A Semantic Hierarchy for Erasure Policies

  • Filippo Del Tedesco
  • Sebastian Hunt
  • David Sands
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7093)


We consider the problem of logical data erasure, contrasting with physical erasure in the same way that end-to-end information flow control contrasts with access control. We present a semantic hierarchy for erasure policies, using a possibilistic knowledge-based semantics to define policy satisfaction such that there is an intuitively clear upper bound on what information an erasure policy permits to be retained. Our hierarchy allows a rich class of erasure policies to be expressed, taking account of the power of the attacker, how much information may be retained, and under what conditions it may be retained. While our main aim is to specify erasure policies, the semantic framework allows quite general information-flow policies to be formulated for a variety of semantic notions of secrecy.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Alur, R., Černý, P., Zdancewic, S.: Preserving Secrecy Under Refinement. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 107–118. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  2. 2.
    Askarov, A., Sabelfeld, A.: Gradual release: Unifying declassification, encryption and key release policies. In: Proceedings of the 2007 IEEE Symposium on Security and Privacy, SP 2007, pp. 207–221. IEEE Computer Society, Washington, DC, USA (2007)Google Scholar
  3. 3.
    Balliu, M., Dam, M., Le Guernic, G.: Epistemic temporal logic for information flow security. In: ACM SIGPLAN Sixth Workshop on Programming Languages and Analysis for Security (June 2011)Google Scholar
  4. 4.
    Banerjee, A.: Expressive declassification policies and modular static enforcement. In: Proc. IEEE Symp. on Security and Privacy, pp. 339–353 (2008)Google Scholar
  5. 5.
    Broberg, N., Sands, D.: Flow-sensitive semantics for dynamic information flow policies. In: ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security (PLAS 2009), June 15. ACM (2009)Google Scholar
  6. 6.
    Cheney, J.: A formal framework for provenance security. In: The 24th IEEE Computer Security Foundations Symposium (June 2011)Google Scholar
  7. 7.
    Chong, S., Myers, A.: Language-based information erasure. In: 18th IEEE Workshop on Computer Security Foundations, CSFW-18 2005, pp. 241–254 (June 2005)Google Scholar
  8. 8.
    Chong, S.: Expressive and Enforceable Information Security Policies. Ph.D. thesis, Cornell University (August 2008)Google Scholar
  9. 9.
    Chong, S., Myers, A.C.: End-to-end enforcement of erasure and declassification. In: CSF, pp. 98–111. IEEE Computer Society (2008)Google Scholar
  10. 10.
    Cohen, E.S.: Information transmission in sequential programs. In: DeMillo, R.A., Dobkin, D.P., Jones, A.K., Lipton, R.J. (eds.) Foundations of Secure Computation, pp. 297–335. Academic Press (1978)Google Scholar
  11. 11.
    Cousot, P.: Semantic foundations of program analysis. In: Muchnick, S., Jones, N. (eds.) Program Flow Analysis: Theory and Applications, ch.10, pp. 303–342. Prentice-Hall, Inc., Englewood Cliffs (1981)Google Scholar
  12. 12.
    Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proc. ACM Symp. on Principles of Programming Languages, pp. 238–252 (January 1977)Google Scholar
  13. 13.
    Del Tedesco, F., Hunt, S., Sands, D.: A semantic hierarchy for erasure policies (extended version). In: International Conference on Information System Security (2011), http://arxiv.org/abs/1109.6914
  14. 14.
    Del Tedesco, F., Russo, A., Sands, D.: Implementing erasure policies using taint analysis. In: Aura, T. (ed.) The 15th Nordic Conference in Secure IT Systems. LNCS. Springer, Heidelberg (October 2010)Google Scholar
  15. 15.
    Del Tedesco, F., Sands, D.: A user model for information erasure. In: 7th International Workshop on Security Issues in Concurrency (SECCO 2009), pp. 16–30 (2009)Google Scholar
  16. 16.
    Focardi, R., Gorrieri, R.: A classification of security properties for process algebras. J. Computer Security 3(1), 5–33 (1995)CrossRefGoogle Scholar
  17. 17.
    Giacobazzi, R., Mastroeni, I.: Abstract non-interference: Parameterizing non-interference by abstract interpretation. In: Proc. ACM Symp. on Principles of Programming Languages, pp. 186–197 (January 2004)Google Scholar
  18. 18.
    Hunt, S., Sands, D.: Just Forget it – The Semantics and Enforcement of Information Erasure. In: Gairing, M. (ed.) ESOP 2008. LNCS, vol. 4960, pp. 239–253. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  19. 19.
    Hunt, S., Mastroeni, I.: The Per Model of Abstract Non-Interference. In: Hankin, C., Siveroni, I. (eds.) SAS 2005. LNCS, vol. 3672, pp. 171–185. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  20. 20.
    Landauer, J., Redmond, T.: A lattice of information. In: Proc. IEEE Computer Security Foundations Workshop, pp. 65–70 (June 1993)Google Scholar
  21. 21.
    Mastroeni, I.: On the Rôle of Abstract Non-Interference in Language-Based Security. In: Yi, K. (ed.) APLAS 2005. LNCS, vol. 3780, pp. 418–433. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  22. 22.
    McLean, J.: Security models and information flow. In: Proc. IEEE Symp. on Security and Privacy, pp. 180–187 (May 1990)Google Scholar
  23. 23.
    Nanevski, A., Banerjee, A., Garg, D.: Verification of information flow and access control policies with dependent types. In: Proc. IEEE Symp. on Security and Privacy (2011)Google Scholar
  24. 24.
    O’Neill, K.R., Clarkson, M.R., Chong, S.: Information-flow security for interactive programs. In: CSFW 2006: Proceedings of the 19th IEEE Workshop on Computer Security Foundations, pp. 190–201. IEEE Computer Society, Washington, DC, USA (2006)Google Scholar
  25. 25.
    Plotkin, G.D.: A powerdomain construction. SIAM J. Comput. pp. 452–487 (1976)Google Scholar
  26. 26.
    Sabelfeld, A., Sands, D.: A Per Model of Secure Information Flow in Sequential Programs. In: Swierstra, S.D. (ed.) ESOP 1999. LNCS, vol. 1576, pp. 40–58. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  27. 27.
    Sabelfeld, A., Sands, D.: A per model of secure information flow in sequential programs. Higher-Order and Symbolic Computation 14(1), 59–91 (2001)CrossRefMATHGoogle Scholar
  28. 28.
    Sabelfeld, A., Sands, D.: Declassification: Dimensions and principles. Journal of Computer Security 15(5), 517–548 (2009)CrossRefGoogle Scholar
  29. 29.
    Sutherland, D.: A model of information. In: Proc. National Computer Security Conference, pp. 175–183 (September 1986)Google Scholar
  30. 30.
    Wei, M.Y.C., Grupp, L.M., Spada, F.E., Swanson, S.: Reliably erasing data from flash-based solid state drives. In: 9th USENIX Conference on File and Storage Technologies, San Jose, CA, USA, February 15-17, pp. 105–117. USENIX (2011)Google Scholar
  31. 31.
    Wittbold, J.T., Johnson, D.M.: Information flow in nondeterministic systems. In: IEEE Symposium on Security and Privacy, pp. 144–161 (1990)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Filippo Del Tedesco
    • 1
  • Sebastian Hunt
    • 2
  • David Sands
    • 1
  1. 1.Chalmers University of TechnologySweden
  2. 2.City University LondonUK

Personalised recommendations