CONCEPT Cited by 1 source
Information flow control (IFC)
Definition
Information flow control (IFC) is the classical security / privacy primitive that controls how data is processed and transferred at runtime — not just who can read it at rest. Each data element carries a security label; as the element flows through code, the runtime checks at every transfer that the destination's label is compatible with the source's, blocking or allowing the transfer accordingly.
The foundational academic references (cited by the 2024-08-31 Meta PAI post):
- Denning, D. E., "A lattice model of secure information flow" (CACM 1976) — dl.acm.org/doi/10.1145/360051.360056.
- Fenton, J. S., "Memoryless subsystems" (1974).
- Bell-LaPadula.
- Lampson, B. W., "A note on the confinement problem" (CACM 1973) — dl.acm.org/doi/10.1145/363516.363526.
Contrast with point-checking + lineage
Prior to IFC, privacy enforcement typically used point-checking controls (if statements + ACLs at the point of access) optionally augmented by data lineage (a post-hoc graph of source → sink relationships). Both are detection-time or audit-time primitives; IFC is execution-time. Meta's 2024-08-31 framing:
"The information flow control (IFC) model offers a more durable and sustainable approach by controlling not only data access but also how data is processed and transferred in real-time, rather than relying on point checking or out-of-band audits."
Runtime mechanics
IFC makes three things first-class at runtime:
- Encapsulation — data elements carry labels (see concepts/data-annotation).
- Propagation — labels flow with data through function calls, return values, and cross-system transfers; the receiving context becomes a zone (in Meta's terminology) inheriting the policy.
- Evaluation — at every transfer, the runtime checks compatibility between source and destination labels against a policy lattice.
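The three mechanics above, and the contrast with point-checking from the previous section, as a single added example (illustrative code written for this page, not Meta's Policy Zones implementation or Denning's original formulation). It assumes a small lattice built from a total order of sensitivity levels (`public` < `internal` < `restricted`) crossed with a set of purpose compartments; the names `Label`, `Labeled`, `Zone`, `Sink`, `derive`, `transfer` and the record values are constructed for the example. The scenario shows an access-time check passing for a reporting job, after which the data is combined and only the transfer-time evaluation catches the flow into a sink that is not cleared for it.

```python
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List

# Constructed sensitivity levels (a total order) used as one axis of the label
# lattice; the second axis is a set of purpose compartments. These names are
# assumptions for this example, not Meta's or Denning's vocabulary.
LEVELS = {"public": 0, "internal": 1, "restricted": 2}


@dataclass(frozen=True)
class Label:
    """A point in the lattice: (sensitivity level, purpose compartments)."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def flows_to(self, other: "Label") -> bool:
        """Partial order: self <= other iff both the level and the compartment set are dominated."""
        return (LEVELS[self.level] <= LEVELS[other.level]
                and self.compartments <= other.compartments)

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the higher level and the union of compartments."""
        level = self.level if LEVELS[self.level] >= LEVELS[other.level] else other.level
        return Label(level, self.compartments | other.compartments)


BOTTOM = Label("public")  # least restrictive point of the lattice


class FlowViolation(Exception):
    """Raised at evaluation time when a transfer would violate the lattice."""


@dataclass(frozen=True)
class Labeled:
    """Encapsulation: a value that carries its label wherever it goes."""
    value: object
    label: Label


def derive(fn: Callable, *inputs: Labeled) -> Labeled:
    """Propagation through computation: the output label is the join of all input labels."""
    label = BOTTOM
    for item in inputs:
        label = label.join(item.label)
    return Labeled(fn(*(item.value for item in inputs)), label)


@dataclass
class Zone:
    """A receiving context (function, job, service). Its label rises to the join of
    everything it ingests, so whatever it emits inherits that policy."""
    name: str
    label: Label = BOTTOM

    def ingest(self, item: Labeled) -> object:
        self.label = self.label.join(item.label)
        return item.value

    def emit(self, value: object) -> Labeled:
        return Labeled(value, self.label)


@dataclass
class Sink:
    """A destination (table, downstream pipeline) with the label it is cleared to receive."""
    name: str
    clearance: Label
    received: List[object] = field(default_factory=list)


def transfer(item: Labeled, sink: Sink) -> None:
    """Evaluation: the check that runs at every transfer, not only at first access."""
    if not item.label.flows_to(sink.clearance):
        raise FlowViolation(f"{item.label} cannot flow to {sink.name} ({sink.clearance})")
    sink.received.append(item.value)


def run_scenario() -> dict:
    """Point-checking approves the read; IFC still catches the later mis-flow."""
    health = Label("restricted", frozenset({"health"}))
    # Constructed records and a constructed ACL. The access-time check for the
    # reporting job passes, and that is all point-checking ever sees.
    allowed_readers = {"reporting-job"}
    point_check_passed = "reporting-job" in allowed_readers
    diagnosis = Labeled("diabetes", health)
    visits = Labeled(3, Label("internal"))

    job = Zone("reporting-job")
    summary = job.emit(f"{job.ingest(diagnosis)}:{job.ingest(visits)}")
    research = Sink("health-research", Label("restricted", frozenset({"health"})))
    ads = Sink("ads-features", Label("internal"))

    result = {"point_check_passed": point_check_passed, "summary_label": summary.label}
    for key, sink in (("research", research), ("ads", ads)):
        try:
            transfer(summary, sink)
            result[key] = True
        except FlowViolation:
            result[key] = False
    return result
```

The zone's label only ever rises, which is what makes the scheme durable: once restricted data has entered the reporting job, every value it emits is treated as restricted until the evaluation step proves a destination is cleared for it, so a later refactor that adds a new output path is caught without anyone re-auditing the access checks.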
Seen in
- sources/2024-08-31-meta-enforces-purpose-limitation-via-privacy-aware-infrastructure — Meta adopts IFC (via Policy Zones) as its primitive for enforcing purpose limitation at scale across HHVM / Presto / Spark. Canonical wiki instance of IFC applied to privacy enforcement at hyperscale.
Related
- concepts/purpose-limitation — the privacy principle IFC enforces at Meta.
- concepts/policy-lattice — Denning's lattice model.
- concepts/data-annotation — the label primitive.
- concepts/data-flow-violation — the event IFC detects.
- concepts/point-checking-controls — the contrast primitive.
- concepts/data-lineage — augmentation primitive, not a replacement.
- systems/meta-policy-zones — canonical industrial IFC system on this wiki.
- patterns/runtime-information-flow-enforcement — the pattern.
- companies/meta