Abstract-Research on information flow security for concurrent programs usually assumes sequential consistency although modern multi-core processors often support weaker consistency guarantees. In this article, we clarify the impact that relaxations of sequential consistency have on information flow security. We consider four memory models and prove for each of them that information flow security under this model does not imply information flow security in any of the other models. This result suggests that research on security needs to pay more attention to the consistency guarantees provided by contemporary hardware. The other main technical contribution of this article is a program transformation that soundly enforces information flow security under different memory models. This program transformation is significantly less restrictive than a transformation that first establishes sequential consistency and then applies a traditional information flow analysis for concurrent programs.
I. INTRODUCTION
Before granting a program access to private information or other secrets, one might like to know whether there is any danger that the program leaks the secrets. Research on information flow security aims at answering this question. The fact that researchers have kept making foundational contributions on information flow security [1] , [2] , [3] , [4] , [5] for more than 40 years by now, shows that information flow security is not only of practical relevance, but also a very rich domain of non-trivial research problems. Concurrency is a rich domain of foundational research problems itself. Combining it with information flow security results in intriguing new problems, such as how to achieve reliable information flow security without knowing how the scheduler works (see, e.g., [6] , [7] ), and further complicates problems that are already non-trivial in a sequential setting, such as how to control declassification (see, e.g., [8] , [9] ). In order to achieve reliable security for concurrent programs, all of these problems require solutions.
The focus of this article is on information flow security in the presence of concurrency. More concretely, we study the effects of relaxed consistency guarantees on noninterference. Weak memory models provide weaker guarantees than the sequential consistency property [10] that programmers of concurrent programs often take for granted. There are multiple benefits of relaxing sequential consistency. In particular, it enables more efficient uses of caches in multi-core processors and of program optimizations during compilation that are not compatible with sequential consistency. For an introduction to weak memory models, we refer to [11] , [12] . This is not the first study of noninterference under relaxed consistency guarantees. Vaughan and Millstein studied the effects of one weak memory model, namely total store order, on noninterference [13] . They showed that noninterference under sequential consistency does not imply noninterference under total store order and that noninterference under total store order does not imply noninterference under sequential consistency. This is an insight of great significance, because it shows how closely security depends on the memory model provided by the hardware on which a program runs. Vaughan and Millstein also proposed a security type system, showed that it is sound under total store order, and demonstrated how it can be made more precise without loosing soundness.
The three main, novel contributions of this article are:
• We clarify the effects of four memory models on information flow security. For each of the models, we show that noninterference under this memory model does not imply noninterference under any of the other memory models.
On the one hand, our results lift the observation by Vaughan and Millstein to further memory models. On the other hand, our results back that their observations are not just a peculiarity of one particular weak memory model. Hence, our results suggest that research on security should pay more attention to the consistency guarantees provided by modern hardware and optimizations.
• We propose a security type system and prove that it soundly verifies noninterference under four different memory models. This is the first security type system that is known to be sound for multiple weak memory models. Our type system not only checks whether programs are secure, but also transforms some potentially insecure programs into secure ones. This is the first transforming type system that is suitable for establishing noninterference under relaxed consistency guarantees. Our transformation inserts fence commands into a program such that it becomes noninterferent under weak memory models. Although inspired by fence-insertion techniques that establish sequentially consistent behavior of a program [14] , our transformation does not force sequential consistency on a program executed under a weak memory model. • We present a novel model of concurrent computation that is parametric in a set of consistency guarantees and that, hence, can be applied to different memory models. Our model of computation originated as a side product of our research project on security. Though originally a side product, we view this model itself also as a valuable contribution because it was helpful for our research on information flow security and might be helpful for others, not only in security. In contrast to the well known parametric model by Alglave [15] , our model features an explicit representation of intermediate states.
We are confident that our results constitute a significant step towards better foundations for software security under relaxed consistency guarantees. However, the exploration of the correlation between noninterference and weak memory models has just begun. To our knowledge, this is only the second article on this correlation. Beyond the memory models that we investigate in this article, there are further memory models whose impact on information flow security needs to be clarified. Our novel model of computation under relaxed consistency guarantees could be helpful for such studies.
In Section II and III, we introduce our model of computation. We present a concurrent language that features fence commands and dynamic thread creation in Section IV, where we use our novel model of computation to define the operational semantics. In Section V, we show how to specialize our model of computation for four concrete memory models. We present our clarification of the correlation between noninterference and relaxed consistency guarantees in Section VI and our security type system in Section VII. After a discussion of related work in Section VIII, we conclude in Section IX.
Notational conventions: For a set , we use and * to denote the set of all -tuples and the set of all finite lists, respectively, over . 
Note that a function update might augment the pre-image of a partial function.
We refer to partial functions with domain ℕ, range , and a finite pre-image also as vectors over . That is, a partial function ⃗ : ℕ ⇀ is a vector over if |pre(⃗)| ∈ ℕ holds.
II. A BASIC MODEL OF COMPUTATION
We introduce an event-based model of computation for multi-threaded programs. Our model captures the concurrent execution of multiple threads, where each thread has access to a globally shared memory and to its own set of registers, which cannot be accessed by other threads.
We simplify our presentation by not considering dynamic thread creation, synchronization, and caching in this section. We extend our model of computation to a more sophisticated, generic model that supports caching under different memory models in Section III. In Section IV, we demonstrate how this model of computation can be used for a concurrent programming language with a spawn and a fence command.
States: We assume pair-wise disjoint sets , ℛ, and of variable names, register names, and values, respectively.
We use functions in the set Mem = → to model states of the global memory and functions in Reg = ℛ → to model states of the register set, i.e., each thread's local memory. We identify threads by identifiers in ℐ = ℕ and use vectors in the set ⃗ Reg = ℐ ⇀ Reg to model states of the registers of all threads. For a given thread identifier, a vector ⃗ reg ∈ ⃗ Reg returns a function of type Reg that models the content of the register set of the thread with this identifier.
