Title :
On the (f)utility of untrusted data sanitization
Author :
Gehani, Ashish ; Hanz, David ; Rushby, John ; Denker, Grit ; DeLong, Rance
Author_Institution :
SRI Int., Menlo Park, CA, USA
Abstract :
Data sanitization has been studied in the context of architectures for high assurance systems, language-based information flow controls, and privacy-preserving data publication. A range of sanitization strategies has been developed to address the wide variety of data content and contexts that arise in practice. It is therefore tempting to separate the complex downgrading operations into untrusted data sanitizers while leaving the verification of security policy to simpler trusted guards that mediate information flow between different sensitivity levels. We argue that this can be a false economy and may result in more restrictive information flow than is necessary. We also observe that the guarantees provided by language-based declassification algorithms do not hold without exacting requirements for the runtime environment, and that the satisfaction of these requirements is the precise goal of MILS architectures, making the two disciplines well-matched complements.
Keywords :
parallel languages; security of data; complex downgrading operations; data content; high assurance systems; language based declassification algorithms; language based information flow controls; privacy preserving data publication; untrusted data sanitization; Complexity theory; Context; Data models; Global Positioning System; Kernel; Runtime; Security;
Conference_Title :
MILITARY COMMUNICATIONS CONFERENCE, 2011 - MILCOM 2011
Conference_Location :
Baltimore, MD
Print_ISBN :
978-1-4673-0079-7
DOI :
10.1109/MILCOM.2011.6127475