
Data flow violation

Definition

In IFC systems like Meta's Policy Zones, a data flow violation is the runtime event raised when annotated data would flow into a destination whose annotation (or lack thereof) is not compatible with the source's flow rules.

The canonical Meta example

From the 2024-08-31 post's banana-data walkthrough:

  1. A web request BananaRequest loads data from BananaDB → "data flow violation because the intent of the caller is unknown."
  2. Developer annotates BananaRequest with BANANA_DATA → a zone is created.
  3. Runtime programmatically checks the zone's outgoing flows → "new data flow violations from BananaRequest to logB and logC" flagged.
  4. Developer remediates: annotate logB as banana (safe flow), remove the logC write (unsafe flow cut off).
  5. Zone moves from logging mode to enforcement mode — after enforcement, "if a developer adds a write to a sink outside of the zone, it will be blocked automatically."

Three remediation cases

The post names three resolutions for any data flow violation:

  • Case 1 — Safe flow: the relevant data is used for an allowed purpose → annotate the sink with the same label.
  • Case 2 — Unsafe flow: the relevant data is used for a disallowed purpose → block data access and code execution to prevent further processing.
  • Case 3 — Reclassified flow: the relevant data is not used or propagated at the sink → annotate the data flow as reclassified (explicitly permitted).

Detection granularity

Policy Zones detects violations at the call-tree level for function-based systems (a zone "includes all functions that it calls directly or indirectly") and per-query for batch systems (Presto / Spark zones are created per SQL job). Violations are reported to PZM for remediation.
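The walkthrough above, the three remediation cases, and the call-tree membership rule can be modelled in a few dozen lines. The following is an added, illustrative Python model written for this page; it is not Meta's Policy Zones code, and every name in it (Labeled, Sink, Zone, zone_members, the constructed call graph and the sinks logD and metricsCounter) is hypothetical. It keeps the page's own vocabulary: a zone holds an entry point and the sinks it writes to, a write whose sink label is incompatible with the data label raises a violation, logging mode records it while enforcement mode blocks it, and a reclassified flow is explicitly permitted.

```python
"""Toy information-flow-control (IFC) model of labelled data, zones and
data flow violations. Illustrative code for this page only; not Meta's
Policy Zones implementation. All names are hypothetical."""
from dataclasses import dataclass, field
from typing import Optional

BANANA_DATA = "BANANA_DATA"


@dataclass
class Labeled:
    """A value carrying the annotation of the source it was read from."""
    value: object
    label: Optional[str]          # None = unannotated data


@dataclass
class Sink:
    name: str
    label: Optional[str] = None   # None = unannotated sink


@dataclass
class Violation:
    zone: str
    sink: str
    source_label: str


@dataclass
class Zone:
    """One entry point plus every sink it writes to, directly or indirectly."""
    name: str
    label: str
    enforce: bool = False                            # False = logging, True = enforcement
    reclassified: set = field(default_factory=set)   # sinks explicitly permitted (Case 3)
    violations: list = field(default_factory=list)

    def write(self, sink: Sink, data: Labeled) -> bool:
        """Attempt a write; return True if performed, False if blocked."""
        compatible = (
            data.label is None                  # unannotated data may flow anywhere
            or sink.label == data.label         # Case 1: sink carries the same label
            or sink.name in self.reclassified   # Case 3: flow reclassified as permitted
        )
        if compatible:
            return True
        self.violations.append(Violation(self.name, sink.name, data.label))
        return not self.enforce                 # logging: flagged but allowed; enforcement: blocked


def zone_members(call_graph: dict, entry: str) -> set:
    """Functions in the zone rooted at `entry`: the entry point and everything
    it calls directly or indirectly (depth-first walk over the call graph)."""
    seen, stack = set(), [entry]
    while stack:
        fn = stack.pop()
        if fn in seen:
            continue
        seen.add(fn)
        stack.extend(call_graph.get(fn, ()))
    return seen


# Constructed call graph for the walkthrough (hypothetical function names).
CALL_GRAPH = {
    "BananaRequest": ["loadBanana", "writeLogs"],
    "loadBanana": ["readBananaDB"],
    "writeLogs": ["writeLogB", "writeLogC"],
    "unrelatedHandler": ["writeLogC"],
}


def run_walkthrough() -> dict:
    """Replay the banana-data steps and return the observable outcomes."""
    banana = Labeled(value={"id": 42}, label=BANANA_DATA)   # constructed BananaDB row
    log_b, log_c = Sink("logB"), Sink("logC")

    # Steps 2-3: zone created in logging mode; outgoing writes are checked and flagged.
    zone = Zone(name="BananaRequest", label=BANANA_DATA)
    zone.write(log_b, banana)
    zone.write(log_c, banana)
    flagged = [v.sink for v in zone.violations]

    # Step 4: remediate. logB is a safe flow (Case 1); the logC write is removed (Case 2).
    log_b.label = BANANA_DATA
    zone.violations.clear()
    zone.write(log_b, banana)
    after_fix = len(zone.violations)

    # Step 5: enforcement mode. A new write to a sink outside the zone is blocked.
    zone.enforce = True
    blocked = not zone.write(Sink("logD"), banana)

    # Case 3: a sink that neither uses nor propagates the data, explicitly reclassified.
    zone.reclassified.add("metricsCounter")
    reclassified_ok = zone.write(Sink("metricsCounter"), banana)

    return {"flagged": flagged, "after_fix": after_fix,
            "blocked": blocked, "reclassified_ok": reclassified_ok}


if __name__ == "__main__":
    print(run_walkthrough())
    print(sorted(zone_members(CALL_GRAPH, "BananaRequest")))
```

The model deliberately treats unannotated data as free to flow and an unannotated sink as incompatible with labelled data, which is what turns the BananaRequest-to-logB/logC writes into violations before remediation. The call-graph walk shows why a single entry point can own several sinks and why a write reachable only from a different entry point (unrelatedHandler) is outside the zone.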
