SIFTAL: A Typed Assembly Language for Secure Information Flow Analysis

Eduardo Bonelli, Adriana Compagnoni, Ricardo Medel
{ebonelli,abc,rmedel}@cs.stevens-tech.edu
Stevens Institute of Technology

Abstract

We study information flow for a typed assembly language where security types restrict information flow. Inspired by recent work in continuation-based information flow analysis, our language, Secure Information Flow TAL (SIFTAL), uses low-level linear continuations in order to impose a stack discipline on the control flow of programs.

The challenge posed by studying information flow analysis at the assembly language level is many-fold. On the one hand, the well-behaved control constructs of high-level languages are not available, and, on the other hand, the role of an unbounded number of variables is played by a finite number of registers that need to be reused not only with different types, but also with different security levels.

Non-interference refers to the desirable property of systems of multilevel security architecture that states that information stored at a high security level does not affect computed low security level values. Our main contributions are a type system for checking that typed assembly language programs enjoy non-interference and its proof of soundness. Furthermore, SIFTAL is the first typed assembly language with security types for information flow analysis, and our proof is the first proof of non-interference for a MIPS-style typed assembly language.

1. Introduction

The confidentiality of information handled by computing systems is of paramount importance in voting, electronic commerce, and in military, medical, and financial applications, just to name a few relevant areas. However, standard mechanisms such as perimeter security in the form of access control or digital signatures for authentication and encryption fail to address the enforcement of information-flow policies. In this scenario, language-based strategies for security offer a promising approach to information flow security. In this paper, we study confidentiality for an assembly language using a language-based approach to security via type theory.

In a multilevel security architecture information can range from having low to high security level, where low means public and high means confidential. Furthermore, following Denning's work [13], the security levels can be represented as a lattice. Information flow analysis studies whether an attacker can obtain information about the input data by observing the output of the system. In other words, it studies whether low-security computation may be affected by high-level data.

The notion of non-interference states that the computation of low-level values cannot be affected by high-level data, which implies that two executions of the same program, where only the high-level inputs differ in both executions, should not exhibit any observable difference in the program's output.

In this paper we define SIFTAL, a typed assembly language for secure information flow analysis with security types. Among its non-standard features, SIFTAL has a stack of linear continuations that indicate the program points where different branches of code converge. Our development culminates with a proof that well-typed programs satisfy the non-interference property.

The study of information leaking through covert channels is outside the scope of this work.

1.1. Assembly Languages And Information Flow

High-Level Control Flow. In information flow analysis, a security level is associated with each program execution point (often called pc). This security level is used to detect implicit information flow from high-level values to low-level values. Moreover, control flow analysis is crucial in allowing this security level to decrease where there is no risk of illicit flow of information. Consider the following example where x has high security level and b has low security level.

    pc = low     if x
    pc = high    then a := 1
    pc = high    else a := 2
    pc = low     b := 3

Notice that a cannot have low security level, since x can be retrieved from a, violating the non-interference property,
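As an added illustration of the pc-based rule just described (this is not part of the paper and is not SIFTAL itself), the following Python checker tracks pc over a constructed two-point lattice and reports the assignments to a in the example above when a is declared low; the toy statement format and the variable levels are assumptions made for this illustration.

```python
"""Toy implicit-flow checker for the if-example in the text.

Added illustration, not the paper's SIFTAL type system. Uses a
constructed two-point lattice LOW < HIGH and the standard rule that an
assignment  x := e  is permitted only if join(pc, level(e)) <= level(x).
"""

LOW, HIGH = 0, 1   # constructed lattice: LOW < HIGH


def join(a, b):
    """Least upper bound in the two-point lattice."""
    return max(a, b)


def level_of_expr(reads, env):
    """Level of a right-hand side = join of the levels of the variables it reads."""
    lvl = LOW
    for v in reads:
        lvl = join(lvl, env[v])
    return lvl


def check(block, env, pc=LOW, violations=None):
    """Walk a block of statements, raising pc inside branches on a secret guard.

    Statement forms (assumed for this example):
      ("assign", target, reads)            reads = variables on the right-hand side
      ("if", cond, then_block, else_block)
    Returns a list of (target, required_level, declared_level) for each leak.
    """
    if violations is None:
        violations = []
    for stmt in block:
        if stmt[0] == "assign":
            _, target, reads = stmt
            required = join(pc, level_of_expr(reads, env))
            if required > env[target]:
                violations.append((target, required, env[target]))
        elif stmt[0] == "if":
            _, cond, then_b, else_b = stmt
            branch_pc = join(pc, env[cond])      # pc = high when x is high
            check(then_b, env, branch_pc, violations)
            check(else_b, env, branch_pc, violations)
            # after the join point, pc falls back to the enclosing level
        else:
            raise ValueError(f"unknown statement kind {stmt[0]!r}")
    return violations


# The program from the text: if x then a := 1 else a := 2; b := 3
PROGRAM = [
    ("if", "x", [("assign", "a", [])], [("assign", "a", [])]),
    ("assign", "b", []),
]


def run_example(a_level):
    """Check PROGRAM with x high, b low, and a at the given level."""
    return check(PROGRAM, {"x": HIGH, "a": a_level, "b": LOW})
```

With a declared low the checker reports both branch assignments (pc is high there), while b := 3 after the join point is accepted because pc has dropped back to low.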