Compiling Information-Flow Security to Minimal Trusted Computing Bases

  • Cédric Fournet
  • Jérémy Planul
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6602)


Information-flow policies can express strong security requirements for programs run by distributed parties with different levels of trust. However, this security is hard to preserve as programs get compiled to distributed systems with (potentially) compromised machines. For instance, many programs involve computations too sensitive to be trusted to any of those machines. Also, many programs are not perfectly secure (non-interferent); as they selectively endorse and declassify information, their relative security becomes harder to preserve.

We develop a secure compiler for distributed information flows. To minimize trust assumptions, we rely on cryptographic protection, and we exploit hardware and software mechanisms available on modern architectures, such as secure boots, trusted platform modules, and remote attestation.

We present a security model for these mechanisms in an imperative language with dynamic code loading. We define program transformations to generate trusted virtual hosts and to run them on untrusted machines. We obtain confidentiality and integrity theorems under realistic assumptions, showing that the compiled distributed system is at least as secure as the source program.


Trusted Platform Module Source Program Typing Rule Trust Computing Group Remote Attestation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. Abadi, M., Wobber, T.: A logical account of NGSCB. In: de Frutos-Escrig, D., Núñez, M. (eds.) FORTE 2004. LNCS, vol. 3235, pp. 1–12. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  2. AMD. AMD64 virtualization: Secure virtual machine architecture reference manualGoogle Scholar
  3. Askarov, A., Myers, A.: A semantic framework for declassification and endorsement. Prog. Languages and Systems, 64–84 (2010)Google Scholar
  4. Askarov, A., Sabelfeld, A.: Tight enforcement of information-release policies for dynamic languages. In: CSF (2009)Google Scholar
  5. Balfe, S., Paterson, K.G.: e-EMV: Emulating EMV for internet payments using trusted computing technology. In: STC 2008, pp. 81–92 (2008)Google Scholar
  6. Chong, S., Myers, A.C.: Decentralized robustness. In: 19th IEEE CSFW 2006, p. 12 (2006)Google Scholar
  7. Chong, S., Liu, J., Myers, A.C., Qi, X., Vikram, K., Zheng, L., Zheng, X.: Secure web applications via automatic partitioning. In: CACM (2009)Google Scholar
  8. Datta, A., Franklin, J., Garg, D., Kaynar, D.: A logic of secure systems and its application to trusted computing. In: S&P 2009, pp. 221–236 (2009)Google Scholar
  9. Denning, D.E.: A lattice model of secure information flow. In: CACM (1976)Google Scholar
  10. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE TIT (1976)Google Scholar
  11. Fournet, C., Rezk, T.: Cryptographically sound implementations for typed information-flow security. In: POPL 2008, pp. 323–335 (January 2008)Google Scholar
  12. Fournet, C., Le Guernic, G., Rezk, T.: A security-preserving compiler for distributed programs: from information-flow policies to cryptographic mechanisms. In: CCS 2009, ACM, New York (2009)Google Scholar
  13. Grawrock, D.: TCG Specification Architecture Overview, Rev. 1.4 (2007)Google Scholar
  14. Gürgens, S., Rudolph, C., Scheuermann, D., Atts, M., Plaga, R.: Security evaluation of scenarios based on the TCGs TPM specification. In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 438–453. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  15. Halderman, J., Schoen, S., Heninger, N., Clarkson, W., Paul, W., Calandrino, J., Feldman, A., Appelbaum, J., Felten, E.: Lest we remember: cold-boot attacks on encryption keys. In: CACM (2009)Google Scholar
  16. Intel. Intel Trusted Execution Technology Software Development Guide (2009)Google Scholar
  17. McCune, J., Parno, B., Perrig, A., Reiter, M., Isozaki, H.: Flicker: An execution infrastructure for TCB minimization. In: 3rd ACM SIGOPS/EuroSys, pp. 315–328. ACM, New York (2008)Google Scholar
  18. McCune, J., Qu, N., Li, Y., Datta, A., Gligor, V., Perrig, A.: Efficient TCB Reduction and Attestation. CMU-CyLab-09-003 9 (2009)Google Scholar
  19. Microsoft. Windows BitLocker drive encryption (2006)Google Scholar
  20. Millen, J., Guttman, J., Ramsdell, J., Sheehy, J., Sniffen, B., Bedford, M.: Analysis of a measured launch. In: MITRE (2007)Google Scholar
  21. Myers, A.C., Liskov, B.: Complete, safe information flow with decentralized labels. In: 19th IEEE Symposium on Research in Security and Privacy (RSP), Oakland, California (May 1998)Google Scholar
  22. Myers, A.C., Liskov, B.: Protecting privacy using the decentralized label model. In: TOSEM (2000)Google Scholar
  23. Myers, A.C., Zheng, L., Zdancewic, S., Chong, S., Nystrom, N.: Jif: Java information flow (2001)Google Scholar
  24. Myers, A.C., Sabelfeld, A., Zdancewic, S.: Enforcing robust declassification and qualified robustness. JCS 14(2), 157–196 (2006)CrossRefGoogle Scholar
  25. Pottier, F., Simonet, V.: Information flow inference for ML. In: ACM TOPLAS (2003)Google Scholar
  26. Sabelfeld, A., Myers, A.C.: Language-based information-flow security. In: IEEE J-SAC (2003)Google Scholar
  27. Sabelfeld, A., Myers, A.C.: A model for delimited information release. Software Security-Theories and Systems, 174–191 (2004)Google Scholar
  28. Trusted Computing Group. Client Specific TPM Interface Specification (TIS), Version 1.2 (2005)Google Scholar
  29. Trusted Computing Group. TCG Software Stack (TSS 1.2). Trusted Computing Group (2006)Google Scholar
  30. Zdancewic, S., Myers, A.C.: Robust declassification. In: CSFW 2001, pp. 15–23 (2001)Google Scholar
  31. Zdancewic, S., Zheng, L., Nystrom, N., Myers, A.C.: Secure program partitioning. In: TOCS (2002)Google Scholar
  32. Zheng, L., Chong, S., Myers, A.C., Zdancewic, S.: Using replication and partitioning to build secure distributed systems. In: 15th IEEE Symposium on Security and Privacy (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Cédric Fournet
    • 1
    • 2
  • Jérémy Planul
    • 1
  1. 1.MSR-INRIAFrance
  2. 2.Microsoft ResearchUSA

Personalised recommendations