MAP-REDUCE Runtime Enforcement of Information Flow Policies by Ngo, Minh et al.
MAP-REDUCE Runtime Enforcement of
Information Flow Policies
Minh Ngo, Fabio Massacci, and Olga Gadyatskaya
University of Trento, Italy
{surname}@disi.unitn.it
April 2013
Revised May 2013
Abstract
We propose a flexible framework that can be easily customized to
enforce a large variety of information flow properties. Our framework
combines the ideas of secure multi-execution and map-reduce computa-
tions. The information flow property of choice can be obtained by simply
changes to a map (or reduce) program that control parallel executions.
We present the architecture of the enforcement mechanism and its
customizations for non-interference (NI) (from Devriese and Piessens) and
some properties proposed by Mantel, such as removal of inputs (RI) and
deletion of inputs (DI), and demonstrate formally soundness and precision
of enforcement for these properties.
1 Introduction
Information flow properties define the acceptable behaviours of computer pro-
grams with respect to allowed and forbidden flows of information. The most
well-known information flow property is non-interference (NI), which roughly
requires that the input data classified as confidential (also called secret, or high)
should not influence the public (low) outputs [7, 6].
By weakening or strengthening the definition of NI in order to address some
of its problems, security researchers have proposed different information flow
properties [15, 16, 9, 17, 26]. For instance, the definition of NI in [7] is based on
an assumption that if there is no high input, then there is no high output. This
assumption does not always hold. In [17], the generalized non-inference (GNF)
property is defined for systems that generate high outputs even if there are no
high inputs.
Different information flow properties led to different enforcement techniques.
To the best of our knowledge, there is no proposal in the literature with a
unified approach to the enforcement of multiple information flow properties.
The existing enforcement mechanisms (e.g. [6, 3, 25, 14, 23, 20, 5]) can be
configured to accommodate different information flow policies that identify what
is confidential and what is public, and what are the authorized flows in the
security lattice [6, 21], and, sometimes, they can as well enforce declassification
1
ar
X
iv
:1
30
5.
21
36
v1
  [
cs
.C
R]
  9
 M
ay
 20
13
Tab. 1: Enforcement mechanisms for the selected information flow properties
Property Section
Components
MAP REDUCE TM/TR
Removal of inputs [15] §5.1 Fig.10a Fig.10b Fig.10c,10d
Deletion of inputs [15] §5.3 Fig.17a Fig.17b Fig.17c,17d
Termination (in)sensitive §5.2 Fig.14a Fig.14b Fig.14c,14d
non-interference [6]
policies 1 (e.g. [1]). Yet, the adaptation of an existing enforcement mechanism
(for example, for NI) to enforce another property (for instance, GNF) is not
straight-forward.
We aim to fill this gap by providing an enforcement framework that can be
extended by different information flow properties. The framework is inspired
by the MAP-REDUCE approach explored by Google [12]; and generalizes the
secure multi-execution (SME) technique proposed by Devriese and Piessens in
[6] so that it can enforce other information flow properties, e.g. properties from
[15].
The main idea is to execute multiple “local” instances of the original pro-
gram, feeding different inputs to each instance of the program. The local inputs
are produced from the original program inputs by the MAP component, depend-
ing on the set of security levels defined in the framework and the input channels
available. Upon receiving the necessary data (for instance, after each individual
program instance is terminated), the REDUCE component collects the local out-
puts and generates the common output, thus ensuring that the overall execution
is secure. MAP and REDUCE are customizable and by changing their programs
the user can easily change the enforced property. Two simple tables (TM and
TR) tell MAP and REDUCE what they should do when receiving respectively
input and output requests from local executions on a channel.
In this report we present the following contributions:
• The architecture of this flexible enforcement framework.
• A set of simple instructions for programming the framework components,
such as a “clone” instruction to spawn new processes.
• The instantiation of the framework’s configuration for non-interference
(NI) from [6], Removal of Inputs (RI) and Deletion of Inputs (DI) from
[15]. The components are summarized in Tab. 1. We prove formally
soundness and precision of these enforcement mechanisms with respect
to the corresponding properties for a model programming language with
simple I/O instructions.
• An example on how a simple change to the configuration can lead to the
enforcement of new information flow properties.
The rest of the paper is organized as follows. §2 gives an overview of the idea
behind our approach and the architecture of the enforcement framework. The
1These policies are required when one needs to disclose information that depends on con-
fidential data in some way, see e.g. [18, 22] for details.
2
I0 π[0] O0
Ii π[i] Oi
ITOP π[TOP] OTOP
REDUCEMAP
Input Queue Output Queue
Local Executions
Local Input Queue Local Output Queue
TRTM
Fig. 1: Architecture of enforcement mechanisms
semantics of the controlled programs is introduced in §3. The formalization of
the framework is presented in §4. The enforcement mechanisms for the infor-
mation flow properties we have selected are described in §5. The soundness and
precision of the enforcement mechanisms constructed are presented in respec-
tively §6 and §7. We discuss options for fine-tuning the enforcement framework
and ideas for its further extensions with other properties in §8. The relation-
ships among the properties enforced, and the limitations of the framework are
discussed respectively in §9 and §10. Then we discuss related work in §11 and
conclude in §12.
2 Overview
Fig. 1 depicts the general architecture of the enforcement mechanism for an
information flow property on a program pi. It is composed by a stack EX of
local executions (pi[0], . . . , pi[TOP ], where TOP is the index of the top of the
stack), global input and output queues, the MAP and REDUCE components,
and the tables TM and TR.
Local executions (instances of the original program that are executed in
parallel and are unaware of each other) are separated from the environment
input and output actions by the enforcement mechanism. A local execution has
its own input and output queues. The local input (resp. output) queue of a local
execution contains the input (resp. output) items that can be freely consumed
(resp. generated) by this local execution. MAP and REDUCE are responsible
for respectively the global input queue containing the input items from the
external environment (received from the user or other input channels), and the
global output queue containing the output items filtered by the enforcement
mechanism to the environment.
When a local execution needs an input item that is not yet ready in its local
input queue, it will request the help of MAP by emitting an interrupt signal
(or just signal for short). When different local executions request values from
the same channel, there will be only one actual input action performed by the
enforcement mechanism. After the value is read, MAP will distribute it to local
executions, replacing the actual value by the default (fake) one, if necessary.
Similarly, when a local execution generates an output item, the output item
will be handled by REDUCE.
MAP and REDUCE can also autonomously send and, respectively, collect
items from local queues. For example, upon receiving an input item from the
environment, MAP can send it to all local executions that satisfy a predicate.
3
pi ::= instructions :
|x := e assignment
|pi;pi sequence
|if e then pi else pi if
|while e do pi while
|skip skip
|input x from c input
|output e to c output
Fig. 2: Language instructions
The parallel broadcast and parallel collection to and from local processors are
the characteristic features of MAP-REDUCE programs [12]; this explains our
choice for the name of the enforcement mechanism.
The actions of MAP (respectively REDUCE) on an input (output) request
from a local execution depend on the configuration information in the table
TM (TR). These components of the enforcement mechanism are customized
depending on the desired information flow property. The framework components
configured to implement the chosen information flow properties are listed in
Tab. 1 (for each selected property the table contains pointers to the actual
component configurations).
The configuration of input and output actions of local executions is based on
two privileges: ask (a) and tell (t). If a local execution has the ask privilege on
the input channel c, then MAP can fetch the input item from the environment
upon receiving the interrupt signal from a local execution. If a local execution
has the tell privilege on the input channel c, then this local execution can get
the real value from the channel c when MAP broadcasts the input item to local
executions, otherwise it will get a default value. If a local execution has the ask
privilege on the output channel c, then REDUCE will actually ask the execution
for the real value that it wished to send to c. Otherwise, REDUCE will just
replace it with a default value. If a local execution has the tell privilege on the
output channel c, it can invoke REDUCE to send the values generated by itself
to c.
Notice that an execution may have only one privilege. For example, an
execution with the ask but not the tell privilege in TR will provide the real
value to REDUCE, but will not be able to invoke REDUCE to put the value in
the external output. It will have to wait for somebody else with the tell privilege
on the channel to produce an output.
3 Semantics of Controlled Programs
Our model programming language is close to the one used in the SME paper
[6]. Valid values in this language are boolean values (T and F) or non-negative
integers. A program pi is an instruction composed from the terms described in
Fig. 2. In this figure, pi, e, x, and c are meta-variables for respectively instruc-
4
Tab. 2: Labels and their semantics
Label Semantics
prg Program executed by the component
mem Memory of the component
in Input queue of the component
out Output queue of the component
top Index of the top of the stack EX
stt State of a local execution
int Interrupt signal sent by a local execution
tm Table TM
tr Table TR
map MAP component
red REDUCE component
tions, expressions, variables, and input/output channels. Since a program is just
a sequence of instructions (i.e. a complex instruction itself), we will use program
and instruction interchangeably when referring to complex instructions.
We model an input (output) item as a vector and define input (output)
of program instances as queues. We use vectors of channel to accommodate
forms in which multiple fields are submitted simultaneously but are classified
differently (e.g. credit card numbers vs. user names)
Definition 3.1. An input vector ~v is a mapping from input channels to their
values, ~v : Cin → Σ∪{⊥}, where the value ⊥ is the special undefined value. An
output vector ~v is a mapping from output channels to their values, ~v : Cout →
Σ ∪ {⊥}.
Given a vector ~v and a channel c, the value of the channel is denoted by ~v[c].
The symbol ~⊥ denotes an output vector mapping all channels to ⊥. To simplify
the formal presentation, in the sequel w.l.o.g. we assume that each input and
output operation only affect one channel at a time. Thus, for each vector, there
is only one channel c such that ~v[c] 6= ⊥.
Let queue Q be a sequence of elements q1 . . . qn. We denote the addition
of a new element to the queue Q as Q.q, or q1 . . . qn.q; the removal of the first
element from the queue Q is denoted by q2 . . . qn. By  we denote an empty
queue.
To define an execution configuration, we use a set of labelled pairs. A labelled
pair is composed by a label and an object and in the form label:object. The
label is attached to the object in order to differentiate this object from others, so
each label occurs only once. For example, tm : TM is the configuration table for
MAP. A summary of labels and their semantics used in this report is in Tab. 2.
Definition 3.2. An execution configuration of a program is a set {prg:pi,mem:
m, in :I, out :O}, where pi is the program to be executed, m is the memory (a
function mapping variables to values), I (O respectively) is the queue of input
(resp. output) vectors.
The operational semantics of the language is described in Fig. 3. The conclu-
sion part of each semantic rule is written as ∆,Γ⇒ ∆,Γ′, where ∆ denotes the
5
ASSG
pi = x := e m(e) = val
∆, prg:pi,mem:m_ ∆, prg:skip,mem:m[x 7→ val]
COMP
prg:pi1,mem:m, in:I, out:O _ prg:pi′1,mem:m′, in:I ′, out:O′
prg:pi1;pi2,mem:m, in:I, out:O _ prg:pi′1;pi2,mem:m′, in:I ′, out:O′
IF-T
pi = if e then pi1 else pi2 m(e) = T
∆, prg:pi _ ∆, prg:pi1
IF-F
pi = if e then pi1 else pi2 m(e) = F
∆, prg:pi _ ∆, prg:pi2
WHIL-T
pi = while e do piloop m(e) = T
∆, prg:pi _ ∆, prg:piloop;pi
WHIL-F
pi = while e do piloop m(e) = F
∆, prg:pi _ ∆, prg:skip
SKIP
∆, prg:skip;pi _ ∆, prg:pi
INP
pi = input x from c I = ~v.I ′ ~v[c] 6= ⊥
∆, prg:pi,mem:m, in:I _ ∆, prg:skip,mem:m[x 7→ ~v[c]], in:I ′
OUTP
pi = output e to c ~v = ~⊥[c 7→ m(e)]
∆, prg:pi, out:O _ ∆, prg:skip, out:O.~v
Fig. 3: Semantics of instructions of controlled programs
elements of the execution configuration that are unchanged upon the transition.
