) If W ; Γ ⊢ Σ A M : τ and x / ∈ dom(Γ) then W ; Γ , x : σ ⊢ Σ A M : τ . (2) If W ; Γ , x : σ ⊢ Σ A M : τ and x / ∈ fv( M ) then W ; Γ ⊢ Σ A M : τ .Proof. By induction on the inference of the type judgment.
Lemma B.6 (Substitution) . If W ; Γ , x : σ ⊢ Σ A M : τ and W ; Γ ⊢ Σ A ′ X : σ then W ; Γ ⊢ Σ A { x X } M : τ .Proof. By induction on the inference of W ; Γ , x : σ ⊢ Σ A M : τ , and by case analysis on thelast rule used in this typing proof, using the previous lemma. Nil:
Here { x X } M = M , and since x / ∈ fv( M ) then by Lemma B.5 we have W ; Γ ⊢ Σ j M : s, τ . Var: If M = x then σ = τ and { x X } M = X . By Remark B.4, we have W ; Γ ⊢ Σ A X : τ . If M = x then { x X } M = M , where x / ∈ fv( M ). Therefore, byLemma B.5, we have W ; Γ ⊢ Σ A M : τ . Abs:
Here M = ( λy. ¯ M ), and W ; Γ , x : σ, y : ¯ τ ⊢ Σ¯ A ¯ M : ¯ σ where τ = ¯ τ −→ ¯ A ¯ σ . We can as-sume that y / ∈ dom( W ; Γ , x : σ ) (otherwise rename y ). Therefore { x X } ( λy. ¯ M ) =( λy. { x X } ¯ M ). By assumption and Lemma B.5 we can write W ; Γ , y : ¯ τ ⊢ Σ A ′ X : σ . By induction hypothesis, W ; Γ , y : ¯ τ ⊢ Σ¯ A { x X } ¯ M : ¯ σ . Then, by Abs , W ; Γ ⊢ Σ A ( λy. { x X } ¯ M ) : τ . Rec:
Here M = ( ̺y. ¯ X ), and W ; Γ , x : σ, y : τ ⊢ Σ A ¯ X : τ . We can assume y / ∈ dom( W ; Γ , x : σ ) (otherwise rename y ). Therefore { x X } ( ̺y. ¯ X ) = ( ̺y. { x X } ¯ X ).By assumption and Lemma B.5 we have W ; Γ , y : τ ⊢ Σ A ′ X : σ . By induction hypoth-esis, W ; Γ , y : τ ⊢ Σ A { x X } ¯ X : τ . Then, by Rec , W ; Γ ⊢ Σ A ( ̺y. { x X } ¯ X ) : τ . Cond:
Here M = (if ¯ M then ¯ N t else ¯ N f ) and we have W ; Γ , x : σ ⊢ Σ A ¯ M : bool ,and W ; Γ , x : σ ⊢ Σ A N t : τ and W ; Γ , x : σ ⊢ Σ A N f : τ . By induction hypothesis, W ; Γ , x : σ ⊢ Σ A { x X } ¯ M : bool , W ; Γ , x : σ ⊢ Σ A { x X } N t : τ and W ; Γ , x : σ ⊢ Σ A { x X } N f : τ . Therefore, we have W ; Γ , x : σ ⊢ Σ A (if { x X } ¯ M then { x X } N t else { x X } N f ) : τ by rule Cond . Mig:
Here M = (thread l ¯ M at d ) and we have that W ; Γ , x : σ ⊢ Σ W ( d ) ¯ M : τ , with τ = unit . By induction hypothesis, then W ; Γ , x : σ ⊢ Σ W ( d ) { x X } ¯ M : τ . Therefore,by rule Mig , W ; Γ , x : σ ⊢ Σ A (thread l { x X } ¯ M at d ) : τ . NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 69
Flow:
Here M = (flow ¯ F in ¯ M ) and W ; Γ , x : σ ⊢ Σ A ¯ M : τ , with A ¯ F . By induc-tion hypothesis, W ; Γ , x : σ ⊢ Σ A { x X } ¯ M : τ . Then, by Flow , W ; Γ , x : σ ⊢ Σ A (flow ¯ F in { x X } ¯ M ) : τ . Allow:
Here M = (allowed ¯ F then ¯ N t else ¯ N f ) and we have that W ; Γ , x : σ ⊢ Σ A ¯ M : bool and W ; Γ , x : σ ⊢ Σ A f ¯ F ¯ N t : τ and W ; Γ , x : σ ⊢ Σ A ¯ N f : τ . By induction hypoth-esis, W ; Γ , x : σ ⊢ Σ A f ¯ F { x X } ¯ N t : τ and W ; Γ , x : σ ⊢ Σ A { x X } ¯ N f : τ . There-fore, by rule Cond , we have that W ; Γ , x : σ ⊢ Σ A (allowed ¯ F then { x X } N t else { x X } N f ) : s, τ .The proofs for the cases Loc , BT and BF are analogous to the one for Nil , while theproofs for
Ref , App , Seq , Der and
Assign are analogous to the one for
Cond . Lemma B.7 (Replacement) . If W ; Γ ⊢ Σ A E[ M ] : τ is a valid judgment, then the proof gives M a typing W ; Γ ⊢ Σ A f ⌈ E ⌉ M : ¯ τ for some ¯ τ . In this case, if W ; Γ ⊢ Σ A f ⌈ E ⌉ N : ¯ τ , then W ; Γ ⊢ Σ A E[ N ] : τ .Proof. By induction on the structure of E. E[ M ] = M : This case is direct. E[ M ] = (if ¯E[ M ] then ¯ N t else ¯ N f ): By Cond , we have W ; Γ ⊢ Σ A ¯E[ M ] : bool ,and also W ; Γ ⊢ Σ A ¯ N t : τ and W ; Γ ⊢ Σ A ¯ N f : τ . By induction hypothesis, the proofgives M a typing W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ M : ˆ τ , for some ˆ τ .Also by induction hypothesis, W ; Γ ⊢ Σ A ¯E[ N ] : bool . Again by Cond , we have W ; Γ ⊢ Σ A (if ¯E[ N ] then ¯ N t else ¯ N f ) : τ . E[ M ] = (flow ¯ F in ¯E[ M ]): By Flow , we have W ; Γ ⊢ Σ A ¯E[ M ] : τ and A ¯ F . Byinduction hypothesis, the proof gives M a typing W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ M : ˆ τ , for some ˆ τ .Also by induction hypothesis, W ; Γ ⊢ Σ A ¯E[ N ] : τ . Then, again by Flow , we have W ; Γ ⊢ Σ A (flow ¯ F in ¯E[ N ]) : τ .The proofs for the cases E[ M ] = ⌈ (E[ M ] := N ) ⌉ , E[ M ] = ⌈ ( V := E[ M ]) ⌉ , E[ M ] = ⌈ (! E[ M ]) ⌉ ,E[ M ] = ⌈ (E[ M ] N ) ⌉ , E[ M ] = ⌈ ( V E[ M ]) ⌉ , E[ M ] = ⌈ (E[ M ]; N ) ⌉ and E[ M ] = ⌈ ref l,θ E[ M ] ⌉ ,are all analogous to the proof for the case E[ M ] = (if ¯E[ M ] then N t else N f ).We check that the type of a thread and the compatibility of memories is preserved byreduction. Proposition B.8 (Subject Reduction – Proposition 4.5) . Consider an allowed-policy map-ping W and a thread M m such that W ; Γ ⊢ Σ A M : τ , and suppose W ⊢ h{ M m } , T, S i d −→ F h{ M ′ m } ∪ P, T ′ , S ′ i , for a memory S that is ( W, Σ , Γ) -compatible. Then, W ; Γ ⊢ Σ A f W ( T ( m )) M ′ : τ , and S ′ is also ( W, Σ , Γ) -compatible.Proof. Suppose that we have M = ¯E[ ¯ M ] and that W ⊢ h{ ¯ M m } , T, S i d −→ ¯ F h{ ¯ M ′ m } ∪ P ′ , ¯ T ′ , ¯ S ′ i .We start by observing that this implies F = ¯ F f ⌈ ¯E ⌉ , M ′ = ¯E[ ¯ M ′ ], P = P ′ , ¯ T ′ = T ′ and ¯ S ′ = S ′ . We can assume, without loss of generality, that ¯ M is the smallest in the sense that there is no ˆE , ˆ M , ˆ N such that ˆE = [] and ˆE[ ˆ M ] = ¯ M for which we can write W ⊢ h{ ˆ M m } , T, S i d −→ ˆ F h{ ˆ M ′ m } ∪ P, T ′ , S ′ i .By Replacement (Lemma B.7), we have W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ ¯ M : ¯ τ in the proof of W ; Γ ⊢ Σ A ¯E[ ¯ M ] : τ , for some ¯ τ . We proceed by case analysis on the transition W ⊢ h{ ¯ M m } , T, S i d −→ ¯ F h{ ¯ M ′ m } ∪ P, T ′ , S ′ i , and prove that if S ′ = S then: • There exists ¯ τ ′ such that W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ f W ( T ( m )) ¯ M ′ : ¯ τ ′ and ¯ τ ¯ τ ′ . Furthermore,for every reference a ∈ dom( S ′ ) we have Γ ⊢ Σ ℧ S ′ ( a ) : Σ ( a ). • If P = { N n } for some expression N and thread name n , then also W ; Γ ⊢ Σ W ( T ′ ( n )) N : unit . (Note that in this case S = S ′ .)By case analysis on the structure of ¯ M : ¯ M = (( λx. ˆ M ) V ): Here we have ¯ M ′ = { x V } ˆ M , S = S ′ and P = ∅ . Byrule App , there exist ˆ τ and ˆ σ such that W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ ( λx. ˆ M ) : ˆ τ −−−−→ A f ⌈ ¯E ⌉ ˆ σ and W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ V : ˆ τ with ˆ σ = ¯ τ . By Abs , then W ; Γ , x : ˆ τ ⊢ Σ A f ⌈ ¯E ⌉ ˆ M : ˆ σ .Therefore, by Lemma B.6, we get W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ { x V } ˆ M : ¯ τ . By Remark B.4, W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ f W ( T ( m )) { x V } ˆ M : ¯ τ . ¯ M = ( ̺x.X ): Here we have ¯ M ′ = ( { x ( ̺x.X ) } X ), S = S ′ and P = ∅ . Byrule Rec , we have W ; Γ , x : ¯ τ ⊢ Σ A f ⌈ ¯E ⌉ X : ¯ τ . Therefore, by Lemma B.6, weget W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ { x ( ̺x.X ) } X : ¯ τ . By Remark B.4, W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ f W ( T ( m )) { x ( ̺x.X ) } X : ¯ τ . ¯ M = (if tt then N t else N f ): Here we have ¯ M ′ = N t , S = S ′ and P = ∅ . By Cond , we have that W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ N t : ¯ τ . By Remark B.4, W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ f W ( T ( m )) N t : ¯ τ . ¯ M = (ref l,θ V ): Here we have ¯ M ′ = a , lab = a : θ ref l for some reference name a ,type θ and security level l , S ′ = S ∪ { ( a, V ) } and P = ∅ . By Ref , ¯ τ = θ ref and W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ V : θ , and by Remark B.4 then W ; Γ ⊢ Σ ℧ V : θ . By Lemma B.5 we have W ; Γ ⊢ Σ ℧ S ′ ( a ) : θ for every a ∈ dom( S ′ ). By Loc , we have W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ a : θ ref ,and ¯ τ = θ ref . ¯ M = (! a ): Here we have ¯ M ′ = S ( a ), S = S ′ and P = ∅ . By Der , we havethat W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ a : ¯ τ ref , and by Loc we know that Σ ( a ) = ¯ τ . By com-patibility assumption, then W ; Γ ⊢ Σ ℧ S ( a ) : Σ ( a ), and by Remark B.4, then W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ f W ( T ( m )) S ( a ) : ¯ τ . ¯ M = ( a := V ): Here we have ¯ M ′ = (), and P = ∅ . By Assign , ¯ τ = unit , and W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ a : θ ref and W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ V : θ , for some θ . By Loc , θ = Σ ( a ) and byRemark B.4 we have W ; Γ ⊢ Σ ℧ V : Σ ( a ). By Nil , we have that W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ f W ( T ( m )) () : ¯ τ , with ¯ τ = unit . NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 71 ¯ M = (flow F ′ in V ): Here we have ¯ M ′ = V , S = S ′ and P = ∅ . By rule Flow , wehave that W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ V : ¯ τ and by Remark B.4, we have W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ f W ( T ( m )) V :¯ τ . ¯ M = (allowed F ′ then N t else N f ) and W ( T ( m )) F ′ : Here we have ¯ M ′ = N t , S = S ′ and P = ∅ . By Allow , we have that W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ f F ′ N t : ¯ τ . ByRemark B.4, then W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ f W ( T ( m )) N t : ¯ τ . ¯ M = (allowed F ′ then N t else N f ) and W ( T ( m )) F ′ : Here we have ¯ M ′ = N f , S = S ′ and P = ∅ . By Allow , we have that W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ N f : ¯ τ . ByRemark B.4, then W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ f W ( T ( m )) N f : ¯ τ . ¯ M = (thread k N at ¯ d ): Here we have ¯ M ′ = (), P = { ˆ N n } for some thread name n , S = S ′ , and T ′ ( n ) = ¯ d . By Nil , we have W ; Γ ⊢ Σ A () : unit . By Remark B.4, then W ; Γ ⊢ Σ A f ⌈ ¯E ⌉ f W ( d ) () : unit . Furthermore, by Mig , we have that W ; Γ ⊢ Σ W ( ¯ d ) N : unit and ¯ τ = unit .The cases ¯ M = (if ff then N t else N f ) and ¯ M = ( V ; ˆ M ) are analogous to the one for¯ M = (if tt then N t else N f ).By Replacement (Lemma B.7), we finally conclude that W ; Γ ⊢ Σ A f W ( T ( m )) ¯E[ ¯ M ′ ] : τ . Proposition B.9 (Safety – Proposition 4.7) . Given an allowed-policy mapping W , considera closed thread M m such that W ; ∅ ⊢ Σ A M : τ . Then, for any memory S that is ( W, Σ , ∅ ) -compatible and position-tracker T , either the program M is a value, orProof. By induction on the derivation of W ; Γ ⊢ Σ A M : τ . If M ∈ V al , then case 1 holds.
Flow: If M = (flow F in N ), then W ; Γ ⊢ Σ A N : τ . By induction hypothesis, then oneof the following cases holds for N : Case 1:
Then case 2 holds for M , with M ′ = N , d = T ( m ) and F ′ = F . Case 2:
Suppose that there exists F ′ , N ′ , P , S ′ and T ′ such that W ⊢ h{ N m } , T, S i d −→ F ′ h{ N ′ m } ∪ P, T ′ , S ′ i . Then W ⊢ h{ M m } , T, S i d −−−→ F ′ ∪ F h{ (flow F in N ′ ) m } ∪ P, T ′ , S ′ i ,so case 2 holds for M . Allow: If M = (allowed F then N t else N f ), then we have that W ⊢ h{ M m } , T, S i T ( m ) −−−→ ∅ h{ M ′ m } , T, S i , with M ′ = N t of M ′ = N f depending on whether W ( T ( m )) F or W ( T ( m )) F (respectively). Therefore, case 2 holds for M . Mig: If M = (thread l N at d ), then W ⊢ h{ M m } , T, S i T ( m ) −−−→ W h{ () m , N n } , T, S i , socase 2 holds for M .B.2.2. Soundness.
Theorem B.10 (Soundness of Enforcement Mechanism I – Theorem 4.6) . Consider anallowed-policy mapping W , reference labeling Σ , typing environment Γ , and a thread con-figuration h P, T i such that for all M m ∈ P there exists τ such that W ; Γ ⊢ Σ W ( T ( m )) M : τ .Then h P, T i is a ( W, Σ , Γ) -confined thread configuration. Proof.
