
David Sands - Chalmers University of Technology

About
Publications: 104
Reads: 13,896
Citations: 4,149
Publications (104)
This paper proposes a reconciliation of two different theories of information. The first, originally proposed in a lesser-known work by Claude Shannon (some five years after the publication of his celebrated quantitative theory of communication), describes how the information content of channels can be described qualitatively , but still abstractly...
This paper proposes a reconciliation of two different theories of information. The first, originally proposed in a lesser-known work by Claude Shannon, describes how the information content of channels can be described qualitatively, but still abstractly, in terms of information elements, i.e. equivalence relations over the data source domain. Shan...
Static program analysis, once seen primarily as a tool for optimising programs, is now increasingly important as a means to provide quality guarantees about programs. One measure of quality is the extent to which programs respect the privacy of user data. Differential privacy is a rigorous quantified definition of privacy which guarantees a bound o...
In this paper, we consider the runtime verification problem of safety hyperproperties for deterministic programs. Several security and information-flow policies such as data minimality, non-interference, integrity, and software doping are naturally expressed formally as safety hyperproperties. Although there are monitoring results for hyperproperti...
Data minimisation is a privacy enhancing principle, stating that personal data collected should be no more than necessary for the specific purpose consented by the user. Checking that a program satisfies the data minimisation principle is not easy, even for the simple case when considering deterministic programs-as-functions. In this paper we prove...
Conventional security policies for software applications are adequate for managing concerns on the level of access control. But standard abstraction mechanisms of mainstream programming languages are not sufficient to express how information is allowed to flow between resources once access to them has been obtained. In practice we believe that such...
Data minimisation is a privacy-enhancing principle considered as one of the pillars of personal data regulations. This principle dictates that personal data collected should be no more than necessary for the specific purpose consented by the user. In this paper we study data minimisation from a programming language perspective. We define a data min...
Data minimisation is a privacy-enhancing principle considered as one of the pillars of personal data regulations. This principle dictates that personal data collected should be no more than necessary for the specific purpose consented by the user. In this paper we study data minimisation from a programming language perspective. We assume that a giv...
Differentially private mechanisms enjoy a variety of composition properties. Leveraging these, McSherry introduced PINQ (SIGMOD 2009), a system empowering non-experts to construct new differentially private analyses. PINQ is a LINQ-like API which provides automatic privacy guarantees for all programs which use it to mediate sensitive data manipula...
Information flow policies are often dynamic; the security concerns of a program will typically change during execution to reflect security-relevant events. A key challenge is how to best specify, and give proper meaning to, such dynamic policies. A large number of approaches exist that tackle that challenge, each yielding some important, but unconn...
Differential privacy provides a way to get useful information about sensitive data without revealing much about any one individual. It enjoys many nice compositionality properties not shared by other approaches to privacy, including, in particular, robustness against side-knowledge. Designing differentially private mechanisms from scratch can be a...
Security policies are naturally dynamic. Reflecting this, there has been a growing interest in studying information-flow properties which change during program execution, including concepts such as declassification, revocation, and role-change. A static verification of a dynamic information flow policy, from a semantic perspective, should only need...
Environmental noise (e.g. heat, ionized particles, etc.) causes transient faults in hardware, which lead to corruption of stored values. Mission-critical devices require such faults to be mitigated by fault-tolerance --- a combination of techniques that aim at preserving the functional behaviour of a system despite the disruptive effects of transient faul...
We demonstrate Paragon, a Java-based programming language with integrated information-flow control. We show how the use of information-flow policies combined with encapsulation allows for simple yet powerful and flexible policy libraries tailored to the needs of a particular application or system.
This paper is about ensuring security in unreliable systems. We study systems which are subject to transient faults – soft errors that cause stored values to be corrupted. The classic problem of fault tolerance is to modify a system so that it works despite a limited number of faults. We introduce a novel variant of this problem. Instead of demandi...
This work is about specifying and ensuring security in unreliable systems. We study systems which are subject to transient faults -- soft errors that cause stored values to be corrupted. Transient faults occur in hardware when a high-energy particle strikes a transistor, resulting in a spontaneous bit-flip. Such events have been acknowledged as the...
