Type Based Information Flow Analysis
Francois Pottier  INRIA

Bob-Counselor-Secretary Problem
  -- Bob has to trust the counselor
  -- What if counselor is replaced?
      - replaced by a Computer System
  -- Bob needs to trust the computer system
  
  Information flow control requires the computer system
  to conform to Bob's condidentiality policy.

  Language-based Information flow control consists of an
  analysis of a single piece of software with a well-defined
  semantics

  Bob needs: noninterference.
	     the data sent to the secretary does not depend
	     on Bob's income.

  Solution 1:
    L : low level (identity, letter)
    H : high level (income, tax form)
    L < H, and one allows information to flow up only.

    specification:
      string^L x int^H -> string^H x int^L

IF in Pure Functional Languages
  An overview of DCC
    Abadi, Banerjee, Heintze and Riecke (1999)
    a call-by-name \lambda calculus with products and sums
    extended with two constructs that allow "marking" a value
    and "using" a marked value
      e ::= x | \lamda x.e | e e | ... | H:e | use x = e in e
      t ::= t->t | unit | t + t | t x t| H(t)

    Types (only the two new constructs have nonstandard typing rules)

    Protected types: \triangle t is defined inductively meaning t
    is protected. Product type is protected, and the unit type is
    protected.

    PER, partial equivalence relation, a symmetric transitive relation
    on A.

    A model of DCC
      - object : cpo |t| equipped with a PER
      - morphism : is a continuous function f such that f:t -> u
    types are interpreted by objects and typing judgements by morphisms
      
    Interpreting types
      the marked type H(t) (the other interpretation is standard) is 
      interpreted as the cpo |t|, equipped with the "everywhere true"
      relation

    Interpreting typing judgments
      
  DCC with multiple security levels
    Defined over an arbitrary security lattice L:
      e ::= x | \lamda x.e | e e | ... | l:e | use x = e in e
      t ::= t->t | unit | t + t | t x t| T_l(t)

    Types:
      - Mark
      - Use

    Protected types:

    Subtyping: DCC does not have subtyping. It can be simulated, by using
    coercions, i.e., functions that have no computational content.

  A proof by encoding into DCC
    
  A direct, syntactic proof
    Inspired by Abadi et.al (1996), Pottier (2000)