We model snapshots during a program run by pairs from the set Gst = ⃗ Reg × Mem and refer to such pairs as global states. We use pairs from Lst = Reg × Mem to capture the part of a global state that is relevant for a single thread and refer to such pairs as local states. We write gst[i ] for the local state of thread i ∈ pre(gst) in a global state gst ∈ Gst, i.e.,
We call a thread i ∈ ℐ active in gst if i ∈ pre(gst), and inactive otherwise. Note that gst[i ] is only defined if i is active.
As a notational convention, we use meta-variables as follows: , , for natural numbers in ℕ, x for variables in , r for registers in ℛ, v for values in , i , j for thread identifiers in ℐ, mem for global memories in Mem, reg for local memories of a single thread in Reg, ⃗ reg for local memories in ⃗ Reg, gst for global states in Gst, and lst for local states in Lst. We use each of these meta-variables also with indices and primes.
Events and Traces:
We use operators to model operations that a thread can perform on its registers and events to model the transfer of data between memory and register sets.
We leave the set of operators Op parametric, assuming that the arity of each operator in Op is defined by a function arity : Op → ℕ. We use terms of the form op(rs) to model the execution of the operation specified by the operator op on the register tuple rs ∈ ℛ arity(op) . We refer to such terms as expressions and define the set of all expressions by
For an expression e ∈ ℰ, we use args(e) to denote the set of all registers that appear as arguments of the operator in e. We define the set of events Ev by the following grammar:
where e ∈ ℰ. Intuitively, an event x v @r models the copying of the value v from the register r to the variable x . Moreover, an event v @x r models the copying of the value v from the variable x to the register r . Finally, an event v @e ↻ r models the updating of the register r with the value v , where the expression e captures how v was computed.
We formalize this intuition about the effects of events by a function effect : Ev → (Lst → Lst) that we define by 
We use finite lists of events to model sequences of computation steps by one thread. We refer to such lists as traces and define the set of all traces by Tr = Ev * .
We use meta-variables as follows: op for operators in Op, rs for register tuples in ℛ , e for expressions in ℰ, ev for events in Ev , and tr for traces in Tr .
III. SUPPORTING RELAXED CONSISTENCY GUARANTEES
Weak memory models relax sequential consistency, for instance, in order to support a more efficient use of caches in multi-core architectures. Weak memory models also provide consistency guarantees but these are weaker than sequential consistency. The various weak memory models differ in the consistency guarantees that they provide (see, e.g., [11] ).
This variety of memory models is of conceptual interest and also relevant in practice. For instance, the processors Alpha, x86 and POWER support weak memory models that differ from each other [11] , [16] , [17] .
In this section, we extend our basic model of computation from Section II to a model that supports weaker consistency guarantees than sequential consistency. This results in a novel model of computation that is generic in the sense that it can be instantiated for different memory models. Conceptually, we build on the common distinction between program-order relaxations and write-atomicity relaxations [11] . This distinction leads to a modular definition of weak memory models by sets of permitted primitive relaxations. We exploit this modularity in the construction of our model of computation.
Two key technical concepts in our model are obligations and paths. They complement events and traces as follows.
While we use events to capture computation steps and data transfers that a thread has performed, we use obligations to capture steps and transfers that have not yet happened, but for which a thread already made a commitment. For the purposes of this article, we define events and obligations to have the same granularity as commands in the considered programming language. That is, each event and obligation reflects the execution of a single command.
While we use traces to capture the order in which computation steps and data transfers have happened, we use paths to capture the order in which commitments have been made. We require each thread to commit to obligations in the order in which the corresponding commands appear in the program that the thread runs. That is, obligations must be assumed in program order. Under a weak memory model, the order in which a thread performs steps might differ from the order in which the thread has made commitments or, more figuratively, different traces might appear on one path.
The preconditions for assuming obligations and the effects of fulfilling them are not explained here, but in Section IV.
A. Obligations, Paths and Advancing Paths
We define the set of obligations Ob by the grammar:
where ev ∈ Ev and fe ∈ Fe. The set Fe of fences may only contain obligations that do not involve updates of variables and registers. We leave Fe parametric in this section. In Section IV, we define a concrete set Fe that contains obligations that capture the effects of fence commands and spawn commands. Intuitively, an obligation ?@x r models the copying of the value of variable x into register r . The question mark indicates that the value of x is not yet known. Once the value v of x has been determined, the question mark can be replaced by v , resulting in the obligation v @x r . We re-use our syntax for events to denote the corresponding obligations. That is, v @x r is the obligation to copy v from x to r , v @e ↻ r is the obligation to update r to v after an operation on registers, and x v @r is the obligation to copy v from r to x . Like for events, we distinguish between read obligations, computation obligations, and write obligations. We capture this distinction by three predicates, where isRead (ob) holds if ob has the form ?@x r or v @x r , isComp(ob) holds if ob has the form v @e ↻ r , and isWrite(ob) holds if ob has the form x v @r . Moreover, we define two functions sinks, sources : ob → 2 ∪ℛ in Table I that, as their names indicate, retrieve the set of all registers and variables appearing as sources and sinks, respectively, in an obligation.
We record the order in which a program assumes obligations by finite lists from the set Pa = (ℐ × Ob) * and refer to such lists as paths. We recursively define the projection of a path pa to a thread identifier i ∈ ℐ by 
B. Weak Memory Models
Lamport defined sequential consistency as the requirement "[. . . ] the result of any execution is the same as if the operations of all the processors were executed in some sequential order, and the operations of each individual processor appear in this sequence in the order specified by its program." [10] As elaborated in [11] , there are two aspects to sequential consistency. Firstly, the operations of each individual processor must take effect in the program order, i.e., the order in which operations appear in a program and, secondly, that operations of all processors must take effect in a single sequential order.
