Epistemic Temporal Logic for Information Flow Security

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Temporal epistemic logic is a well-established framework for expressing agents' knowledge and how it evolves over time. Within language-based security these are central issues, for instance in the context of declassification. We propose to bring these two areas together. The paper presents a computational model and an epistemic temporal logic used to reason about knowledge acquired by observing program outputs. This approach is shown to elegantly capture standard notions of noninterference and declassification in the literature as well as information flow properties where sensitive and public data intermingle in delicate ways.


💡 Research Summary

The paper bridges two well‑established research areas—temporal epistemic logic and language‑based information‑flow security—to provide a unified framework for reasoning about what an external observer can learn from program executions over time. The authors first formalize a computational model in which a program’s execution is represented as a sequence of states together with observable outputs. An observer’s knowledge is captured by the epistemic operator K, which denotes “the observer knows that …”. By enriching K with standard linear‑time operators (X for next, G for always, U for until), the resulting Temporal Epistemic Logic (TEL) can express statements such as “at every future point the observer will know that the public output is unchanged” or “after a specific event the observer may learn the secret value”.

Using this logic, the classic non‑interference property is re‑expressed as a simple TEL formula: for any two initial states that agree on low (public) variables, G K (output₁ = output₂) holds. This formulation is equivalent to traditional definitions but has the advantage of being a declarative specification that can be directly fed to model‑checking tools.

The core contribution lies in the treatment of declassification. The authors introduce a policy function φ(t, d) that specifies, for each time point t and each sensitive datum d, whether the observer is permitted to acquire knowledge of d. In TEL this becomes a conditional epistemic clause Kₜ d, allowing the expression of a wide range of declassification scenarios: conditional (e.g., after successful authentication), time‑bounded (e.g., within five minutes of an event), and cumulative (e.g., knowledge that gradually accrues through repeated observations). By embedding φ directly into the logic, the framework can capture complex interactions where secret and public data intermix, something that traditional static analyses struggle with.
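The following is an added illustration, not code from the paper: a tiny model in which the observer's knowledge at time t is the set of initial states whose first t outputs match what was actually observed, so "K fact" holds when the fact is true in every such state. Noninterference is then the policy that releases nothing, and a declassification policy φ(t, s) (assumed here to return the value the observer is permitted to learn at time t, or None) is violated whenever the observer can tell apart two states the policy says must stay indistinguishable; the two programs and the state space are constructed for the example.

```python
from itertools import product

# Constructed toy programs: state = (low, high); each call returns the
# observable output trace (three outputs). program_a depends only on low;
# program_b releases whether high > 0 through its third output.
def program_a(low, high):
    return [low + t for t in range(3)]

def program_b(low, high):
    return [low, low + 1, low + (1 if high > 0 else 0)]

LOWS = range(2)          # public inputs
HIGHS = range(-1, 2)     # secret inputs
STATES = list(product(LOWS, HIGHS))

def knowledge(program, actual, t):
    """Initial states the observer still considers possible after seeing
    the first t outputs produced from `actual`."""
    seen = program(*actual)[:t]
    return {s for s in STATES if program(*s)[:t] == seen}

def knows(program, actual, t, fact):
    """Epistemic operator K at time t: `fact` holds in every state the
    observer cannot rule out."""
    return all(fact(s) for s in knowledge(program, actual, t))

def violations(program, policy, horizon=3):
    """Check the policy at every time point and initial state (the G
    operator). Two states must stay indistinguishable at time t if they
    agree on low and on everything policy(t, s) has released so far; a
    violation lists the states the observer wrongly excluded."""
    found = []
    for actual in STATES:
        for t in range(horizon + 1):
            must_be_indistinguishable = {
                s for s in STATES
                if s[0] == actual[0] and policy(t, s) == policy(t, actual)
            }
            possible = knowledge(program, actual, t)
            if not must_be_indistinguishable <= possible:
                found.append((t, actual, sorted(must_be_indistinguishable - possible)))
    return found

def noninterference(program):
    """Classic noninterference: the policy that never releases anything."""
    return violations(program, lambda t, s: None) == []
```

Each violation carries the exact time and state at which the observer learned more than the policy allows, which is the kind of counter-example the summary describes.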

For verification, the authors construct Kripke structures augmented with temporal labels, defining a satisfaction relation M, t ⊨ ψ for any TEL formula ψ. They then translate the model and the security specifications into SAT/SMT instances and employ an off‑the‑shelf model checker. Experimental evaluation on three benchmark programs—conditional assignment, loop‑based secret propagation, and multi‑threaded concurrency—demonstrates that the TEL‑based approach detects all standard non‑interference violations while also pinpointing precise declassification policy breaches. Compared with existing non‑interference tools, the new method provides richer counter‑examples, indicating not only that a leak occurs but also the exact time and condition under which the observer gains the prohibited knowledge.

The paper concludes with several avenues for future work: extending the logic with probabilistic epistemic operators to handle randomized algorithms, developing scalable abstraction techniques for large real‑time systems, and creating automated policy‑conflict detection and synthesis mechanisms. By integrating temporal evolution and epistemic reasoning, the authors offer both a deeper theoretical understanding of information‑flow security and a practical verification methodology capable of handling nuanced, time‑sensitive declassification policies.

