A Decentralized Model for Information Flow Control

Andrew C. Myers    Barbara Liskov

MIT Laboratory for Computer Science
545 Technology Square, Cambridge, MA 02139


This paper presents a new model for controlling information flow in systems with mutual distrust and decentralized authority. The model allows users to share information with distrusted code (e.g., downloaded applets), yet still control how that code disseminates the shared information to others. The model improves on existing multilevel security models by allowing users to declassify information in a decentralized way, and by improving support for fine-grained data sharing. The paper also shows how static program analysis can be used to certify proper information flows in this model and to avoid most run-time information flow checks.

This paper is also available in a PostScript version and a PDF version.

Published in the Proceedings of the 16th ACM Symposium on Operating Systems Principles, Saint-Malo, France, 5-8 October 1997.

This research was supported in part by DARPA Contract N00014-91-J-4136, monitored by the Office of Naval Research, and in part by DARPA Contract F30602-96-C-0303, monitored by USAF Rome Laboratory.

Copyright ©1997 by the Association for Computing Machinery, Inc. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that new copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Publications Dept, ACM Inc., fax +1 (212) 869-0481, or ``permissions@acm.org''

Andrew C. Myers, Barbara Liskov