The semantics of the comma “,” in the expression ∆,Γ is the disjoint union of
∆ and Γ. We abuse the notation of the memory function m(.) and use it to
evaluate expressions to values. When an output command sends a value to the
channel c, an output vector ~v = ~⊥[c 7→ val] is inserted into the output queue,
where ~v is the vector with all undefined channels, except c that is mapped to
m(e), so ~v[c′] = ⊥ for all c′ 6= c and ~v[c] = m(e).
Definition 3.3. An execution of the program pi is a finite sequence of configu-
ration transitions γ0 _ γ1 _ . . . _ γk, where γ0 = {prg:pi,mem:m0, in:I, out:}
is the initial configuration, m0 is the function mapping every variable to the
initial value, and k is the number of transitions.
The transition sequence can be also written as γ0 _k γk, or γ0 _∗ γk if the
exact number of transitions does not matter, or (pi, I, )_∗ (pik, Ik, Ok), where
γk = {prg:pik,mem:mk, in:Ik, out:Ok}. All sequences have the form
6
(γ1
INST1
COMP_ γ2 SKIP_ γ3)|(γ1
INST2
COMP_ γ2)|(γ1 SKIP_ γ2)

∗
INST3
COMP_ γ4
, where INST1 is ASSG, WHIL-F, INP, or OUTP; INST2 is IF-T, IF-F, or
WHIL-T; and INST3 is ASSG, INP, OUTP, or SKIP.
An infinite sequence is written as γ0 _ γ1 _ . . . .
Definition 3.4. The program terminates if there exists a configuration γf =
{prg : skip,mem :m, in : , out :O} such that γ0 _∗ γf . We denote this whole
derivation sequence by (pi, I) ⇓ O using the big step notation.
4 Semantics of the Enforcement Mechanism
Definition 4.1. A configuration of an enforcement mechanism is a set {tm :
TM , tr : TR, top : TOP,map :M, red :R, in : I, out :O,
⋃
i LECSi}, where TM and
TR are configuration tables for respectively MAP and REDUCE, TOP is the
index of the top of the stack of configurations of local executions EX, M and
R are configurations of respectively MAP and REDUCE components, I and O
are respectively the input and output queues of the enforcement mechanism, and
LECSi is the configuration of the i-th local execution.
We denote the enforcement mechanism on pi by EM(pi). For the initial con-
figuration, all local input and output queues will be empty, all local executions
will be in the executing state, and skip is the only instruction in MAP and
REDUCE programs. The enforcement mechanism is terminated when all local
executions, MAP and REDUCE programs are terminated, and the global input
queue is consumed completely.
Definition 4.2. The enforcement mechanism terminates if there exists a con-
figuration γf = {tm:TM , tr:TR, top:TOP,map:M, red:R, in:, out:O,
⋃
i LECSi} such
that γ0 _∗ γf , where EX[i].prg:skip for all i, map.prg:skip, and red.prg:skip.
We denote this whole derivation sequence by (EM(pi), I) ⇓ O using the big step
notation.
We now specify the semantics of the enforcement mechanism components:
local executions, the programs of MAP and REDUCE. The general approach is
that execution of parallel programs is modeled by the interleaving of concurrent
atomic instructions [13] so each transition rule either by a local execution, by
MAP, or by REDUCE is a step of the enforcement mechanism as a whole.
4.1 Local Executions
Each local execution is associated with a unique identifier i, that is its number on
the stack EX. A local execution can be in one of the two states: E (Executing)
or S (Sleeping). Initially, the state of all local executions is E. A local execution
moves from E to S when it has sent an interrupt signal to require an input item
7
LINP1
EX[i].st = E
pi = input x from c dequeue(I, c) = (val, I ′) val 6= ⊥
∆, EX[i].prg:pi,EX[i].mem:m,EX[i].in:I
⇒ ∆, EX[i].prg:skip, EX[i].mem:m[x 7→ val], EX[i].in:I ′
LINP2
EX[i].st = E pi = input x from c dequeue(I, c) = (⊥, I ′)
∆, EX[i].stt:E, EX[i].int:⊥ ⇒ ∆, EX[i].stt:S, EX[i].int:c
LOUTP
EX[i].st = E
pi = output e to c EX[i].mem = m ~v = ~⊥[c 7→ m(e)]
∆, EX[i].stt:E, EX[i].int:⊥, EX[i].prg:pi,EX[i].out:O
⇒ ∆, EX[i].stt:S, EX[i].int:c, EX[i].prg:skip, EX[i].out:O.~v
Fig. 4: Semantics of the input and output instructions of pi[i]
that is not ready in its local input queue, or to signal that it has generated
an output item. A local execution moves from S to E when it is awaken by
the MAP component (the input item it required is ready) or by the REDUCE
component (its output item is consumed).
Definition 4.3. An execution configuration of a local execution is a set LECSi ,
{EX[i].stt:st, EX[i].int:signal, EX[i].prg:pi,EX[i].mem:m,EX[i].in:I, EX[i].out:
O}, where EX is the global stack of local execution, i denotes the i-th execution,
st is the state of the local execution, signal is the interrupt signal sent by the
local execution, pi is an instruction to be executed, m is the memory, and I and
O are queues of input and output vectors respectively.
We define the dequeue operator dequeue(Q, c) on a queue Q and a channel c
that returns (val,Q′), where the value of val is ~v[c], where ~v is the first vector,
such that ~v[c] 6= ⊥, and Q′ is obtained by removing ~v from Q; otherwise (there
is no vector ~v in Q, where ~v[c] 6= ⊥), val = ⊥ and Q′ = Q.
The semantics of local executions for assignment, composition, if, while,
skip instructions is essentially identical to the one described in Fig. 3. The
only difference is the explicit condition that the local state must be E. We do
not present these rules in the paper. We provide the rules for input and output
instructions in Fig. 4. When the input instruction is executed and the input item
required is in the local input queue, this item will be consumed (rule LINP1).
Otherwise, the local execution emits an input interrupt signal c and moves to
the sleep state (rule LINP2). The output interrupt signal c is generated when
the output instruction is executed (rule LOUTP).
The initial configuration of the i-th local execution is {EX[i].stt:E, EX[i].int:
⊥, EX[i].prg :pi,EX[i].mem :m0, EX[i].in :, EX[i].out :}. A local execution is
terminated if there is only the skip instruction to be executed.
4.2 MAP
A MAP program is normally composed of three steps: the input retrieval step,
the value distribution step and the wake up step. In the first step, an input
8
piM ::= . . . instructions :
|map(e, c, PRED[ ]) map
|wake(PRED[ ]) wake
|clone(PRED[ ], PRIVTM , PRIVTR) clone
Fig. 5: MAP instructions
item is fetched by performing an actual input action from the specified channel,
or by using the default value (valdef ). In the second step, a real input item
or the default item is sent to local executions. These two steps depend on the
configuration in TM . In the third step, local executions are waken up if a certain
condition is satisfied, e.g., these local executions were waiting for input items
and they have received the input items they required.
In addition to the instructions in Fig. 2 (except the output instruction that
is replaced by the map instruction), the program piM is also composed by the in-
structions described in Fig. 5, where PRED[ ] , λx.Pred(x) is a meta-variable
for predicates. The evaluation of the predicate PRED[ ] on the configuration
of the local execution pi[i] is denoted as PRED[i].
The execution of map, wake, or clone instruction is applied simultaneously
to all local executions pi[i] such that PRED[i] is true as follows. First, the value
of the expression e is sent to the input queues of all local executions. The value
sent is considered as a value from the channel c. Then all local executions pi[i]
are awaken and the interrupt signals generated by those local executions (if
there were some) are removed. The execution of the clone instruction clones
the configuration of each local execution pi[i]. The new program and the over-
all configuration will be appended to the local executions stack. The state of
the new executions is S. The privileges of the new local executions are copied
from the lists of privileges PRIVTM and PRIVTR . The list PRIVTM (respec-
tively PRIVTR) is an input (resp. output) privilege configuration template
which varies depending on the enforced property. We give an example of such
templates in §5.3, where the enforced property requires cloning.
Definition 4.4. A configuration of the MAP component is a set {map.prg :
piM ,map.mem :m}, where piM is the instruction to be executed, and m is the
memory.
The semantics of instructions of assignment, sequence, if, while, and skip
of MAP is almost the same as the semantics presented in Fig. 3. The output
instruction is not used in piM . The semantics of input and map is described
in Fig. 6. For the map, wake, and clone instructions, if there is no i such
that PRED[i] holds, then the execution of these instructions makes all local
executions move from their current configurations to themselves.
The bijective function assignIndex() : S → {1, . . . , |S|} assigns and returns
an unique index of the element i in the set S (the index starts from 1). The func-
tion fork(LECSi, j) makes a copy of the local execution pi[i]; the new execution
can be referred as EX[j]. The function assign(TM , TR, TOP, TOP
′, PRIVTM , PRIVTR)
9
INPM
piM = input x from c I = ~v.I
′ ~v[c] 6= ⊥
∆,map.prg:piM ,map.mem:m, in:I ⇒ ∆,map.prg:skip,map.mem:m[x 7→ ~v[c]], in:I ′
MAP
piM = map(e, c, PRED[ ]) S = {i ∈ {0, . . . , TOP} : PRED[i]}
LECS =
⋃
i∈S
{EX[i].in:I} ~v = ~⊥[c 7→ m(e)] LECS′ =
⋃
i∈S
{EX[i].in:I.~v}
∆,map.prg:piM , LECS⇒ ∆,map.prg:skip, LECS′
WAKM
piM = wake(PRED[ ]) S = {i ∈ {0, . . . , TOP} : PRED[i]}
LECS =
⋃
i∈S
{EX[i].int:signal, EX[i].stt:S}
LECS′ =
⋃
i∈S
{EX[i].int:⊥, EX[i].stt:E}
∆,map.prg:piM , LECS⇒ ∆,map.prg:skip, LECS′
CLON
piM = clone(PRED[ ], PRIVTM , PRIVTR)
S = {i ∈ {0, . . . , TOP} : PRED[i]} LECS =
⋃
i
LECSi
LECS′ = LECS ∪
⋃
i∈S
fork(LECSi, TOP + assignIndex(i))
TOP ′ = TOP + |S|
(T ′M , T
′
R) = assign(TM , TR, TOP, TOP
′, PRIVTM , PRIVTR)
∆, tm:TM , tr:TR, top:TOP,map.prg:piM , LECS
⇒ ∆, tm:T ′M , tr:T ′R, top:TOP ′,map.prg:skip, LECS′
MACT
map.prg:skip S = {i ∈ {0, . . . , TOP} : WAITI[i]}
S 6= ∅ i = pick(S) EX[i].prg = input x from c;pi
∆, EX[i].int:c,map.prg:skip,map.mem:m
⇒ ∆, EX[i].int:⊥,map.prg:piM (i, c),map.mem:m0
Fig. 6: Semantics of instructions of MAP
modifies tables TM and TR by adding new columns for the newly cloned pro-
cesses and the corresponding values for the privileges from PRIVTM and PRIVTR
for the input and output channels for these processes.
