Inference of Expressive Declassification Policies
Jeffrey A. Vaughan and Stephen Chong
Proceedings of the 2011 IEEE Symposium on Security and Privacy (Oakland), pages 180–195, May 2011.

We explore the inference of expressive human-readable declassification policies as a step towards providing practical tools and techniques for strong language-based information security.

Security-type systems can enforce expressive information-security policies, but can require enormous programmer effort before any security benefit is realized. To reduce the burden on the programmer, we focus on inference of expressive yet intuitive information-security policies from programs with few programmer annotations.

We define a novel security policy language that can express what information a program may release, under what conditions (or, when) such release may occur, and which procedures are involved with the release (or, where in the code the release occur). We describe a dataflow analysis for precisely inferring these policies, and build a tool that instantiates this analysis for the Java programming language. We validate the policies, analysis, and our implementation by applying the tool to a collection of simple Java programs.