This project applies recent techniques in transactional computing to the problem of preventing unwanted declassification of secure information. Regulating the nature and amount of information that is declassified by a complex software system is difficult; even when leaks are identified, suitably repairing the computation is usually not possible. The project develops ideas inspired by language-centric transactional computing to support information-flow security by encapsulating critical regions that either (a) cannot be analyzed effectively by static means or (b) declassify some set of confidential data. The isolation and atomicity properties of transactional regions ensure that the approach is safe even in a multi-threaded environment.

The technical issues associated with controlled declassification are examined from an entirely new perspective: rather than attempting to statically prevent any leaks from occurring, this research explores approaches that dynamically monitor when leaks occur and transparently revert program state to an earlier safe context when a leak is identified. This security model encapsulates untrusted operations and library functions within monitored regions, allowing only information explicitly marked as declassified to escape the region's scope. Because regions run in isolation, they cannot be influenced by non-monitored code, nor can they influence its outcome. The monitoring infrastructure leverages transactional mechanisms to track memory use and to restore program state when declassification violations are detected.

The broader impacts are significant. Information flow and declassification are critical problems for cyber-infrastructure, homeland security, and commercial interests. Techniques that provide scalable, transparent, and effective solutions to this problem are of immediate benefit to current government and business initiatives.
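As an added illustration (not code from the project or from the abstract's authors), the following Python model shows the mechanism the abstract describes: untrusted code runs inside a monitored region that holds a lock (isolation), every write is recorded in an undo log (memory tracking), a write of confidential data into a location that non-monitored code can observe is detected at run time, and on detection the store is rolled back to its pre-region state (restoration). It assumes a two-point PUBLIC/SECRET label lattice, a shared store whose PUBLIC cells (such as a network buffer) are what non-monitored code sees, and a `declassify` operation as the only sanctioned way for secret-derived data to become public; the `leaky_library` and `careful_library` bodies and the card-number data are constructed for the demonstration.

```python
"""Added illustration (not the project's code): a transactional region that
monitors information flow and rolls back program state on a leak. Assumes a
two-point lattice PUBLIC < SECRET, a shared store whose PUBLIC cells are what
non-monitored code observes, and declassify() as the only route to PUBLIC."""
from dataclasses import dataclass
import threading

PUBLIC, SECRET = 0, 1   # PUBLIC flows to SECRET; the reverse direction is a leak

@dataclass(frozen=True)
class Labeled:
    """A value tagged with the confidentiality label of the data it depends on."""
    value: object
    label: int = PUBLIC

def join(*inputs: Labeled) -> int:
    """Label of anything computed from these inputs: their least upper bound."""
    return max(v.label for v in inputs)

class DeclassificationViolation(Exception):
    """SECRET data would reach a PUBLIC location without explicit declassification."""

class Store:
    """Shared program memory; each cell carries the label of the data it holds."""
    def __init__(self, **cells: Labeled):
        self.cells = dict(cells)
        self.lock = threading.RLock()   # held by a running region: isolation

class Region:
    """Monitored region: every write goes in an undo log so the store can be
    restored, and writing SECRET data into a PUBLIC cell aborts the region."""
    def __init__(self, store: Store):
        self.store = store
        self.undo = []   # (key, previous Labeled, or None if the cell was new)

    def read(self, key: str) -> Labeled:
        return self.store.cells[key]

    def write(self, key: str, val: Labeled) -> None:
        old = self.store.cells.get(key)
        if old is not None and val.label > old.label:
            raise DeclassificationViolation(f"{key}: secret data written to a public cell")
        self.undo.append((key, old))
        self.store.cells[key] = val

    @staticmethod
    def declassify(val: Labeled) -> Labeled:
        """Explicit, auditable downgrade: the only sanctioned route to PUBLIC."""
        return Labeled(val.value, PUBLIC)

    def rollback(self) -> None:
        """Replay the undo log newest-first to restore the pre-region state."""
        while self.undo:
            key, old = self.undo.pop()
            if old is None:
                del self.store.cells[key]
            else:
                self.store.cells[key] = old

def run_region(store: Store, body):
    """Run body(region) atomically and in isolation. Returns ("committed", result),
    or ("aborted", reason) with the store restored to its pre-region state."""
    with store.lock:
        region = Region(store)
        try:
            result = body(region)
            if isinstance(result, Labeled) and result.label > PUBLIC:
                raise DeclassificationViolation("result would leave the region as SECRET")
            region.undo.clear()        # commit: writes stay, undo log is discarded
            return "committed", result
        except DeclassificationViolation as exc:
            region.rollback()          # leak detected: revert to the safe context
            return "aborted", str(exc)
        except BaseException:
            region.rollback()          # any other failure leaves no partial writes either
            raise

# Constructed sample: two versions of an untrusted payment library run in a region.
def leaky_library(r: Region) -> Labeled:
    """Writes a public audit entry, then copies the full card number to the network."""
    card = r.read("card_number")
    r.write("audit_log", Labeled("charge attempted", PUBLIC))
    r.write("net_out", Labeled(f"charge {card.value}", join(card)))  # SECRET into PUBLIC cell
    return Labeled(True)

def careful_library(r: Region) -> Labeled:
    """Declassifies only the last four digits before they reach the network."""
    card = r.read("card_number")
    last4 = Labeled(card.value[-4:], join(card))      # still SECRET: derived from the card
    r.write("net_out", Labeled(f"charge ****{r.declassify(last4).value}", PUBLIC))
    return Labeled(True)

def make_store() -> Store:
    """Constructed sample memory: one SECRET cell and two PUBLIC sinks."""
    return Store(card_number=Labeled("4111111111111111", SECRET),
                 net_out=Labeled("", PUBLIC), audit_log=Labeled("", PUBLIC))
```

Running `run_region(make_store(), leaky_library)` returns an "aborted" status and leaves both `audit_log` and `net_out` at their original values, even though the audit entry was written before the leak was detected; `careful_library` commits with `net_out` holding `charge ****1111`. A real implementation would have to propagate labels through every operation (only `join` is shown here), and the lock is a stand-in for the transactional isolation the abstract relies on rather than a substitute for it.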

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Type: Standard Grant (Standard)
Application #: 0716659
Program Officer: Carl Landwehr
Budget Start: 2007-09-01
Budget End: 2010-08-31
Fiscal Year: 2007
Total Cost: $249,857
Name: Purdue University
City: West Lafayette
State: IN
Country: United States
Zip Code: 47907