Towards a logical account of declassification

Abstract

Declassification is a vital ingredient for practical use of secure systems. Several recent efforts to formulate an end-to-end policy for declassification seem inconclusive and have focused on apparently different aspects. (e.g., what values are involved, where in the code declassification occurs, when declassification happens and who (which principal) releases information.) In this informal paper, we argue that key security goals addressed by the proposed notions can be expressed using assertions and auxiliary state (such as event history), building on a recently developed logic for noninterference that provides for local reasoning about the heap