Foundations and Trends® in Privacy and Security > Vol 3 > Issue 1

Expressing Information Flow Properties

By Elisavet Kozyri, UiT The Arctic University of Norway, Norway, elisavet.kozyri@uit.no | Stephen Chong, Harvard University, USA, chong@seas.harvard.edu | Andrew C. Myers, Cornell University, USA, andru@cs.cornell.edu

 
Suggested Citation
Elisavet Kozyri, Stephen Chong and Andrew C. Myers (2022), "Expressing Information Flow Properties", Foundations and Trends® in Privacy and Security: Vol. 3: No. 1, pp 1-102. http://dx.doi.org/10.1561/3300000008

Publication Date: 19 Jan 2022
© 2022 E. Kozyri, S. Chong and A.C. Myers
 
Subjects
Information flow,  Language-based security and privacy,  Security and privacy policies,  Privacy,  Security,  Programming Language Security
 

In this article:
1. Introduction
2. Noninterference
3. Labels
4. Threat Model
5. Computational Models
6. Reclassification
7. Information Flow Policies and Authorization
8. Quantitative Information Flow Properties
9. Future Directions
Acknowledgements
References

Abstract

Industries and governments are increasingly compelled by regulations and public pressure to handle sensitive information responsibly. Regulatory requirements and user expectations may be complex and have subtle implications for the use of data. Information flow properties can express complex restrictions on data usage by specifying how sensitive data (and data derived from sensitive data) may flow throughout computation. Controlling these flows of information according to the appropriate specification can prevent both leakage of confidential information to adversaries and corruption of critical data by adversaries. There is a rich literature expressing information flow properties to describe the complex restrictions on data usage required by today’s digital society. This monograph summarizes how the expressiveness of information flow properties has evolved over the last four decades to handle different threat models, computational models, and conditions that determine whether flows are allowed. In addition to highlighting the significant advances of this area, we identify some remaining problems worthy of further investigation.

DOI: 10.1561/3300000008
Paperback: ISBN 978-1-68083-936-4, 118 pp., $80.00
E-book (.pdf): ISBN 978-1-68083-937-1, 118 pp., $145.00

Expressing Information Flow Properties

With information comes responsibility: a responsibility to use information according to appropriate restrictions. Forced by regulations and public sentiment, technology companies are increasing the transparency of how personal data is used, allowing users to make more fine-grained decisions on how and where their information should flow. Work over the last four decades has led to the introduction of the term information flow properties. These properties can express complex restrictions on data usage by specifying how sensitive data may flow throughout computation.

In this monograph the authors match the demand of the digital society for expressing complex data-usage restrictions with the supply of information flow properties proposed in the literature. For the first time ever, the authors perform a large-scale systematization of such information flow properties. In doing so, they survey the wide variety of information flow properties that have been formulated within the last four decades, compare their expressive power, and suggest research directions for a faster convergence between future technological demand and literature supply.

This concise overview of such a diverse topic provides the reader with an invaluable reference when implementing security technologies in all types of information systems. It is particularly useful for students, researchers and practitioners working on modern-day information security problems.

 
SEC-008