The initial configuration of MAP is {map.prg:skip,map.mem:m0}. The exe-
cution of MAP is terminated if skip is the only instruction in the MAP program.
We define the predicate WAITI[ ] that indicates whether a local execution
is waiting for an input item or not. The function pick(S) returns an element
from the non-empty set S. The selection of an element in a non-empty set S
can be non-deterministic or in the round-robin way.
WAITI[ ] , λx.EX[x].stt = S ∧ ∃c ∈ Cin : EX[x].int = c ∧
∧ EX[x].prg = input y from c;pi
The MAP component activation is presented in Fig. 6 (the rule MACT ).
10
piR ::= . . . instructions :
|retrieve x from (i, c) retrieve
|clean(c, PRED[ ]) clean
Fig. 7: REDUCE instructions
MAP can be activated when there is only the skip instruction in the MAP
program, and there is an interrupt signal c from the local execution pi[i], the
state of this local execution is sleeping (S), the instruction to be executed is an
input instruction. The activation of MAP on a signal on channel c from pi[i] will
remove the signal from configuration of pi[i].
4.3 REDUCE
The REDUCE component controls the output actually generated by the en-
forcement mechanism. A REDUCE program piR can ask an item from a local
execution, send an item to the external output, clean local output queues of
local executions and wake local executions up.
Definition 4.5. A configuration of the REDUCE component is a set {red.prg:
piR, red.mem:m}, where piR is the instruction to be executed, and m is the mem-
ory.
Except for the input instruction that is replaced by the retrieve instruction,
in addition to the instructions in Fig. 3 and the wake instruction, the program
of the REDUCE component may contain the instructions described in Fig. 7.
The execution of the retrieve instruction reads the value from the output queue
of pi[i] and stores it into x. The execution of the clean instruction is applied to
all local execution pi[i] such that PRED[i] is true. This instruction removes the
first vector ~v of the output queue O of pi[i], where the value of ~v[c] is different
from ⊥.
The semantics of the retrieve, output, wake, and clean instructions is de-
scribed in Fig. 8, where the function remove(O, c) removes the first vector ~v in
O where ~v[c] 6= ⊥.
The initial configuration of REDUCE is {red.prg:skip, red.mem:m0}. Similar
to the execution of MAP, the execution of REDUCE is terminated if skip is the
only instruction in the REDUCE program.
We define the predicate WAITO[ ] indicating whether a local execution is
sleeping on an output instruction.
WAITO[ ] , λx.EX[x].stt = S ∧ ∃c ∈ Cout : EX[x].int = c ∧
∧ EX[x].prg = output e to c;pi
In Fig. 8 we present the REDUCE activation rule (RACT ). Similarly to MAP,
REDUCE can be activated when there is only the skip instruction in the REDUCE
program, and there is an interrupt signal c from the local execution pi[i], the
state of this local execution is sleeping (S), the instruction to be executed is an
11
RETR
piR = retrieve x from (i, c)
EX[i].out = O dequeue(O, c) = (val, O′) val 6= ⊥
∆, red.prg:piR, red.mem:m⇒ ∆, red.prg:skip, red.mem:m[x 7→ val]
OUTR
piR = output e to c red.mem = m ~v = ~⊥[c 7→ m(e)]
∆, red.prg:piR, out:O ⇒ ∆, red.prg:skip, out:O.~v
WAKR
piR = wake(PRED[ ]) S = {i ∈ {0, . . . , TOP} : PRED[i]}
LECS =
⋃
i∈S
{EX[i].int:signal, EX[i].stt:S}
LECS′ =
⋃
i∈S
{EX[i].int:⊥, EX[i].stt:E}
∆, red.prg:piR, LECS⇒ ∆, red.prg:skip, LECS′
CLN
piR = clean(c, PRED[ ]) S = {i ∈ {0, . . . , TOP} : PRED[i]}
LECS =
⋃
i∈S
{EX[i].out:O} LECS′ =
⋃
i∈S
{EX[i].out:remove(O, c)}
∆, red.prg:piR, LECS⇒ ∆, red.prg:skip, LECS′
RACT
red.prg:skip S = {i ∈ {0, . . . , TOP} : WAITO[i]} S 6= ∅
i = pick(S) EX[i].prg = output e to c;pi
∆, EX[i].int:c, red.prg:skip, red.mem:m
⇒ ∆, EX[i].int:⊥, red.prg:piR(i, c), red.mem:m0
Fig. 8: Semantics of instructions of REDUCE
output instruction. The activation of REDUCE on a signal on channel c from
pi[i] will remove the signal from configuration of pi[i].
5 Configurations for the Selected Properties
In [15], Mantel proposes a uniform framework to define possibilistic informa-
tion flow properties and he proves that existing possibilistic information flow
properties can be expressed as a predefined basic security predicate (BSP) or
conjunction of these BSPs. A BSP is generally defined in the framework of
Mantel based on removal of some high inputs and events.
In the next sections, we will demonstrate configurations of our framework
for enforcement of two BSPs, RI and DI, and the SME-style NI. It might not be
obvious whether these properties are actually different in our model. We resolve
possible doubts of the attentive reader in Sec. 9.
Definition 5.1. Let COND[ ] , λ~v.Cond() be a predicate and COND[~v] be
the result of the evaluation of COND[ ] on ~v. We define the restriction operator
12
1 input h1 from cH1
2 input l1 from cL1
3 if !h1 then
4 l1 := !l1
5 input l2 from cL2
6 h2 := 0
7 if l1 then
8 input h2 from cH2
9 output l2 + h2 to cH3
10 output l2 + h2 to cL3
Fig. 9: Running Example Program
on the queue Q with COND[ ] as follows:
Q|COND[ ] ,

, if Q = ;
~v.Q′|COND[ ], if Q = ~v.Q′ and COND[~v] = T;
Q′|COND[ ], if Q = ~v.Q′ and COND[~v] = F.
We will use the notation Q|l, the restriction on security level l, if Cond(l) ,
λ~v.∃c : ~v[c] 6= ⊥ ∧ LV L[c] = l; and the notation Q|c, the restriction on channel
c, if Cond(c) , λ~v.~v[c] 6= ⊥.
In the sequel, we will use the program described in Fig. 9 to illustrate how
the enforcement mechanism works for different information flow properties. The
program has two high input channels cH1, cH2, and one high output channel
cH3. With the execution of instructions at lines 3, 4, 7, and 8, the secret values
from cH1 (line 1) and cH2 (line 8) can influence the value sent to the low output
channel cL3 (line 10). In addition, the sequences of high input items are effected
by the low input (line 7 and 8); for example, if the value of l1 is T, an input
item from cH2 will be consumed.
We consider the execution of the program with the input sequence (cH1 = T)
(cL1 = F) (cL2 = m) (cH2 = M).
5.1 Removal of Inputs
The property of removal of inputs [15] requires that if a possible trace is per-
turbed by removing all high input items, then the result can be corrected into
a possible trace.
∀t ∈ Tr.∃t′ ∈ Tr.t|L = t′|L ∧ t′|HI = 
In our notation, if all high input items in an input queue are replaced by
default items or removed, the input queue can be modified to an input such
that that the program will be terminated when executing on this input and the
output generated will be equivalent at the low level with the original output.
Definition 5.2. A program pi satisfies the property of removal of inputs iff
∀I,∀ values of valdef : (pi, I) ⇓ O =⇒ ∃I ′ : I ′|L = I|L ∧ I ′|H = (~df)∗∧
∧ ∀c ∈ Cin, ‖ I ′|c ‖≤‖ I|c ‖ ∧(pi, I ′) ⇓ O′ ∧O′|L = O|L,
13
1: if a ∈ TM [i][c] then
2: input x from c
3: map(x, c, canTell(c))
4: map(valdef , c,¬canTell(c))
5: wake(isReady(c))
6: else
7: skip
(a) MAP for RI for an input from c from pi[i]
1: x := valdef
2: if a ∈ TR[i][c] then
3: retrieve x from (i, c)
4: if t ∈ TR[i][c] then
5: output x to c
6: clean(c, identical(i))
7: wake(identical(i))
(b) REDUCE for RI for an output to c from pi[i]
pi[0] pi[1]
LV L[c] = H at a
LV L[c] = L t at
(c) TM
pi[0] pi[1]
LV L[c] = H at −
LV L[c] = L − at
(d) TR
RI prevents attackers from inferring what high input items have been read, since the
removal and the replacement of high input items with fake ones have no effect on what
is visible to attackers. Only the low execution in the enforcement mechanism can output
to low channels. MAP can perform input actions for all requests from the low execution.
The low execution can only receive default values for high input items.
Fig. 10: Configuration for the enforcement mechanism of RI
where the vector ~df contains the default value, and ‖ Q ‖ returns the length of
Q.
The enforcement mechanism of the RI property on the program pi only needs
two parallel programs: the high (pi[0]) and the low (pi[1]). We specify the full
configuration of the local executions in Fig. 10. The high execution can receive
(real) input values from L and H channels, while the low execution can receive
only (real) input values from L channels. The high execution can write output
values only to H channels, the low execution can write values only to L channels.
If the interrupt signal is from pi[1], or the interrupt signal is from pi[0] and the
level of channel c is H, then the input action will be performed. Otherwise, the
local execution keeps sleeping.
The program of MAP is described in Fig. 10a. The function canTell(c)
indicates whether the local execution pi[x] can receive real values from MAP:
canTell(c) , λx.t ∈ TM [x][c] (1)
If a local execution that is sleeping and waiting for an input item from a
channel has received the input item required, this local execution is ready to be
waken up:
isReady(c) , λx.EX[x].stt = S ∧ EX[x].prg = input y from c;pi ∧
∧EX[x].in = I ∧ dequeue(I, c) = (val, I ′) ∧ val 6= ⊥ (2)
When there is an interrupt signal on channel c from pi[i] on an output in-
struction, the program REDUCE provided in Fig. 10b is activated. If the local
execution pi[i] can send items to channel c (TR[i][c] = 1), the output action
is performed. Otherwise, there is no output action. After that, the output
14
pi[0] pi[1]
cH1 at a
cH2 at a
cL1 t at
cL2 t at
(a) TM
pi[0] pi[1]
cH3 at −
cL3 − at
(b) TR
Fig. 11: Example tables TM and TR for RI
queue of pi[i] is cleaned and only pi[i] is waken. Since the execution of the wake
instruction wakes only pi[i] up, the function identical() is defined as
identical(i) , λx.x = i (3)
Example. We consider the tables TM and TR of the enforcement mechanism
of RI for the program described in Fig. 9. In Figure 11a we show the TM
instantiation for the given set of channels. Following Fig. 10c, on the channels
cH1 and cH2 we assign the “at” permissions for the high execution pi[0], but only
the “a” permission to the low execution pi[1]. We also assign the permission “t”
on the low channels cL1 and cL2 for the high execution pi[0], while we set “at”
for the low execution pi[1]. The table TR in Fig. 11b is configured similarly,
following Fig. 10d.
Examples of executions of the high execution pi[0] and the low execution pi[1]
are shown in Fig. 12. Here, we assume that the high execution runs faster. At
line 1, pi[0] sends a request to MAP and moves to the state S. MAP is activated
and the code from line 1 to line 5 in Fig. 10a is executed, since the permission
“a” is in TM [0][cH1]. Line 2 reads the value T from the global queue; line 3
sends T to the local input queue of pi[0], since canTell(c) returns T with pi[0];
line 4 sends the default value F to the local input queue of pi[1]; line 5 wakes
pi[0] up, since isReady(cH1) returns T with pi[0]. The high execution pi[0] is
waken up and it continues to execute at line 1. At this time, since there is a
value from cH1 in the local input queue, the execution of the input instruction
follows the rule LINP1. Next, line 2 in Fig. 12a is executed. The high execution
moves to the state S and waits for an input item from cL1.
