On Declassification and the Non-Disclosure Policy (*)

Ana Almeida Matos (†) and Gérard Boudol
INRIA Sophia Antipolis, France

Abstract

We address the issue of declassification in a language-based security approach. We introduce, in a Core ML-like language with concurrent threads, a declassification mechanism that takes the form of a local flow policy declaration. The computation in the scope of such a declaration is allowed to implement information flow according to the local policy. To take into account declassification, and more generally dynamic flow policies, we introduce a generalization of non-interference, which we call the non-disclosure policy, and we design a type and effect system for our language that enforces this policy. Besides dealing with declassification, our type system improves over previous systems for checking information flow in two directions. First, we show that the typing of termination leaks can be largely improved by particularizing the case where both alternatives of a conditional branching terminate. Second, we provide a quite precise way of approximating the confidentiality level of an expression, by ignoring the level of values that are only used for their side effects.

1. Introduction

This paper addresses the issue of declassification in a language-based security approach. We are therefore more generally concerned with the confidentiality aspect of security. It has often been argued (see [14, 23, 35, 41] for instance) that the standard techniques used for access control are not enough to fully protect confidential information. Ideally, one would like to have a way of controlling how this information is used by subjects having the required clearance. Indeed, it is useless to restrict access to confidential information if one does not have some guarantee that the authorized subjects will not publicly disclose a significant part of it.
In other words, one should be interested in how information flows in a computer system. Since the pioneering works of Bell and La Padula and of Denning [5, 14], the classical approach to secure information flow is to use a lattice of security levels (see for instance the survey [45] for the use of security lattices). The "objects" (information containers) of a system are then labelled by security levels, and information is allowed to flow from one object to another only if the confidentiality level of the source object does not exceed that of the target. That is, the ordering relation on security levels determines the legal flows, and a program is secure if, roughly speaking, it does not set up illegal flows from inputs to outputs. This was first formally stated via a notion of strong dependency by Cohen in [12], and is also referred to as non-interference, following the terminology used by Goguen and Meseguer in [19].

(*) Work partially supported by the CRISS project of the ACI Sécurité Informatique. The first author was supported by the PhD scholarship POSI/SFRH/BD/7100/2001.
(†) Current affiliation: SQIGT-IT and IST Lisbon, Portugal
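The lattice-based rule just described, as an added illustration that is not the paper's own type and effect system: a small Python checker for a toy imperative language that rejects explicit flows (assigning a high variable to a low one) and implicit flows (assigning to a low variable under a high branch condition), and that admits a scoped "flow declaration" in the spirit of the local flow policy the abstract mentions, by extending the order only inside the declaration's body. The lattice, the variable environment and the programs below are constructed for the example; the checker is the classical Denning-style check and does not handle termination leaks or concurrent threads, which the paper's system addresses.

```python
"""Toy information-flow checker over a lattice of confidentiality levels.

Added example for illustration: not the paper's type system. The lattice,
environment and programs are constructed inputs.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple, Union

Level = str
Edge = Tuple[Level, Level]  # (a, b) means a is allowed to flow to b


class Lattice:
    """Finite order on levels given by covering edges; `bottom` is the public level."""

    def __init__(self, levels, edges, bottom: Level):
        self.levels = set(levels)
        self.edges = set(edges)
        self.bottom = bottom

    def leq(self, a: Level, b: Level, extra: FrozenSet[Edge] = frozenset()) -> bool:
        # Reflexive-transitive closure of the edges plus any locally declared flows.
        edges = self.edges | set(extra)
        seen, todo = {a}, [a]
        while todo:
            x = todo.pop()
            if x == b:
                return True
            for s, t in edges:
                if s == x and t not in seen:
                    seen.add(t)
                    todo.append(t)
        return False

    def join(self, a: Level, b: Level, extra: FrozenSet[Edge] = frozenset()) -> Level:
        ubs = [l for l in self.levels if self.leq(a, l, extra) and self.leq(b, l, extra)]
        least = [l for l in ubs if all(self.leq(l, m, extra) for m in ubs)]
        if not least:
            raise ValueError(f"no least upper bound of {a} and {b}")
        # Locally declared flows can turn the order into a preorder; any least
        # element is then equivalent to the others, so the first one is fine.
        return least[0]


@dataclass
class Var:
    name: str

@dataclass
class Lit:
    value: int

@dataclass
class Op:  # any binary operator: its level is the join of its operands' levels
    left: "Expr"
    right: "Expr"

Expr = Union[Var, Lit, Op]

@dataclass
class Assign:
    target: str
    expr: Expr

@dataclass
class If:
    cond: Expr
    then: List["Stmt"]
    els: List["Stmt"]

@dataclass
class Flow:  # local flow declaration: `flows` are permitted only inside `body`
    flows: FrozenSet[Edge]
    body: List["Stmt"]

Stmt = Union[Assign, If, Flow]


class IllegalFlow(Exception):
    pass


def level_of(e: Expr, env: Dict[str, Level], lat: Lattice, extra: FrozenSet[Edge]) -> Level:
    if isinstance(e, Var):
        return env[e.name]
    if isinstance(e, Lit):
        return lat.bottom  # constants carry no secret
    return lat.join(level_of(e.left, env, lat, extra), level_of(e.right, env, lat, extra), extra)


def check(stmts: List[Stmt], env: Dict[str, Level], lat: Lattice, pc: Level,
          extra: FrozenSet[Edge] = frozenset()) -> None:
    """Raise IllegalFlow if some assignment would move data to a lower level.

    `pc` is the level of the control context, which captures implicit flows
    through the branch condition of an enclosing conditional.
    """
    for s in stmts:
        if isinstance(s, Assign):
            src = lat.join(level_of(s.expr, env, lat, extra), pc, extra)
            if not lat.leq(src, env[s.target], extra):
                raise IllegalFlow(f"{src} flows to {s.target} (level {env[s.target]})")
        elif isinstance(s, If):
            pc2 = lat.join(pc, level_of(s.cond, env, lat, extra), extra)
            check(s.then, env, lat, pc2, extra)
            check(s.els, env, lat, pc2, extra)
        elif isinstance(s, Flow):
            check(s.body, env, lat, pc, extra | s.flows)  # declaration is scoped to the body
        else:
            raise TypeError(f"unknown statement {s!r}")


def is_secure(stmts: List[Stmt], env: Dict[str, Level], lat: Lattice) -> bool:
    try:
        check(stmts, env, lat, lat.bottom)
        return True
    except IllegalFlow:
        return False


# Constructed diamond lattice L < M1, M2 < H and a variable environment.
DIAMOND = Lattice({"L", "M1", "M2", "H"},
                  {("L", "M1"), ("L", "M2"), ("M1", "H"), ("M2", "H")}, "L")
ENV = {"low": "L", "m1": "M1", "m2": "M2", "high": "H"}

EXPLICIT = [Assign("low", Var("high"))]                                   # rejected
IMPLICIT = [If(Var("high"), [Assign("low", Lit(1))], [Assign("low", Lit(0))])]  # rejected
UPWARD = [Assign("high", Op(Var("m1"), Var("m2")))]                        # accepted
SIDEWAYS = [Assign("m1", Op(Var("m1"), Var("m2")))]                        # rejected: join is H
DECLASS = [Flow(frozenset({("H", "L")}), [Assign("low", Var("high"))])]    # accepted in scope
LEAK_AFTER = DECLASS + EXPLICIT                                           # rejected outside scope

if __name__ == "__main__":
    for name, prog in [("explicit", EXPLICIT), ("implicit", IMPLICIT), ("upward", UPWARD),
                       ("sideways", SIDEWAYS), ("declass", DECLASS), ("leak_after", LEAK_AFTER)]:
        print(f"{name:10s} secure={is_secure(prog, ENV, DIAMOND)}")
```

The `Flow` case is the only place where the order is extended, and the extension is passed down the recursion rather than stored on the lattice, so the declared flow cannot leak out of the declaration's scope: `LEAK_AFTER` is rejected even though its first statement is accepted.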