Consider the following set: C = {h P, T i | ∀ M m ∈ P, ∃ τ . W ; Γ ⊢ Σ W ( T ( m )) M : τ } We show that C is a set of ( W, Σ , Γ)-confined thread configurations. If h P, T i ∈ C and for agiven ( W, Σ , Γ)-compatible store S we have that there exist P ′ , T ′ , S ′ such that W ⊢ h P, T, S i d −→ F h P ′ , T ′ , S ′ i , then, there is a thread M m such that P = { M m }∪ ¯ P and W ⊢ h{ M m } , T, S i d −→ F h{ M m } ∪ ¯ P ′ , T ′ , S ′ i , with P ′ = { M m } ∪ ¯ P ′ ∪ ¯ P and T ( m ) = d . By induction on the infer-ence of W ; Γ ⊢ Σ W ( T ( m )) M : τ , we prove that W ( d ) F , and W ; Γ ⊢ Σ W ( T ′ ( m )) M ′ : τ . Further-more, if ¯ P = N n for some expression N and thread name n , then W ; Γ ⊢ Σ W ( T ′ ( n )) N : unit .Since typability of the threads that result from the transition step, as well as the( W, Σ , Γ)-compatibility of the stores, is guaranteed by Subject Reduction (Proposition 4.5),we prove only the conditions regarding the compliance of the declared flow policies to thecurrent domain’s allowed flow policy. Assuming that W ; Γ ⊢ Σ W ( d ) M : τ , and by case analysison the last rule in the corresponding typing proof: Flow:
Here M = (flow ¯ F in ¯ M ), and we have W ; Γ ⊢ Σ W ( d ) ¯ M : τ , with W ( d ) ¯ F .There are two cases to consider:¯ M can compute: Then W ⊢ h{ ¯ M } , T, S i d −→ ¯ F ′ h{ ¯ M ′ } ∪ ¯ P ′ , T ′ , S ′ i , with F = ¯ F f ¯ F ′ . By induction hypothesis, then W ( d ) ¯ F ′ . Since W ( d ) ¯ F , then W ( d ) F .¯ M ∈ Val : Then we have F = ℧ , so W ( T ( m )) F holds vacuously. Allow:
Here M = (allowed ¯ A then ¯ N t else ¯ N f ), and we have F = ℧ . Therefore W ( T ( m )) F holds vacuously. Mig:
In this case M = (thread l ¯ M at ¯ d ), with W ; Γ ⊢ Σ W ( ¯ d ) ¯ M : unit . Then we have F = ℧ , so W ( T ( m )) F holds vacuously.The cases for Ref , Der , Assign , Seq , App and
Cond are similar to
Flow , since forthe cases where the sub-expressions are not all values, these sub-expressions require typingassumptions that have the same A parameter as the concluding judgment, and for the caseswhere the expression is ready to reduce, the flow policy that decorates the transition is ℧ .The cases for Rec and
Mig are similar to
Allow , since the constructs are not evaluationcontexts, and therefore the transition is decorated with the top flow policy F = ℧ .B.3. Runtime Type Checking.
B.3.1.
Subject Reduction and weak safety.
Proposition B.11 (Subject Reduction – Proposition 4.9) . Consider a thread M m suchthat Γ ⊢ Σ A M : τ and suppose that W ⊢ h{ M m } , T, S i d −→ F h{ M ′ m } ∪ P, T ′ , S ′ i , for a memory S that is ( W, Σ , Γ) -compatible. Then, Γ ⊢ Σ A f W ( T ( m )) M ′ : τ , and S ′ is also ( W, Σ , Γ) -compatible. NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 73
Proof.
The proof is the same as the one for Proposition B.8, with exception for the treatmentof the case where the step corresponds to the creation of a new thread: ¯ M = (thread l N at d ): Here we have ¯ M ′ = (), P = { ˆ N n } for some thread name n , T ′ ( n ) = d and (by the migration condition) Γ ⊢ Σ W ( d ) N : unit , where ¯ τ = unit . By Nil we have that Γ ⊢ Σ A () : unit . Proposition B.12 (Safety (weakened) – Proposition 4.11) . Consider a closed thread M m such that ∅ ⊢ Σ A M : τ . Then, for any allowed-policy mapping W , memory S that is ( W, Σ , ∅ ) -compatible and position-tracker T , either: (1) the program M is a value, or (2) W ⊢ h{ M m } , T, S i T ( m ) −−−→ F ′ h{ M ′ m } ∪ P, T ′ , S ′ i , for some F ′ , M ′ , P , S ′ and T ′ , or (3) M = E[(thread l N at d )] , for some E , l , d such that ∅ ⊢ ΣΩ N : unit but ∅ 6⊢ Σ W ( d ) N : unit .Proof. By induction on the derivation of Γ ⊢ Σ A M : τ . If M ∈ V al , then case 1 holds.
Flow: If M = (flow F in N ), then Γ ⊢ Σ A N : τ . By induction hypothesis, then one ofthe following cases holds for N : Case 1:
Then case 2 holds for M , with M ′ = N , d = T ( m ) and F ′ = F . Case 2:
Suppose that there exists F ′ , N ′ , P , S ′ and T ′ such that W ⊢ h{ N m } , T, S i d −→ F ′ h{ N ′ m } ∪ P, T ′ , S ′ i . Then W ⊢ h{ M m } , T, S i d −−−→ F ′ ∪ F h{ (flow F in N ′ ) m } ∪ P, T ′ , S ′ i ,so case 2 holds for M . Case 3:
Suppose that there exists an evaluation context ¯ E , a security level l anda domain name d such that N = E[(thread l N ′ at d )] and Γ ⊢ ΣΩ N ′ : unit butΓ Σ W ( d ) N ′ : unit . Then, case 3 also holds for M for the evaluation context E = (flow F in ¯E[]). Allow: If M = (allowed F then N t else N f ), then we have that W ⊢ h{ M m } , T, S i T ( m ) −−−→ ∅ h{ M ′ m } , T, S i , with M ′ = N t of M ′ = N f depending on whether W ( T ( m )) F or W ( T ( m )) F (respectively). Therefore, case 2 holds for M . Mig: If M = (thread l N at d ), then Γ ⊢ ΣΩ N : unit , and either: Γ ⊢ Σ W ( d ) N : unit : Then, W ⊢ h{ M m } , T, S i T ( m ) −−−→ ∅ h{ () m , N n } , T, S i . Therefore,case 2 holds for M . Γ Σ W ( d ) N : unit : Then, case 3 holds for M for the evaluation context E = ¯E.B.4. Declassification effect.
B.4.1.
Subject Reduction and weak safety.
In order to prove Subject Reduction, we followthe usual steps [WF94]. In the following,
Pse is the set of pseudo-values, as defined inFigure 2.
Remark B.13.
If Γ ⊢ Σ M ֒ → N : s, τ then M ∈ Val iff N ∈ Val and s = ℧ . Remark B.14.
If Γ ⊢ Σ M ֒ → N : s, τ and M ∈ Pse with rn( M ) ⊆ dom(Σ), then N ∈ Pse and s = ℧ . Lemma B.15. (1) If Γ ⊢ Σ M ֒ → ˆ M : s, τ and x / ∈ dom(Γ) then W ; Γ , x : σ ⊢ Σ M ֒ → ˆ M : s, τ . (2) If W ; Γ , x : σ ⊢ Σ M ֒ → ˆ M : s, τ and x / ∈ fv( M ) then Γ ⊢ Σ M ֒ → ˆ M : s, τ .Proof. By induction on the inference of the type judgment.
