Flow-sensitive dynamic enforcement mechanisms for information flow labels offer increased permissiveness.
However, these mechanisms may leak sensitive information when deciding to block insecure executions.
When enforcing two labels (e.g., secret and public), sensitive information is leaked from the context in which this decision is taken.
When enforcing arbitrary labels, additional sensitive information is leaked from the labels
involved in the decision to block an execution.
We give examples where, contrary to a common belief, a mechanism designed to enforce
two labels may not be able to enforce arbitrary labels, due to this additional leakage.
In fact, it is not trivial to design
a dynamic enforcement that offers increased permissiveness,
handles multiple labels, and does not introduce information leakage due to blocking insecure executions.
In this paper, we present a dynamic enforcement mechanism of information flow labels
that has all these three attributes.
Our mechanism is not purely dynamic, since it uses a light-weight, on-the-fly,
static analysis of untaken branches. We prove that the set of all normally terminated
and blocked traces of a program, which is executed under our mechanism, satisfies
noninterference, against principals that make observations throughout execution.