Using our concepts from Section III-A, we make these two aspects precise. Since a thread i ∈ ℐ assumes obligations in the order in which the corresponding commands appear in the program that this thread executes, the order of obligations in the projection pa ↾ i of a path pa reflects the program order. Hence, if each thread i ∈ ℐ fulfills its obligations in the order in which they appear in pa ↾ i for a given path pa and if obligations only cause effects when they are fulfilled, then this ensures the first aspect of sequential consistency. The second aspect of sequential consistency requires the existence of a single sequential order in which commands take effect. If there is a total order in which obligations are fulfilled by all threads and if each obligation only causes effects when it is fulfilled, then this ensures the second aspect of sequential consistency.
We capture the relaxations of these two aspects of sequential consistency with predicates. As usual, we distinguish between program-order relaxations, which relax the first aspect of sequential consistency, and write-atomicity relaxations, which relax both aspects of sequential consistency. More concretely, in terms of Section III-A, a program-order relaxation permits that, in certain cases, obligations of a thread i are fulfilled in a different order than specified by pa ↾ i , while a write-atomicity relaxation permits that, in certain cases, obligations may have an effect already before they are fulfilled.
We capture each program-order relaxation by a predicate that takes a list of obligations obs and a position < |obs|−1 as arguments. Each predicate defines conditions under which the last obligation in obs may be fulfilled before an obligation that occurs at position in obs. Note that one can use also to check whether an obligation at an arbitrary position in obs may be fulfilled before the obligation at position < , by applying to the arguments obs[0 . . . ] and .
In order to fulfill an obligation by thread i out of order, it must be possible to re-order this obligation with all obligations that the thread has assumed before and not yet fulfilled. For a given set Φ of program-order relaxations, we formalize the condition that the last obligation in a non-empty list of obligations obs may be fulfilled next bȳ
Now we are ready to define under which conditions an obligation at position in a given path pa may be fulfilled next for a given set Φ of program-order relaxations:
Note that the thread identifier i of the thread that assumed the obligation at position is used to project the path pa to a list of obligations and that only obligations up to position in pa are used in this projection. Also note that next Φ (pa ′ ::(i , ob), ) holds trivially if pa ′ contains no obligations of thread i . That is, a thread is always permitted to fulfill its first obligation in a path.
We capture each write-atomicity relaxation by a predicate that defines conditions under which a write obligation at position in a path pa may impact an obligation at a later position > . This constitutes a relaxation of sequential consistency if the obligation at position is not the obligation that is fulfilled next. Again, we assume that the last obligation in pa is the one that shall be influenced. Nevertheless, one can use to check whether an obligation at an arbitrary position in a path pa may be influenced by the write obligation at position , by applying to the arguments pa[0 . . . ] and . Now we are ready to define how the unknown value in an obligation ?@x r in a path may be specialized for a given set Ψ of write-atomicity relaxations. We define a function specialize Ψ that returns the set of all events to which one may specialize an obligation ob of thread i that occurs at the end of a path pa::(i , ob) in a global state ( ⃗ reg, mem). We first define the case where the obligation ob has the form ?@x r :
Program-order relaxations for read and write The first set in the above definition captures that a thread i may retrieve the value of x from the global memory mem if there are no obligations of this thread in the path pa that involve writing the variable x (i.e., if x / ∈ sinks(pa ↾ i ) holds). The second set in the above definition captures the condition under which the thread i may retrieve the value of x from some write obligation that is pending in the path pa.
If ob ∈ Ev or ob ∈ Fe holds, then specialize Ψ returns the singleton set containing ob or the empty set, respectively: Note that predicates in Φ and Ψ constitute relaxations of sequential consistency and, hence, the bigger the two sets are, the weaker is the consistency guarantee that is provided.
In Figures 1, 2 , and 3, we present formal definitions of prominent program-order and write-atomicity relaxations.
In Figure 1 , we define four predicates WR , WW , RW , and RR to capture conditions for re-ordering read and write operations. These predicates correspond to the program-order relaxations Write-to-Read, Write-to-Write, Read-to-Write, and Read-to-Read (see, e.g., [11] ), respectively. Note that each of the four predicates requires that the obligation at the end of the list obs and the obligation at position are of a particular type (read or write). Moreover, each of the predicates requires that modifications and observations caused by fulfilling early Figure 3 . Program-order relaxations for read-others write early For instance, WR requires that the obligation at position in the list obs is a write obligation, and that the last obligation in obs is a read obligation. The condition sinks(obs[ ])∩sources(last(obs)) = ∅ prevents a re-ordering if the read obligation depends on a variable that is influenced by the write obligation. This condition ensures that a write-toread re-ordering cannot affect purely sequential computations.
In Figure 2 , we define two predicates ROwn and ROwn that together express the precondition for a read-own-writeearly relaxation (see, e.g., [11] ). The predicate ROwn captures for a path pa ending with a pair (i , ?@x r ) under which conditions the value of x in the obligation ?@x r of thread i may be influenced by a write obligation at position . Namely, the write obligation at position must be an obligation of the same thread i , the sink of this write obligation must be the same variable x , and the thread i must not have assumed further write obligations for x after position . By permitting the earlier write obligation to influence the value of x in the later read obligation without making the update of x visible to other threads, the write becomes a non-atomic operation. The predicate ROwn defines conditions under which a re-ordering of a read obligation and an earlier write obligation is permissible, if these two obligations involve the same variable. Note that WR does not permit the reordering of two obligations that access the same variable.