Tutorial on programming with Paragon. Read it interactively on http://paragon.nowplea.se/
Broberg and Sands (POPL'10) introduced a logic-based policy language, Paralocks, suitable for static information-flow control in programs. Although Paralocks comes with a precise information-flow semantics for programs, the logic-based semantics of policies, describing how policies are combined and compared, is less well developed. This makes the...
We consider the problem of logical data erasure, contrasting with physical erasure in the same way that end-to-end information flow control contrasts with access control. We present a semantic hierarchy for erasure policies, using a possibilistic knowledge-based semantics to define policy satisfaction such that there is an intuitively clear upper b...
The idea of building secure systems by plugging together "secure" components is appealing, but this requires a definition of security which, in addition to taking care of top-level security goals, is strengthened appropriately in order to be compositional. This approach has been previously studied for information-flow security of shared-variable c...
Hunt and Sands (POPL'06) studied a flow sensitive type (FST) system for multi-level security, parametric in the choice of lattice of security levels. Choosing the powerset of program variables as the security lattice yields a system which was shown to be equivalent to Amtoft and Banerjee's Hoare-style independence logic (SAS'04). Moreover, using th...
Security or privacy-critical applications often require access to sensitive information in order to function. But in accordance with the principle of least privilege – or perhaps simply for legal compliance – such applications should not retain said information once it has served its purpose. In such scenarios, the timely disposal of data is known...
Phung et al (ASIACCS'09) describe a method for wrapping built-in functions of JavaScript programs in order to enforce security policies. The method is appealing because it requires neither deep transformation of the code nor browser modification. Unfortunately the implementation outlined suffers from a range of vulnerabilities, and policy construct...
This paper presents Paralocks, a language for building expressive but statically verifiable fine-grained information flow policies. Paralocks combine the expressive power of Flow Locks (Broberg & Sands, ESOP'06) with the ability to express policies involving run-time principles, roles (in the style of role-based access control), and relations (s...
This paper presents Paralocks, a language for building expressive but statically verifiable fine-grained information flow policies. Paralocks combine the expressive power of Flow Locks (Broberg & Sands, ESOP'06) with the ability to express policies involving run-time principles, roles (in the style of role-based access control), and relations (such...
Side channel attacks have emerged as a serious threat to the security of both networked and embedded systems -- in particular through the implementations of cryptographic operations. Side channels can be difficult to model formally, but with careful coding and program transformation techniques it may be possible to verify security in the presence o...
Dynamic information flow policies, such as declassification, are essential for practically useful information flow control systems. However, most systems proposed to date that handle dynamic information flow policies suffer from a common drawback. They build on semantic models of security which are inherently flow insensitive, which means that many...
Hunt and Sands (ESOP'08) studied a notion of information erasure for systems which receive secrets intended for limited-time use. Erasure demands that once a secret has fulfilled its purpose the subsequent behaviour of the system should reveal no information about the erased data. In this paper we address a shortcoming in that work: for erasure to...
Computing systems often deliberately release (or declassify) sensitive information. A principal security concern for systems permitting information release is whether this release is safe: is it possible that the attacker compromises the information release mechanism and extracts more secret information than intended? While the security community h...
Dynamic information flow policies, such as declassification, are essential for practically useful information flow control systems. However, most systems proposed to date that handle dynamic information flow policies suffer from a common drawback. They build on semantic models of security which are inherently flow insensitive, which means that...
Information flow policies that evolve over time (including, for example, declassification) are widely recognised as an essential ingredient in usable information flow control systems. In previous work ([BS06a, BS06b]) we have shown one approach to such policies, flow locks, which is a very general and flexible system capable of encoding many other...
Tools for analysing secure information flow are almost exclusively based on ideas going back to Denning's work from the 70's. This approach embodies an imperfect notion of security which turns a blind eye to information flows which are encoded in the termination behaviour of a program. In exchange for this weakness many more programs are deemed...
This paper introduces a method to control JavaScript execution. The aim is to prevent or modify inappropriate behaviour caused by e.g. malicious injected scripts or poorly designed third-party code. The approach is based on modifying the code so as to make it self-protecting: the protection mechanism (security policy) is embedded into the c...
