Privacy-Sensitive Information Flow with JML

  • Guillaume Dufay
  • Amy Felty
  • Stan Matwin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3632)


In today’s society, people have very little control over what kinds of personal data are collected and stored by various agencies in both the private and public sectors. We describe an approach to addressing this problem that allows individuals to specify constraints on the way their own data is used. Our solution uses formal methods to allow developers of software that processes personal data to provide assurances that the software meets the specified privacy constraints. In the domain of privacy, it is often not sufficient to express properties of interest as a relation between the input and output of a program as is done for general program correctness. Here we consider a stronger class of properties that allows us to express constraints on information flow. In particular, we can express that an algorithm does not leak any information from particular “sensitive” values. We describe a general methodology for expressing this kind of information flow property as Hoare-style program verification judgments. We begin with the Java Modelling Language (JML), which is a behavioral interface specification language designed for Java, and we extend the language to include new concepts and keywords for expressing such properties. We use the Krakatoa tool which starts from JML-annotated Java programs, generates proof obligations in the Coq Proof Assistant, and helps to automate their proofs. We extend the Krakatoa tool to understand our extensions to JML and to generate the new form of required proof obligations. We illustrate our method on several data mining algorithms implemented in Java.


Proof Obligation Data Mining Algorithm Java Modeling Language Loop Invariant Data Mining Software 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Banerjee, A., Naumann, D.A.: Secure information flow and pointer confinement in a Java-like language. In: Proceedings of the 15th IEEE Computer Security Foundations Workshop, p. 253. IEEE Computer Society, Los Alamitos (2002)Google Scholar
  2. 2.
    Barthe, G., D’Argenio, P., Rezk, T.: Secure information flow by self-composition. In: Proceedings of the 17th IEEE Computer Security Foundations Workshop, pp. 100–114. IEEE Computer Society, Los Alamitos (2004)CrossRefGoogle Scholar
  3. 3.
    Felty, A., Matwin, S.: Privacy-oriented data mining by proof checking. In: Elomaa, T., Mannila, H., Toivonen, H. (eds.) PKDD 2002. LNCS (LNAI), vol. 2431, p. 138. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  4. 4.
    Ferrari, E., Samarati, P., Bertino, E., Jajodia, S.: Providing flexibility in information flow control for object-oriented systems. In: Proceedings of the 1997 IEEE Symposium on Security and Privacy (May 1997)Google Scholar
  5. 5.
    Filliâtre, J.-C.: Why: A multi-language multi-prover verification tool. Research Report 1366, LRI, Université Paris Sud (March 2003)Google Scholar
  6. 6.
    Giambiagi, P., Dam, M.: Verification of confidentiality properties for Java Card applets. Manuscript (2003)Google Scholar
  7. 7.
    Goguen, J.A., Meseguer, J.: Security policies and security models. In: Proceedings of 1982 IEEE Symposium on Security and Privacy, pp. 11–20 (1982)Google Scholar
  8. 8.
    Hayati, K., Abadi, M.: Language-based enforcement of privacy policies. In: Martin, D., Serjantov, A. (eds.) PET 2004. LNCS, vol. 3424, pp. 302–313. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  9. 9.
    Hoare, C.A.R.: An axiomatic basis for computer programming. Commununications of ACM 12(10), 576–580 (1969)zbMATHCrossRefGoogle Scholar
  10. 10.
    JACK: Java Applet Correctness Kit.,
  11. 11.
    Leavens, G.T., Baker, A.L., Ruby, C.: JML: A notation for detailed design. In: Behavioral Specifications of Businesses and Systems, pp. 175–188. Kluwer Academic Publishers, Dordrecht (1999), Google Scholar
  12. 12.
    Marché, C., Paulin-Mohring, C., Urbain, X.: The Krakatoa Tool for Certification of Java/JavaCard Programs annotated in JML. Journal of Logic and Algebraic Programming 58(1–2), 86–106 (2004)Google Scholar
  13. 13.
    Matwin, S., Felty, A., Hernádvölgyi, I., Capretta, V.: Privacy in data mining using formal methods. In: Proceedings of the Seventh International Conference on Typed Lambda Calculi and Applications. LNCS, vol. 2841, Springer, Heidelberg (2005)Google Scholar
  14. 14.
    Coq Development Team. The Coq Proof Assistant Reference Manual – Version 8.0 (2004),
  15. 15.
    Information and Privacy Commissioner/Ontario. Data mining: Staking a claim on your privacy (January 1998),
  16. 16.
    Meyer, B.: Object-Oriented Software Construction, 2nd edn. Prentice Hall, Englewood Cliffs (1997)zbMATHGoogle Scholar
  17. 17.
    Myers, A.C.: JFlow: Practical mostly-static information flow control. In: Symposium on Principles of Programming Languages (POPL), January 1999, pp. 228–241 (1999)Google Scholar
  18. 18.
    Myers, A.C., Sabelfeld, A., Zdancewic, S.: Enforcing robust declassification. In: Proceedings of the 17th IEEE Computer Security Foundations Workshop, pp. 172–186. IEEE Computer Society, Los Alamitos (2004)CrossRefGoogle Scholar
  19. 19.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Selected Areas in Communications 21(1), 5–19 (2003)CrossRefGoogle Scholar
  20. 20.
    Smith, G.: A new type system for secure information flow. In: Proceedings of the 14th IEEE Computer Security Foundations Workshop, p. 115. IEEE Computer Society, Los Alamitos (2001)CrossRefGoogle Scholar
  21. 21.
  22. 22.
    Witten, I.H., Frank, E.: Data Mining. Morgan Kaufmann, San Francisco (2000)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Guillaume Dufay
    • 1
  • Amy Felty
    • 1
  • Stan Matwin
    • 1
    • 2
  1. 1.SITEUniversity of Ottawa.OttawaCanada
  2. 2.Institute of Computer SciencePolish Academy of SciencesWarsawPoland

Personalised recommendations