Formal Aspects of Computing

, Volume 24, Issue 1, pp 3–26 | Cite as

Compositional noninterference from first principles

  • Carroll Morgan
Original Article


The recently formulated Shadow Semantics for noninterference-style security of sequential programs avoids the Refinement Paradox by preserving demonic nondeterminism in those cases where reducing it would compromise security. The construction (originally) of the semantic domain for The Shadow, and the interpretation of programs in it, relied heavily on intuition, guesswork and the advice of others. That being so, it is natural after the fact to try to reconstruct an idealised “inevitable” path from first principles to where we actually ended up: not only does one learn (more) about semantic principles by doing so, but the “rational reconstruction” helps to expose the choices made, along the way, and to legitimise the decisions that resolved them. Unlike our other papers on noninterference, this one does not contain a significant case study: instead its aim is to provide the most accessible account we can of the methods we use and why our model, in its details, has turned out the way it has. In passing, it might give some insight into the general role and significance of compositionality and testing-with-context for program semantics. Finally, a technical contribution here is a new “Transfer Principle” that captures uniformly a large class of classical refinements that remain valid when noninterference is taken into account in our style.


Security Refinement Noninterference Refinement Paradox Compositionality Testing semantics 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. Abr96.
    Abrial J-R (1996) The b book: assigning programs to meanings. Cambridge University Press, CambridgeCrossRefzbMATHGoogle Scholar
  2. AČZ06.
    Alur R, Černý P, Zdancewic S (2006) Preserving secrecy under refinement. In: ICALP ’06: Proceedings (Part II) of the 33rd international colloquium on automata, languages and programming. Springer, Berlin, pp 107–118Google Scholar
  3. BvW98.
    Back R-JR, von Wright J (1998) Refinement calculus: a systematic introduction. Springer, BerlinzbMATHGoogle Scholar
  4. Cer09.
    Černý P (2009) Private communication, February 2009Google Scholar
  5. Cha88.
    Chaum D (1988) The dining cryptographers problem: unconditional sender and recipient untraceability. J Cryptol 1(1): 65–75CrossRefzbMATHMathSciNetGoogle Scholar
  6. Dij76.
    Dijkstra EW (1976) A discipline of programming. Prentice-Hall, Englewood CliffszbMATHGoogle Scholar
  7. GM84.
    Goguen JA, Meseguer J (1984) Unwinding and inference control. In: Proceedings IEEE symp on security and privacy. IEEE Computer Society, pp 75–86Google Scholar
  8. Hay87.
    Hayes I (1987) Specification case studies. Prentice-Hall, Englewood Cliffs.
  9. Hoa69.
    Hoare CAR (1969) An axiomatic basis for computer programming. Commun ACM 12(10): 576–580 (see also pp 583)CrossRefzbMATHGoogle Scholar
  10. HSM97.
    He J, Seidel K, McIver AK (1997) Probabilistic models for the guarded command language. Sci Comput Program 28: 171–192CrossRefzbMATHMathSciNetGoogle Scholar
  11. Jac88.
    Jacob J (1988) Security specifications. In: IEEE Symposium on security and privacy, pp 14–23Google Scholar
  12. McI09.
    McIver AK (2009) The secret art of computer programming. In: Proceedings ICTAC 2009. LNCS, vol 5684, pp 61–78 (Invited presentation)Google Scholar
  13. MM05.
    McIver AK, Morgan CC (2005) Abstraction, refinement and proof for probabilistic systems. In: Tech Mono Comp Sci. Springer, New YorkGoogle Scholar
  14. MM09.
    McIver AK, Morgan CC (2009) Sums and lovers: case studies in security, compositionality and refinement. In: Cavalcanti A, Dams D (eds) Proceedings FM ’09. LNCS, vol 5850. Springer, New YorkGoogle Scholar
  15. MM10.
    McIver AK, Morgan CC (2010) Compositional refinement in agent-based security protocols. Formal Aspects Comput (To appear)Google Scholar
  16. MMM10.
    McIver AK, Meinicke LA, Morgan CC (2010) Compositional closure for Bayes risk in probabilistic noninterference. In: Abramsky S, Gavoille C, Kirchner C, Meyer auf der Heide F, Spiraki PG (eds), Proceedings ICALP 2010, LNCS, vol 6199, pp 223–235 (Extended abstract)Google Scholar
  17. MMS96.
    Morgan CC, McIver AK, Seidel K (1996) Probabilistic predicate transformers. ACM Trans Prog Lang Sys 18(3): 325–353. doi: CrossRefGoogle Scholar
  18. Mor87.
    Morris JM (1987) A theoretical basis for stepwise refinement and the programming calculus. Sci Comput Program 9(3): 287–306CrossRefzbMATHGoogle Scholar
  19. Mor94.
    Morgan CC (1994) Programming from specifications, 2nd edn. Prentice-Hall, Englewood Cliffs.
  20. Mor05.
    Morgan CC (2005) Of probabilistic wp and CSP. In: Abdallah A, Jones CB, Sanders JW (eds) Communicating sequential processes: the first 25 years. Springer, BerlinGoogle Scholar
  21. Mor06.
    Morgan CC (2006) The shadow knows: refinement of ignorance in sequential programs. In Uustalu T (ed) Math Prog Construction, vol 4014, Treats Dining Cryptographers. Springer, Berlin, pp 359–378Google Scholar
  22. Mor09a.
    Morgan CC (2009) How to brew-up a refinement ordering. In: Boiten E, Derrick J, Reeves S (eds) Proceedings international refinement workshop, Eindhoven, ENTCS, vol 259, pp 123–141Google Scholar
  23. Mor09b.
    Morgan CC (2009) The shadow knows: refinement of ignorance in sequential programs. Sci Comput Program 74(8): 2009 (Treats Oblivious Transfer)CrossRefGoogle Scholar
  24. Riv99.
    Rivest R (1999) Unconditionally secure commitment and oblivious transfer schemes using private channels and a trusted initialiser. Technical report, M.I.T.
  25. Smy78.
    Smyth MB (1978) Power domains. J Comp Syst Sci 16: 23–36CrossRefzbMATHMathSciNetGoogle Scholar
  26. Wir71.
    Wirth N (1971) Program development by stepwise refinement. Commun ACM 14(4): 221–227CrossRefzbMATHGoogle Scholar

Copyright information

© British Computer Society 2010

Authors and Affiliations

  1. 1.School of Computer Science and EngineeringUniversity of NSWSydneyAustralia

Personalised recommendations