Current tools for analysing information flow in programs build upon ideas going back to Denning's work from the 70's. These systems enforce an imperfect notion of information flow which has become known as termination-insensitive noninterference. Under this version of noninterference, information leaks are permitted if they are transmitted pure...
There are many settings in which sensitive information is made available to a system or organisation for a specific purpose, on the understanding that it will be erased once that purpose has been fulfilled. A familiar example is that of online credit card transactions: a customer typically provides credit card details to a payment system on the...
The lifecycle mismatch between vehicles and their IT system poses a problem for the automotive industry. Such systems need to be open and extensible to provide customised functionalities and services. What is less clear is how to achieve this with quality and security guarantees. Recent studies in language-based security – the use of p...
Security is rarely a static notion. What is considered to be confidential or untrusted data varies over time according to changing events and states. The static verification of secure information flow has been a popular theme in recent programming language research, but information flow policies considered are based on multilevel security which p...
This paper shows how the Improvement Theorem, a semantic condition for the total correctness of program transformation on higher-order functional programs, has practical value in proving the correctness of automatic techniques, including deforestation and supercompilation. This is aided by a novel formulation (and generalisation) of deforestation-lik...
This article investigates formal properties of a family of semantically sound flow-sensitive type systems for tracking information flow in simple While programs. The family is indexed by the choice of flow lattice. By choosing the flow lattice to be the powerset of program variables, we obtain a system which, in a very strong sense, subsumes all ot...
With the ever increasing use of computers for critical systems, computer security that protects data and computer systems from intentional, malicious intervention, continues to attract significant attention. Among the methods for defense, the application of a tool to help the operator identify ongoing or already perpetrated attacks (intrusion detec...
A common theoretical assumption in the study of information flow security in Java-like languages is that pointers are opaque - i.e., that the only properties that can be observed of pointers are the objects to which they point, and (at most) their equality. These assumptions often fail in practice. For example, various important operations in J...
Common protection mechanisms fail to provide end-to-end security; programs with legitimate access to secret information are not prevented from leaking this to the world. Information-flow aware analyses track the flow of information through the program to prevent such leakages, but often ignore information flows through covert channels even though t...
Most attempts at analysing secure information flow in programs are based on domain-specific logics. Though computationally feasible, these approaches suffer from the need for abstraction and the high cost of building dedicated tools for real programming languages. We recast the information flow problem in a general program logic rather than a probl...
Traditional noninterference cannot cope with common features of secure systems like channel control, information filtering, or explicit downgrading. Recent research has addressed the derivation and use of weaker security conditions that could support such features in a language-based setting. However, a fully satisfactory solution to the problem ha...
The powerful abstraction mechanisms of functional programming languages provide the means to develop domain-specific programming languages within the language itself. Typically, this is realised by designing a set of combinators (higher-order reusable programs) for an application area, and by constructing individual applications by combining and co...
Innocent-looking program transformations can easily change the space complexity of lazy functional programs. The theory of space improvement seeks to characterise those local program transformations which are guaranteed never to worsen asymptotic space complexity of any program. Previous work by the authors introduced the space improvement relation...
The equational theories at the core of most functional programming are variations on the standard lambda calculus. The best-known of these is the call-by-value lambda calculus whose core is the value-beta computation rule (λx.M) V → M(V/x) where V is restricted to be a value rather than an arbitrary term. This paper investigates the transformati...
When can a program be trusted with your secret data? The setting which motivates this work is that of confidentiality and privacy in mobile code. Assume that some user wants to run a program that originates from an untrusted source. For example, the program can have been downloaded from an untrusted site on the Internet. When the program is run, it...
Innocent-looking program transformations can easily change the space complexity of lazy functional programs. The theory of space improvement seeks to characterize those local program transformations which are guaranteed never to worsen asymptotic space complexity of any program. Previous work by the authors introduced the space improvement relation...
Recent interest in methods for certifying programs for secure information flow (noninterference) have failed to raise a key question: can efficient algorithms be written so as to satisfy the requirements of secure information flow? In this paper we discuss how algorithms for searching and sorting can be adapted to work on collections of secret data...
This paper proposes an extensional semantics-based formal specification of secure information-flow properties in sequential programs based on representing degrees of security by partial equivalence relations (pers). The specification clarifies and unifies a number of specific correctness arguments in the literature and connections to other forms of...
