Lecture 014

Termination-sensitive non-interference with respect to policy \Sigma: \Sigma \models \alpha \text{ secure }^\infty

\begin{align*}
&\Sigma \models \alpha \text{ secure}^\infty\\
\iff& (\forall \omega_1, \omega_2, \nu_1, l)\,\big(\Sigma \vdash \omega_1 \approx_l \omega_2 \land \omega_1 [[\alpha]] \nu_1\\
&\qquad \implies (\exists \nu_2)\,(\omega_2 [[\alpha]] \nu_2 \land \Sigma \vdash \nu_1 \approx_l \nu_2)\big)
\end{align*}

That is, whenever \alpha terminates from a state \omega_1, it must also terminate from every state \omega_2 that looks the same to an observer at level l, and the two final states must again be l-indistinguishable. Termination-insensitive non-interference only demands the second part when both runs happen to terminate.
Typing rules for expressions and formulas (shared by both systems):

\begin{align*}
&\frac{\Sigma(x) = l}{\Sigma \vdash x : l} \text{ var } F
&&\frac{}{\Sigma \vdash c : \bot} \text{ const } F\\
&\frac{\Sigma \vdash e_1 : l_1 \quad \Sigma \vdash e_2 : l_2}{\Sigma \vdash e_1 + e_2 : l_1 \sqcup l_2} + F
&&\frac{\Sigma \vdash e_1 : l_1 \quad \Sigma \vdash e_2 : l_2}{\Sigma \vdash e_1 \leq e_2 : l_1 \sqcup l_2} \leq F\\
&\frac{}{\Sigma \vdash \top : \bot} \top F
&&\frac{\Sigma \vdash P : l_1 \quad \Sigma \vdash Q : l_2}{\Sigma \vdash P \land Q : l_1 \sqcup l_2} \land F
\end{align*}

Typing rules for programs: termination-insensitive rules F on the left, termination-sensitive rules F^\infty on the right. The two systems differ only in the \text{test} and \text{while} rules, which in the termination-sensitive system may only be used when both the guard and the program counter are low:

\begin{align*}
&\frac{\Sigma \vdash e : l \quad l' = \Sigma(pc) \sqcup l \quad l' \sqsubseteq \Sigma(x)}{\Sigma \vdash x := e \text{ secure}} := F
&&\frac{\Sigma \vdash e : l \quad l' = \Sigma(pc) \sqcup l \quad l' \sqsubseteq \Sigma(x)}{\Sigma \vdash x := e \text{ secure}^\infty} := F^\infty\\
&\frac{\Sigma \vdash \alpha \text{ secure} \quad \Sigma \vdash \beta \text{ secure}}{\Sigma \vdash \alpha; \beta \text{ secure}} ; F
&&\frac{\Sigma \vdash \alpha \text{ secure}^\infty \quad \Sigma \vdash \beta \text{ secure}^\infty}{\Sigma \vdash \alpha; \beta \text{ secure}^\infty} ; F^\infty\\
&\frac{}{\Sigma \vdash \text{skip} \text{ secure}} \text{ skip } F
&&\frac{}{\Sigma \vdash \text{skip} \text{ secure}^\infty} \text{ skip } F^\infty\\
&\frac{\Sigma \vdash P : l \quad l' = \Sigma(pc) \sqcup l \quad \Sigma' = \Sigma[pc \mapsto l'] \quad \Sigma' \vdash \alpha \text{ secure} \quad \Sigma' \vdash \beta \text{ secure}}{\Sigma \vdash \text{if } P \text{ then } \alpha \text{ else } \beta \text{ secure}} \text{ if } F
&&\frac{\Sigma \vdash P : l \quad l' = \Sigma(pc) \sqcup l \quad \Sigma' = \Sigma[pc \mapsto l'] \quad \Sigma' \vdash \alpha \text{ secure}^\infty \quad \Sigma' \vdash \beta \text{ secure}^\infty}{\Sigma \vdash \text{if } P \text{ then } \alpha \text{ else } \beta \text{ secure}^\infty} \text{ if } F^\infty\\
&\frac{}{\Sigma \vdash \text{test } P \text{ secure}} \text{ test } F
&&\frac{\Sigma \vdash P : \bot \quad \Sigma(pc) = \bot}{\Sigma \vdash \text{test } P \text{ secure}^\infty} \text{ test } F^\infty\\
&\frac{\Sigma \vdash P : l \quad l' = \Sigma(pc) \sqcup l \quad \Sigma' = \Sigma[pc \mapsto l'] \quad \Sigma' \vdash \alpha \text{ secure}}{\Sigma \vdash \text{while } P \; \alpha \text{ secure}} \text{ while } F
&&\frac{\Sigma \vdash P : \bot \quad \Sigma(pc) = \bot \quad \Sigma \vdash \alpha \text{ secure}^\infty}{\Sigma \vdash \text{while } P \; \alpha \text{ secure}^\infty} \text{ while } F^\infty
\end{align*}

Soundness of termination-sensitive information flow types: if \Sigma \vdash \alpha \text{ secure }^\infty then \Sigma \models \alpha \text{ secure }^\infty.

Termination-sensitive non-interference is strictly stronger than termination-insensitive non-interference: \Sigma \models \alpha \text{ secure }^\infty \implies \Sigma \models \alpha \text{ secure }.
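The following is an added example, not part of the lecture notes: a small checker that implements both rule systems above over a two-point lattice (\bot = LOW, \top = HIGH), with programs and expressions encoded as tuples. The policy \Sigma is a dict from variable names to levels and \Sigma(pc) is passed as a separate parameter; the variable names h (high) and l (low) and the sample programs are constructed for the illustration. The point it shows is the one made by the strictness claim: a loop whose guard depends on h has no low assignment and so is accepted by \text{while } F, but is rejected by \text{while } F^\infty because its termination reveals h.

```python
"""Information-flow type checkers for 'secure' and 'secure^inf' (added example)."""

# Two-point security lattice: LOW is bottom, HIGH is top (assumption of this example).
LOW, HIGH = 0, 1


def join(l1, l2):
    """l1 ⊔ l2 on the two-point lattice."""
    return max(l1, l2)


def leq(l1, l2):
    """l1 ⊑ l2 on the two-point lattice."""
    return l1 <= l2


# Expressions and formulas: ('var', x), ('const', c), ('+', e1, e2),
# ('<=', e1, e2), ('true',), ('and', P, Q)
def type_expr(sigma, e):
    """Return the level l with Σ ⊢ e : l (rules var F, const F, + F, ≤ F, ⊤ F, ∧ F)."""
    tag = e[0]
    if tag == 'var':
        return sigma[e[1]]                      # var F: level from the policy
    if tag in ('const', 'true'):
        return LOW                              # const F, ⊤ F: literals are public
    if tag in ('+', '<=', 'and'):               # + F, ≤ F, ∧ F: join of operands
        return join(type_expr(sigma, e[1]), type_expr(sigma, e[2]))
    raise ValueError(f"unknown expression {tag}")


# Programs: ('assign', x, e), ('seq', a, b), ('skip',), ('if', P, a, b),
# ('test', P), ('while', P, a)
def secure(sigma, pc, prog, sensitive):
    """True iff Σ ⊢ prog secure (sensitive=False) or Σ ⊢ prog secure^∞ (sensitive=True).

    pc is Σ(pc); sensitive selects the F^∞ rules, which differ from the F rules
    only for test and while.
    """
    tag = prog[0]
    if tag == 'skip':                           # skip F / skip F^∞
        return True
    if tag == 'assign':                         # := F / := F^∞
        _, x, e = prog
        lp = join(pc, type_expr(sigma, e))      # l' = Σ(pc) ⊔ l
        return leq(lp, sigma[x])                # l' ⊑ Σ(x)
    if tag == 'seq':                            # ; F / ; F^∞
        return secure(sigma, pc, prog[1], sensitive) and secure(sigma, pc, prog[2], sensitive)
    if tag == 'if':                             # if F / if F^∞: raise pc for both branches
        _, P, a, b = prog
        pc2 = join(pc, type_expr(sigma, P))
        return secure(sigma, pc2, a, sensitive) and secure(sigma, pc2, b, sensitive)
    if tag == 'test':
        if not sensitive:
            return True                         # test F: abort is not observable
        return type_expr(sigma, prog[1]) == LOW and pc == LOW   # test F^∞
    if tag == 'while':
        _, P, a = prog
        if sensitive:                           # while F^∞: guard and pc must be low
            return type_expr(sigma, P) == LOW and pc == LOW and secure(sigma, pc, a, True)
        pc2 = join(pc, type_expr(sigma, P))     # while F: body checked under raised pc
        return secure(sigma, pc2, a, False)
    raise ValueError(f"unknown program {tag}")


# Constructed policy and sample programs.
SIGMA = {'h': HIGH, 'l': LOW}
H, L = ('var', 'h'), ('var', 'l')

DIRECT = ('assign', 'l', H)                                   # l := h
IMPLICIT = ('if', ('<=', H, ('const', 0)),                    # if h <= 0 then l := 1 else skip
            ('assign', 'l', ('const', 1)), ('skip',))
HIGH_TEST = ('test', ('<=', H, ('const', 0)))                 # test h <= 0
HIGH_LOOP = ('while', ('<=', H, ('const', 0)), ('skip',))     # while h <= 0 skip
LOW_LOOP = ('seq', ('assign', 'l', ('+', L, ('const', 1))),   # l := l + 1; while l <= 10 l := l + 1
            ('while', ('<=', L, ('const', 10)), ('assign', 'l', ('+', L, ('const', 1)))))


def check_all():
    """Map each sample program to (Σ ⊢ prog secure, Σ ⊢ prog secure^∞) with Σ(pc) = ⊥."""
    samples = [('direct', DIRECT), ('implicit', IMPLICIT), ('high_test', HIGH_TEST),
               ('high_loop', HIGH_LOOP), ('low_loop', LOW_LOOP)]
    return {name: (secure(SIGMA, LOW, p, False), secure(SIGMA, LOW, p, True))
            for name, p in samples}


if __name__ == '__main__':
    for name, (insens, sens) in check_all().items():
        print(f"{name:10s} secure={insens!s:5s} secure^inf={sens}")
```

The direct and implicit flows are rejected by both systems, since in each case a HIGH level (from the expression or from pc) must flow into the LOW variable l. The high-guarded test and loop are accepted by the termination-insensitive rules, which only constrain assignments, but rejected by the termination-sensitive ones; the loop over l alone passes both, matching the soundness statement above.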
