Reconciling progress-insensitive noninterference and declassification

Abstract: Practitioners of secure information flow often face a design challenge: what is the right semantic treatment of leaks via termination? On the one hand, the potential harm of untrusted code calls for strong progress-sensitive security. On the other hand, when the code is trusted to not aggressively exploit termination channels, practical concerns, such as permissiveness of the enforcement, make a case for settling for weaker, progressinsensitive security. This binary situation, however, provides no suitable mid… Show more