Recent interest in methods for certifying programs for secure information flow (noninterference) have failed to raise a key question: can efficient algorithms be written so as to satisfy the requirements of secure information flow? We discuss how algorithms for searching and sorting can be adapted to work on collections of secret data without leaki...
Recent interest in methods for certifying programs for secure information flow (noninterference) have failed to raise a key question: can efficient algorithms be written so as to satisfy the requirements of secure information flow? In this paper we discuss how algorithms for searching and sorting can be adapted to work on collections of secret d...
We present a probability-sensitive confidentiality specification -- a form of probabilistic noninterference -- for a small multi-threaded programming language with dynamic thread creation. Probabilistic covert channels arise from a scheduler which is probabilistic. Since scheduling policy is typically outside the language specification for multithr...
This paper shows how the Improvement Theorem — a semantic condition for establishing the total correctness of program transformation on higher-order functional programs — has practical value in proving the correctness of automatic techniques. To this end we develop and study a family of automatic program transformations. The root of this family is...
This paper is concerned with the time-analysis of functional programs. Techniques which enable us to reason formally about a program's execution costs have had relatively little attention in the study of functional programming. We concentrate here on the construction of equations which compute the time-complexity of expressions in a lazy higher-ord...
We investigate the soundness of a specialisation technique due to Scherlis, expression procedures, in the context of a higher-order non-strict functional language. An expression procedure is a generalised procedure construct providing a contextually specialised definition. The addition of expression procedures thereby facilitates the manipulation a...
Passive Steps. We abstract the passive steps performable by a program via a (labeled) transition system with judgements of the form P R ; Q, where R is a set of reductions. As an auxiliary, we define a notion of convergence for programs which is an abstraction of the convergence predicate for configurations. The abstract convergence predicate is...
Techniques for reasoning about extensional properties of functional programs are well understood, but methods for analysing the underlying intensional or operational properties have been much neglected. This paper begins with the development of a simple but useful calculus for time analysis of non-strict functional programs with lazy lists. One lim...
Machine. The semantics presented in this section is essentially Sestoft's "mark 1" abstract machine for laziness [Sestoft 1997]. In that paper, he proves his abstract machine (A. K. Moran and D. Sands) ⟨Γ{x = M}, x, S⟩ → ⟨Γ, M, #x : S⟩ (Lookup) ⟨Γ, V, #x : S⟩ → ⟨Γ{x = V}, V, S⟩ (Update) ⟨Γ, M x, S⟩ → ⟨Γ, M, x : S⟩ (Unwind) ⟨Γ, λx.M, y : S⟩ → ⟨...
We introduce a space-improvement relation on programs which guarantees that whenever M is improved by N, replacement of M by N in a program can never lead to asymptotically worse space (heap or stack) behaviour, for a particular model of garbage collection. This study takes place in the context of a call-by-need programming language. For languages...
Pure functional programming languages have been proposed as a vehicle to describe, simulate and manipulate circuit specifications. We propose an extension to Haskell to solve a standard problem when manipulating data types representing circuits in a lazy functional language. The problem is that circuits are finite graphs but viewing them as an alge...
In program optimisation an analysis determines some information about a portion of a program, which is then used to justify certain transformations on the code. The correctness of the optimisation can be argued monolithically by considering the behaviour of the optimiser and a particular analysis in conjunction. Alternatively, correctness can be es...
An improvement theory is a variant of the standard theories of observational approximation (or equivalence) in which the basic observations made of a functional program’s execution include some intensional information about, for example, the program’s computational cost. One program is an improvement of another if its execution is more efficient in...
The standard implementation technique for lazy functional languages is call-by-need, which ensures that an argument to a function in any given call is evaluated at most once. A significant problem with call-by-need is that it is difficult --- even for compiler writers --- to predict the effects of program transformations. The traditional theories f...
This paper proposes an extensional semantics-based formal specification of secure information-flow properties in sequential programs based on representing degrees of security by partial equivalence relations (pers). Department of Computer Science, Chalmers University of Technology and the University of Göteborg, {andrei,dave}@cs.chalmers.se
Gamma is a minimal language based on local multiset rewriting with an elegant chemical reaction metaphor. The virtues of this paradigm in terms of systematic program construction and design of parallel programs have been argued in previous papers. Gamma can also be seen as a notation for coordinating independent programs in a larger application. In...
