Information Flow for Algol-like Languages

David Clark (a), Chris Hankin (b, 1) and Sebastian Hunt (c)

(a) Department of Computer Science, King's College, London WC2R 2LS
(b) Department of Computing, Imperial College, London SW7 2BZ
(c) Department of Computing, City University, London EC1V 0HB

Abstract

In this paper we present an approach to information flow analysis for a family of languages. We start with a simple imperative language. We present an information flow analysis using a flow logic. The paper contains detailed correctness proofs for this analysis. We next extend the analysis to a restricted form of Idealised Algol, a call-by-value higher-order extension of the simple imperative language (the key restriction being the lack of recursion). The paper concludes with a discussion of further extensions, including a probabilistic extension of Idealised Algol.

1 Introduction

We are concerned here with Trojan horse confidentiality attacks. Suppose that H and L are two sets of variable names. H is the set of high-security inputs, which we wish to keep secret from the attacker (who supplies the program), and L is the set of low-security outputs, which all users (including the attacker) can read when the program terminates. We need to verify that the final values of variables in L give no information about the initial values of variables in H. The particular security property we are concerned with is a simple extensional non-interference property (our programs do not perform I/O while executing, so observations of intermediate stores are not possible).

Following Denning [2] we divide information flows into two classes: direct and indirect. Indirect flows are just the transitive flows (a flow from x to y followed by a flow from y to z implies a flow from x to z). The direct flows are further divided:

1 This author partially funded by the EU FET Open project SecSafe.

Preprint submitted to Elsevier Science, 23 May 2002
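The setting of the introduction, as an added example that is not part of the paper: an exhaustive finite-domain check of the extensional non-interference property (every two initial stores that agree outside H must give the same final values on L), alongside a transitive closure of a given direct-flow relation that yields the indirect flows. The small programs, the direct-flow sets, the variable names h, t, l and the value domain are all constructed here; the closure is a plain dependency closure over a relation, not the paper's flow logic, and recording a conditional's guard as a direct flow into the assigned variable is an assumption, since the paper's subdivision of direct flows is not on this page.

```python
from itertools import product

# Constructed direct-flow relations for four tiny programs over variables h (high), t, l (low).
# A pair (x, y) records a direct flow from x to y. This relational encoding is an assumption
# made for the example; it is not the paper's flow logic.
DIRECT_COPY = {("h", "l")}                   # l := h
DIRECT_LAUNDER = {("h", "t"), ("t", "l")}    # t := h; l := t   (h reaches l only transitively)
DIRECT_BRANCH = {("h", "l")}                 # if h > 0 then l := 1 else l := 0  (guard recorded as a flow)
DIRECT_SAFE = {("h", "t"), ("l", "h")}       # t := h; h := l; l := 1  (a constant carries no flow)


def transitive_closure(direct):
    """Direct flows plus all indirect (transitive) flows they imply."""
    flows = set(direct)
    changed = True
    while changed:
        changed = False
        for x, y in list(flows):
            for y2, z in list(flows):
                if y == y2 and (x, z) not in flows:
                    flows.add((x, z))
                    changed = True
    return flows


def leaks(direct, high, low):
    """Pairs (h, l), h in H and l in L, that the closed flow relation connects."""
    return {(x, z) for x, z in transitive_closure(direct) if x in high and z in low}


# Constructed programs as store transformers (dict -> dict). They perform no I/O,
# so only the final store is observable, matching the paper's extensional setting.
def prog_copy(s):
    s["l"] = s["h"]
    return s


def prog_launder(s):
    s["t"] = s["h"]
    s["l"] = s["t"]
    return s


def prog_branch(s):
    # No assignment copies h into l, yet l's final value depends on h through the guard.
    s["l"] = 1 if s["h"] > 0 else 0
    return s


def prog_safe(s):
    s["t"] = s["h"]   # h reaches t, but t is not in L
    s["h"] = s["l"]   # low-to-high flow is harmless
    s["l"] = 1        # l ends up constant whatever h was
    return s


def noninterfering(program, high, low, variables, domain=(0, 1, 2)):
    """Extensional non-interference, checked exhaustively over a finite value domain.

    For each fixing of the non-H inputs, every choice of the H inputs must produce the
    same final values on L; a second distinct L-observation means L reveals something
    about the initial H values.
    """
    high_vars = [v for v in variables if v in high]
    low_vars = [v for v in variables if v not in high]
    for low_vals in product(domain, repeat=len(low_vars)):
        observed = set()
        for high_vals in product(domain, repeat=len(high_vars)):
            store = dict(zip(low_vars, low_vals))
            store.update(zip(high_vars, high_vals))
            final = program(store)
            observed.add(tuple(final[v] for v in low))
        if len(observed) > 1:
            return False
    return True


if __name__ == "__main__":
    H, L, V = {"h"}, {"l"}, ("h", "t", "l")
    cases = [("copy", prog_copy, DIRECT_COPY), ("launder", prog_launder, DIRECT_LAUNDER),
             ("branch", prog_branch, DIRECT_BRANCH), ("safe", prog_safe, DIRECT_SAFE)]
    for name, prog, direct in cases:
        print(f"{name:8s} static leaks={leaks(direct, H, L)} "
              f"non-interfering={noninterfering(prog, H, L, V)}")
```

The two checks answer different questions: `leaks` is the static view, where the transitive closure is what turns the launder program's two innocent-looking direct flows into the flow from h to l, while `noninterfering` is the semantic property the analysis is meant to certify. For `prog_safe` the static relation contains a flow out of h, but only into t, which is not a low output, so both checks agree that the program is secure.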