In Figure 3 , we define the predicate early ROth that is parametric in the function early : ℐ ⇀ 2 ℐ . This predicate expresses a read-others-write-early relaxation, where early(i ) specifies the set of threads whose writes a thread i may read early. The condition early ROth (pa, ) captures for a path that ends with a pair (i , ?@x r ) that the value of the variable x may be influenced by a write obligation of some thread ∈ early(i ) at position in pa if this is the most recently assumed write obligation of thread for x . By permitting the write obligation to influence the read obligation without making the update of x visible to all threads, the write becomes non-atomic. 
IV. A MULTI-THREADED LANGUAGE
We introduce a concrete, multi-threaded language. Our example language comprises commands for transferring data between the shared memory and the local memory of a thread, computation commands, conditionals, and loops. Our language also provides a spawn command, which dynamically creates new threads, and a fence command, which can be used in a program to limit the effects of program-order relaxations.
The syntax of our language is defined by the grammar: where v ∈ , r ∈ ℛ, x ∈ , and ∈ ℕ. Note that each command carries a number ∈ ℕ as subscript. We assume that each subscript appears only once in a given program, such that each subscript uniquely identifies a particular occurrence of a command in the program. For instance, one could use the line number in which a command appears as subscript, given that each line contains at most one command. We use to denote the set of all programs in our language. To simplify our technical exposition in the rest of this article, we only support two commands for performing computations: the equality test "eq r 1 r 2 r 3 " and the conjunction "and r 1 r 2 r 3 ". Adding further commands for computations to our language would cause no fundamental difficulties, but it would increase the length of calculi, explanations, and proofs.
Like the MEMBAR #sync instructions of SPARC [18] , the fence commands in our language correspond to full fences. That is, the execution of a fence command is only possible if all commands that appear before the fence in program order have been executed already. Moreover, commands that appear after the fence in program order cannot be executed before the fence. Hence, fences can be used to rule out unwanted behavior by limiting the effects of program-order relaxations.
We define the operational semantics in terms of our model of computation from Sections II and III. To this end, we instantiate the set of operations by Op = {const, eq, and} and the set of synchronization obligations by Fe = {∥, ↗ c | c ∈ }, where ∥ and ↗ c are the obligations that correspond to the commands fence and spawn c, respectively.
The execution of a command is split into two steps: the assumption of an obligation and the fulfillment of this obligation. As explained in Section III-A, we use advancing paths to model snapshots during a program run. Given an advancing path (pa, ⃗ tr ) ∈ APa, the assumption of an obligation ob by thread i results in the advancing path (pa:: and refer to such triples as global configurations. A global configuration consists of a vector ⃗ cs : ℕ ⇀ ( ∪ ), an advancing path (pa, ⃗ tr ) ∈ APa, and a global state ( ⃗ reg, mem) ∈ Gst, where we use the symbol in the range of ⃗ cs to model that a thread has terminated. We call a global configuration well formed if ⃗ cs, ⃗ tr , and ⃗ reg have the same pre-image, i.e., if pre( ⃗ cs) = pre( ⃗ tr ) = pre( ⃗ reg) holds. In the remainder of this article, all relevant global configurations will be well formed.
To capture small steps on global configurations under a memory model (Φ, Ψ), we introduce the judgment
The calculus for deriving this judgment is depicted in Figure 5 . The first rule in Figure 5 captures how commands are processed and how obligations are assumed. The first premise ensures that i is an active thread. In the third premise, the judgment ⟨ ⃗ cs(i ), pa, reg⟩ → i ⟨c ′ , pa ′ ⟩ is used to capture the processing of the next command in ⃗ cs(i ) by thread i , where c ′ is the command that remains to be executed by thread i and pa ′ is the resulting path. This judgment will be defined later in this section such that the path pa ′ either equals pa or equals pa::[(i , ob)] for some obligation ob. The fourth premise ensures that a thread cannot assume new obligations if a fence obligation of this thread is pending.
The second rule in Figure 5 captures how threads fulfill obligations other than ∥ and ↗ c . The first two premises of the rule ensure that the obligation ob of thread i at position may be fulfilled next. In the fourth premise, ob is specialized to ob ′ . Recall from Section III-B, that specialize Ψ returns for an obligation ?@x r the set of all instantiations that are possible under the write-atomicity relaxations in Ψ. Otherwise, specialize Ψ returns the singleton set containing the given obligation. The last three premises remove the obligation ob from the path, append the event ob ′ to the trace of thread i , and update the global state according to the effect of ob ′ .
The third rule captures how a thread fulfills an obligation ∥, which the thread assumed due to a fence command. A fence command prevents re-orderings across this command, hence, its name. In our operational semantics, this is realized by the combination of the fourth premise of the first rule in Figure 5 , the premise ob / ∈ Fe of the second rule in Figure 5 , and the fact that if pa( ) = (i , ∥) and next Φ (pa, ) hold, then pa does not contain an obligations of thread i before position .
The last rule in Figure 5 captures how a thread fulfills an obligation ↗ c , which the thread assumed due to a spawn command. This rule models the creation of a new thread with a new identifier i ′ by enlarging the pre-image of ⃗ cs, ⃗ tr , and ⃗ reg by i ′ . Like the obligation ∥, the obligation ↗ c also cannot be re-ordered with other obligations, for the same reasons.
We formalize how a thread processes a command in terms of the command's immediate effects on the local memory, i.e. the registers of this thread, and in terms of an obligation that the thread assumes. We use the judgment ⟨c, pa, reg⟩ → i ⟨c ′ , pa ′ ⟩ to capture that if thread i processes the command c in the context of a path pa, and the current local memory reg, then, afterwards, the path is pa ′ and either a command c ′ ∈ remains to be executed or the thread has terminated (indicated by c ′ = ). The calculus for this judgment is depicted in Figure 6 . The rules for skip , conditionals and loops, leave the path unchanged. All other rules add a pair (i , ob) to the path to indicate that thread i has assumed the obligation ob. The particular obligation differs in the rules. Moreover, the rules for all commands that use values from registers, require that the path pa does not contain any unfulfilled obligations of thread i that might influence these registers. The reason for these premises in the rules is that values of registers are inserted into an obligation when the obligation is assumed, and this would be incorrect if updates to these registers were still pending. Otherwise, the rules in Figure 6 are straightforward.
