Current standard security practices do not provide substantial assurance that the end-to-end
behavior of a computing system satisfies important security policies such as confidentiality …

A promising technique for protecting privacy and integrity of sensitive data is to statically
check information flow within programs that manipulate the data. While previous work has …

Ensuring secure information flow within programs in the context of multiple sensitivity levels
has been widely studied. Especially noteworthy is Denning's work in secure flow analysis …

This paper presents a new model for controlling information flow in systems with mutual
distrust and decentralized authority. The model allows users to share information with …

Stronger protection is needed for the confidentiality and integrity of data, because programs
containing untrusted code are the rule rather than the exception. Information flow control …

Notions of program dependency arise in many settings: security, partial evaluation, program
slicing, and call-tracking. We argue that there is a central notion of dependency common to …

The SLam calculus is a typed λ-calculus that maintains security information as well as type
information. The type system propagates security information for each object in four forms …

Previously, we developed a type system to ensure secure information flow in a sequential,
imperative programming language [VSI96]. Program variables are classified as either high …

Noninterference is a property of sequential programs that is useful for expressing security
policies for data confidentiality and integrity. However, extending noninterference to …

We describe a framework for adding type qualifiers to a language. Type qualifiers encode a
simple but highly useful form of subty**. Our framework extends standard type rules to …