The low execution starts executing. The execution of line 1 follows the rule
LINP1 since there is an item (with default value) from cH1 in the local input
queue. The execution of line 2 moves the low execution to the state S. MAP
is activated, and it consumes F from cL1 (line 2), sends F to both local input
queues (line 3), and wakes the low execution pi[1] up (line 5). The execution of
line 4 does nothing since there is no local execution that can make ¬canTell(cL1)
be true. After that, the low execution keeps executing.
Because values of h1 and l1 are respectively T and F, the high execution
executes instructions at lines 3, 5, 6, 7, 9, and 10. At line 9 the high execution
moves to the state S and then REDUCE is activated. The program described
in Fig. 10b is executed. Since the permission “at” is in TR[0][cH3], REDUCE
retrieves the value generated by the high execution (line 3), sends the value to
the global output queue (line 5), cleans the output queue of pi[1] (line 6), and
wakes the high execution pi[0] up (line 7).
15
1 input h1 from cH1 //Get T from cH1.
2 input l1 from cL1 //Use F read by the public execution.
3 if !h1 then
4 l1 := !l1 //This instruction is skipped since the value of h1 is T.
5 input l2 from cL2 //Use m read by the public execution.
6 h2 := 0
7 if l1 then
8 input h2 from cH2 //This instruction is skipped since l1 is F.
9 output l2 + h2 to cH3 //Send m to cH3.
10 output l2 + h2 to cL3 //The output is ignored.
(a) The high execution pi[0]
1 input h1 from cH1 //The default value (F) is used.
2 input l1 from cL1 //Get F from cL1
3 if !h1 then
4 l1 := !l1 //Value of l1 is T
5 input l2 from cL2 //Get an input from cL2
6 h2 := 0
7 if l1 then
8 input h2 from cH2 //A default value (∗) is used.
9 output l2 + h2 to cH3 //The output is ignored.
10 output l2 + h2 to cL3 //Send ∗+m to cL3.
(b) The low execution pi[1]
Fig. 12: Executions of local copies for RI
Since the value of both h1 and l1 is F, the instructions at lines 3, 4, 5, 6, 7,
8, 9, and 10 of the low execution pi[1] are executed. At line 8 the low execution
moves to the state S and MAP is activated. Because the permission “a” is in
TM [1][cH2], MAP reads M from the global input queue, sends M and a default
value (∗) to the local input queues of the high and the low execution respectively,
and wakes the low execution up. When executing the output instruction at line 9
the low execution moves to the state S, and REDUCE is activated. Since neither
of the permissions “a” and “t” is in TR[1][cH3], REDUCE does not retrieve any
item from the local output queue of the low execution and does not send any
value to the global queue. REDUCE cleans the output generated by pi[1] and
wakes pi[1] up. The execution of the output instruction at line 10 is similar to
the execution of the output instruction at line 9 of the high execution.
We describe the global input, output queues, and local input, output queues
in Fig. 13. The global input queue is consumed completely by the execution of
the enforcement mechanism. The values sent to cH3 and cL3 are respectively m
and ∗+m. Each column in the table corresponds to an input/output operation.
Input and output tables should be read from left to right; columns describe the
input/output to each channel at time t = 0, t = 1, etc.
5.2 Non-Interference
The enforcement mechanism configured in this section mimics the SME-style
enforcement of non-interference [6] from Devriese and Piessens, and therefore
16
The input to MAP:XXXXXXXXXXChannel
Time
0 1 2 3
cH1 T ⊥ ⊥ ⊥
cH2 ⊥ ⊥ ⊥ M
cL1 ⊥ F ⊥ ⊥
cL2 ⊥ ⊥ m ⊥
=⇒ MAP
Local Executions:
The high execution pi[0]:
The local input: The local output:
cH1 T ⊥ ⊥ ⊥
cH2 ⊥ ⊥ ⊥ M
cL1 ⊥ F ⊥ ⊥
cL2 ⊥ ⊥ m ⊥
cH3 ⊥ ⊥ ⊥ ⊥ m ⊥
cL3 ⊥ ⊥ ⊥ ⊥ ⊥ m
The low execution pi[1]:
The local input: The local output:
cH1 F ⊥ ⊥ ⊥
cH2 ⊥ ⊥ ⊥ ∗
cL1 ⊥ F ⊥ ⊥
cL2 ⊥ ⊥ m ⊥
cH3 ⊥ ⊥ ⊥ ⊥ ∗+m ⊥
cL3 ⊥ ⊥ ⊥ ⊥ ⊥ ∗+m
REDUCE =⇒
The output by REDUCE:XXXXXXXXXXChannel
Time
0 1 2 3 4 5
cH3 ⊥ ⊥ ⊥ ⊥ m ⊥
cL3 ⊥ ⊥ ⊥ ⊥ ⊥ ∗+m
Fig. 13: Example of input and output queues for RI
inherits also the limitations of SME formal guarantees.
Informally, a program satisfies the termination-insensitive non-interference
(TINI) property if given two arbitrary inputs that are equivalent at the low
level and the executions of the program on these two inputs are terminated,
then the outputs generated are indistinguishable to the users at the low level.
In other words, the high input items in these two inputs have no effect on what
observable is to users at the low level. Termination-sensitive non-interference
(TSNI) additionally requires that the secret input items do not influence the
termination of the program [3].
Definition 5.3. A program pi satisfies the property of termination-insensitive
non-interference iff
∀I, I ′ : I ′|L = I|L =⇒ O′|L = O|L,
where (pi, I) ⇓ O and (pi, I ′) ⇓ O′.
Definition 5.4. A program pi satisfies the property of termination-sensitive
non-interference iff
∀I, I ′ : I ′|L = I|L ∧ (pi, I) ⇓ O =⇒ (pi, I ′) ⇓ O′ ∧O′|L = O|L
17
1: if a ∈ TM [i][c] then
2: input x from c
3: map(x, c, canTell(c))
4: map(valdef , c,¬canTell(c))
5: wake(isReady(c))
6: else
7: if t 6∈ TM [i][c] then
8: map(valdef , c, identical(i))
9: wake(identical(i))
10: else
11: skip
(a) MAP for SME for input from c requested
from pi[i]
1: x := valdef
2: if a ∈ TR[i][c] then
3: retrieve x from (i, c)
4: if t ∈ TR[i][c] then
5: output x to c
6: clean(c, identical(i))
7: wake(identical(i))
(b) REDUCE for SME for an output to c from
pi[i]
pi[0] pi[1]
LV L[c] = H at −
LV L[c] = L t at
(c) TM
pi[0] pi[1]
LV L[c] = H at −
LV L[c] = L − at
(d) TR
NI prevents attackers from inferring high input items, since all executions on inputs that
are low-equivalent will generate low-equivalent outputs. The low execution pi[1] cannot
ask values from high input channels or be told real value from these channels. MAP will
not perform any input actions on requests for high inputs items from the low execution.
TR and the program of REDUCE are the same as in the enforcement mechanism of RI.
Fig. 14: Configuration for the enforcement mechanism of NI
To implement the SME approach [6], we use the following configuration.
The high execution pi[0] can only read high input items, but it can consume
both high and low ones. For low input items this local execution needs to wait
for the values read by the low execution pi[1]. The low execution pi[1] can read
and consume only low items. If the low execution requires a high input item,
the default value will be used.
The configuration tables TM and TR and the program for MAP, and REDUCE
to enforce the SME-style NI are presented in Fig. 14. Compared to the program
for MAP in the enforcement mechanism of RI, the program for MAP is different,
as shown in Fig. 14a. The functions canTell(c), isReady(c) and identical(i) are
defined in respectively Eq. 1, 2 and 3 in §. 5.1.
Example. The contents of the tables TM and TR for the enforcement mech-
anism of NI for the running example program in Fig. 9 follow the patterns
described in Fig. 14c and Fig. 14d respectively.
The executions of the high execution and the low execution are described in
Fig. 15. The execution of the high program is similar to the execution of the
high program in RI. The execution of the low execution is almost the same as the
execution of the low execution in RI, except for handling the input instruction
at line 8.
When the input instruction at line 8 is executed, the low execution moves
to the state S and sends a signal to MAP. When MAP is activated on this
18
1 input h1 from cH1 //Get T from cH1.
2 input l1 from cL1 //Use F read by the low execution.
3 if !h1 then
4 l1 := !l1 //This instruction is skipped since the value of h1 is T.
5 input l2 from cL2 //Use m read by the low execution.
6 h2 := 0
7 if l1 then
8 input h2 from cH2 //This instruction is skipped since l1 is F.
9 output l2 + h2 to cH3 //Send m to cH3.
10 output l2 + h2 to cL3 //The output is ignored.
(a) The high execution pi[0]
1 input h1 from cH1 //A default value is used.
2 input l1 from cL1 //Get F from cL1
3 if !h1 then
4 l1 := !l1
5 input l2 from cL2 //Get an input from cL2
6 h2 := 0
7 if l1 then
8 input h2 from cH2 //A default value is used.
9 output l2 + h2 to cH3 //The output is ignored.
10 output l2 + h2 to cL3 //Send ∗+m to cL3.
(b) The low execution pi[1]
When the low execution pi[1] asks MAP an item from cH2, MAP does not perform any
input operation and sends a default value to the local input queue of the low execution
Fig. 15: Executions of local copies for NI
signal, the instructions at lines 1, 7, 8, 9 in the program described in Fig. 14a
are executed. MAP sends a default value to the local input queue of the low
execution (line 8), and wakes this local execution up (line 9).
We describe the global input, output queues, and local input, output queues
in Fig. 16. Compared to the execution of the enforcement mechanism of RI,
the execution of the enforcement of NI consumes only three input items. The
fourth input item is kept in the figure for the illustrative purposes and in order
to make a comparison with the enforcement of RI. The local input queue of the
high execution contains only three input items; these are two low input items
requested by the low execution and one high input item requested by the high
execution. The local input queue of the low execution pi[1] contains four input
items, where the last one is the default item generated and sent by MAP.
5.3 Deletion of Inputs
The property of deletion of inputs (DI) [15] requires that if we perturb a possible
trace t (where t = β.e.α and there is no high input event in α) by deleting the
high input event e, then the result can be corrected into a possible trace t′
(t′ = β′.α′). The parts β and β′ are equivalent on the low input events and
the high input events. In other words, the low input events and the high input
events in β and β′ must be the same. The parts α and α′ are also equivalent on
19
The input to MAP:
(The last input item is not consumed.)
XXXXXXXXXXChannel
Time
0 1 2 3
cH1 T ⊥ ⊥ ⊥
cH2 ⊥ ⊥ ⊥ M
cL1 ⊥ F ⊥ ⊥
cL2 ⊥ ⊥ m ⊥
=⇒ MAP
Local Executions:
The high execution pi[0]:
The local input: The local output:
cH1 T ⊥ ⊥
cH2 ⊥ ⊥ ⊥
cL1 ⊥ F ⊥
cL2 ⊥ ⊥ m
cH3 ⊥ ⊥ ⊥ ⊥ m ⊥
cL3 ⊥ ⊥ ⊥ ⊥ ⊥ m
The low execution pi[1]:
The local input: The local output:
cH1 F ⊥ ⊥ ⊥
cH2 ⊥ ⊥ ⊥ ∗
cL1 ⊥ F ⊥ ⊥
cL2 ⊥ ⊥ m ⊥
cH3 ⊥ ⊥ ⊥ ⊥ ∗+m ⊥
cL3 ⊥ ⊥ ⊥ ⊥ ⊥ ∗+m
REDUCE =⇒
The output by REDUCE:XXXXXXXXXXChannel
Time
0 1 2 3 4 5
cH3 ⊥ ⊥ ⊥ ⊥ m ⊥
cL3 ⊥ ⊥ ⊥ ⊥ ⊥ ∗+m
Fig. 16: Example of input and output queues for NI
the low events and the high input events. Since there is no high input events in
α, there is also no high input events in α′.
