Protecting Information under Dynamic Policies: Specification, Conditions and Enforcement
Doctoral thesis, 2016

Information-flow control enforces security policies on the information handled by computer applications. These policies often contain dynamic aspects, specifying how the confidentiality and integrity of information changes over time. This thesis focuses on the enforcement of such dynamic policies. The contributions are divided into three parts. Firstly, we need a means to specify our dynamic concerns in a manner that can be understood by a computer. The thesis builds on the Paralocks language as a suitable specification mechanism for such dynamic policies. Secondly, having specified a dynamic policy we require an understanding of what it means for a program to comply with that policy. The thesis identifies and addresses several of the challenges that the dynamic nature of policies introduces. Finally, given a policy specification and a definition of policy compliance, we explore how we can mechanically verify this compliance on programs. The thesis discusses two approaches: one static, using a type system, and one dynamic, using a run-time monitor.

dynamic policies

information flow control

datalog

security condition

enforcement

Hörsalsvägen 14, HC 2
Opponent: Associate Professor Stephen Chong

Author

Bart van Delft

Chalmers, Computer Science and Engineering, Software Engineering

Dynamic Enforcement of Dynamic Policies

PLAS 2015 (2015), pp. 28-41

Paper in proceedings

Paragon for Practical Programming with Information-Flow Control

Lecture Notes in Computer Science, Vol. 8301 (2013), pp. 217-232

Paper in proceedings

Very static enforcement of dynamic policies

Lecture Notes in Computer Science, Vol. 9036 (2015), pp. 32-52

Paper in proceedings

A Datalog Semantics for Paralocks

Lecture Notes in Computer Science, Vol. 7783 (2013), pp. 305-320

Paper in proceedings

The Anatomy and Facets of Dynamic Policies

28th IEEE Computer Security Foundations Symposium (CSF), July 13-17, 2015, Verona, Italy (2015), pp. 122-136

Paper in proceedings

Today, most of our valuable information is digital and processed by computer applications: cloud services store our pictures, apps on our smartphones update our contact lists, and web browsers access our bank accounts. Unfortunately, the security controls on this digital information are often more limited than we would like. If we want to allow our web browser to access our bank account and post on social networks, we cannot prevent the browser from publishing our account's balance on Facebook. Information flow researchers have introduced various techniques that provide more fine-grained control over our digital data. These allow us to specify and enforce how an application may process the information it has access to. In most existing work, we can only specify a single, non-changing security policy on our information. In practice, however, we regularly change which information flows we do and do not want to allow. For example, we only want to share our pictures with social network contacts that are currently marked as friends. Or a company may only want to share its strategic plan with those employees who currently hold a manager position. In this thesis we introduce support for such dynamic policies on our digital information. We discuss ways to specify these policies so that a computer can understand, update, and automatically enforce our security concerns.

Areas of Advance

Information and Communication Technology

Subject categories

Computer and Information Science

ISBN

978-91-7597-321-0

Doktorsavhandlingar vid Chalmers tekniska högskola. Ny serie


More information

Created

2017-10-07