Declassification of Information with Complex Filter Functions

Kurt Stenzel, Kuzman Katkalov, Marian Borek, Wolfgang Reif


Many applications that handle private or confidential data release part of this data in a controlled manner through filter functions. However, it can be difficult to reason formally about exactly what or how much information is declassified. Often, anonymity is measured by reasoning about the equivalence classes of all inputs to the filter that map to the same output. An observer or attacker who sees the output of the filter then knows only that the secret input belongs to one of these classes, but not the exact input. We propose a technique suitable for complex filter functions, together with a proof method, that can additionally provide meaningful guarantees. We illustrate the technique with a DistanceTracker app in a leaky and a non-leaky version.



Paper Citation

in Harvard Style

Stenzel K., Katkalov K., Borek M. and Reif W. (2016). Declassification of Information with Complex Filter Functions. In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 490-497. DOI: 10.5220/0005782904900497