∀t ∈ Tr, ∀α, β ∈ E∗,∀e ∈ E.(e ∈ HI ∧ t = β.e.α ∧ α|HI = ) =⇒
(∃t′ ∈ Tr.t|L = t′|L ∧ t′ = β′.α′ ∧ α′|L∪HI = α|L∪HI ∧ β′|L∪HI = β|L∪HI)
In our notation, if we have an input queue I = I1.~v.I2, where ~v contains a
value from a high channel and in I2 there are either no high input items or only
high input items with default values, then this input queue can be changed by
replacing ~v by the default vector. The obtained input queue can be sanitized
by removing existing default high input items in I2 or adding other default high
input items to I2. The sanitized queue can be consumed completely by a clone
of the original program and the output should still be equivalent at the low level
to the original output generated with the input I.
20
1: if LV L[c] == H and i == 0 then
2: clone(identical(i), PRIVTM , PRIVTR)
3: if a ∈ TM [i][c] then
4: if t ∈ TM [i][c] then
5: input x from c
6: map(x, c, canTell(c))
7: map(valdef , c,¬canTell(c))
8: wake(isReady(c))
9: else
10: map(valdef , c, identical(i))
11: wake(identical(i))
12: else
13: skip
(a) MAP for DI for an input from c from pi[i]
1: x := valdef
2: if a ∈ TR[i][c] then
3: retrieve x from (i, c)
4: if t ∈ TR[i][c] then
5: output x to c
6: clean(c, identical(i))
7: wake(identical(i))
(b) REDUCE for DI for an output
to c from pi[i]
pi[0] pi[1] pi[i] > 1
LV L[c] = H at a a
LV L[c] = L t at t
(c) TM
pi[0] pi[1] pi[i] > 1
LV L[c] = H at − −
LV L[c] = L − at −
(d) TR
DI prevents attackers from deducing the value of the last high input item since the
mechanism makes sure that if the last high input item is replaced with a fake item, the
observation of the attackers is still the same. Whenever the high execution requests a
high input item, the high execution will be cloned and the clone can only receive default
values for high input items. When receiving a request from the low execution for a high
input item, MAP will return the default value. The program of REDUCE is the same as
in the enforcement mechanism of RI.
Fig. 17: Configuration for the enforcement mechanism of DI
Definition 5.5. A program pi satisfies the property of deletion of inputs DI iff
∀I, ∀ values of valdef : I = I1.~v.I2 ∧LV L[c] = H ∧ I2|H = (~df)∗ ∧ (pi, I) ⇓ O
=⇒ ∃I ′ : I ′ = I ′1.I ′2 ∧ I ′|L = I|L ∧ I ′2|H = (~df)∗ ∧ (pi, I ′) ⇓ O′ ∧O′|L = O|L,
where ~v[c] 6= ⊥ and the vector ~df contains a default value.
DI is enforced with the idea that whenever the high execution requests a
high input item, this execution will be cloned and the clone will not receive real
values from high channels. Components configured to implement the enforce-
ment mechanism of DI are presented in Fig. 17. The program of REDUCE is
identical to the program used in the enforcement mechanism of RI.
The enforcement mechanism of DI requires more than two local executions.
Only the high execution pi[0] can ask for and get the high input items, other
local executions will only use default values. Each time the high execution is
cloned the new execution is inserted into the stack of local executions. The con-
figuration of the clones for input (respectively, output) is presented in Fig. 17c
(respectively, 17d) in the column pi[i] > 1; this is the privilege configuration
template PRIVTM (PRIVTR , respectively). In addition, only the low execution
21
pi[0] pi[1] pi[2]
cH1 at a a
cH2 at a a
cL1 t at t
cL2 t at t
(a) TM
pi[0] pi[1] pi[2]
cH3 at − −
cL3 − at −
(b) TR
Fig. 18: Example tables TM and TR for DI
pi[1] can ask for low input items and generate low output items; other local
executions will reuse the low input items retrieved by the low execution.
Example. Fig. 18 depicts TM and TR of the DI enforcement mechanism for the
program described in Fig. 9 that are instances of the tables described in Fig. 14c
and Fig. 14d respectively. When the enforcement mechanism starts executing,
there are only two columns (pi[0] and pi[1]) in each table. The third column is
appended when the corresponding local execution is created. Following Fig. 17c,
the new execution has the “a” permission on high input channels (cH1 and cH2)
and the “t” permission on low input channels (cL1 and cL2). The permissions
of the new local execution on output channels are configured in a similar way
from the column pi[i] > 1 in Fig. 17d.
The executions of local executions are described in Fig. 19. When line 1 of the
high program is executed, the high execution moves to the state S; the program
of MAP in Fig. 17a is activated (the contents of PRIVTM and PRIVTR used
at line 2 are from the columns pi[1] > 1 in Fig. 17c and Fig. 17d respectively).
Line 2 creates a new clone of pi[0], which is referred to as pi[2]. After that, MAP
consumes T from the global input queue (line 5), sends T to the local input
queue of the high execution pi[0] (line 6), broadcasts F to the local input queues
of pi[1] and pi[2] (line 7), and wakes pi[0] and pi[2] up (line 8).
When line 2 of pi[0] is executed, the high execution moves to the state S and
waits for the corresponding input item to be requested by the low execution.
After the low execution executes the input instruction at line 2 and F is received
from cL1, the high execution is waken up. Next, the instructions at lines 3, 5,
7, 9, and 10 are executed.
The execution of the low execution pi[1] is the same as the execution of
the low program in NI. The execution of pi[2] follows the same pattern as the
execution of pi[1], with the only difference that also the result of the output
instruction at line 10 is ignored by REDUCE.
The input consumed and the output generated by the enforcement mecha-
nism, the local input and output queues of the high execution pi[0] and the low
execution pi[1] are the same as the ones in the enforcement mechanism of NI in
Fig. 16. The local input and output queues of the other local execution pi[2] are
the same as respectively the input and output queues of the low execution.
22
1 input h1 from cH1 //Get T from cH1.
2 input l1 from cL1 //Use F read by the low execution.
3 if !h1 then
4 l1 := !l1 //This instruction is skipped since the value of h1 is T.
5 input l2 from cL2 //Use m read by the low execution.
6 h2 := 0
7 if l1 then
8 input h2 from cH2 //This instruction is skipped since l1 is F.
9 output l2 + h2 to cH3 //Send m to cH3.
10 output l2 + h2 to cL3 //The output is ignored.
(a) The high execution pi[0]
1 input h1 from cH1 //A default value is used.
2 input l1 from cL1 //Get F from cL1
3 if !h1 then
4 l1 := !l1
5 input l2 from cL2 //Get an input from cL2
6 h2 := 0
7 if l1 then
8 input h2 from cH2 //A default value is used.
9 output l2 + h2 to cH3 //The output is ignored.
10 output l2 + h2 to cL3 //Send ∗+m to cL3.
(b) The low execution pi[1]
1 input h1 from cH1 //The default value (F) is used.
2 input l1 from cL1 //Use F read by the public execution.
3 if !h1 then
4 l1 := !l1
5 input l2 from cL2 //Use m read by the public execution.
6 h2 := 0
7 if l1 then
8 input h2 from cH2 //A default value is used.
9 output l2 + h2 to cH3 //The output is ignored.
10 output l2 + h2 to cL3 //The output is ignored.
(c) The other execution pi[2]
The execution pi[2] is created when the high execution requests the first high input item.
When the low execution pi[1] (or the other execution pi[2]) asks MAP for an item from
cH2, MAP does not perform any input operation, but it sends a default value to the local
input queue of the low execution (respectively, the other local execution).
Fig. 19: Executions of local copies for DI
6 Soundness
In this section we formalize the soundness property of an enforcement mecha-
nism, and postulate the theorem on the security guarantees that the enforce-
ment mechanisms configured earlier ensure with respect to the corresponding
properties.
Definition 6.1. An enforcement mechanism is sound with respect to a property
23
Prop 6.1
Input of EM(π)
Prop 6.2
Output of 
EM(π)
NI
Prop 6.3
Semantics 
Equivalence
RI DI
Prop 6.4
DI
similar
Fig. 20: Proof Strategy for Soundness
P if for all programs pi the enforcement mechanism executed on pi satisfies P .
Theorem 6.1 (Soundness of Enforcement). Each enforcement mechanism in
Tab. 1 is sound with respect to the corresponding property, except for TSNI.
In order to prove soundness, we state two basic properties specifying the
behaviour of MAP on receiving requests for low input items and the behaviour
of REDUCE when receiving an output request from a local execution. For the
actual proof of the theorem, we perform a case-based reasoning showing that at
the end, the output is what we expect. In this respect an important assumption
is that the program to be enforced is deterministic. For RI, we need an addi-
tional preliminary property showing the relationship between the execution of
a controlled program and the corresponding local execution. For DI, we need
another preliminary property about the input items that can be consumed by
pi[i] where i > 1. Figure 20 sketches the proof strategy for soundness.
We first prove the soundness theorem for NI. To this extend, we first need
two simple propositions on the I/O behaviour of the enforcement components.
Proposition 6.1 (Input items consumed by enforcement mechanisms and input
items sent to local input queues of local executions). Consider the enforcement
mechanisms of information flow properties, it follows that:
• MAP will only ask low input items from the environment for low input
requests from the low execution. The low execution can only receive default
values for high input items. This local execution can receive real values for
low input items.
• For the enforcement mechanism of NI and DI, MAP will only ask high
input items from the environment for high input requests from the high
execution.
• For the enforcement mechanism of RI, MAP will ask high input items from
the environment for high input request from any local execution.
• The high execution can receive real values for low and high input items.
24
Proof. The proposition is obvious from the configurations of the corresponding
enforcement mechanisms, where all input items in local input queues are sent
by MAP; and only MAP can get input items from the environment.
The proposition is proven by using the induction technique on the number
of times of activation of MAP on input requests from local executions. Let k be
the number of times of activation of MAP on the input request.
Base case: k = 0. The proposition holds vacuously.
Induction hypothesis: Assume that the proposition holds for the case
that k < n. We now prove that the proposition holds for k = n. We consider
the n-th activation of MAP on a request from pi[i] on channel c. The following
holds:
• Each instruction of MAP, REDUCE, and local executions is executed atom-
ically,
• The execution of the MAP program does not interfere with the execution
of the REDUCE program and vice-versa,
• The execution of a local execution does not interfere with the execution
of the MAP (REDUCE) program,
Therefore, we have:
• Case 1: i = 0
– Case 1.1: LV L[c] = L: For RI, the instructions at lines 1 and 7 in
Fig. 10a are executed. For NI, the instructions at lines 1 and 11 in
Fig. 14a are executed. For DI, the instructions at lines 1, 3 and 13 in
Fig. 17a are executed. MAP does not perform any input action. This
activation does not influence the items received by the low execution.