We use the judgment ⟨c, mem⟩ ⇓ (Φ,Ψ) mem ′ to model that a run of program c starting in an initial memory mem terminates with final memory mem ′ . The only rule for this judgment is depicted in Figure 7 , where we use =⇒ * (Φ,Ψ)
to denote the transitive closure of the relation induced by the judgment for small steps on global configurations. The premises of the rule ensure that all registers are initialized with value 0 and that the program run starts in a well-formed global configuration. That the program, indeed, terminated is captured by the two premises pa
V. EXAMPLE MEMORY MODELS
We are now ready to formalize four examples of concrete memory models. The example memory models SC, IBM370, TSO, and PSO that we present correspond to sequential consistency, IBM 370, total store order, and partial store order, respectively. Each of these memory models had relevance in processor design: partial store order, total store order, and
⟨while r do c od, pa, reg⟩ → i ⟨c; while r do c od, pa⟩ Figure 6 . Processing a command and augmenting a path Figure 7 . Big-step semantics for commands IBM 370 are supported by SPARC, modern x86 processors, and in the processor IBM 370, respectively [11] , [16] . Following Definition 1, we define each memory model as a pair (Φ, Ψ) of two sets of predicates that capture the permitted program-order relaxations and write-atomicity relaxations.
Definition 2.
For each MM ∈ {SC, IBM370, TSO, PSO}, we define MM = (Φ MM , Ψ MM ) by the following table:
Let ℳℳ = {SC, IBM370, TSO, PSO} for the rest of this article. For each of the four models in ℳℳ, our choice of relaxations of sequential consistency in Definition 2 is equivalent to the one in [11] . In the following, we argue for the adequacy of Definition 2 further by relating our definitions to the original definitions of these memory models.
Proposition 1.
The memory model SC = (Φ SC , Ψ SC ) imposes the same constraints as sequential consistency [10] .
Proof sketch: As explained in Section III-B, sequential consistency is equivalent to the conjunction of two requirements: firstly, the commands of each thread must take effect in program order and, secondly, the commands of all threads must take effect in a single sequential order. These two requirements are satisfied by our memory model SC = (Φ SC , Ψ SC ), where Φ SC = ∅ and Ψ SC = ∅ according to Definition 2.
The first rule in Figure 5 and the rules for sequential composition in Figure 6 is a premise in the second, third, and fourth rule in Figure 5 , obligations are fulfilled by a thread in the order in which they have been assumed by this thread. That is, commands of each thread take effect in program order.
Moreover [19] .
Proof sketch: As described in [11] the memory model IBM 370 [19] relaxes the requirement that commands of each thread must take effect in program order. More concretely, a read command of a thread may take effect before a write command of the same thread against program order if the two commands are not conflicting, i.e., the source in the read must differ from the sink in the write. This is the only relaxation of sequential consistency that the memory model IBM 370 permits. These requirements are also satisfied by our memory model IBM370 (recall Φ IBM370 = { WR } and Ψ IBM370 = ∅).
The first rule in Figure 5 and the rules for sequential composition in Figure 6 Since Ψ IBM370 = ∅, obligations can have an effect on variables, registers, and other obligations only when they are fulfilled. The argument is identical to the one for SC. Hence, obligations of all threads take effect in one single order.
In [20] , the memory models total store order and partial store order are defined by lists of axioms. These axioms impose constraints on the order of load and store operations wrt. a memory order ≤ and a program order i . For a given derivation of the judgment ⟨c, mem⟩ ⇓ (Φ,Ψ) mem ′ , we define ; i as the order in which thread i assumes obligations in the derivation (by application of the 1st rule in Figure 5 ) and ≤ as the order in which obligations are fulfilled in the derivations (by applications of the 2nd, 3rd, and 4th rule in Figure 5 ). Figure 5 , TSO allows read obligations of a thread to be fulfilled before write obligations of the same thread against the program order like total store order in [20] .
Proposition 3. The memory model TSO = (Φ TSO
We now argue that TSO is no more permissive than total store order. The axioms Atomicity and Termination in [20] impose constraints on atomic load-store operations and on diverging runs. These two axioms are trivially fulfilled in the context of this article because our example language does not incorporate atomic load-store operations and the judgment ⟨c, mem⟩ ⇓ (Φ,Ψ) mem ′ captures only terminating runs. The other four axioms are also fulfilled by our memory model TSO (recall Φ TSO = { WR , ROwn } and Ψ TSO = { ROwn }). The axiom Order in [20] requires all store and flush operations to be totally ordered by ≤. Our example language does not incorporate flush operations, but fence commands instead. The order ≤ induced by a derivation of ⟨c, mem⟩ ⇓ (Φ,Ψ) mem ′ is a total order on write and fence obligations. The axiom Value requires that the value of a load from a location x is the value written by a most recent store to this location:
The two possible cases for determining the value of the load in this equation correspond to the two cases in our definition of specialize. In the first case, the value of the variable is directly retrieved from the global memory (and, hence, this value equals the value stored by the write obligation that was fulfilled last for this location) and, in the second case, the value is retrieved from the most recently assumed write obligation of the same thread that has not yet been fulfilled. The axiom LoadOp requires for each operation after a given load operation in the program order of a processor i , that this operation takes effect after the load operation. Since Φ TSO = { WR , ROwn }, TSO does not allow an obligation to be fulfilled before a given read obligation against the program order according to the definitions of WR and ROwn . The axiom StoreStore requires that store and flush operations take effect in the relative order in which they occur in the program order. Again, our definition of TSO does not allow that write or fence obligations are fulfilled against the program order according to the definitions of WR and ROwn . Figure 5 , PSO allows read as well as write obligations of a thread to be fulfilled before write obligations of the same thread against the program order like partial store order in [20] .
