Confidentiality enforcement by hybrid control of information flows

An information owner, possessing diverse data sources, might want to offer information services based on these sources to cooperation partners and to this end interact with these partners by receiving and sending messages, which the owner on his part generates by program execution. Independently from data representation or its physical storage, information release to a partner might be restricted by the owner's confidentiality policy on an integrated, unified view of the sources. Such a policy should even be enforced if the partner as an intelligent and only semi-honest attacker attempts to infer hidden information from message data, also employing background knowledge. For this problem of inference control, we present a framework for a unified, holistic control of information flow induced by program-based processing of the data sources to messages sent to a cooperation partner. Our framework expands on and combines established concepts for confidentiality enforcement and its verification and is instantiated in a Java environment. More specifically, as a hybrid control we combine gradual release of information via declassification, enforced by static program analysis using a security type system, with a dynamic monitoring approach. The dynamic monitoring employs flow tracking for generalizing values to be declassified under confidentiality policy compliance.