– Case 1.2: LV L[c] = H: For RI, the instructions from line 1 to 5 in
Fig. 10a are executed. For NI, the instructions from line 1 to 5 in
Fig. 14a are executed. For DI, the instructions from line 1 to 8 in
Fig. 17a are executed. MAP performs an input action and sends a
default value to the local input queue of the low execution, and the
real value to the local input queue of the high execution.
• Case 2: i = 1.
– Case 2.1: LV L[c] = L: The instructions executed are the same as the
ones in Case 1.2, except for the clone instruction at line 2 in Fig. 17a
that is not executed. The real value is sent to the local input queues
of pi[1] and pi[0].
– Case 2.2: LV L[c] = H: We check the instructions of the correspond-
ing MAP programs. MAP does not perform an input action on low
channels in this case. For NI, (respectively DI), the default value is
sent to the local input queue of pi[1] by the execution of the instruc-
tion at line 8 in Fig. 14a (resp. line 10 in Fig. 17a). For RI, an input
operation is performed (line 2 in Fig. 10a). However, a default value
is sent to the local input queue of pi[1] (line 4), while the real value
is sent to the local input queue of pi[0] (line 3).
25
• Case 3: i > 1 (only for the enforcement mechanism of DI)
– Case 3.1: LV L[c] = L: MAP does not perform any input actions.
MAP does not send any input item to the local input queue (line 10
in Fig. 17a).
– Case 3.2: LV L[c] = H: MAP will send only a default input item to
the local input queue of pi[i] (line 10 in Fig. 17a).
The proposition holds for k = n. Therefore, the proposition holds for all
k ≥ 0.
Proposition 6.2 (Outputs of enforcement mechanisms). Concerning the output
of an enforcement mechanism for an information flow property, it follows that:
• For the enforcement mechanism of RI, NI, and DI, only the high execution
pi[0] sends output items to high output channels.
• For the enforcement mechanism of RI, NI, and DI, only the low execution
pi[1] can send output items to low output channels.
• For the enforcement mechanism of DI, the output items generated by the
local execution pi[i] with i > 1 are ignored.
Proof. The proposition is proven by using the induction technique on the num-
ber of times of activation of REDUCE on output requests from local executions.
The proof is similar to the proof of Prop. 6.1.
Now we proceed to the proof of soundness of the enforcement mechanism for
NI.
Proof of Theorem 6.1 for NI. Let us consider two executions: (EM(pi), I) ⇓
O and (EM(pi), I ′) ⇓ O′, where I|L = I ′|L.
The following holds:
1. The low input items consumed by the enforcement mechanism depends
only on the low execution (by Prop. 6.1).
2. The low executions in the runs of the enforcement mechanism on I and I ′
always consume default values for high input items (by Prop 6.1).
3. The low executions in these two runs consume the same low input items
and same high output items. (By 1, 2 and pi be deterministic).
4. These low executions generate the same outputs (By 3 and the fact that
pi is deterministic).
5. The output items sent to low output channels are always generated by the
low executions (by Prop 6.2).
6. O|L = O′|L (by 4 and 5)
This concludes the proof.
For the proof of the soundness of the enforcement mechanism for RI, we need
an property stating the relationship between the controlled program and a local
execution. We also need another simple property showing how MAP handles
the high input requests from local executions.
26
Proposition 6.3 (Controlled programs and local executions). Let I1 and I2 be
two input queues, such that for all input channels c, I1|c = I2|c. Then we have:
for all programs pi,
∀I1 : (pi, I1, )_k (pik, I1k , Ok) =⇒ ∀I2 : ∀c ∈ Cin : I1|c = I2|c : (pi, I2, )⇒k (pi, I2k , Ok)
and I1k |c = I2k |c for all c.
And we have:
∀I1 : (pi, I1, )⇒k (pik, I1k , Ok) =⇒ ∃I2 : ∀c ∈ Cin : I1|c = I2|c : (pi, I2, )_k (pi, I2k , Ok)
and I1k |c = I2k |c for all c.
Proof. The proposition is proven by using the induction technique on k and the
length of the input queue I1, along with the fact that controlled programs and
the local executions are deterministic.
Next, we prove the soundness of the enforcement mechanism for RI.
Proof of Theorem 6.1 for RI. Let I1rc be the input consumed by the low
execution in the run (EM(pi), I) ⇓ O, and k be the number of high input items
in I.
Base case: k = 0. The theorem holds for RI.(in this case I ′ = I).
Induction hypothesis: Assume that the theorem holds for k < n for RI.
We now prove that the theorem holds for k = n. The following holds:
1. I1rc|L = I|L (by Prop. 6.1).
2. I1rc|H = (~df)∗ (by Prop. 6.1).
3. There exists I∗ such that (pi, I∗) ⇓ O∗, and I∗|c = I1rc|c for all c (by
Prop. 6.3).
4. I∗|L = I1rc|L (by 3, Prop. 6.1, and the fact that pi is deterministic).
5. I∗|L = I|L (by 1 and 4).
If we used I∗ as an input for the enforcement mechanism and the high
execution is run only after the low execution is terminated:
6. The low execution will consume all input items in I∗ and is not stuck (by
Prop 6.1).
7. Both the high and the low executions will consume with the same input
(by 2, 3, and Prop 6.1).
8. Both the high and the low execution are terminated (by 6 and 7).
9. The output items are generated by the low execution (by Prop. 6.2).
From 4, 8, and 9, we have there exists I∗, such that (EM(pi), I∗) ⇓ O∗ and
O∗|L = O|L. Let I ′ , I∗, it follows that the theorem for the enforcement
mechanism of RI holds for the case k = n. Thus, the theorem holds for RI.
To prove the soundness of DI, we need a proposition showing the influence
of local execution pi[i] (with i > 1) on the input consumed by the enforcement
mechanism.
27
Proposition 6.4. For the enforcement mechanism of DI, a local execution pi[i]
with i > 1 has no effect on the input consumed by the enforcement mechanism.
Proof. The proof is obvious from the configuration of the enforcement mecha-
nism.
Proof of Theorem 6.1 for DI. The idea of the enforcement mechanism of DI
is that when the high execution requests a high input item, the high execution
will be duplicated and the newly duplicated execution will receive the default
values for high input items. If we replace the last high input item in the original
input I with a default item, then there exists another input queue satisfying the
definition of DI. Such an input queue is the input consumed by the pi[TOP ].
Let I be an input, such that (EM(pi), I) ⇓ O. The proof of soundness of
the enforcement mechanism of DI is based on the induction technique on the
number of high input item in I.
Base case: If there is no high input item in I, the theorem holds vacuously.
Induction Hypothesis: The theorem holds for all I, such that the number
of high input items is smaller than n. We now prove that the theorem also holds
for the case when the number of high input items is equal to n. Now I can be
written as I1.~v1. . . . .In.~vn.In+1
Based on the configuration of the enforcement mechanism, pi[TOP ] is created
when the high execution requests the last high input item. Let ITOPrc be the
input consumed by pi[TOP ], I1rc be the input consumed by pi[1]. We have:
1. ITOPrc = I1.~v1. . . . .In.
~df.I ′n+1, where I
′
n+1|H = (~df)∗.
2. I|L = I1rc|L
Let I∗ be an input queue, such that I∗ = I1. . . . .In.In+1.~v1. . . . .~vn−1. ~df.I∗n+1,
where I∗n+1 = I
′
n+1|H . Assume that the order of executing local executions is
first pi[1], then pi[0]. We have:
3. I∗|L = I|L.
4. The low execution will consume the part I1. . . . .In.In+1 for low input items
and default values for high input items (by Prop 6.1).
5. The high execution pi[0] will consume ~v1. . . . ~vn−1. ~df.I∗n+1 (by 1 and Prop. 6.3).
6. For every i, such that 1 < i ≤ TOP , the execution of the local execution
pi[i] is terminated and it does not effect the input consumed by the enforce-
ment mechanism (by the assumption that (EM(pi), I) ⇓ O and Prop. 6.4).
7. I∗ is consumed completely by the enforcement mechanism (by 4 and 5).
8. The high execution is terminated (by the assumption that (EM(pi), I) ⇓
O).
9. (EM(pi), I∗) ⇓ O∗ (by 6, 7, 8).
10. O∗|L = O|L (by Prop. 6.2)
From 3, 9, and 10, the theorem holds for the case of the number of high input
item in I is n. Therefore, the theorem holds for the enforcement mechanism of
DI.
28
Prop 6.2
Output of 
EM(π)
Prop 6.3
Semantics 
Equivalence
NI RI DI
Prop 7.1
Local Queues
Prop 7.2
Wake of π[i]
Prop 7.3
Global Queue and 
Local Queue
Lem.7.1
NI
Construct I’
Lem.7.2
RI
Construct I’
similar
similar
similar
Fig. 21: Proof Strategy for Precision
7 Precision
The notion of precision for enforcement of a property is taken from [6, 8]. The
intuition is that the enforcement mechanism does not change the visible behav-
ior of a program that is already secure with respect to the chosen property (and
in particular each I/O on specific channels). Devriese and Piessens separated
by construction the input queues of each channel. Since in our formulation the
channels are merged into a global stream, our definition of precision must make
explicit that the partial order of input items on a channel is preserved. This
observation applies also to the order of output items in output queues. In our
framework, the local executions are executed in parallel with no specific order.
Therefore, the total order of input items consumed by the enforcement mech-
anism can be different from the total order of input items in the input queue
consumed by the controlled program that already obeys the desired property.
However, the partial order of input items on a channel is preserved. This ob-
servation applies also to the order of output items in output queues.
Definition 7.1. An enforcement mechanism is precise with respect to a prop-
erty, if for any program pi that satisfies the property, and for every input I, where
(pi, I) ⇓ O, regardless of the order of executing local executions, the input I∗ and
O∗ of the enforcement mechanism will be such that I∗|c = I|c, O∗|c = O|c for
every channel c, and (EM(pi), I∗) ⇓ O∗.
Theorem 7.1 (Precision of Enforcement). Each enforcement mechanism in
Tab. 1 is precise with respect to the corresponding property, except for TINI.
Figure 21 shows the proof strategy for precision. The proof of precision
is more complex than the proof of soundness. At first, we need to prove a
number of simple properties on the correct handling of interrupt signals and the
29
equivalence between the semantics of controlled programs and the semantics of
local executions.
Proposition 7.1 (Local executions and local input queues). For a local execu-
tion, when the input instruction is executed, if the input item required is in its
local input queue, this item will be consumed. Otherwise, an interrupt signal is
generated.
Proof. Proof follows obviously from the semantics of local executions.
Proposition 7.2 (The wake of local executions). The following facts hold:
1. If a local execution is sleeping on an input instruction that required an
input item from the channel c, this local execution will be waken up when
the input item is ready and the instruction of piM executed is the wake
instruction. In addition, when a local execution is awaken, there is no
interrupt signal in its configuration.
2. A local execution is not awaken when the input item required is not ready
or when the input item required is ready, but the instruction executed of
piM is not the wake instruction.
Proof. Proof follows by induction on the length of the derivation sequence of
the enforcement mechanism.
Next we show that from pi[0]’s input, we can reconstruct the original global
input.
Proposition 7.3 (Global input and local inputs). Let k be the number steps
of derivation of the execution of the enforcement mechanism of RI, DI, or NI.
Assume that we have (EM(pi), I, ) ⇒k (EM(pi)k, Ik, Ok), and I0rck is the queue
of the input items that have been received by pi[0], then it follows that:
• I0rck .Ik = I
Proof. The lemma is proven by using the induction technique on the length
of the global input queue and the length of the derivation sequence of the en-
forcement mechanism, along with the fact that the execution of the controlled
program and the executions of local executions are deterministic.