This paper presents a novel approach to the problem of implementing programs in Gamma, a computation model of chemical-reaction-like multiset transformations, by translating them into a process calculus with broadcasting communication, CBS. The concurrent message reception of broadcasting communication fits very naturally to the implicit parallelis...
Structural Operational Semantics (SOS) is a widely used formalism for specifying the computational meaning of programs, and is commonly used in specifying the semantics of functional languages. Despite this widespread use there has been relatively little work on the metatheory for such semantics. As a consequence the operational approach to reaso...
ion. A common form of transformation, which is easily justified by appealing to reversibility, is abstraction. The abstraction transformation lifts some instances of subexpressions from the right-hand sides of a set of definitions and replaces them with function calls for some new functions. The abstraction process can be used in conjunction with a...
The goal of program transformation is to improve efficiency while preserving meaning. One of the best known transformation techniques is Burstall and Darlington's unfold-fold method. Unfortunately the unfold-fold method itself guarantees neither improvement in efficiency nor total-correctness. The correctness problem for unfold-fold is an instance...
We consider operational semantics of contexts (terms with holes) in the setting of lazy functional languages, with the aim of providing a balance between operational and compositional reasoning, and a framework for semantics-based program analysis and manipulation. Introduction In this note we initiate a new direction in the semantics of functional...
This paper studies composed reduction systems: a system of programs built up from the reduction relations of some reduction system, by means of parallel and sequential composition operators. The trace-based compositional semantics of composed reduction systems is considered, and a new graph-representation is introduced as an alternative basis for t...
The salient feature of the composition operators for Gamma programs is that for termination, the parallel composition operator demands that its operands must terminate synchronously. This paper studies the inequational partial correctness properties of the combination of sequential and parallel composition operators for Gamma programs, provable fro...
We present a set of primitive program schemes, which together with just two basic combining forms provide a surprisingly expressive parallel programming language. The primitive program schemes (called tropes) take the form of parameterised conditional rewrite rules, and the computational model is a variant of the Gamma style, in which computatio...
The Gamma model is a minimal programming language based on local multiset rewriting (with an elegant chemical reaction metaphor); Hankin et al derived a calculus of Gamma programs built from basic reactions and two composition operators, and applied it to the study of relationships between parallel and sequential program composition, and related pr...
Gamma is a minimal language based on conditional multiset rewriting. The virtues of this paradigm in terms of systematic program construction and design of programs for highly parallel machines have been demonstrated in previous papers. We introduce here sequential and parallel operators for combining Gamma programs and we study their properties. T...
In this paper we address the technical foundations essential to the aim of providing a semantic basis for the formal treatment of relative efficiency in functional languages. For a general class of "functional" computation systems, we define a family of improvement preorderings which express, in a variety of ways, when one expression is more efficient t...
Techniques for reasoning about extensional properties of functional programs are well understood, but methods for analysing the underlying intensional, or operational properties have been much neglected. This paper presents the development of a simple but practically useful calculus for time analysis of non-strict functional programs with lazy lists...
David Sands, Department of Computing, Imperial College, 180 Queens Gate, London SW7 2BZ, email: ds@uk.ac.ic.doc. Abstract: In this paper we address the technical foundations essential to the aim of providing a semantic basis for the formal treatment of relative efficiency in functional languages. For a general class of "functional" computation systems, we def...
Given a description of the parameters in a program that will be known at partial evaluation time, a binding time analysis must determine which parts of the program are dependent solely on these known parts (and therefore also known at partial evaluation time). In this paper a binding time analysis for the simply typed lambda calculus is presented....
Recent interest in methods for certifying programs for secure information flow (noninterference) have failed to raise a key question: can efficient algorithms be written so as to satisfy the requirements of secure information flow? In this paper we discuss how algorithms for searching and sorting can be adapted to work on collections of secret d...
Security is rarely a static notion. What is considered to be confidential or untrusted data varies over time according to changing events and states. The static verification of secure information flow has been a popular theme in recent programming language research, but information flow policies considered are based on multilevel security which pre...