On the (f)utility of Untrusted Data Sanitization
Data sanitization has been studied in the context of architectures for high-assurance systems, language-based information flow control, and privacy-preserving data publication. A range of sanitization strategies has been developed to address the wide variety of data content and contexts that arise in practice. It is therefore tempting to push the complex downgrading operations into untrusted data sanitizers and leave only the verification of the security policy to simpler trusted guards that mediate information flow between sensitivity levels. The authors argue that this separation can be a false economy and may result in more restrictive information flow than is necessary.
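As an added illustration of the trade-off the abstract describes (this is example code written for this page, not code from the paper), the following Python models an untrusted sanitizer that downgrades high-side records, placed behind three candidate trusted guards. The record format, the `[[...]]` marker syntax, the sensitive-term list and the three guard policies are all assumptions constructed for the example.

```python
"""
Constructed example: an untrusted sanitizer downgrades high-side records;
a trusted guard decides what may cross to the low side. Three guard
designs show why a cheap guard is either unsound or over-restrictive.
Records, marker syntax, term list and policies are all made up here.
"""
import re

# Constructed policy: free-text values that must never reach the low side.
SENSITIVE_TERMS = {"Alice", "Bob", "Site-17"}

# High-side authors mark sensitive spans as [[Alice]]; the sanitizer redacts them.
MARK_RE = re.compile(r"\[\[(.*?)\]\]")


def untrusted_sanitizer(record):
    """Correct sanitizer: replaces every marked span with a placeholder.
    It runs outside the trusted computing base, so the guard cannot rely on it."""
    return {k: MARK_RE.sub("[REDACTED]", v) for k, v in record.items()}


def buggy_sanitizer(record):
    """Faulty (or malicious) sanitizer: strips the markers but keeps the content."""
    return {k: MARK_RE.sub(r"\1", v) for k, v in record.items()}


def guard_marker_only(record):
    """Cheapest trusted guard: passes anything with no marker left in it.
    It checks the sanitizer's output syntax, not the policy, so a buggy
    sanitizer walks straight through it."""
    return not any(MARK_RE.search(v) for v in record.values())


def guard_structural(record, allowed_fields=("id", "status")):
    """Cheap and sound guard: admits only fields whose value space it can
    verify by shape, and rejects free text outright. Safe, but it blocks
    correctly sanitized notes too (the over-restriction the abstract warns of)."""
    return set(record) <= set(allowed_fields) and all(
        re.fullmatch(r"[A-Z0-9-]{1,16}", v) for v in record.values())


def guard_content_aware(record):
    """Sound guard that can release free text: it must carry the same
    knowledge of sensitive content the sanitizer relied on, i.e. it redoes
    the policy-relevant part of the sanitizer's job."""
    if any(MARK_RE.search(v) for v in record.values()):
        return False
    return not any(term in v for v in record.values() for term in SENSITIVE_TERMS)


def evaluate(sanitizer, guard, record):
    """Returns (released, leaked): whether the guard passed the sanitizer's
    output, and whether a sensitive term thereby reached the low side."""
    out = sanitizer(record)
    released = guard(out)
    leaked = released and any(t in v for v in out.values() for t in SENSITIVE_TERMS)
    return released, leaked


# Constructed sample records.
HIGH_RECORD = {"id": "R-0042", "status": "OPEN",
               "note": "Met [[Alice]] at [[Site-17]]; follow up next week."}
STRUCTURED_RECORD = {"id": "R-0043", "status": "CLOSED"}


if __name__ == "__main__":
    guards = [guard_marker_only, guard_structural, guard_content_aware]
    sanitizers = [untrusted_sanitizer, buggy_sanitizer]
    for g in guards:
        for s in sanitizers:
            released, leaked = evaluate(s, g, HIGH_RECORD)
            print(f"{g.__name__:20} {s.__name__:20} released={released!s:5} leaked={leaked}")
```

Run stand-alone, the table makes the abstract's point concrete: the marker-only guard is cheap but verifies nothing the policy cares about and releases the buggy sanitizer's leak; the structural guard is cheap and sound but refuses the correctly sanitized note, so the allowed flow is narrower than the policy requires; the content-aware guard releases that note and blocks the leak, but only because it holds the sensitive-term knowledge the sanitizer needed, so moving the sanitizer out of the trusted base saved little.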