Lemma B.16 (Substitution) . If W ; Γ , x : σ ⊢ Σ M ֒ → N : s, τ and Γ ⊢ Σ X ֒ → X : ℧ , σ ′ with σ σ ′ , then Γ ⊢ Σ { x X } M ֒ → { x X } N : s, τ ′ with τ τ ′ .Proof. By induction on the inference of W ; Γ , x : σ ⊢ Σ M ֒ → N : s, τ , and by case analysison the last rule used in this typing proof, using Lemma B.15. Nil I : Here { x X } M = M , and { x X } N = N , and since x / ∈ fv( M ) then byLemma B.15 we have Γ ⊢ Σ M ֒ → N : s, τ . Var I : If M = x then N = x , s = ℧ , σ = τ , { x X } M = X , and { x X } N = X .It is then direct that Γ ⊢ Σ X ֒ → X : s, σ ′ , and we take τ ′ = σ ′ . If M = x then N = x , { x X } M = M and { x X } M = M where x / ∈ fv( M ). Therefore, byLemma B.15, we have Γ ⊢ Σ M ֒ → N : s, τ . Abs I : Here M = ( λy. ¯ M ), N = ( λy. ¯ N ), s = ℧ , and W ; Γ , x : σ, y : ¯ τ ⊢ Σ ¯ M ֒ → ¯ N : ¯ s, ¯ σ where τ = ¯ τ ¯ s −→ ¯ σ . We can assume that y / ∈ dom( W ; Γ , x : σ ) (otherwise re-name y ). Then { x X } ( λy. ¯ M ) = ( λy. { x X } ¯ M ) and { x X } ( λy. ¯ N ) =( λy. { x X } ¯ N ). By assumption and Lemma B.15 we can write W ; Γ , y : ¯ τ ⊢ Σ X ֒ → X : ℧ , σ ′ . By induction hypothesis, W ; Γ , y : ¯ τ ⊢ Σ { x X } ¯ M ֒ → { x X } ¯ N :¯ s, ¯ σ ′ with ¯ σ ¯ σ ′ . By Abs I , Γ ⊢ Σ ( λy. { x X } ¯ M ) ֒ → ( λy. { x X } ¯ N ) : s, ¯ τ ¯ s −→ ¯ σ ′ ,and we take τ ′ = ¯ τ ¯ s −→ ¯ σ ′ . Rec I : Here M = ( ̺y. ¯ X ), M = ( ̺y. ¯ X ), by Remark B.14 we have s = ℧ , and W ; Γ , x : σ, y : τ ⊢ Σ ¯ X ֒ → ¯ X : s, τ . We can assume that y / ∈ dom( W ; Γ , x : σ ) (oth-erwise rename y ). Then { x X } ( ̺y. ¯ X ) = ( ̺y. { x X } ¯ X ) and { x X } ( ̺y. ¯ X ) =( ̺y. { x X } ¯ X ). By assumption and Lemma B.15 we have W ; Γ , y : τ ⊢ Σ X ֒ → X : s, σ ′ . By induction hypothesis, W ; Γ , y : τ ⊢ Σ { x X } ¯ X ֒ → { x X } ¯ X : ℧ , τ ′ , with tau τ ′ . Then, by Rec I , Γ ⊢ Σ ( ̺y. { x X } ¯ X ) ֒ → ( ̺y. { x X } ¯ X ) : ℧ , τ ′ . Ref I : Here M = (ref θ ¯ M ), N = (ref θ ¯ N ) and we have Γ ⊢ Σ ¯ M ֒ → ¯ N : ¯ s, θ ′ where θ θ ′ and τ = θ ref . By induction hypothesis, Γ ⊢ Σ { x X } ¯ M ֒ →{ x X } ¯ N : ¯ s, θ ′′ with θ ′ θ ′′ . Then, θ θ ′′ , so we conclude by Ref I thatΓ ⊢ Σ (ref θ { x X } ¯ M ) ֒ → (ref θ { x X } ¯ N ) : s, τ . Cond I : Here M = (if ¯ M then ¯ M t else ¯ M f ), N = (if ¯ N then ¯ N t else ¯ N f ) and wehave that W ; Γ , x : σ ⊢ Σ ¯ M ֒ → ¯ N : ¯ s, bool , W ; Γ , x : σ ⊢ Σ ¯ M t ֒ → ¯ N t : ¯ s t , ¯ τ t and W ; Γ , x : σ ⊢ Σ ¯ M f ֒ → ¯ N f : ¯ s f , ¯ τ f with s = ¯ s f ¯ s t f ¯ s f , ¯ τ t ≈ ¯ τ f and τ =¯ τ t f ¯ τ f . By induction hypothesis, W ; Γ , x : σ ⊢ Σ { x X } ¯ M ֒ → { x X } ¯ N :¯ s, bool , W ; Γ , x : σ ⊢ Σ { x X } ¯ M t ֒ → { x X } ¯ N t : ¯ s t , ¯ τ t ′ and W ; Γ , x : σ ⊢ Σ { x X } ¯ M f ֒ → { x X } ¯ N f : ¯ s f , ¯ τ f ’ with ¯ τ t ¯ τ t ′ and ¯ τ f ¯ τ f ′ . Still ¯ τ t ′ ≈ ¯ τ f ′ , so NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 75 by Cond I we have W ; Γ , x : σ ⊢ Σ (if { x X } ¯ M then { x X } ¯ M t else { x X } ¯ M f ) ֒ → (if { x X } ¯ N then { x X } ¯ N t else { x X } ¯ N f ) : s, ¯ τ t ′ f ¯ τ f ′ . We then take τ ′ = ¯ τ t ′ f ¯ τ f ′ . App I : Here M = ( ¯ M ¯ M ) and we have that Γ ⊢ Σ ¯ M ֒ → ¯ N : ¯ s , ¯ θ ¯ s −→ ¯ σ and Γ ⊢ Σ ¯ M ֒ → ¯ N : ¯ s , ¯ θ ′′ where s = ¯ s f ¯ s f ¯ s , ¯ θ ¯ θ ′′ , and τ = ¯ σ . By induction hypoth-esis, W ; Γ , x : σ ⊢ Σ { x X } ¯ M ֒ → { x X } ¯ N : ¯ s t , ¯ θ ¯ s ′ −−→ ¯ σ ′ and W ; Γ , x : σ ⊢ Σ { x X } ¯ M f ֒ → { x X } ¯ N : ¯ s f , ¯ θ ′′′ with ¯ s ¯ s ′ , ¯ σ ¯ σ ′ and ¯ θ ′′ ¯ θ ′′′ . Itis still the case that ¯ θ ¯ θ ′′′ . Therefore, by rule App I we have that W ; Γ , x : σ ⊢ Σ ( { x X } ¯ M { x X } ¯ M ) ֒ → (if { x X } ¯ M then { x X } ¯ N t else { x X } ¯ N ) : s, ¯ σ ′ , and we take τ ′ = ¯ σ ′ . Mig I : Here M = (thread l ¯ M at d ), N = (thread ¯ sl ¯ N at d ), s = ℧ and we have W ; Γ , x : σ ⊢ Σ ¯ M ֒ → ¯ N : ¯ s, ¯ τ and τ = unit . By induction hypothesis, thenΓ ⊢ Σ { x X } ¯ M ֒ → { x X } ¯ N : ¯ s, ¯ τ . Therefore, by rule Mig I , we haveΓ ⊢ Σ (thread l { x X } ¯ M at d ) ֒ → (thread ¯ sl { x X } ¯ N at d ) : ℧ , τ . Flow I : Here M = (flow ¯ F in ¯ M ), N = (flow ¯ F in ¯ N ) and W ; Γ , x : σ ⊢ Σ ¯ M ֒ → ¯ N : ¯ s, τ with s = ¯ s f ¯ F . By induction hypothesis, Γ ⊢ Σ { x X } ¯ M ֒ → { x X } ¯ N : ¯ s, τ ′ with τ τ ′ . By Flow I , Γ ⊢ Σ (flow ¯ F in { x X } ¯ M ) ֒ → (flow ¯ F in { x X } ¯ N ) : s, τ ′ . Allow I : Here M = (allowed ¯ F then ¯ M t else ¯ M f ), and N = (allowed ¯ F then ¯ N t else ¯ N f )and W ; Γ , x : σ ⊢ Σ ¯ M ֒ → ¯ M : ¯ s, bool and also W ; Γ , x : σ ⊢ Σ ¯ M t ֒ → ¯ N t : ¯ s t , ¯ τ t and W ; Γ , x : σ ⊢ Σ ¯ M f ֒ → ¯ N f : ¯ s f , ¯ τ f , with s = ¯ s t ⌣ ¯ F f ¯ s f , ¯ τ t ≈ ¯ τ f and τ = ¯ τ t f ¯ τ f . By induction hypothesis, Γ ⊢ Σ { x X } ¯ M t ֒ → { x X } ¯ N t :¯ s t , ¯ τ ′ t and Γ ⊢ Σ { x X } ¯ M f ֒ → { x X } ¯ N f : ¯ s f , ¯ τ ′ f with ¯ τ t ¯ τ ′ t and ¯ τ f ¯ τ ′ f . Still, we have that ¯ τ ′ t ≈ ¯ τ ′ f . We then have, by rule Allow I , that Γ ⊢ Σ (allowed ¯ F then { x X } ¯ M t else { x X } ¯ M f ) ֒ → (allowed ¯ F then { x X } ¯ N t else { x X } ¯ N f ) : s, ¯ s ′ t ⌣ ¯ F f ¯ s ′ f . We then take τ ′ = ¯ τ t f ¯ τ f .The proofs for the cases Loc I , Bt I and Bf I are analogous to the one for Nil I , while theproofs for Seq I , Der I and Ass I are analogous to (or simpler than) the one for App I . Lemma B.17 (Replacement) . (1) If Γ ⊢ Σ E [ M ] ֒ → N E : s, τ is a valid judgment, then the proof gives M a typing Γ ⊢ Σ M ֒ → N : ¯ s, ¯ τ for some N , ¯ s and ¯ τ such that s ¯ s and for which there exists E such that N E = E [ N ] . In this case, if Γ ⊢ Σ M ′ ֒ → N ′ : ¯ s ′ , ¯ τ ′ with ¯ s f A ¯ s ′ for some A and ¯ τ ¯ τ ′ , then Γ ⊢ Σ E [ M ′ ] ֒ → E [ N ′ ] : s ′ , τ ′ for some s ′ , τ ′ such that s f A s ′ and τ τ ′ . (2) If Γ ⊢ Σ M E ֒ → E [ N ] : s, τ is a valid judgment, then the proof gives N a typing Γ ⊢ Σ M ֒ → N : ¯ s, ¯ τ for some M , ¯ s and ¯ τ such that s ¯ s and for which there exists E such that M E = E [ M ] . In this case, if Γ ⊢ Σ M ′ ֒ → N ′ : ¯ s ′ , ¯ τ ′ with ¯ s f A ¯ s ′ for some A and ¯ τ ¯ τ ′ , then Γ ⊢ Σ E [ M ′ ] ֒ → E [ N ′ ] : s ′ , τ ′ for some s ′ , τ ′ such that s f A s ′ and τ τ ′ .Proof. (1) By induction on the structure of E . The proof is symmetric to the second case. (2) By induction on the structure of E . E [ N ] = N : This case is direct. E [ N ] = (if ˆE [ N ] then ˆ N t else ˆ N f ): By Cond I , M E = (if M ˆ E then ˆ M t else ˆ M f ),and Γ ⊢ Σ M ˆ E ֒ → ˆE [ N ] : ˆ s, bool , and also Γ ⊢ Σ ˆ M t ֒ → ˆ N t : ˆ s t , ˆ τ t andΓ ⊢ Σ ˆ M f ֒ → ˆ N f : ˆ s f , ˆ τ f with s = ˆ s f ˆ s t f ˆ s f , ˆ τ t ≈ ˆ τ f and τ = ˆ τ t f ˆ τ f . Byinduction hypothesis, the proof gives N a typing Γ ⊢ Σ M ֒ → N : ¯ s, ¯ τ , for some M , ¯ s , ¯ τ such that ˆ s ¯ s , and for which there exists ˆE such that M ˆ E = ˆE [ M ].Also by induction hypothesis, Γ ⊢ Σ ˆE [ M ′ ] ֒ → ˆE [ N ′ ] : ˆ s ′ , bool , for some ˆ s ′ suchthat ˆ s f A ˆ s ′ . Again by rule Cond I we have that Γ ⊢ Σ (if ˆE [ M ′ ] then ˆ M t else ˆ M f ) ֒ → (if ˆE [ N ′ ] then ˆ N t else ˆ N f ) : s ′ , τ ′ with s ′ = ˆ s ′ f ˆ s t f ˆ s f and τ ′ = ˆ τ t f ˆ τ f .Notice that s f A = ˆ s f ˆ s t f ˆ s f f A ˆ s ′ f ˆ s t f ˆ s f = s ′ . E [ M ] = (flow ˆ F in ˆE [ M ]): By Flow I , M E = (flow ˆ F in M ˆ E ), and Γ ⊢ Σ M ˆ E ֒ → ˆE [ N ] : ˆ s, τ and s = ˆ s f ˆ F . By induction hypothesis, the proof gives N a typing Γ ⊢ Σ M ֒ → N : ¯ s, ¯ τ , for some M , ¯ s , ¯ τ such that ˆ s ¯ s , and for whichthere exists ˆE such that M ˆ E = ˆE [ M ].Also by induction hypothesis, Γ ⊢ Σ ˆE [ M ′ ] ֒ → ˆE [ N ′ ] : ˆ s ′ , τ , for some ˆ s ′ suchthat ˆ s f A ˆ s ′ . Then, again by Flow I , we have Γ ⊢ Σ (flow ˆ F in ˆE [ M ′ ]) ֒ → (flow ¯ F in ˆE [ N ′ ]) : s ′ , τ with s ′ = ˆ s ′ f ˆ F . Notice that s f A = ˆ s f ˆ F f A ˆ s ′ f ˆ F = s ′ .The proofs for the cases E [ M ] = ⌈ (ˆE [ M ] := N ) ⌉ , E [ M ] = ⌈ ( V := ˆE [ M ]) ⌉ ,E [ M ] = ⌈ (! ˆE [ M ]) ⌉ , E [ M ] = ⌈ (ˆE [ M ] N ) ⌉ , E [ M ] = ⌈ ( V ˆE [ M ]) ⌉ , E [ M ] = ⌈ (ˆE [ M ]; N ) ⌉ and E [ M ] = ⌈ (ref l,θ ˆE [ M ]) ⌉ , are all analogous to the proof for thecase where E [ M ] = (if ˆE [ M ] then N t else N f ).The following proposition ensures that the annotation processing is preserved by theannotated semantics. This is formulated by stating that after reduction, programs arestill well annotated. More precisely, the following result states that if a program is theresult of an annotation process, a certain declassification effect and type, then after onecomputation step it is still the result of annotating a program, and is given a not morepermissive declassification effect and type. Proposition B.18 (Subject Reduction, or Preservation of Annotations – Proposition 4.13) . Consider a thread M m such that Γ ⊢ Σ M ֒ → N : s, τ and suppose that W ⊢ Σ , Υ h{ N m } , T, S i d −→ F h{ N ′ m } ∪ P, T ′ , S ′ i , for a memory S that is ( W, Σ , Γ) -compatible. Then there exist M ′ , s ′ , τ ′ such that s f W ( T ( m )) s ′ , and τ τ ′ , and Γ ⊢ Σ M ′ ֒ → N ′ : s ′ , τ ′ , and S ′ is also ( W, Σ , Γ) -compatible. Furthermore, if P = { N ′′ n } for some expression N ′′ and thread name n , then there exist M ′′ , s ′′ such that W ( T ′ ( n )) s ′′ and Γ ⊢ Σ M ′′ ֒ → N ′′ : s ′′ , unit .Proof. Suppose that N = ¯E[ ¯ N ] and W ⊢ Σ , Υ h{ ¯ N m } , T, S i d −→ ¯ F h{ ¯ N ′ m } ∪ P ′ , ¯ T ′ , ¯ S ′ i . We startby observing that this implies F = ¯ F f ⌈ ¯E ⌉ , M ′ = ¯E[ ¯ M ′ ], P = P ′ , ¯ T ′ = T ′ and ¯ S ′ = S ′ .We can assume, without loss of generality, that ¯ N is the smallest in the sense that there is NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 77 no ˆE , ˆ N such that ˆE = [] and ˆE[ ˆ N ] = ¯ N for which we can write W ⊢ Σ , Υ h{ ˆ N m } , T, S i d −→ ˆ F h{ ˆ N ′ m } ∪ P, T ′ , S ′ i .By Replacement (Lemma B.17), we have Γ ⊢ Σ ¯ M ֒ → ¯ N : ¯ s, ¯ τ , for some ¯ M , ¯ s ’ ¯ τ suchthat s ¯ s , in the proof of Γ ⊢ Σ M ֒ → N : s, τ . We proceed by case analysis on thetransition W ⊢ Σ , Υ h{ ¯ N m } , T, S i d −→ ¯ F h{ ¯ N ′ m } ∪ P, T ′ , S ′ i , and prove that: • There exist ¯ M ′ , ¯ s ′ and ¯ τ ′ such that Γ ⊢ Σ ¯ M ′ ֒ → ¯ N ′ : ¯ s ′ , ¯ τ ′ , and ¯ s f W ( T ( m )) ¯ s ′ and¯ τ ¯ τ ′ . Furthermore, for every reference a ∈ dom( S ′ ) implies Γ ⊢ Σ ℧ , V ֒ → S ′ ( a ) : Σ ( a )for some value V . • If P = { N ′′ n } for some expression N ′′ and thread name n , then there exist M ′′ and¯ s ′′ such that Γ ⊢ Σ M ′′ ֒ → N ′′ : ¯ s ′′ , unit , and W ( T ′ ( n )) ¯ s ′ . (Note that in this case S = S ′ .)By case analysis on the structure of ¯ N : ¯ N = (( λx. ˆ N ) V ): Here we have ¯ N ′ = { x V } ˆ N , S = S ′ and P = ∅ . By rule App I , there exist ˆ M , V , ˆ s , ˆ s , ˆ s , ˆ τ , ˆ σ and ˆ τ ′′ such that Γ ⊢ Σ ( λx. ˆ M ) ֒ → ( λx. ˆ N ) :ˆ s , ˆ τ ˆ s −→ ˆ σ and Γ ⊢ Σ V ֒ → V : ˆ s , ˆ τ ′′ with ¯ s = ˆ s f ˆ s f ˆ s , ˆ τ ˆ τ ′′ and ¯ τ = ˆ σ .By Abs I , then Γ , x : ˆ τ ⊢ Σ ˆ M ֒ → ˆ N : ˆ s , ˆ σ . Therefore, by Lemma B.16, we getΓ ⊢ Σ { x V } ˆ M ֒ → { x V } ˆ N : ˆ s ′ , ˆ σ ′ with ˆ s ˆ s ′ and ˆ σ ¯ τ ′ . We take ¯ s ′ = ˆ s and ¯ τ ′ = ˆ σ ′ . ¯ N = (flow ˆ F in V ): Here we have ¯ N ′ = V , S = S ′ and P = ∅ . By rule Flow I andby Remark B.13, there exist V , ˆ s , such that Γ ⊢ Σ V ֒ → V : ℧ , ¯ τ . We take ¯ s ′ = ℧ . ¯ N = (allowed ˆ F then N t else N f ) and W ( T ( m )) ˆ F : Here we have ¯ N ′ = N t , S = S ′ and P = ∅ . By Allow I , there exist M t , N t , ˆ s t , ˆ s f , ˆ τ t and ˆ τ f such thatΓ ⊢ Σ M t ֒ → N t : ˆ s t , ˆ τ t , and Γ ⊢ Σ M f ֒ → N f : ˆ s f , ˆ τ f , where ¯ s = ˆ s t ⌣ ˆ F f ˆ s f , τ t ≈ τ f and ¯ τ = ˆ τ t f ˆ τ f . We take ¯ s ′ = ˆ s t and ¯ τ ′ = ˆ τ t . Notice that ¯ s f W ( T ( m )) = ˆ s t ⌣ ˆ F f ˆ s f f W ( T ( m )) ˆ s t and ¯ τ ¯ τ ′ . ¯ N = (thread ˙ sk ˆ N at d ): Here we have ¯ N ′ = (), S = S ′ , P = { ˆ N n } for some threadname n , T ′ ( n ) = d and W ( d ) ˙ s . By Mig I , we have that there exists ˆ M such thatΓ ⊢ Σ ˆ M ֒ → ˆ N : ˙ s, unit and ¯ τ = unit , and by Nil I we have that Γ ⊢ Σ () ֒ → () : ℧ , unit .By Replacement (Lemma B.17), we can finally conclude that Γ ⊢ Σ M ′ E ֒ → ¯E[ ¯ N ′ ] : s ′ , τ ′ for some M ′ E , s ′ , τ ′ such that s f W ( T ( m )) s ′ and τ τ ′ . Proposition B.19 (Safety (weakened) – Proposition 4.15) . Consider a closed thread M m such that ∅ ⊢ Σ M ֒ → ˆ M : s, τ . Then, for any allowed-policy mapping W , memory S that is ( W, Σ , ∅ ) -compatible and position-tracker T , either the program ˆ M is a value, or: (1) the program ˆ M is a value, or (2) W ⊢ h{ ˆ M m } , T, S i T ( m ) −−−→ F ′ h{ ˆ M ′ m } ∪ P, T ′ , S ′ i , for some F ′ , ˆ M ′ , P , S ′ and T ′ , or (3) M = E[(thread l N at d )] , for some E , l , d and ˆ s such that ˆ M = E[(thread ˆ sl ˆ N at d )] and ∅ ⊢ Σ N ֒ → ˆ N : ˆ s, τ but W ( d ) ˆ s .Proof. By induction on the derivation of Γ ⊢ Σ M ֒ → ˆ M : s, τ . If ˆ M ∈ V al ′ then case 1holds. Flow I : If M = (flow F in N ) and ˆ M = (flow F in ˆ N ), then Γ ⊢ Σ N ֒ → ˆ N : s ′ , τ . Byinduction hypothesis, then one of the following cases holds for ˆ N : Case 1:
Then case 2 holds for ˆ M , with ˆ M ′ = ˆ N , d = T ( m ) and F ′ = F . Case 2:
Suppose that there exists F ′ , ˆ N ′ , P , S ′ and T ′ such that W ⊢ h{ ˆ N m } , T, S i d −→ F ′ h{ ˆ N ′ m } ∪ P, T ′ , S ′ i . Then W ⊢ h{ ˆ M m } , T, S i d −−−→ F ′ ∪ F h{ (flow F in ˆ N ′ ) m } ∪ P, T ′ , S ′ i ,so case 2 holds for ˆ M . Case 3:
Suppose that there exists an evaluation context ¯ E , a security level l ,a domain name d and a security effect ˆ s such that N = E[(thread l N ′ at d )],ˆ N = E[(thread ˆ sl ˆ N ′ at d )] and Γ ⊢ Σ N ′ ֒ → ˆ N ′ : ˆ s, τ but W ( d ) ˆ s . Then, case 3also holds for ˆ M for the evaluation context E = (flow F in ¯E[]). Allow: If M = (allowed F then N t else N f ) and M = (allowed F then ˆ N t else ˆ N f ),then we have that W ⊢ h{ ˆ M m } , T, S i T ( m ) −−−→ ∅ h{ ˆ M ′ m } , T, S i , with ˆ M ′ = ˆ N t ofˆ M ′ = ˆ N f depending on whether W ( T ( m )) F or W ( T ( m )) F (respectively).Therefore, case 2 holds for ˆ M . Mig: If M = (thread l N at d ) and ˆ M = (thread ˆ sl ˆ N at d ), then Γ ⊢ Σ N ֒ → ˆ N : ˆ s, unit ,and either: W ( d ) ˆ s : Then, W ⊢ h{ M m } , T, S i T ( m ) −−−→ ∅ h{ () m , N n } , T, S i . Therefore, case 2holds for M . W ( d ) ˆ s : Then, case 3 holds for M for the evaluation context E = ¯E.B.4.2. Preservation of the semantics.
