Confinement of information in a dataflow system
A protection model is presented for a multi-user dataflow computing system; the model is incorporated into the system's functional high-level language. The model is based on tags attached as 'seals' to values exchanged among processes to prevent leaking of information. A tag attached to a value as a 'seal' does not prevent that value from being propagated to any place within the system; rather, it guarantees that the value cannot leave the system unless a matching tag is presented. Any function applied to sealed values will produce results that carry the union of all seals carried by the argument values. Thus, it is also guaranteed that no information derived from a sealed value will be able to leave the system unless it is explicitly unsealed.
The functioning of the system is demonstrated by giving solutions to well-known protection problems, for example from the area of proprietary services, such as the 'Selective Confinement Problem' and the 'Trojan Horse Problem.'
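
The seal rules described above (union of seals on every function result, release only on presentation of a matching tag), as an added Python example that is not from the paper. The names `Tag`, `Sealed`, `seal`, `apply`, `unseal` and `export` are hypothetical, tags are assumed to be unforgeable (modelled here by object identity), and the proprietary-service scenario in `demo` is constructed.

```python
from dataclasses import dataclass

class ConfinementError(Exception):
    """A value that still carries seals tried to leave the system."""

class Tag:
    """Opaque tag compared by identity (assumption: tags cannot be forged)."""
    def __init__(self, name):
        self.name = name
    def __repr__(self):
        return f"Tag({self.name!r})"

@dataclass(frozen=True)
class Sealed:
    value: object
    seals: frozenset = frozenset()

def lift(v):
    """Treat a plain value as a value carrying no seals."""
    return v if isinstance(v, Sealed) else Sealed(v)

def seal(v, tag):
    v = lift(v)
    return Sealed(v.value, v.seals | {tag})

def apply(fn, *args):
    """The result of any function carries the union of its arguments' seals."""
    args = [lift(a) for a in args]
    seals = frozenset().union(*(a.seals for a in args))
    return Sealed(fn(*(a.value for a in args)), seals)

def unseal(v, tag):
    """Remove one seal, but only when the matching tag is presented."""
    if tag not in v.seals:
        raise ConfinementError(f"{tag!r} matches no seal on this value")
    return Sealed(v.value, v.seals - {tag})

def export(v):
    """System boundary: only values with no remaining seals may leave."""
    v = lift(v)
    if v.seals:
        raise ConfinementError(f"still sealed by {sorted(map(repr, v.seals))}")
    return v.value

def demo():
    """Constructed scenario: a customer calls an untrusted proprietary service."""
    customer = Tag("customer")
    income = seal(52000, customer)            # constructed sample data
    tax = apply(lambda x: x // 5, income)     # service computes on sealed input
    try:
        export(tax)                           # service tries to send result out
        leaked = True
    except ConfinementError:
        leaked = False
    return leaked, export(unseal(tax, customer))  # customer releases result
```

A value derived from inputs sealed by several parties needs every one of those tags before `export` accepts it, which is the property the selective confinement case relies on.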