Unexpected information flow can result in vulnerabilities that can compromise the security and availability of software; this can have serious financial, legal and ethical consequences. Current programming languages such as Java do not provide effective mechanisms for preventing unexpected information flow and it is important to develop such mechanisms and advance their usage in software practice.
This paper proposes run-time information flow models, and new static information flow inference analysis. The analysis is context-sensitive, cubic, and works both on complete programs and software components. We perform experiments on several Java components which show that the analysis is precise and practical. Thus, the analysis can be incorporated in program understanding and verification tools and help verify security properties in a light-weight, practical manner.