At this point, we have all that is needed to present the key lemma for the
proof of precision for NI that shows that all inputs have been processed and
there is nothing left within the enforcement mechanism.
Lemma 7.1 (Inputs of a controlled program and inputs consumed by the cor-
responding enforcement mechanism). Let pi be a program satisfying TSNI and
(pi, I) ⇓ O. Regardless of the order of executing local executions, if the low
execution consumes the same low input items as in I, and the high execution
consumes high input and low input items as in I, then it follows that the exe-
cution of the enforcement mechanism is terminated, and the input consumed by
the enforcement mechanism is I∗, where I∗|c = I|c for all c.
30
Proof. The proof of this lemma is based on the proposition of equivalence
between semantics of controlled programs and semantics of local executions
(Prop. 6.3) and the proposition of the relationships between the global input
queue and local input queues (Prop. 7.3).
According to the semantics of the enforcement mechanism of NI, the high
execution does not influence the termination of the low execution, the input
consumed and the output generated by the low execution.
Therefore, regardless of the order of executing local executions, if the low
execution consumes the same low input items as in I, then the input consumed
by the low execution is I|L.(~df)∗.Ia, where Ia contains only low input items.
We next prove that Ia =  and the low execution is terminated.
• Assume that Ia 6= . This means there exists an input I ′, where I ′|L =
I|L.Ia and I ′|H = (~df)∗, and (pi, I ′) _ . . . . Since pi satisfies TSNI, this
case cannot happen.
• Assume that pi[1] is not terminated. However, this leads to the conclusion
that pi does not satisfy TSNI.
We now prove that the high execution is also terminated and does not request
any high input item that is not in I.
• Case 1: Assume that the high execution is stuck on a request for low input
items. If the high input execution needs a low input item, the enforcement
mechanism will behave accordingly to Prop. 7.1 and Prop. 7.2. The high
execution is stuck on low input items when it requests for an input item
that is never requested by the low execution. Since the low input items
consumed by the low execution is I|L, the stuck of the high execution
leads to the conclusion that pi is non-deterministic.
• Case 2: The high execution requests a high input items that is not in I.
Regarding this assumption, because of Prop. 6.3, there are two instances
of pi that consume some input items, but at some point run in different
paths of execution. In other words, pi is non-deterministic.
• Case 3: The high execution receives all input items it needs, but is in
an infinite loop. This case also leads to the conclusion that pi is non-
deterministic.
Therefore both local executions are terminated. Let I0rc be the input queue
received by pi[0]. Since pi[0] does not request any other input items that are not
in I, then I0rc|c = I|c. From Prop. 7.3, we have I∗ = I0rc. Thus I∗|c = I|c and
(EM(pi), I∗) ⇓ O∗.
We have now all that is needed for the main theorem.
Proof of Theorem 7.1 for NI. Let I be an input queue, such that (pi, I) ⇓ O.
We need to prove that regardless of the order of executing local execution,
the input I∗ and output Oj will be such that I∗|c = I|c, O∗|c = O|c, and
(EM(pi), I∗) ⇓ O∗.
The proof of precision of the enforcement mechanism of NI is based on
Lem. 7.1 and Prop. 6.2. We have:
31
• Regardless of the order of executing local execution, the input I∗ and out-
put O∗ will be such that I∗|c = I|c, and (EM(pi), I∗) ⇓ O∗ (by Lem. 7.1).
• O∗|c = O|c (by Prop. 6.2 and pi satisfying TSNI).
Therefore, the theorem holds for the enforcement mechanism of NI.
For the RI property, the structure of the proof is similar. We can directly
state the main lemma since we have already stated the key propositions.
Lemma 7.2. Let pi be a program satisfying RI and (pi, I) ⇓ O. Regardless of the
order of running local executions, if the low execution consumes the same low
input items as in I, and the high execution consumes high input and low input
items as in I, then it follows that the execution of the enforcement mechanism is
terminated, and the input consumed by the enforcement mechanism is I∗, where
I∗|c = I|c for all c.
Proof. The proof is similar to the proof of Lem. 7.1. According to the semantics
of the enforcement mechanism of RI, the high execution does not influence the
termination of the low execution and the output generated by the low execution.
The high execution also does not influence the input consumed by the low
execution, since MAP can ask all input items for the low execution, and the low
execution only consumes default high input items.
Therefore, regardless of the order of executing local executions, if the low
execution consumes the same low input items as in I, then the input consumed
by the low execution is I|L.(~df)∗.Ia, where Ia contains only low input items.
The proofs that Ia = , the low execution is terminated, the high execution
does not request any other low input items not in I are similar to the proofs in
Lem. 7.1.
We now prove that all the high input items in I0rc are consumed by pi[0].
Assume that there exists a high input item ~v in I0rc (~v[c] 6= ⊥) that is not
consumed. From Prop. 7.2 and Prop. 7.1, the existence of such a high input
item means that the low execution requested a high input item that was not
required by pi[0]. In other words, ‖ I1rc|c ‖6≤‖ I0rc|c ‖. However, since pi satisfies
RI, this case cannot happen.
Let I0rc be the input queue received by pi[0]. Since pi[0] does not request any
other input items that are not in I, then I0rc|c = I|c. From Prop. 7.3, we have
I∗ = I0rc. Thus I
∗|c = I|c and (EM(pi), I∗) ⇓ O∗.
Proof of Theorem 7.1 for RI. We next prove the precision of the enforce-
ment mechanism of RI. Let pi be a program satisfying RI, and I be an input
queue, such that (pi, I) ⇓ O. We have:
• Regardless of the order of executing local execution, the input I∗ and out-
put O∗ will be such that I∗|c = I|c, and (EM(pi), I∗) ⇓ O∗ (by Lem. 7.2).
• O∗|c = O|c (by Prop. 6.2 and pi satisfying RI).
Therefore, the theorem holds for the case of RI.
Proof of Theorem 7.1 for DI. The proof for DI follows the same structure.
32
1: if a ∈ TM [i][c] then
2: input x from c
3: map(x, c, canTell(c))
4: map(valdef , c,¬canTell(c))
5: wake(isReady(c))
6: else
7: skip
(a) MAP for SubDI for an input from c from pi[i]
pi[0] pi[1]
LV L[c] = H at −
LV L[c] = L t at
(b) TM
1 input h1 from cH1
2 if h1 then
3 input l2 from cL2
4 input h2 from cH2
5 else
6 input h2 from cH2
7 input l2 from cL2
(c) A program that satisfies RI,
but not SubDI
Fig. 22: The new property - SubDI
8 Further Properties
Our framework can capture other properties. Other BSPs from [15] can also
be enforced. Removal of events (RE) requires that if there is no high input,
there is no high output. To enforce RE, when receiving an output request for
a high channel from the high execution, REDUCE needs to check whether there
are any other high input items different from the default values and affecting
the output generated by the high execution. Enforcement of strict removal of
inputs (SRI) is similar to the enforcement of RI, but only the low execution can
generate output items for both high and low channels. Strict deletion of inputs,
deletion of events, and backward strict deletion can be enforced by using the
clone instruction and the REDUCE check mentioned above.
In [24] Sutherland defines the notion of non-deducibility (ND) under the
assumption that attackers have knowledge about the program, i.e. they know
all possible executions of the program. ND can be enforced in our framework
by running three local executions: the low, the high and the normal execution.
Configuration of the low execution is similar to the low execution in the en-
forcement mechanism for NI. The normal execution will be privileged to use
only input items read by other executions, and to output to high output chan-
nels. The high execution will read high input items and consume default low
input items. In this way the attackers cannot deduce which execution occurred
since there are other executions that can generate the same low behaviour. If
an attacker based on his observations tries to construct a set of all possible
executions that are low-equivalent, he cannot deduce which sequence of high
events did not occur since the set he constructed contains all possible sequences
of high events.
By modifying the privileges of local executions or modifying the MAP or
REDUCE programs, we can enforce new properties. A possible modification is
shown in Fig. 22b, where the configuration of TM is the same as the configuration
of TM for NI, and the MAP program is the same as the one for RI. The low
execution needs to wait for high input items requested by the high execution
even though the low execution can only consume default values. This option
33
pi[0] pi[1]
LV L[c] = H at at
LV L[c] = L − at
Fig. 23: A configuration of TR, in which the low execution can send output to
high channels
1 input x from cH1
2 input value from cL1
3 if x then
4 input y from cH2
5 else
6 input z from cH3
7 output value to cL2
(a) A program that satisfies NI, but
not RI
1 input h1 from cH1
2 if h1 then
3 input h2 from cH2
4 if h2 then
5 input l1 from cL1
6 else
7 input l1 from cL1
8 while true do skip
9 else
10 input h2 from cH2
11 input l1 from cL1
12 output l1 to cL2
(b) A program that satisfies RI, but
not DI
Fig. 24: Examples of programs satisfying a property, but not another
leads to a novel strict property, which we have called substitution-deletion of
inputs (SubDI). SubDI requires that when all high input items in an input I
are substituted by a default item or deleted, then the remaining input items
can be corrected to I ′, which preserves the low prefixes of high input items in I.
A program that satisfies RI, but not SubDI, is described in Fig. 22c; therefore
these properties are actually different.
The configuration of TR also leads to discovery of new properties. A possible
configuration of TR is described in Fig. 23 in which the low execution can send
output items to high channels.
9 Relationships among the properties enforced
We have defined enforcement mechanisms for several information flow prop-
erties, but it might be unclear whether these properties are actually different
(in our notation). Further we demonstrate that the properties that we have
investigated are not the same.
The relationship between RI and NI. The RI property is stricter than
the property of TINI, because the RI property requires that if a real value is
replaced by a default one, then the other real values are either also replaced
by the default ones, or will not appear in the input squeue at all. Actually,
if a program satisfies the RI property, then it also satisfies the NI property.
However, the opposite is not true.
A program, which satisfies NI, but not RI, is shown in Fig. 24a. In this
example the level of the channels cH1, cH2 and cH3 is high, while the level of
34
the channels cL1 and cL2 is low. This program satisfies the NI property, since
the output item on the channel cL5 is independent from the secret values from
confidential channels. However, this program does not satisfy the RI property.
The reason is that the execution of the program with the input (cH1 = T)(cL1 =
val)(cH2 = val) is terminated, but if we apply the procedure of perturbation
and correction on this input, the results are inputs with which the execution of
the program will be error.
The relationship of DI and RI A program satisfying RI, but not DI, is
shown in Fig. 24b. In this example, I = (cH1 = T)(cH2 = T)(cL1 = val) is an
input and the execution of the program on I generates the output O = (cL2 =
val). If we replace all high inputs with the default values, we obtain another
input (cH1 = F)(cH2 = F)(cL1 = val), such that the program in Fig. 24b will
produce an output low equivalent with O. However, if we replace the last high
input event by the default value, then the new input is I∗ = (cH1 = T)(cH2 =
F)(cL1 = val), and the execution of the program with I∗ is not terminated.
Therefore, the DI property does not hold for the program.
10 Limitations
Currently, the enforcement mechanism is not independent from the choice of
the default values (valdef ). We prove soundness and precision of enforcement
with respect to all possible choices of the default values, and we assume that
for each channel it is possible to determine a suitable (“non-leaking”) default
value.
