Date: Dec 6, 2002, 11am
Place: Columbia
This is a survey paper on static analysis techniques for ensuring end-to-end information flow security. Much of the paper concerns type systems for security. You can download the paper from its CiteSeer page, which also links to other papers that seem closely related.
Current standard security practices do not provide substantial assurance that the end-to-end behavior of a computing system satisfies important security policies such as confidentiality. An end-to-end confidentiality policy might assert that secret input data cannot be inferred by an attacker through the attacker's observations of system output; this policy regulates information flow.
Conventional security mechanisms such as access control and encryption do not directly address the enforcement of information-flow policies. Recently, a promising new approach has been developed: the use of programming-language techniques for specifying and enforcing information-flow policies. In this article we survey the past three decades of research on information-flow security, particularly focusing on work that uses static program analysis to enforce information-flow policies. We give a structured view of recent work in the area and identify some important open challenges.