Tracking Dependencies for Security and Privacy
Doctoral thesis, 2013

Information flow control is a well-established field of research, providing a suite of theoretical and practical results. However, adoption in real-world systems has yet to catch up. This thesis seeks to expand the boundaries of this field, in particular with the aim of making information flow control more applicable to real-world scenarios. To this end, it studies several areas for improvement, ranging from fundamental notions of policies for specifying limitations on the data dependencies induced by programs, to mechanisms for enforcing such policies both statically and dynamically. We aim to push the current state of the art by identifying and addressing areas where current policy definitions and enforcement mechanisms fall short in providing information confidentiality and integrity.

On the policy side, we examine existing, mutually incomparable notions of integrity. We present a generalized integrity framework that features a range of integrity facets, from correctness to data dependency, and demonstrate how all the facets can be enforced at once by a single execution monitor. We also consider information leaked across multiple runs, which traditional non-interference policies address poorly. Employing a knowledge-based policy, we show that only minor adjustments to standard type systems are needed to cover the multi-run case. We apply data-dependency policies and tracking to provide a flexible programming model on top of differentially private databases.

On the enforcement side, we demonstrate how a language endowed with capabilities can directly enforce information flow control policies using such primitives, through a program transformation. The thesis then considers the permissiveness of dynamic monitors, and shows that it can be improved mechanically through the use of random testing and program rewriting.
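The permissiveness problem the abstract refers to can be seen on a toy monitor. The following is an added example, not code from the thesis: a dynamic information-flow monitor for a tiny while-language that applies the no-sensitive-upgrade (NSU) rule, together with a test-and-rewrite loop in the spirit described above, which inserts an explicit label upgrade wherever a test run makes the monitor stop a program. The language, the AST encoding, the `upgrade` statement, the rewriting heuristic and the two sample programs are all constructed here for illustration.

```python
# Added example, not code from the thesis: a toy dynamic information-flow
# monitor with the no-sensitive-upgrade (NSU) rule and a test-and-rewrite
# loop. The language, AST encoding, "upgrade" statement and the sample
# programs below are constructed for illustration.

LOW, HIGH = "L", "H"


def join(a, b):
    """Least upper bound on the two-point lattice L < H."""
    return HIGH if HIGH in (a, b) else LOW


class NSUViolation(Exception):
    """The monitor stopped a write to a public variable under a secret pc."""
    def __init__(self, var):
        super().__init__(f"write to public variable {var!r} under secret pc")
        self.var = var


def eval_expr(env, e):
    """Expressions: int literal, variable name, or ("op", fn, e1, e2).
    Returns (value, label); env maps name -> (value, label)."""
    if isinstance(e, int):
        return e, LOW
    if isinstance(e, str):
        return env[e]
    _, fn, e1, e2 = e
    v1, l1 = eval_expr(env, e1)
    v2, l2 = eval_expr(env, e2)
    return fn(v1, v2), join(l1, l2)


def run(stmts, env, pc=LOW):
    """Execute stmts under the monitor; pc is the label of the control context."""
    for s in stmts:
        if s[0] == "assign":
            _, x, e = s
            v, l = eval_expr(env, e)
            # NSU: under a secret pc a public variable may not be written, since
            # raising its label at this point would itself reveal the branch taken.
            if pc == HIGH and x in env and env[x][1] == LOW:
                raise NSUViolation(x)
            env[x] = (v, join(l, pc))
        elif s[0] == "upgrade":          # inserted by rewrite(); only raises labels
            env[s[1]] = (env[s[1]][0], HIGH)
        elif s[0] == "if":
            _, cond, then, els = s
            c, l = eval_expr(env, cond)
            run(then if c else els, env, join(pc, l))
    return env


def rejected_by_nsu(stmts, env):
    """True if running stmts on a copy of env trips the NSU check."""
    try:
        run(stmts, dict(env))
        return False
    except NSUViolation:
        return True


def assigns(stmts, x):
    return any((s[0] == "assign" and s[1] == x)
               or (s[0] == "if" and (assigns(s[2], x) or assigns(s[3], x)))
               for s in stmts)


def rewrite(stmts, x):
    """Insert ("upgrade", x) before every conditional whose branches write x,
    so the later write goes to a variable that is already secret."""
    out = []
    for s in stmts:
        if s[0] == "if" and (assigns(s[2], x) or assigns(s[3], x)):
            out.append(("upgrade", x))
            out.append(("if", s[1], rewrite(s[2], x), rewrite(s[3], x)))
        else:
            out.append(s)
    return out


def make_permissive(stmts, inputs, max_rounds=10):
    """Run the program on the test inputs; whenever the monitor stops it,
    upgrade the offending variable and retry. Returns the rewritten program."""
    prog = list(stmts)
    for _ in range(max_rounds):
        try:
            for env in inputs:
                run(prog, dict(env))
            return prog
        except NSUViolation as ex:
            prog = rewrite(prog, ex.var)
    raise RuntimeError("program still rejected after rewriting")


# Constructed program: x is overwritten on every path, so its final value does
# not depend on the secret h, yet NSU stops the write inside the branch.
PROGRAM = [("assign", "x", 0),
           ("if", "h", [("assign", "x", 1)], []),
           ("assign", "x", 2)]
# Constructed leaky program: l's final value is exactly h. After rewriting,
# the dependence is recorded in l's label rather than hidden by a monitor stop.
LEAKY = [("if", "h", [("assign", "l", 1)], [("assign", "l", 0)])]
TEST_INPUTS = [{"h": (0, HIGH), "l": (0, LOW)}, {"h": (1, HIGH), "l": (0, LOW)}]

if __name__ == "__main__":
    print("original rejected on h=1:", rejected_by_nsu(PROGRAM, TEST_INPUTS[1]))
    fixed = make_permissive(PROGRAM, TEST_INPUTS)
    print("rewritten:", fixed, "final x:", run(fixed, dict(TEST_INPUTS[1]))["x"])
```

The second test input is the one that exposes the rejection, which is the point of driving the rewriting from test runs rather than from a static analysis: the monitor only learns where it is too strict by actually reaching the offending write. The `upgrade` statement is safe to insert anywhere because it only ever raises a label; on the leaky program it does not make the monitor accept a leak, it makes the leak visible as a secret label on `l`.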
The thesis then explores the challenges, and their solutions, of implementing a dynamic monitor for the full JavaScript language, including its built-in libraries and APIs. Finally, we develop a framework of integrity-protected capabilities that support attenuated delegation and contextual bindings. In particular, contextual bindings allow a capability to encode dependencies between the invoker's context, the resource it refers to and the host's context that must be satisfied for authorization to succeed. We show that our construction applies well to cheap but powerful authentication protocols for distributed systems and cloud services.
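The three properties named above, integrity protection, attenuated delegation and contextual bindings, can be shown together on a small credential. The following is an added example and not the thesis's own construction: a capability built as an HMAC chain in which a holder can append caveats but not remove them, and in which caveats are predicates the host evaluates against its own view of the request context. The root key, the caveat syntax (`key = value`, `key < int`), the resource name and the context keys are assumptions made for this illustration.

```python
import hashlib
import hmac

# Added example, not the thesis's own construction: an integrity-protected
# capability as an HMAC chain with attenuated delegation and contextual
# bindings. Root key, caveat syntax and context keys are assumed here.

ROOT_KEY = b"constructed-issuer-root-key"   # held only by the issuing host


def _tag(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def mint(root_key, resource):
    """Issue a fresh capability for resource: sig = HMAC(root_key, resource)."""
    return {"resource": resource, "caveats": [], "sig": _tag(root_key, resource)}


def attenuate(cap, caveat):
    """Delegate with less authority. The new tag is keyed by the old one, so a
    holder can append caveats without knowing root_key but cannot remove any
    without breaking the chain."""
    return {"resource": cap["resource"],
            "caveats": cap["caveats"] + [caveat],
            "sig": _tag(cap["sig"], caveat)}


def _recompute(root_key, cap):
    sig = _tag(root_key, cap["resource"])
    for c in cap["caveats"]:
        sig = _tag(sig, c)
    return sig


def caveat_holds(caveat, ctx):
    """Contextual binding: a caveat is a predicate over the request context.
    Assumed syntax: '<key> = <value>' or '<key> < <int>'."""
    key, op, val = caveat.split(" ", 2)
    if key not in ctx:
        return False
    if op == "=":
        return str(ctx[key]) == val
    if op == "<":
        return ctx[key] < int(val)
    return False


def authorize(root_key, cap, ctx):
    """Host-side check: integrity first (constant-time compare), then every
    caveat must hold in the host's own context, never in one the caller supplies."""
    if not hmac.compare_digest(_recompute(root_key, cap), cap["sig"]):
        return False
    return all(caveat_holds(c, ctx) for c in cap["caveats"])


def strip_last_caveat(cap):
    """What a dishonest delegate might try: drop a caveat but keep the tag."""
    return {"resource": cap["resource"],
            "caveats": cap["caveats"][:-1],
            "sig": cap["sig"]}


# Constructed delegation chain: issuer -> alice, then alice -> a short-lived
# credential for one of her clients, bound to her identity and a deadline.
ROOT_CAP = mint(ROOT_KEY, "bucket:photos")
DELEGATED = attenuate(attenuate(ROOT_CAP, "user = alice"), "time < 1700000000")

if __name__ == "__main__":
    ctx = {"user": "alice", "time": 1699999999}
    print(authorize(ROOT_KEY, DELEGATED, ctx))                       # True
    print(authorize(ROOT_KEY, DELEGATED, {**ctx, "user": "bob"}))   # False
    print(authorize(ROOT_KEY, strip_last_caveat(DELEGATED), ctx))   # False
```

Verification costs one MAC per caveat and no public-key operation, which is what makes this style of credential cheap for a service to check; the only secret the host must guard is the root key, and the only way for a delegate to change the authority encoded in the credential is to narrow it.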

Programming Languages

Software Security

Web Security

VV12, Sven Hultins gata 6, Chalmers.
Opponent: Prof. Michael Hicks, Department of Computer Science, University of Maryland, USA.


Arnar Birgisson

Chalmers, Computer Science and Engineering, Software Engineering

Capabilities for information flow

ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (2011), article no. 5

Paper in proceedings

Unifying Facets of Information Integrity

Lecture Notes in Computer Science, Vol. 6503 (2010), pp. 48-65

Paper in proceedings

Multi-run security

Lecture Notes in Computer Science (2011), pp. 372-391

Paper in proceedings

Boosting the Permissiveness of Dynamic Information-Flow Tracking by Testing

Lecture Notes in Computer Science, Vol. 7459 (2012), pp. 55-72

Article in scientific journal

Position Paper: Differential Privacy with Information Flow Control

Proceedings of the ACM SIGPLAN Sixth Workshop on Programming Languages and Analysis for Security (2011)

Paper in proceedings


Information and Communication Technology

Doctoral theses at Chalmers University of Technology. New series: 3610
