Just Forget It – The Semantics and Enforcement of Information Erasure

  • Sebastian Hunt
  • David Sands
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4960)


There are many settings in which sensitive information is made available to a system or organisation for a specific purpose, on the understanding that it will be erased once that purpose has been fulfilled. A familiar example is that of online credit card transactions: a customer typically provides credit card details to a payment system on the understanding that the following promises are kept: (i) Noninterference (NI): the card details may flow to the bank (in order that the payment can be authorised) but not to other users of the system; (ii) Erasure: the payment system will not retain any record of the card details once the transaction is complete. This example shows that we need to reason about NI and erasure in combination, and that we need to consider interactive systems: the card details are used in the interaction between the principals, and then erased; without the interaction, the card details could be dispensed with altogether and erasure would be unnecessary. The contributions of this paper are as follows. (i) We show that an end-to-end erasure property can be encoded as a “flow sensitive” noninterference property. (ii) By a judicious choice of language construct to support erasure policies, we successfully adapt this result to an interactive setting. (iii) We use this result to design a type system which guarantees that well typed programs are properly erasing. Although erasure policies have been discussed in earlier papers, this appears to be the first static analysis to enforce erasure.


Credit Card Type System Policy Language Payment System Security Level 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. [AB04]
    Amtoft, T., Banerjee, A.: Information Flow Analysis in Logical Form. In: Giacobazzi, R. (ed.) SAS 2004. LNCS, vol. 3148, pp. 100–115. Springer, Heidelberg (2004)Google Scholar
  2. [AB05]
    Almeida Matos, A., Boudol, G.: On declassification and the non-disclosure policy. In: Proc. IEEE Computer Security Foundations Workshop (June 2005)Google Scholar
  3. [CH07]
    Clark, D., Hunt, S.: Observation, nondeterminism and nondeducability on strategies. In: Workshop presentation at PLID 2007, 3rd International Workshop on Programming Language Dependence and Independence (August 2007)Google Scholar
  4. [CM05]
    Chong, S., Myers, A.C.: Language-based information erasure. In: Proc. IEEE Computer Security Foundations Workshop (June 2005)Google Scholar
  5. [FG95]
    Focardi, R., Gorrieri, R.: A classification of security properties for process algebras. J. Computer Security 3(1), 5–33 (1995)Google Scholar
  6. [GM04]
    Giacobazzi, R., Mastroeni, I.: Abstract non-interference: parameterizing non-interference by abstract interpretation. In: Proc. ACM Symp. on Principles of Programming Languages, pp. 186–197 (2004)Google Scholar
  7. [HP06]
    Hansen, R.R., Probst, C.W.: Non-interference and erasure policies for java card bytecode. In: 6th International Workshop on Issues in the Theory of Security (WITS 2006) (2006)Google Scholar
  8. [HS06]
    Hunt, S., Sands, D.: On flow-sensitive security types. In: POPL 2006, Proceedings of the 33rd Annual. ACM SIGPLAN - SIGACT. Symposium. on Principles of Programming Languages (January 2006)Google Scholar
  9. [OCC06]
    O’Neill, K.R., Clarkson, M.R., Chong, S.: Information-flow security for interactive programs. In: Proc. IEEE Computer Security Foundations Workshop, pp. 190–201. IEEE Computer Society, Los Alamitos (2006)Google Scholar
  10. [Ros95]
    Roscoe, A.W.: CSP and determinism in security modeling. In: Proc. IEEE Symp. on Security and Privacy, May 1995, pp. 114–127 (1995)Google Scholar
  11. [SS01]
    Sabelfeld, A., Sands, D.: A per model of secure information flow in sequential programs. Higher-Order and Symbolic Computation 14(1), 59–91 (2001)zbMATHCrossRefGoogle Scholar
  12. [SS05]
    Sabelfeld, A., Sands, D.: Dimensions and principles of declassification. In: Proceedings of the 18th IEEE Computer Security Foundations Workshop, pp. 255–269. IEEE Computer Society Press, Los Alamitos (2005)Google Scholar
  13. [WJ90]
    Wittbold, J.T., Johnson, D.M.: Information flow in nondeterministic systems. In: IEEE Symposium on Security and Privacy, pp. 144–161 (1990)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Sebastian Hunt
    • 1
  • David Sands
    • 2
  1. 1.City UniversityLondon 
  2. 2.Chalmers university of TechnologySweden

Personalised recommendations