Proposition B.20 (Proposition 4.18) . If Γ ⊢ Σ M ֒ → N : s, τ , then for all allowed-policymappings W and thread names m ∈ Nam we have that { M m }∼ W, Σ , Γ { N m } .Proof. We prove that, for all allowed-policy mappings W , the set B = {h{ M m } , { N m }i | m ∈ Nam and ∃ s, τ . Γ ⊢ Σ M ֒ → N : s, τ } is a ( W, Σ , Γ)-simulation according to Definition 4.17.Let us assume that W ⊢ Σ , Υ h{ N m } , T, ˆ S i d −→ F h{ N ′ m } ∪ P ′ , T ′ , ˆ S ′ i . Consider ¯E , ¯ N suchthat N = ¯E [ ¯ N ] and W ⊢ Σ , Υ h{ ¯ N m } , T, ˆ S i d −→ ¯ F h{ ¯ N ′ m } ∪ ¯ P ′ , ¯ T ′ , ¯ˆ S ′ i and N ′ = ¯E [ ¯ N ′ ]. Westart by observing that F = ¯ F f ⌈ ¯E ⌉ , N ′ = ¯E [ ¯ N ′ ], P ′ = ¯ P ′ , ¯ T ′ = T ′ and ¯ˆ S ′ = ˆ S ′ . Wecan assume, without loss of generality, that ¯ N is the smallest in the sense that there is noˆE , ˆ N such that ˆE = [] and ˆE [ ˆ N ] = ¯ N for which we can write W ⊢ Σ , Υ h{ ˆ N m } , T, ˆ S i d −→ ˆ F h{ ˆ N ′ m } ∪ P ′ , T ′ , ˆ S ′ i .By Replacement (Lemma B.17), we have Γ ⊢ Σ ¯ M ֒ → ¯ N : ¯ s, ¯ τ , for some ¯ M , ¯ s , ¯ τ suchthat s ¯ s , in the proof of Γ ⊢ Σ M ֒ → N : s, τ . Furthermore, there exists ¯E such that M = ¯E [ ¯ M ]. We proceed by case analysis on the transition W ⊢ Σ , Υ h{ ¯ N m } , T, ˆ S i d −→ ¯ F h{ ¯ N ′ m } ∪ P ′ , T ′ , ˆ S ′ i , and prove that: NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 79 • if annot Σ , Γ ( S ) = ˆ S , there exist ¯ M ′ , S ′ s.t. W ⊢ Σ , Υ h{ ¯ M m } , T, S i d −→ ¯ F h{ ¯ M ′ m } ∪ P ′ , T ′ , S ′ i and annot Σ , Γ ( S ′ ) = ˆ S ′ , and for which there exist ¯ s ′ and ¯ τ ′ such that Γ ⊢ Σ ¯ M ′ ֒ → ¯ N ′ : ¯ s ′ , ¯ τ ′ . • If P ′ = { N ′′ n } for some expression N ′′ and thread name n , then there exist M ′′ and s ′′ such that P ′ = { M ′′ n } and Γ ⊢ Σ M ′′ ֒ → N ′′ : s ′′ , unit .By case analysis on the structure of ¯ N : ¯ N = (flow ˆ F in V ): Here we have ¯ N ′ = V , S = S ′ , T = T ′ and P ′ = ∅ . By rule Flow I and Remark B.13, there exist V , ˆ s , such that ¯ M = (flow ˆ F in V ) andΓ ⊢ Σ V ֒ → V : ˆ s, ¯ τ . We then have W ⊢ h{ ¯ M m } , T, S i d −→ F h{ V m } , T, S i , so we take¯ M ′ = V . ¯ N = (allowed ˆ F then N t else N f ) and W ( T ( m )) ˆ F : Here we have that ¯ N ′ = N t , S = S ′ , T = T ′ and P ′ = ∅ . By Allow I , there exist M t , M f , ˆ s t , ˆ s f , ˆ τ t andˆ τ f such that ¯ M = (allowed ˆ F then M t else M f ) and Γ ⊢ Σ M t ֒ → N t : ˆ s t , ˆ τ t , andΓ ⊢ Σ M f ֒ → N f : ˆ s f , ˆ τ f , where ¯ s = ˆ s t ⌣ ˆ F f ˆ s f , τ t ≈ τ f and ¯ τ = ˆ τ t f ˆ τ f . We take¯ s ′ = ˆ s t and ¯ τ ′ = ˆ τ t . We then have W ⊢ h{ ¯ M m } , T, S i d −→ F h{ M tm } , T, S i , so we take¯ M ′ = M t . ¯ N = (thread ˙ sk ˆ N at d ): Here we have ¯ N ′ = (), S = S ′ , P = { ˆ N n } for some threadname n , T ′ ( n ) = d and W ( d ) ˙ s . By Mig I , we have that there exists ˆ M such that¯ M = (thread k ˆ M at d ) and Γ ⊢ Σ ˆ M ֒ → ˆ N : ˙ s, unit and ¯ τ = unit , and by Nil I wehave that Γ ⊢ Σ () ֒ → () : ℧ , unit . Therefore, W ⊢ h{ ¯ M m } , T, S i d −→ F h{ () m , ˆ M n } , T, S i ,so we take ¯ M ′ = () and M ′′ = ˆ M .We then have that W ⊢ Σ , Υ h{ M m } , T, S i d −→ F h{ M ′ m } ∪ P ′ , T ′ , S ′ i with M ′ = ¯E [ ¯ M ′ ].By Replacement (Lemma B.17), we can conclude that Γ ⊢ Σ ¯E [ ¯ M ′ ] ֒ → ¯E [ ¯ N ′ ] : s ′ , τ ′ for some s ′ , τ ′ . Therefore, { M ′ m } B { N ′ m } , and if P ′ = { N ′′ n } , then P ′ = { M ′′ n } and { M ′ m , M ′′ n } B { N ′ m , N ′′ n } .B.4.3. Soundness.
Theorem B.21 (Soundness of Enforcement Mechanism III – Theorem 4.14) . Consider anallowed-policy mapping W , reference labeling Σ , typing environment Γ , and a thread configu-ration h P, T i such that for all M m ∈ P there exist ˆ M , s and τ such that Γ ⊢ Σ M ֒ → ˆ M : s, τ and W ( T ( m )) s . Then h ˆ P , T i , formed by annotating the threads in h P, T i , is ( W, Σ , Γ) -confined.Proof. Consider the following set: C = {h P, T i | ∀ ˆ M m ∈ P, ∃ M, s, τ . Γ ⊢ Σ M ֒ → ˆ M : s, τ and W ( T ( m )) s } We show that C is a set of ( W, Σ , Γ)-confined thread configurations. As in the proofof Theorem B.10, if for a given ( W, Σ , Γ)-compatible store S we have that there exist P ′ , T ′ , S ′ such that W ⊢ h P, T, S i d −→ F h P ′ , T ′ , S ′ i , then, there is a thread M m such that P = { M m } ∪ ¯ P and W ⊢ h{ M m } , T, S i d −→ F h{ M m } ∪ ¯ P ′ , T ′ , S ′ i , with P ′ = { M m } ∪ ¯ P ′ ∪ ¯ P and T ( m ) = d . By induction on the inference of Γ ⊢ Σ M ֒ → ˆ M : s, τ , we prove that W ( d ) F and there exists M ′ , s ′ and τ ′ such that Γ ⊢ Σ M ′ ֒ → ˆ M ′ : s ′ , τ ′ with W ( T ′ ( m )) s ′ .Furthermore, if ¯ P = N n for some expression N and thread name N , then there exists M ′ , s ′ , τ ′ such that Γ ⊢ Σ M ′ ֒ → ˆ M ′ : s ′ , τ ′ with W ( T ′ ( m )) s , and there exists N , s ′′ such thatΓ ⊢ Σ N ֒ → ˆ N : s ′′ , unit with W ( T ′ ( n )) s ′′ .Notice that since we necessarily have T ′ ( m ) = T ( m ) = d , then typability of the threadsthat result from the transition step is guaranteed by Subject Reduction (Proposition 4.13).Also, by the same result, we have compliance of the new declassification effect s ′ to thedomain’s allowed flow policy, for: If s f W ( T ( m )) s ′ , and since W ( d ) = W ( T ( m )) s ,then W ( T ( m )) s ′ . Furthermore, if ¯ P = N n , then W ( T ′ ( n )) s ′′ .It remains to prove the conditions regarding the compliance of the declared flow poli-cies to the current domain’s allowed flow policy. Assuming that Γ ⊢ Σ M ֒ → N : s, τ and W ( T ( m )) s and by case analysis on the last rule in the corresponding typing proof: Flow I : Here M = (flow ¯ F in ¯ M ), N = (flow ¯ F in ¯ N ), and Γ ⊢ Σ ¯ M ֒ → ¯ N : ¯ s, τ , with s = ¯ s f ¯ F . Then, we have that W ( d ) ¯ s . There are two cases to consider:¯ N can compute: Then W ⊢ Σ , Υ h{ ¯ N m } , T, S i d −→ ¯ F ′ h{ ¯ N ′ m } ∪ P, T ′ , S ′ i , with F =¯ F f ¯ F ′ . By induction hypothesis, then W ( T ( m )) ¯ F ′ . Since W ( T ( m )) = W ( d ) ¯ F , then W ( T ( m )) F .¯ N ∈ Val : Then we have F = ℧ , so W ( T ( m )) F holds vacuously. Allow I : Here N = (allowed ¯ A then ¯ N t else ¯ N f ), and we have F = ℧ . Therefore W ( T ( m )) F holds vacuously. Mig I : In this case we have M = (thread l ¯ M at ¯ d ) and N = (thread ¯ sl ¯ N at ¯ d ), withΓ ⊢ Σ ¯ M ֒ → ¯ N : ¯ s, unit . Then we have F = ℧ , so W ( T ( m )) F holds vacuously.Since N can reduce, then W ( ¯ d ) = W ( T ′ ( n )) ¯ s .The cases for Ref I , Der I , Ass I , Seq I , App I and Cond I are similar to Flow I , sincefor the cases where the sub-expressions are not all values, these sub-expressions are typedwith a declassification effect s ′ that is at least as restrictive as that s ′ of the concludingjudgment, i.e. s s ′ , and so since W ( d ) s ′ then the induction hypothesis can be applied.Furthermore, for the cases where the sub-expression is ready to reduce, the flow policy thatdecorates the transition is the same as F . When the sub-expressions are all values (moreprecisely, those that are to be evaluated in the evaluation context provided by each of theseconstructs), then F = ℧ . The case for Rec I is similar to Allow I , since the constructs arenot evaluation contexts, and therefore the transition is decorated with the top flow policy F = ℧ .B.4.4. Comparison of Enforcement Mechanisms II and III.