Proposition 4. The memory model PSO = (Φ PSO
We now argue that PSO is no more permissive than partial store order. Again, the axioms Atomicity and Termination in [20] are trivially fulfilled. The axioms Order, Value, and LoadOp are the same ones as for total store order. These three axioms are fulfilled by the memory model PSO (recall Φ PSO = { WR , ROwn , WW } and Ψ PSO = { ROwn }). The argument for the fulfillment of these three axioms is analogous to the one for TSO. The additional program order relaxation WW might affect the order in which write obligations are fulfilled, but there still exists a total order in which write obligations are fulfilled. Due to the relaxation WW , two write obligations of the same thread might be fulfilled against the program order. However, this is only permitted if the sinks of these write obligations differ, and, hence, the fulfillment of axiom Value is not affected. Finally, WW does not permit any re-ordering wrt. the fulfillment of read obligations and, hence, the axiom LoadOp is fulfilled. The axiom StoreStore in the partial store order model is different from the axiom with this name in the total store order model. For partial store order, the axiom StoreStore requires that store operations that are separated by a STBAR operation take effect in program order. In our language, fence commands take the role of STBAR operations. Since Φ PSO does not permit to re-order fence obligations, this variant of the axiom StoreStore is fulfilled. The axiom StoreStoreEq requires that store operations with the same sink take effect in program order. The condition sinks(obs[ ])∩sinks(last(obs)) = ∅ in the definition of WW ensures that write obligations can, indeed, only be re-ordered if they have disjoint sinks.
VI. INFORMATION FLOW SECURITY
The novel model of computation and its instantiation with a concrete language, which we described in Sections II-V, originated as a side-product of studying the impact of different memory models on information flow security. Two crucial features of our model of computation are its operational flavor and that it can be instantiated with different memory models. These features provide the basis for comparing the effects of different memory models on noninterference.
The main result in this section is Theorem 1. This theorem clarifies the effects of the four memory models from Definition 2 (i.e., PSO, TSO, IBM370, and SC) on noninterference. The formulation of the theorem is crisp, but proving it, was not an easy exercise. We describe the three-step proof technique that we employed as it might be interesting itself.
A. Noninterference under Weak Memory Models
We consider a termination-sensitive definition for a twolevel security lattice, where the intuitive requirement is that information must not flow from the level High to Low.
We use a function lev : → {Low, High} to associate each variable in a program with one of these security levels. As usual, we assume the initial values of each variable x ∈ with lev (x ) = High to be secret, and the initial and final values of each x ′ ∈ with lev (x ′ ) = Low to be public. We define two global memories mem, mem ′ ∈ Mem to be Low-equal if lev (x ) = Low =⇒ mem(x ) = mem ′ (x ) holds for each x ∈ and denote this fact by mem = mem ′ . This means, if mem = mem ′ holds then two global memories mem, mem ′ ∈ Mem differ only in secrets.
Definition 3. A program c ∈ is MM -noninterfering (denoted by c ∈ MM ), if the following condition holds:
MM holds and c is run under the memory model MM in two initial memories that are Low-equal, then, after the runs of c terminate, the resulting memories are also Low-equal. This means that the final value of each variable x ′ ∈ with lev (x ′ ) = Low is independent of the initial values of all variables x ∈ with lev (x ) = High. In other words, running c cannot leak secret information.
Theorem 1. Noninterference under MM does not imply noninterference under MM
′ , for each pair of distinct memory
In total, Theorem 1 expresses twelve non-implications for noninterference under different memory models, including the two non-implications that were proven by Vaughan and Millstein in [13] . Vaughan and Millstein showed that noninterference under sequential consistency does not imply noninterference under total store order and vice versa. Our theorem demonstrates that this observation is not just a peculiarity of one specific memory model. Beyond this, our theorem clarifies the relationship between different weak memory models.
B. Proof Sketch
For the proof of Theorem 1, we developed a three-step proof technique that we find interesting in itself.
In the first step, we define three pairs of conditions on memory models, namely ( 1 , 1 ), ( 2 , 2 ), and ( 3 , 3 ) such that the two conditions within each pair are contradictory. That is (¬ ) ∨ (¬ ) holds for each ∈ {1, 2, 3}.
In the second step, we show that the three pairs of conditions can be used to discriminate between any two memory models in ℳℳ. We show for all MM , MM ′ ∈ ℳℳ that there exists ∈ {1, 2, 3} such that either
Note that at most one of the two conditions can be true because and are contradictory. Hence, ( , ) discriminates between MM and MM ′ .
In the third step, we specify for each index ∈ {1, 2, 3} two programs c + , c − ∈ and show that the following four implications hold for each MM ∈ ℳℳ:
The combination of these three steps allows one to conclude that, for each pair of two distinct memory models (MM , MM ′ ) ∈ ℳℳ × ℳℳ, there exists a program c ∈ such that c ∈ NI MM holds and c ∈ NI MM ′ does not hold. This proposition is equivalent to the one in Theorem 1.
