Declassification: Dimensions and Principles∗
Andrei Sabelfeld
David Sands
Department of Computer Science and Engineering
Chalmers University of Technology and the University of Göteborg
412 96 Göteborg, Sweden
www.cs.chalmers.se/~{andrei, dave}
Abstract
Computing systems often deliberately release (or declassify) sensitive information. A principal security concern for systems permitting information release is whether this release is safe: is it possible that the attacker compromises the information release mechanism and extracts more secret information than intended? While the security community has recognised the importance of the problem, the state-of-the-art in information release is, unfortunately, a number of approaches with somewhat unconnected semantic goals. We provide a road map of the main directions of current research, by classifying the basic goals according to what information is released, who releases information, where in the system information is released and when information can be released. With a general declassification framework as a long-term goal, we identify some prudent principles of declassification. These principles shed light on existing definitions and may also serve as useful “sanity checks” for emerging models.
1 Introduction
Computing systems often deliberately release (i.e., declassify or downgrade) sensitive information. Without a possibility to leak secrets, some systems would be of no practical use. For example, releasing the average salary from a secret database of salaries is sometimes needed for statistical purposes. Another example of deliberate information release is information purchase. An information purchase protocol reveals the secret information once a condition (such as “payment transferred”) has been fulfilled. Yet another example is a password checking program that leaks some information about the password. Some information is released even if a log-in attempt fails: the attacker learns that the attempted sequence is not the same as the password.
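The two release mechanisms mentioned above (an aggregate over a secret database, and a password check that releases one bit per attempt) can be made concrete by measuring what an observer learns from each. The following is an added example, not code from the paper: it models the attacker's knowledge as the set of secrets still consistent with an observation, and contrasts a checker that releases only the intended equality bit with a hypothetical checker that compares character by character and reports how far the match got, thereby releasing more than intended. The candidate password space, the secret and the salary table are constructed sample values.

```python
import hmac
import itertools
import math


def average_salary(salaries):
    """Intended release: one aggregate value, not the individual rows."""
    return sum(salaries) / len(salaries)


def check_password(secret: str, guess: str) -> bool:
    """Intended release: exactly one bit, 'the guess equals the secret or not'.
    compare_digest avoids making the comparison's running time depend on
    how many leading characters match."""
    return hmac.compare_digest(secret.encode(), guess.encode())


def leaky_check_password(secret: str, guess: str) -> int:
    """Hypothetical over-releasing checker (the kind of mechanism the paper
    warns about): instead of one bit it reports the length of the matching
    prefix, so a failed attempt reveals part of the secret."""
    matched = 0
    for s, g in zip(secret, guess):
        if s != g:
            break
        matched += 1
    return matched


def remaining_candidates(candidates, guess, checker, observation):
    """Observer's knowledge after one attempt: the candidate secrets whose
    response to `guess` under `checker` equals what was actually observed."""
    return [c for c in candidates if checker(c, guess) == observation]


def bits_released(candidates, guess, checker, observation):
    """Information released by one observation, as the reduction in the size
    of the consistent-secret set, in bits (log2 of before/after)."""
    after = remaining_candidates(candidates, guess, checker, observation)
    return math.log2(len(candidates) / len(after))


# Constructed sample inputs: all 3-character passwords over the alphabet {a, b}
# (8 candidates), a constructed secret, and a constructed salary table.
CANDIDATES = ["".join(p) for p in itertools.product("ab", repeat=3)]
SECRET = "aba"
SALARIES = [100, 200, 300]


def intended_release_after_failed_attempt(guess="aab"):
    """Failed attempt with the one-bit checker: only the guess itself is ruled out."""
    obs = check_password(SECRET, guess)          # False
    return len(remaining_candidates(CANDIDATES, guess, check_password, obs))


def leaky_release_after_failed_attempt(guess="aab"):
    """Same failed attempt with the prefix-reporting checker: far fewer
    candidates remain, i.e. more was released than the one bit intended."""
    obs = leaky_check_password(SECRET, guess)    # 1 matching character
    return len(remaining_candidates(CANDIDATES, guess, leaky_check_password, obs))


if __name__ == "__main__":
    print("average salary released:", average_salary(SALARIES))
    print("candidates left, intended checker:", intended_release_after_failed_attempt())
    print("candidates left, leaky checker:", leaky_release_after_failed_attempt())
    print("bits released, intended:", bits_released(CANDIDATES, "aab", check_password, False))
    print("bits released, leaky:", bits_released(CANDIDATES, "aab", leaky_check_password, 1))
```

Running it shows the point of the "what" dimension: the one-bit checker leaves 7 of 8 candidates after a failed attempt (about 0.19 bits released), whereas the prefix-reporting checker leaves only 2 (2 bits released) from the very same failed attempt, because the mechanism itself, not the policy, decides how much escapes.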
Info