Run-Time Principals in Information-Flow Type Systems

Information-flow type systems are a promising approach for enforcing strong end-to-end confidentiality and integrity policies. Such policies, however, are usually specified in terms of static information - data is labeled high or low security at compile time. In practice, the confidentiality of data may depend on information available only while the system is running. This paper studies language support for run-time principals, a mechanism for specifying security policies that depend on which principals interact with the system. The authors establish the basic property of noninterference for programs written in such language, and use run-time principals for specifying run-time authority in downgrading mechanisms such as declassification.