By Elisavet Kozyri, UiT The Arctic University of Norway, Norway | Stephen Chong, Harvard University, USA | Andrew C. Myers, Cornell University, USA
Industries and governments are increasingly compelled by regulations and public pressure to handle sensitive information responsibly. Regulatory requirements and user expectations may be complex and have subtle implications for the use of data. Information flow properties can express complex restrictions on data usage by specifying how sensitive data (and data derived from sensitive data) may flow throughout computation. Controlling these flows of information according to the appropriate specification can prevent both leakage of confidential information to adversaries and corruption of critical data by adversaries. There is a rich literature expressing information flow properties to describe the complex restrictions on data usage required by today’s digital society. This monograph summarizes how the expressiveness of information flow properties has evolved over the last four decades to handle different threat models, computational models, and conditions that determine whether flows are allowed. In addition to highlighting the significant advances of this area, we identify some remaining problems worthy of further investigation.
With information comes responsibility: a responsibility to use information according to appropriate restrictions. Forced by regulations and public sentiment, technology companies are increasing the transparency of how personal data is used, allowing users to make more fine-grained decisions on how and where their information should flow. Work over the last four decades has led to the introduction of the term information flow properties. These properties can express complex restrictions on data usage by specifying how sensitive data may flow throughout computation.
In this monograph the authors match the demand of the digital society for expressing complex data-usage restrictions with the supply of information flow properties proposed in the literature. For the first time ever, the authors perform a large-scale systematization of such information flow properties. In doing so, they survey the wide variety of information flow properties that have been formulated within the last four decades, compare their expressive power, and suggest research directions for a faster convergence between future technological demand and literature supply.
This concise overview of such a diverse topic provides the reader with an invaluable reference when implementing security technologies in all types of information systems. It is particularly useful for students, researchers and practitioners working on modern-day information security problems.