Information-Flow Security for Interactive Programs

Abstract

Interactive programs allow users to engage in input and output throughout execution. The ubiquity of such pro- grams motivates the development of models for reasoning about their information-flow security, yet no such models seem to exist for imperative programming languages. Fur- ther, existing language-based security conditions founded on noninteractive models permit insecure information flows in interactive imperative programs. This paper formulates new strategy-based information-flow security conditions for a simple imperative programming language that includes input and output operators. The semantics of the lan- guage enables a fine-grained approach to the resolution of nondeterministic choices. The security conditions lever- age this approach to prohibit refinement attacks while still permitting observable nondeterminism. Extending the lan- guage with probabilistic choice yields a corresponding def- inition of probabilistic noninterference. A soundness theo- rem demonstrates the feasibility of statically enforcing the security conditions via a simple type system. These re- sults constitute a step toward understanding and enforcing information-flow security in real-world programming lan- guages, which include similar input and output operators.