Note on a simple type system for non-interference

We consider CCS with value passing and elaborate a notion of noninterference for the process calculi, which matches closely that of the programming language. The idea is to view channels as information carriers rather than as “events”, so that emitting a secret on output channel can be considered safe, while inputting a secret may lead to some kind of leakage. This is in contrast with the standard notion of noninterference for the process calculi where any causal dependency of low-level action from any high-level action is forbidden.

💡 Research Summary

The paper investigates non‑interference for a value‑passing variant of CCS in which each channel is annotated with a security level drawn from a lattice (L, ≤). The authors argue that the traditional process‑algebraic view of non‑interference—where any causal dependency of a low‑level action on a high‑level action is forbidden—does not capture the intuition common in language‑based security. In programming‑language settings, only high‑level inputs that influence low‑level outputs are considered dangerous; high‑level outputs are harmless because they merely emit secret data without revealing it to an observer. To reflect this, the authors treat channels as “information carriers” rather than as mere events. Consequently, a process that outputs a secret on a high‑level channel and later outputs the same value on a low‑level channel is regarded as secure, whereas a process that first receives a secret on a high‑level channel and then sends it on a low‑level channel is insecure.

The paper first formalises two semantic notions of non‑interference. The weaker notion, BNDC (Bisimulation‑based Non‑Deducibility on Composition), requires that for every high‑level context Π, the restricted composition (ν H)(P | Π) be weakly bisimilar to (ν H) P. This definition, however, does not distinguish between high‑level inputs and outputs, and therefore classifies some intuitively insecure processes as secure and vice‑versa. To overcome this, the authors adopt the stronger notion P‑BNDC (Persistent BNDC), which demands that the BNDC condition hold after any sequence of internal τ‑steps. P‑BNDC is expressed using a “weak bisimulation up‑to‑high” relation that abstracts away any number of τ‑steps when a high‑level action occurs. Under P‑BNDC, any process that can reach a state where a high‑level input blocks a subsequent low‑level action is considered insecure, matching the language‑based intuition.

Next, the authors adapt Pottier’s “simple type system”—originally devised for the π‑calculus—to their CCS setting. Types are security levels assigned to channel names in a typing environment Γ. The typing rules (NIL, SUB, COMP, REC, SUM, RESTR) enforce that every prefix in a process carries the same security level as the channel it uses, and that all branches of a guarded choice share a common level. The key property is subject reduction: if Γ ⊢ P : ℓ and P →α P′ then Γ ⊢ P′ : ℓ. Consequently, any well‑typed process cannot leak secret data during execution. The authors prove that every typeable process satisfies P‑BNDC, establishing that the simple type system is a sound static analysis for the stronger semantic notion.

However, the converse does not hold. The paper presents processes that are P‑BNDC‑secure but not typeable (e.g., a_h(x).b_l⟨e⟩). This demonstrates that the type system is conservative: it rejects some secure processes but never accepts an insecure one. The authors argue that this conservatism is acceptable for static verification because it yields a decidable, easy‑to‑implement analysis.

Finally, to align the type system more closely with the language‑based view, the authors propose a refined typing discipline that treats high‑level outputs as harmless. The refined system only restricts high‑level inputs; it allows a high‑level output to be followed by a low‑level output of the same value (e.g., a_h⟨v⟩.b_l⟨v⟩), which was previously untypeable. This modification yields a type system whose notion of security coincides with the intuitive non‑interference condition: secret inputs must not affect public outputs.

In summary, the paper makes four contributions: (1) a reinterpretation of non‑interference for process calculi that distinguishes inputs from outputs, (2) an adaptation of Pottier’s simple type system to CCS and a proof that it characterises the semantic notion P‑BNDC, (3) a demonstration that the type system is strictly weaker than P‑BNDC (i.e., some secure processes are not typeable), and (4) a refined type system that captures the language‑based non‑interference intuition while remaining simple. These results bridge the gap between process‑algebraic security models and language‑based information‑flow analysis, providing a practical static‑analysis tool for verifying confidentiality in concurrent systems.