Controlling Dependencies for Security and Privacy
Licentiate thesis, 2011

This thesis explores several ways to diversify the field of Information Flow Control. At the heart of the field lie, on the one hand, policies for describing limitations on the information dependencies induced by a program and, on the other hand, mechanisms to enforce such policies. We aim to improve the current state of the art by pointing out areas where current policy definitions and enforcement mechanisms fall short in providing information confidentiality and integrity. We identify that integrity properties often must go beyond simple data dependencies, provide a notion of "generalized invariants" for describing certain program correctness properties, and show that their enforcement can be incorporated into a standard monitor for Information Flow Control. For confidentiality, we show that termination-insensitive security definitions may not be appropriate when programs can be invoked multiple times by an attacker, and suggest an improvement to type-based enforcement that extends the security definition to the multi-run case. Furthermore, we seek overlaps between Information Flow Control and other fields. We explore the application of capability systems to enforce Information Flow Control policies, with positive results. We also study how tracking of data dependencies can be applied to improve the programming model for Differential Privacy, a framework providing strong theoretical guarantees regarding the privacy-preserving use of data.

dependency analysis

information security

information flow

privacy

information integrity

information confidentiality

Sal EC, EDIT
Opponent: Sergio Maffeis, Imperial College, London, UK

Author

Arnar Birgisson

Chalmers, Computer Science and Engineering (Chalmers), Software Technology (Chalmers)

Unifying Facets of Information Integrity

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Vol. 6503 (2010), p. 48-65

Paper in proceedings

Areas of Advance

Information and Communication Technology

Roots

Basic sciences

Subject Categories

Software Engineering

Technical report L - Department of Computer Science and Engineering, Chalmers University of Technology and Göteborg University