The definition of DI in our notation requires that high items in I ′2 are default
ones. This constraint is enough to prevent attackers from deducing whether the
value of the last high input is default or not. However, we can put another
constraint on I ′2, i.e, ‖ I ′2|c ‖≤‖ I2|c ‖ for all c. Regarding this additional
constraint, the relationship between DI and RI as shown in [15] is preserved.
Our enforcement mechanism in §5.2 inherits the limitations of the SME
mechanism [6]. SME can soundly enforce TINI, but not TSNI. This happens
in the case when the low execution is terminated but the high execution is not,
and thus the whole enforcement mechanism is not terminated. Respectively,
SME (and our enforcement mechanism for NI) can precisely enforce TSNI, but
not TINI.
In [11] Kashyap, Wiedermann and Hardekopf evaluate the security guaran-
tees of SME for the termination covert channel; they have proposed to mediate
the security problems of SME related to this channel with more sophisticated
schedulers. In our approach we do not schedule the order of local executions,
therefore, we cannot immediately adapt their suggestions. However, our frame-
work can be extended to control the order of executing local executions by
specifying a new rule to control the start of local executions, and the predicate
isReady() used in the wake instruction.
We see one of the main limitations of our current proposal in the absence of
a practical implementation. It is still an open question, whether the memory
and performance overhead will be acceptable, especially for complex properties,
such as DI. Devriese and Piessens in the original SME paper [6], as well as
Bielova et al. in [4] and De Groef et al. in [8] report on complications while
35
instrumenting SME for real browsers, which we will have to address. A working
implementation is our next target.
11 Related Work
The information flow policies enforcement is a deeply investigated field. We will
briefly recall the developed approaches for information flow policies enforcement
and discuss the most relevant techniques in more details.
Static analysis techniques for information flow security inspect the program
code in order to check whether there is any unwanted information flow. We refer
the interested reader to the survey by Sabelfeld and Myers [21] with an excellent
overview of static language-based approaches for information flow security.
In contrast to the static verification techniques, dynamic analysis for infor-
mation flow enforcement tracks propagation of confidential information when
a program is executed; an extensive review on the dynamic approach can be
found in [14]. The trade-offs between static and dynamic analysis approaches
are evaluated by Russo and Sabelfeld in [19].
Our choice of using the multi-execution approach, despite its performance
overhead, was dictated by its advantages over the static and dynamic informa-
tion flow analysis techniques. Static analysis can fall short in scenarios when
the program can be composed dynamically, such as in the case of JavaScript;
dynamic runtime monitoring for information flow can can suffer from impossi-
bility to account for the branch of execution that was not taken, and can leak
the control flow details [21], e.g. introduce information leaks through the halting
behaviour of the program.
Secure multi-execution [6] has inspired many researchers to push further in-
vestigation of this technique. Jaskelioff and Russo in [10] describe their adapta-
tion of SME to Haskell and provide an SME implementation in a handy library.
SME is applied to a reactive model of a browser in [4], and is implemented as a
fully functional web browser FlowFox that embeds an SME-based runtime en-
forcement mechanism in [8]. FlowFox is a modification of Firefox, it introduces
a noticeable memory and performance overhead, but works with most of the
existing web sites. We plan to learn from [8] how to implement a fully working
solution and how to evaluate the usability.
Barthe et al. [2] achieve the effects of SME through static program trans-
formation instead of modifying the runtime environment. The transformation
technique, which provides sound and precise enforcement of non-interference,
is based on the main SME idea: a program is transformed into the sequential
composition of the same code paired with a security level ranging from low to
high. The program instances on higher levels reuse the inputs of the low in-
stances through global buffers of inputs. We achieve the same security with our
enforcement mechanism configuration for NI.
In [11] the authors analyse SME with respect to timing and termination
covert channels and propose a variety of schedulers for SME to close these
channels. Our framework can be extended with a scheduler to orchestrate the
local executions order of executions; we plan to apply the subtleties of timing-
and termination-sensitive non-interference identified by the authors and improve
our framework by closing these covert channels.
Instead of having multiple different executions, in [1] non-interference is
36
achieved by using faceted values (pairs of two values containing low and high
information). This allows to effectively simulate multiple executions on different
security levels while in fact running a single-process execution (the projection
property). The authors also introduce enforcement of declassification policies
with their technique. Our enforcement mechanism for NI ensures the same
security as the faceted values approach; however, our framework currently does
not include support for declassification. Yet, enforcement of such property as DI
seems infeasible for the faceted values approach in its current state, as significant
changes in the semantics for treatment of faceted values are required.
Capizzi et al. in [5] propose the shadow execution technique, with the main
goal to prevent confidentiality leaks of the user information in an operating
system setting. Shadow execution, which idea is similar to SME, consists of
replacing the original program with two copies. The private copy (the high
execution) receives the confidential data, but is prevented from accessing the
network. The public copy (the low execution) receives fake data, but can access
the network; the results from the network are supplied also to the private copy.
In this way the private copy can avail any network related functionality without
leaking the confidential data. Our framework can be configured to fully simulate
the shadow execution technique, by using the configuration for enforcement of
NI and regulating the network connectivity of the program copies.
With respect to the body of work on the SME technique, we do not push
further the security guarantees offered by the SME paper [6]; for the non-
interference property we do not improve the SME drawbacks and do not close
the reported covert channels. However, our goal is different. We aim at creat-
ing an enforcement framework which can be easily configured to accommodate
different information flow properties; and multi-execution is just the technique
we have chosen for achieving our goal. Other techniques (e.g. the faceted values
approach) can also be considered.
12 Conclusion
We have presented an architecture of an extensible framework for enforcement
of information flow properties. To the best of our knowledge, this is the first
enforcement mechanism capable to accommodate more than one property. The
main idea behind our approach is to run several local instances of a program
in parallel, following the idea of secure multi-execution [6], and carefully or-
chestrate processing of input and output operations of the enforced program
through two components (MAP and REDUCE), and two tables (TM and TR).
To support our claims on the extensibility of the framework we have pro-
vided a set of configurations of the enforcement framework for enforcement of
non-interference and several properties from the framework of Mantel [15]. The
the framework components programs for each of these properties are quite sim-
ple. For these properties we have formally proven soundness and precision of
enforcement.
Our approach to enforcement allows the users to define and enforce novel
information flow properties, only by fine-tuning the settings. This characteris-
tics of our framework has huge potential. We plan to continue studying new
properties that appear due to fine-tuning the components of the framework, and
to research configurations for combinations of several properties.
37
One may argue whether it is actually easy to configure the enforcement in
order to add a new property. Of course, we do not expect that an average user
might be interested in defining his own property; we only aim to provide such a
user with a checkbox selection of a desired information flow property. However,
more security-aware users and the security researchers with a desire to inves-
tigate some information flow property will be able to obtain the enforcement
mechanism by customizing our framework with simple programs for MAP and
REDUCE, and defining the tables TM and TR, instead of hacking their browsers.
Our next steps include the investigation the patterns of TM , TR, piM , piR
and the property to be enforced; a proof-of-concept implementation (we have
chosen to implement our framework for a web browser; however, our approach
can be suitable to any platform), and extension of the framework with more
properties and options for declassification.
Acknowledgment
This work is partly supported by the projects EU-IST-NOE-NESSOS and EU-
IST-IP-ANIKETOS.
38
References
[1] T. H. Austin and C. Flanagan. Multiple facets for dynamic information
flow. SIGPLAN Not., 47(1):165–178, Jan. 2012.
[2] G. Barthe, J. Crespo, D. Devriese, F. Piessens, and E. Rivas. Secure multi-
execution through static program transformation. In Formal Techniques for
Distributed Systems, volume 7273 of Lecture Notes in Computer Science,
pages 186–202, 2012.
[3] G. Barthe, P. R. D’Argenio, and T. Rezk. Secure information flow by self-
composition. Mathematical Structures in Computer Science, 21(6):1207–
1252, 2011.
[4] N. Bielova, D. Devriese, F. Massacci, and F. Piessens. Reactive non-
interference for a browser model. In Proc. of NSS 2011, pages 97–104,
2011.
[5] R. Capizzi, A. Longo, V. N. Venkatakrishnan, and A. P. Sistla. Preventing
information leaks through shadow executions. In Proc. of ACSAC 2008,
pages 322–331, 2008.
[6] D. Devriese and F. Piessens. Noninterference through secure multi-
execution. In Proc. of IEEE S&P 2010, pages 109–124, 2010.
[7] J. A. Goguen and J. Meseguer. Security policies and security models. In
Proc. of IEEE S&P 1982, pages 11–20, 1982.
[8] W. D. Groef, D. Devriese, N. Nikiforakis, and F. Piessens. Flowfox: a web
browser with flexible and precise information flow control. In Proc. of CCS
2012, pages 748–759, 2012.
[9] J. D. Guttman and M. E. Nadel. What needs securing? In Proc. of CSFW
1988, pages 34–57, 1988.
[10] M. Jaskelioff and A. Russo. Secure multi-execution in Haskell. In Per-
spectives of Systems Informatics, volume 7162 of LNCS, pages 170–178,
2012.
[11] V. Kashyap, B. Wiedermann, and B. Hardekopf. Timing- and termination-
sensitive secure information flow: Exploring a new approach. In Proc. of
IEEE S&P 2011, pages 413–428, 2011.
[12] R. La¨mmel. Google’s MapReduce programming model - revisited. Sci.
Comput. Program., 68:208–237, October 2007.
[13] L. Lamport. Specifying concurrent program modules. ACM Transactions
on Programming Languages and Systems, 5(2):190–222, Apr. 1983.
[14] G. Le Guernic. Confidentiality enforcement using dynamic information
flow analyses. PhD thesis, Kansas State University, Manhattan, KS, USA,
2007.
[15] H. Mantel. Possibilistic definitions of security - an assembly kit. In Proc.
of CSFW 2000, pages 185–199. IEEE Computer Society, 2000.
39
[16] D. McCullough. Specifications for multi-level security and a hook-up prop-
erty. In Proc. of IEEE S&P 1987, pages 161–166, 1987.
[17] J. McLean. A general theory of composition for trace sets closed under
selective interleaving functions. In Proc. of IEEE S&P 1994, pages 79 –93,
May 1994.
[18] A. C. Myers, A. Sabelfeld, and S. Zdancewic. Enforcing robust declassifi-
cation. In Proc. of CSFW 2004, pages 172–186, 2004.
[19] A. Russo and A. Sabelfeld. Dynamic vs. static flow-sensitive security anal-
ysis. In Proc. of CSF 2010, pages 186 –199, july 2010.
[20] A. Russo, A. Sabelfeld, and A. Chudnov. Tracking information flow in
dynamic tree structures. In ESORICS, pages 86–103, 2009.
[21] A. Sabelfeld and A. Myers. Language-based information-flow security. Se-
lected Areas in Communications, IEEE Journal on, 21(1):5 – 19, 2003.
[22] A. Sabelfeld and D. Sands. Declassification: Dimensions and principles. J.
on Comput. Secur., 17(5):517–548, Oct. 2009.
[23] P. Shroff, S. Smith, and M. Thober. Dynamic dependency monitoring to
secure information flow. In Proc. of CSF 2007, pages 203–217, 2007.
[24] D. Sutherland. A model of information. In Proc. of NCSC’86, pages 177
–186, 1986.
[25] D. Volpano, C. Irvine, and G. Smith. A sound type system for secure flow
analysis. J. Comput. Secur., 4(2-3):167–187, Jan. 1996.
[26] A. Zakinthinos and E. Lee. A general theory of security properties. In
Proc. of IEEE S&P 1997, pages 94 –102, May 1997.
40
