Team for Research in
Ubiquitous Secure Technology

End-to-End Enforcement of Erasure and Declassification
Stephen Chong, Andrew C. Myers

Citation
Stephen Chong, Andrew C. Myers. "End-to-End Enforcement of Erasure and Declassification". Proceedings of the IEEE Computer Security Foundations Symposium, 98–111, June, 2008.

Abstract
_Declassification_ occurs when the confidentiality of information is weakened; _erasure_ occurs when the confidentiality of information is strengthened, perhaps to the point of completely removing the information from the system. This paper shows how to enforce erasure and declassification policies. A combination of a type system that controls information flow and a simple runtime mechanism to overwrite data ensures end-to-end enforcement of policies. We prove that well-typed programs satisfy the semantic security condition _noninterference according to policy_. We extend the Jif programming language with erasure and declassification enforcement mechanisms and use the resulting language in a large case study of a voting system.

Electronic downloads

Citation formats  
  • HTML 
    Stephen Chong, Andrew C. Myers. <a
href="http://www.truststc.org/pubs/454.html"
>End-to-End Enforcement of Erasure and
Declassification</a>, Proceedings of the IEEE Computer
Security Foundations Symposium, 98–111, June, 2008.
  • Plain text 
    Stephen Chong, Andrew C. Myers. "End-to-End Enforcement
of Erasure and Declassification". Proceedings of the
IEEE Computer Security Foundations Symposium,
98–111, June, 2008.
  • BibTeX 
    @inproceedings{ChongMyers08_EndtoEndEnforcementOfErasureDeclassification,
    author = {Stephen Chong and Andrew C. Myers},
    title = {End-to-End Enforcement of Erasure and
              Declassification},
    booktitle = {Proceedings of the IEEE Computer Security
              Foundations Symposium},
    pages = {98–111},
    month = {June},
    year = {2008},
    abstract = {_Declassification_ occurs when the confidentiality
              of information is weakened; _erasure_ occurs when
              the confidentiality of information is
              strengthened, perhaps to the point of completely
              removing the information from the system. This
              paper shows how to enforce erasure and
              declassification policies. A combination of a type
              system that controls information flow and a simple
              runtime mechanism to overwrite data ensures
              end-to-end enforcement of policies. We prove that
              well-typed programs satisfy the semantic security
              condition _noninterference according to policy_.
              We extend the Jif programming language with
              erasure and declassification enforcement
              mechanisms and use the resulting language in a
              large case study of a voting system.},
    URL = {http://www.truststc.org/pubs/454.html}
}

Posted by Andrew C. Myers, Ph.D. on 22 Aug 2008.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.