Before developing this proof technique, we started to prove Theorem 1 by providing two programs c, c ′ for each pair of memory models MM , MM ′ and by showing that the programs are discriminating for these memory models, i.e., that
hold. This led to proofs that shared many similarities. Our proof technique can be viewed as a systematic solution to factor out these similarities, thus reducing both, the size of proofs and the effort to construct them. Our proof technique can also be viewed as a systematic solutions to uniformly structure proofs that pairs of programs are discriminating. Finally, we found the conditions ( , ) helpful for finding pairs of discriminating programs. However, creativity is also needed with our proof technique, namely to determine suitable pairs of discriminating conditions ( , ) and to determine, for each of these pairs, a suitable pair of programs c
In the remainder of this section, we elaborate the three steps in more detail. In particular, we provide formal definitions of the three pairs of conditions, show that they discriminate the memory models in ℳℳ, and present, for each pair of conditions, two programs that fulfill the implications in (1).
We define the conditions 1 , 2 , and 3 :
We define the conditions 1 , 2 , and 3 in Figure 8 . With our definitions of ( 1 , 1 ), ( 2 , 2 ), and ( 3 , 3 ) , the disjunction (¬ ) ∨ (¬ ) holds for each ∈ {1, 2, 3}. That is, the two conditions within each pair are contradictory.
Here, we show this for = 1 only, the other two cases are similar: We assume that both 1 (Φ, Ψ) and 1 (Φ, Ψ) hold, and derive a contradiction. We consider the path pa = [(0, x 0@r 1 )]::[(0, 0@y r 2 )]. For this path, WR (pa, 1) holds, because isWrite(x 0@r 1 ), isRead (0@y r 2 ), and sinks(x 0@r 1 ) ∩ sources(0@y r 2 ) = ∅ hold (see Figure 1 ). From our assumption 1 (Φ, Ψ), we obtain WR ∈ Φ. Together, this implies that next Φ (pa, 1) holds. From next Φ (pa, 1), pa [1] = (0, 0@y r 2 ), pa[0] = (0, x 0@r 1 ), isRead (0@y r 2 ) and our assumption 1 (Φ, Ψ), we can conclude that isWrite(x 0@r 1 ) does not hold. This is a contradiction, as x 0@r 1 is a write obligation. Table II shows which of our conditions 1 , 2 , 3 , 1 , 2 , and 3 are satisfied by which of the memory models in ℳℳ. The argument for each entry in this table is straightforward. Figure 8 . Definitions of 1 , 2 , and 3 
holds. This means that our choice of ( 1 , 1 ), ( 2 , 2 ), and ( 3 , 3 ) is suitable for discriminating the memory models in ℳℳ.
The following three lemmas refer to the programs c 
For the domain assignment lev with lev (h) = High and lev (x ) = Low for all x ∈ ∖ {h}, the following four propositions hold for each MM ∈ ℳℳ:
This concludes our proof sketch. The theorem follows from the three lemmas, as explained in the outline of our proof technique at the beginning of this subsection. A more detailed proof of Theorem 1 is made available under http://www.mais.informatik.tu-darmstadt.de /assets/publications/CSF2014-mps.pdf . 
VII. A SOUND ANALYSIS FOR WEAK MEMORY MODELS
In this section we present our transforming security type system. This type system inserts fences to ensure security under the four memory models SC, IBM370, TSO, and PSO.
To capture that a command c ∈ is transformed to c ′ ∈ , we introduce the judgment pc, pt ⊢ lev c ⋄(pt ′ , c ′ ), where lev : ( ∪ ℛ) → {Low, High} and pc, pt, pt ′ ∈ {Low, High}. Note that we use lev to assign security levels to both, variables and registers in this section. The domain assignment lev defines the policy that the transformation shall establish. The program counter pc is an upper bound on the security level on which it depends whether the command c is executed. The path-types pt and pt ′ are lower bounds on the security levels of variables and registers for which updates might be pending. Figure 12 defines the rules of our transforming type system. ′ under SC with an initial memory mem where mem(x) = 1 and mem(y) = 0 can never result in a final memory mem ′ with mem ′ (l 2 ) = 1. To reach such a final memory, the obligations of load 6 r 5 y and load 7 r 6 x must both update their target registers to a nonzero value such that the obligation of and 9 r 8 r 5 r 6 updates r 8 to 1 and the obligation of store 11 l 2 r 8 updates l 2 to 1. Since the initial value of y is 0, the variable y must be updated before fulfilling the obligation of load 6 r 5 y. The only obligation that updates y is the obligation of store 13 y r 3 . Since SC does not permit any reordering, this implies that store 12 x r 2 must also be fulfilled before the obligation of load 6 r 5 y and, consequently, also before the obligation of load 7 r 6 x.
[SK] pc, pt ⊢ lev skip ⋄ (pt, skip )
pc, pt ⊢ lev while r do c od ⋄ (pt ⊓ pt ′ , while r do c ′ od) Figure 12 . Transforming security type system for SC, IBM370, TSO, and PSO This means that the obligation of load 7 r 6 x will update its register to 0 in this case and, consequently, the final value of l 2 is 0. However, the program-order relaxation write-to-write of PSO allows fulfilling the obligation of store 13 y r 3 before the obligation store 12 x r 2 . Consequently, it is possible that the obligation of load 6 r 5 y and load 7 r 6 x both update their target register to 1. lev (h) = lev (r 1 ) = High, lev (x ) = Low for all x ∈ ∖ {h} lev (r ) = Low for all r ∈ ℛ ∖ {r 1 }. 
Theorem 4. Let c, c
′ ∈ and pc, pt ∈ {Low, High}. If
Theorems 2 and 3 show that it is possible to enforce noninterference under multiple memory models without having to establish sequential consistency. This means that programs resulting from the application of our type system may still gain performance from relaxed consistency guarantees.
Theorem 4 shows that our transforming security type system accepts all programs that resulted from an application of this type system. Moreover, a repeated application of our transforming security type system does not result in an additional increase of the size of a program.