Proposition B.22 (Proposition 4.16) . If for an allowed policy A and type τ we have that Γ ⊢ Σ A M : τ , then there exist N , s and τ ′ such that Γ ⊢ Σ M ֒ → N : s, τ ′ with A s and τ τ ′ . NFORMATION FLOW IN A DISTRIBUTED SECURITY SETTING 81
Proof.
By induction on the inference of Γ ⊢ Σ A M : τ , and by case analysis on the last ruleused in this typing proof. Nil:
Here M = () and τ = unit . We conclude using Nil I , N = (), s = ℧ and τ ′ = unit . Var:
Here M = x and τ = Γ( x ). We conclude using Var I , N = x , s = ℧ and τ ′ = Γ( x ). Abs:
Here M = ( λx. ¯ M ) and Γ , x : ¯ θ ⊢ Σ¯ A ¯ M : ¯ σ where τ = ¯ θ ¯ A −→ ¯ σ . By inductionhypothesis, there exist ¯ N , ¯ s and ¯ σ ′ such that Γ , x : ¯ θ ⊢ Σ ¯ M ֒ → ¯ N : ¯ s, ¯ σ ′ and ¯ A ¯ s with ¯ σ ¯ σ ′ . We conclude using Abs I , N = ( λx. ¯ N ), s = ℧ , and τ ′ = ¯ θ ¯ s −→ ¯ σ ′ . Rec:
Here M = ( ̺x. ¯ X ), and Γ , x : τ ⊢ Σ A ¯ X : τ . By induction hypothesis, there exist¯ X , ¯ s and ¯ τ ′ such that Γ , x : τ ⊢ Σ ¯ X ֒ → ¯ X : ¯ s, ¯ τ ′ and A ¯ s with τ ¯ τ ′ . Weconclude using Rec I , N = ( ̺x. ¯ X ), s = ¯ s , and τ ′ = ¯ τ ′ . Cond:
Here M = (if ¯ M then ¯ M t else ¯ M f ) and we have Γ ⊢ Σ A ¯ M : bool , Γ ⊢ Σ A ¯ M t : ¯ τ and Γ ⊢ Σ A ¯ M f : ¯ τ where ¯ τ = τ . By induction hypothesis, there exist ¯ N , ¯ N t , ¯ N f , ¯ s ,¯ s t , ¯ s f , ¯ τ t and ¯ τ f such that Γ ⊢ Σ ¯ M ֒ → ¯ N : ¯ s, bool , Γ ⊢ Σ ¯ M t ֒ → ¯ N t : ¯ s t , ¯ τ t and Γ ⊢ Σ ¯ M f ֒ → ¯ N f : ¯ s f , ¯ τ f and A ¯ s , A ¯ s t , A ¯ s f with ¯ τ ¯ τ t and ¯ τ ¯ τ f . Therefore, A ¯ s f ¯ s ′ t f ¯ s ′ f , and we conclude using rule Cond I , N = (if ¯ N then ¯ N t else ¯ N f ), s = ¯ s f ¯ s ′ t f ¯ s ′ f and τ ′ = ¯ τ t f ¯ τ f . Ref :
Here M = (ref θ ¯ M ) and we have Γ ⊢ Σ A ¯ M : θ where τ = θ ref . By inductionhypothesis, there exist ¯ N , ¯ s and θ ′ such that Γ ⊢ Σ ¯ M ֒ → ¯ N : ¯ s, θ ′ and A ¯ s with θ θ ′ . We conclude using rule Ref I , N = (ref ¯ N ), s = ¯ s and τ ′ = θ ref . Der:
Here M = (! ¯ M ) and we have Γ ⊢ Σ A ¯ M : ¯ τ with ¯ τ = τ ref . By inductionhypothesis, there exist ¯ N , ¯ s and ¯ τ ′ such that Γ ⊢ Σ ¯ M ֒ → ¯ N : ¯ s, ¯ τ ′ and A ¯ s with¯ τ ¯ τ ′ . Notice that ¯ τ ′ = τ ref . We conclude using rule Der I , N = (! ¯ N ), s = ¯ s and τ ′ = τ . Assign:
Here M = ( ¯ M := ¯ M ) and we have Γ ⊢ Σ A ¯ M : ¯ θ ref and Γ ⊢ Σ A ¯ M : ¯ θ where τ = unit . By induction hypothesis, there exist ¯ N , ¯ N , ¯ s , ¯ s , ¯ τ ′ , and ¯ θ ′ such thatΓ ⊢ Σ ¯ M ֒ → ¯ N : ¯ s , ¯ τ ′ and Γ ⊢ Σ ¯ M ֒ → ¯ N : ¯ s , ¯ θ ′ and A ¯ s ′ , A ¯ s ′ with¯ θ ref ¯ τ ′ and ¯ θ ¯ θ ′ . Notice that ¯ τ ′ = ¯ θ ref . Therefore, A ¯ s ′ f ¯ s ′ , and weconclude using rule App I , N = ( ¯ N ¯ N ), s = ¯ s ′ f ¯ s ′ and τ ′ = unit . App:
Here M = ( ¯ M ¯ M ) and we have Γ ⊢ Σ A ¯ M : ¯ θ A −→ ¯ σ and Γ ⊢ Σ A ¯ M : ¯ θ where τ = ¯ σ . By induction hypothesis, there exist ¯ N , ¯ N , ¯ s , ¯ s , ¯ τ ′ , and ¯ θ ′ such thatΓ ⊢ Σ ¯ M ֒ → ¯ N : ¯ s , ¯ τ ′ and Γ ⊢ Σ ¯ M ֒ → ¯ N : ¯ s , ¯ θ ′ and A ¯ s ′ , A ¯ s ′ with¯ θ A −→ ¯ σ ¯ τ ′ and ¯ θ ¯ θ ′ . Notice that ¯ τ ′ = ¯ θ A ′′ −−→ ¯ σ ′′ , for some A ′′ and ¯ σ ′′ such that A A ′′ and ¯ σ ¯ σ ′′ . Therefore, A ¯ s ′ f ¯ s ′ f A ′′ , and we conclude using rule App I , N = ( ¯ N ¯ N ), s = ¯ s ′ f ¯ s ′ f A ′′ and τ ′ = ¯ σ ′′ . Mig:
Here M = (thread l ¯ M at d ) and we have that Γ ⊢ ΣΩ ¯ M : ¯ τ , with τ = ¯ τ = unit .By induction hypothesis, there exist ¯ N , ¯ s , ¯ τ ′ such that Γ ⊢ Σ ¯ M ֒ → ¯ N : ¯ s, ¯ τ ′ andΩ ¯ s with ¯ τ ¯ τ ′ . We conclude using rule Mig I , N = (thread ¯ sl ¯ N at d ), s = ℧ and τ ′ = unit . Flow:
Here M = (flow ¯ F in ¯ M ) and Γ ⊢ Σ A ¯ M : ¯ τ , with A ¯ F and τ = ¯ τ . Byinduction hypothesis, there exist ¯ N , ¯ s , ¯ τ ′ such that Γ ⊢ Σ ¯ M ֒ → ¯ N : ¯ s, ¯ τ ′ and A ¯ s with ¯ τ ¯ τ ′ . Therefore A ¯ s f ¯ F and we conclude using rule Flow I , N = (flow ¯ F in ¯ N ), s = ¯ s f ¯ F and τ ′ = ¯ τ ′ . Allow:
Here M = (allowed ¯ F then ¯ M t else ¯ M f ) and we have Γ ⊢ Σ A f ¯ F ¯ M t : ¯ τ andΓ ⊢ Σ A ¯ M f : ¯ τ where ¯ τ = τ . By induction hypothesis, there exist ¯ N t , ¯ N f , ¯ s t , ¯ s f and¯ τ ′ such that Γ ⊢ Σ ¯ M t ֒ → ¯ N t : ¯ s t , ¯ τ ′ and Γ ⊢ Σ ¯ M f ֒ → ¯ N f : ¯ s f , ¯ τ ′ and A f ¯ F ¯ s ′ t , A ¯ s ′ f with ¯ τ ¯ τ ′ . Therefore, A ¯ s ′ t ⌣ ¯ F f ¯ s ′ f , and we conclude using rule Allow I , N = (allowed ¯ F then ¯ N t else ¯ N f ), s = ¯ s ′ t ⌣ ¯ F f ¯ s ′ f and τ ′ = ¯ τ ′ .The proofs for the cases Loc , BT and BF are analogous to the one for Nil , while the prooffor
Seq is analogous to the one for