The PER Model of Abstract Non-interference

  • Sebastian Hunt
  • Isabella Mastroeni
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3672)


In this paper, we study the relationship between two models of secure information flow: the PER model (which uses equivalence relations) and the abstract non-interference model (which uses upper closure operators). We embed the lattice of equivalence relations into the lattice of closures, re-interpreting abstract non-interference over the lattice of equivalence relations. For narrow abstract non-interference, we show that the new definition is equivalent to the original, whereas for abstract non-interference it is strictly less general. The relational presentation of abstract non-interference leads to a simplified construction of the most concrete harmless attacker. Moreover, the PER model of abstract non-interference allows us to derive unconstrained attacker models, which do not necessarily either observe all public information or ignore all private information. Finally, we show how abstract domain completeness can be used for enforcing the PER model of abstract non-interference.


Information flow non-interference abstract interpretation language-based security 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bell, D.E., LaPadula, L.J.: Secure computer systems: Mathematical foundations and model. Technical Report M74-244, MITRE Corp. Badford, MA (1973)Google Scholar
  2. 2.
    Clark, D., Hankin, C., Hunt, S.: Information flow for algol-like languages. Computer Languages 28(1), 3–28 (2002)zbMATHGoogle Scholar
  3. 3.
    Cohen, E.S.: Information transmission in sequential programs. In: Foundations of Secure Computation, pp. 297–335 (1978)Google Scholar
  4. 4.
    Cortesi, A., Filé, G., Winsborough, W.: The quotient of an abstract interpretation. Theor. Comput. Sci. 202(1-2), 163–192 (1998)zbMATHCrossRefGoogle Scholar
  5. 5.
    Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proc. of Conf. Record of the 4th ACM Symp. on Principles of Programming Languages (POPL 1977), pp. 238–252. ACM Press, New York (1977)Google Scholar
  6. 6.
    Cousot, P., Cousot, R.: Constructive versions of Tarski’s fixed point theorems. Pacific J. Math. 82(1), 43–57 (1979)zbMATHMathSciNetGoogle Scholar
  7. 7.
    Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: Proc. of Conf. Record of the 6th ACM Symp. on Principles of Programming Languages (POPL 1979), pp. 269–282. ACM Press, New York (1979)Google Scholar
  8. 8.
    Denning, D.E., Denning, P.: Certification of programs for secure information flow. Communications of the ACM 20(7), 504–513 (1977)zbMATHCrossRefGoogle Scholar
  9. 9.
    Giacobazzi, R., Mastroeni, I.: Abstract non-interference: Parameterizing non-interference by abstract interpretation. In: Proc. of the 31st Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 2004), pp. 186–197. ACM-Press, New York (2004)CrossRefGoogle Scholar
  10. 10.
    Giacobazzi, R., Mastroeni, I.: Adjoining declassification and attack models by abstract interpretation. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp. 295–310. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  11. 11.
    Giacobazzi, R., Ranzato, F., Scozzari, F.: Making abstract interpretations complete. J. of the ACM 47(2), 361–416 (2000)zbMATHCrossRefMathSciNetGoogle Scholar
  12. 12.
    Hunt, S.: Pers generalise projections for strictness analysis (extended abstract). In: Proc. 1990 Glasgow Workshop on Functional Programming, Workshops in Computing, Ullapool. Springer, Heidelberg (1991)Google Scholar
  13. 13.
    Joshi, R., Leino, K.R.M.: A semantic approach to secure information flow. Science of Computer Programming 37, 113–138 (2000)zbMATHCrossRefMathSciNetGoogle Scholar
  14. 14.
    Landauer, J., Redmond, T.: A lattice of information. In: Proc. of the IEEE Computer Security Foundations Workshop, pp. 65–70. IEEE Computer Society Press, Los Alamitos (1993)Google Scholar
  15. 15.
    Laud, P.: Semantics and program analysis of computationally secure information flow. In: Sands, D. (ed.) ESOP 2001. LNCS, vol. 2028, pp. 77–91. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  16. 16.
    Ranzato, F., Tapparo, F.: Strong preservation as completeness in abstract interpretation. In: Schmidt, D. (ed.) ESOP 2004. LNCS, vol. 2986, pp. 18–32. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  17. 17.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. on selected ares in communications 21(1), 5–19 (2003)CrossRefGoogle Scholar
  18. 18.
    Sabelfeld, A., Sands, D.: A PER model of secure information flow in sequential programs. Higher-Order and Symbolic Computation 14(1), 59–91 (2001)zbMATHCrossRefGoogle Scholar
  19. 19.
    Skalka, C., Smith, S.: Static enforcement of security with types. In: ICFP 2000, pp. 254–267. ACM Press, New York (2000)Google Scholar
  20. 20.
    Tarski, A.: A lattice theoretical fixpoint theorem and its applications. Pacific J. Math. 5, 285–310 (1955)zbMATHMathSciNetGoogle Scholar
  21. 21.
    Volpano, D., Smith, G., Irvine, C.: A sound type system for secure flow analysis. Journal of Computer Security 4(2,3), 167–187 (1996)Google Scholar
  22. 22.
    Zdancewic, S., Myers, A.C.: Robust declassification. In: Proc. of the IEEE Computer Security Foundations Workshop, pp. 15–23. IEEE Computer Society Press, Los Alamitos (2001)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Sebastian Hunt
    • 1
  • Isabella Mastroeni
    • 2
  1. 1.Department of Computing, School of InformaticsCity UniversityLondonUK
  2. 2.Department of Computing and Information SciencesKansas State UniversityManhattanUSA

Personalised recommendations