VIII. RELATED WORK
Work on information flow analysis for concurrent programs was pioneered by Reitman and Andrews [21] . To present information flow analyses in the form of type systems together with a soundness proof against a declarative noninterferencelike condition has become popular since the seminal work by Volpano, Smith, and Irvine [22] . Volpano and Smith also proposed security type systems for concurrent programs together with soundness proofs [23] , [24] . Many further information flow analysis for concurrent programs have been proposed since, e.g., [6] , [25] , [26] , [27] , [28] .
To our knowledge, the only prior publication on information flow security that considers weak memory models is [13] . Vaughan and Millstein investigated noninterference for the memory model total store order. They showed that noninterference under sequential consistency does not imply noninterference under total store order and vice versa. Our work generalizes their result to further memory models.
Vaughan and Millstein proposed a security type system that is sound for total store order and showed how to make this security type system more precise by adding a flow-sensitive tracking of a security type for their write buffer. In our security type system, we perform a flow sensitive tracking of the security type of the path. However, we track this security type for a different purpose, namely to establish portable security guarantees, i.e. security guarantees that are valid for all four memory models sequential consistency, IBM 370, total store order, and partial store order.
The body of related work on memory consistency outside security is rich. Lamport defined sequential consistency as a consistency criterion for computations on multi-processor systems in [10] . While sequential consistency is very intuitive, it reduces the possibilities for effective use of hardware and compiler optimizations. To overcome this, memory models with relaxed consistency guarantees were developed. Adve and Gharachorloo gave in [11] , [12] an informal overview on memory models with relaxed security guarantees and proposed a taxonomy based on three program-order relaxations (writeto-read, write-to-write, and write-to-read/write), the writeatomicity relaxation read-others-write early, and the relaxation read-own-writes-early. Their work inspired the modular representation of relaxations of sequential consistency in our model of computation. This modularity enables us to clearly distinguish between the various program-order relaxations and write-atomicity relaxations.
To investigate and compare which program runs are possible under different memory models, generic execution models have been proposed. One prominent framework is the one by Alglave et al [29] , [30] , [15] . Like the original definition of total store order and partial store order in [20] , this framework is defined in an axiomatic style. Program runs are captured by read and write events, and by relations on these events. Event structures and execution witnesses are constructed from such events and relations. A given pair of an event structure and an execution witness describes one or more terminated program runs. That is, two different program runs might have the same representation. However, two given program runs might also have different representations in terms of event structures and execution witnesses. Not being able to distinguish program runs based on their representation, complicates the definition of noninterference and makes it difficult to prove noninterference in a compositional fashion. In contrast, our model of computation provides a unique representation of each program run and an explicit representation of intermediate states. The latter facilitates reasoning about noninterference compositionally in terms of individual computation steps.
An operational approach as it is taken for instance in [31] provides easier access to intermediate states. Boudol and Petri's execution model in [31] is tied to a particular memory model, which is defined by a combination of the relaxations write-to-read, write-to-write, read-own-writes-early, and readothers-writes-early. In [32] , Boudol, Petri and Serpette propose a generic execution model with a similar flavor. This execution model provides a small-step semantics for different memory models. The programming language considered is a -calculus with concurrency features including thread creation, but without recursion or loops. To describe weak memory models a temporary store is introduced in [32] that, similar to our concept of paths, buffers reads and writes until they take effect. The key concepts for describing permitted relaxations of sequential consistency, a commutability predicate and a write grain, build on the intuition of program-order and writeatomicity relaxations from [11] , [12] , similar to our predicates for program-order and write-atomicity relaxations. However, in contrast to our modular approach that allows one to compose pre-defined predicates to define a memory model, there is no support for defining the commutability predicate in [32] . Another important difference is that our states assign values to both memory locations and registers, while states in [32] assign values to memory locations only. Instead of referring to registers, a write event in [32] refers to the read event on which the value to be written depends until this value can be retrieved. As also pointed out in [32] for reasoning about lowlevel models an explicit representation of registers is desirable. Program transformations that establish information flow security have been proposed before, e.g., in [33] , [6] , [34] , [35] . Many of these transformations aim at the elimination of internal timing leaks in concurrent programs. To the best of our knowledge, fence insertion techniques have not been applied in the area of information flow security before.
Fence insertion techniques themselves, however, have been studied in depth, e.g., in [36] , [37] , [38] , [39] , [40] , [41] . Many fence insertion techniques aim at establishing sequential consistency. In our transformation, we avoid to establish sequential consistency as this would reduce the benefits of weak memory models. One motivation for relaxing sequential consistency is to gain performance, but this gain is lost, if sequentially consistent behavior is established, despite the weak memory model. To minimize the insertion of fences, we guide our transformation by the rules of our type system.
IX. CONCLUSION
The aim of our research was to better clarify the impact of weak memory models on information flow security. In this article, we showed that one cannot rely on the preservation of noninterference if one gives up sequential consistency. This was already known for total store order [13] , but it was not clear for the memory models partial store order and IBM 370 before. In addition, we showed that one cannot rely on the preservation of noninterference when migrating between weak memory models. While it might not be surprising that this can happen if one migrates from one weak memory model to another, we found it surprising that noninterference is not preserved no matter which two memory models one considers and no matter in which direction one migrates. In this article, we studied information flow security under four memory models. There are further relaxations of sequential consistency, whose impact on noninterference remains to be clarified.
The transforming type system that we presented is, to our knowledge, the first solution for soundly establishing noninterference under multiple weak memory models. At this point, we just employ a simple fence-insertion technique. To eliminate further insecurities, it would be desirable to integrate more sophisticated program modifications, however, without endangering sound enforcement of noninterference.
Altogether the study of information flow security under relaxed consistency guarantees has just begun.
ACKNOWLEDGMENTS.
We thank Andrei Sabelfeld, Barbara Sprick, and the reviewers for valuable criticism and constructive comments. This work was funded by the DFG under the project RSCP (MA 3326/4-2) in the priority program RS 3 (SPP 1496).
