Attacker Control and Impact for Confidentiality and Integrity

Language-based information flow methods offer a principled way to enforce strong security properties, but enforcing noninterference is too inflexible for realistic applications. Security-typed languages have therefore introduced declassification mechanisms for relaxing confidentiality policies, and endorsement mechanisms for relaxing integrity policies. However, a continuing challenge has been to define what security is guaranteed when such mechanisms are used. This paper presents a new semantic framework for expressing security policies for declassification and endorsement in a language-based setting. The key insight is that security can be characterized in terms of the influence that declassification and endorsement allow to the attacker. The new framework introduces two notions of security to describe the influence of the attacker. Attacker control defines what the attacker is able to learn from observable effects of this code; attacker impact captures the attacker’s influence on trusted locations. This approach yields novel security conditions for checked endorsements and robust integrity. The framework is flexible enough to recover and to improve on the previously introduced notions of robustness and qualified robustness. Further, the new security conditions can be soundly enforced by a security type system. The applicability and enforcement of the new policies is illustrated through various examples, including data sanitization and authentication.

💡 Research Summary

**
The paper addresses a fundamental limitation of classic non‑interference based security: it is too rigid for real‑world programs that need controlled releases of secret data (declassification) and controlled use of untrusted inputs (endorsement). To reason precisely about the security guarantees of programs that employ these downgrading mechanisms, the authors introduce a novel semantic framework built around two dual notions: Attacker Control and Attacker Impact.

Attacker Control captures what an attacker can learn from the low‑level (public) events that a program emits. Low events consist of assignments to public variables, termination signals, and optionally divergence signals. By defining the attacker’s knowledge as the set of initial memories compatible with the observed low trace, the framework quantifies information leakage: the knowledge set shrinks as the attacker observes more events. The authors further refine this notion into progress knowledge, which records what the attacker can infer after seeing a low event followed by any further public activity, and divergence knowledge, which also accounts for the ability to detect non‑termination.

Attacker Impact, the dual concept, describes how much influence the attacker has over trusted (high‑integrity) locations. When an untrusted input is allowed to affect a trusted variable, this influence is modeled as a relation between the attacker’s control over the input and the resulting change in the trusted state. By combining the two relations, the framework can express security policies that simultaneously constrain confidentiality (what the attacker learns) and integrity (what the attacker can cause).

Using these foundations, the paper revisits robust declassification—the property that declassification should not be exploitable by an attacker to leak additional secrets. Prior definitions suffered from two drawbacks: they only applied to terminating programs, and they largely ignored endorsement, treating it as a nondeterministic “choice” by the attacker. The new definitions are progress‑sensitive (considering the exact point at which execution stops) and progress‑insensitive (ignoring termination channels), thereby covering both terminating and non‑terminating systems such as servers.

A major contribution is the formalization of checked endorsement, a construct already used in languages like Jif but lacking precise semantics. Checked endorsement first validates a low‑integrity value (e.g., ensuring a timestamp is in the past) and only then promotes it to high integrity. In the authors’ model, this operation is a restricted form of attacker impact: the attacker may influence the value, but only within a guard that the program verifies. This yields a stronger, more compositional notion of robust integrity that subsumes earlier “qualified robustness” ideas while avoiding probabilistic reasoning.

To enforce the newly defined security conditions, the authors present a security type system. Types annotate each variable with a confidentiality label (Public or Secret) and an integrity label (Trusted or Untrusted). The typing rules enforce that declassification can only occur in a trusted context and that endorsement (including checked endorsement) requires a preceding validation step. The system is shown sound: any well‑typed program satisfies the attacker‑control and attacker‑impact constraints for both the progress‑sensitive and progress‑insensitive variants. The authors also sketch how the type system can be extended to enforce the stricter, progress‑sensitive versions.

The paper includes several illustrative examples: a service that releases confidential data only after an embargo time, a sanitization routine that validates user input before endorsing it, and an authentication protocol that uses checked endorsement to ensure timestamps are not forged. In each case, the semantics clarify why the program is secure (or insecure) under the proposed definitions, and the type system successfully verifies the secure examples.

In summary, the work makes three intertwined advances: (1) a dual attacker‑centric semantic model that cleanly separates what the attacker can learn from what the attacker can cause; (2) refined robustness notions that handle both declassification and endorsement, applicable to both terminating and non‑terminating programs; and (3) a practical type‑checking discipline that enforces these notions. By providing precise semantics for checked endorsement and integrating it into a sound type system, the paper bridges a gap between theoretical information‑flow security and the needs of modern language designers, offering a robust foundation for building safe systems that must deliberately downgrade confidentiality or integrity.