Information Flow Refinement
- Information Flow Refinement is a framework that refines coarse information flow models into precise, security-preserving structures.
- It spans metric refinement, interface and contract enhancement, architectural abstraction, and proof-level invariant refinement to address security challenges.
- IFR enables compositional reasoning and operational interpretability, ensuring noninterference and bounded leakage across different system layers.
Searching arXiv for recent work on Information Flow Refinement and closely related interface/refinement/security papers. Information Flow Refinement (IFR) is a family of approaches for making information-flow reasoning progressively more precise through refinement of metrics, interfaces, architectures, policies, invariants, or implementations. Across the literature, the term does not denote a single formalism. Instead, it names a recurring methodological pattern: one starts from a coarse description of information flow—such as symmetric association, abstract noninterference, lattice-based policies, channel models, or contract-level no-flow constraints—and then refines that description into structures that support directionality, compositionality, operational interpretation, or implementation-level preservation. In the available arXiv literature, IFR appears in at least three major senses: metric refinement in quantitative information flow (Hussein, 2012), contract- and interface-based refinement of security requirements (Bartocci et al., 2020, Bartocci et al., 2024), architecture-level refinement of information-flow structures (Chong et al., 2014), behavior-preserving refinement calculi for information-flow architectures (Philipps et al., 2014), implementation-preserving refinement for noninterference in infrastructure and concurrent-system models (Kammüller, 2024, Sun et al., 10 Nov 2025), and proof-level refinement of relational invariants in formal hardware verification (Dai et al., 20 Jun 2026). A distinct but related usage appears in recent astrophysical work, where “information flow refinement” describes a hierarchy from Mutual Information to Transfer Entropy and Liang’s information flow rate in order to sharpen undirected co-evolution into directional coupling (G et al., 15 Jun 2026).
1. Conceptual scope and recurring structure
The literature uses IFR to address a common problem: coarse information-flow descriptions are often insufficient for reasoning about causality, compositional design, operational meaning, or preservation under implementation. The response is to refine the representation of information flow while preserving a stronger or more usable security interpretation.
One strand treats IFR as refinement of a quantitative leakage metric. “Refining a Quantitative Information Flow Metric” replaces an unbounded Kullback–Leibler-based accuracy metric with a Jensen–Shannon-based bounded metric, preserving the “accuracy-based, reality-aware, belief-based” structure while making leakage size-consistent and operationally meaningful in terms of exhaustive search effort (Hussein, 2012). Another strand treats IFR as refinement of contracts or interfaces: information-flow interfaces support “the composition and refinement of both assumptions and guarantees,” and later work shows that these interfaces admit a security-lattice semantics without changing the underlying refinement theory (Bartocci et al., 2020, Bartocci et al., 2024). A third strand treats IFR as refinement of abstract architectures, where abstract causal structures and filter functions are refined into more detailed information-flow architectures while preserving security properties proved at the abstract level (Chong et al., 2014). A fourth strand treats IFR as preservation of noninterference through refinement mappings between abstract and concrete state-transition systems, including infrastructures with actors and concurrent systems governed by intransitive policies (Kammüller, 2024, Sun et al., 10 Nov 2025). A fifth strand treats IFR as refinement of proof obligations and relational invariants inside model checking, as in guarded equivalence predicates for scalable hardware information-flow verification (Dai et al., 20 Jun 2026).
This suggests that IFR is best understood as a methodological umbrella rather than a single theorem schema. A plausible implication is that the unifying feature is not a fixed semantic domain, but the use of refinement to connect a higher-level information-flow description to a lower-level one while preserving a security-relevant notion of noninterference, bounded leakage, or directed influence.
2. Metric refinement and quantitative interpretations
In quantitative information flow, IFR appears as refinement of the metric itself. The central example is the refinement of the accuracy-based metric of Clarkson et al. in “Refining a Quantitative Information Flow Metric” (Hussein, 2012). The original metric is
with the Kullback–Leibler divergence, which simplifies to
The paper shows that can report leakage larger than the secret size, and that its range is
This violates the paper’s notion of a “size-consistent QIF quantifier,” namely a quantifier bounded by , where is the secret size (Hussein, 2012).
The refinement preserves the same accuracy-based structure but replaces KL divergence by
which is bounded in , and yields
with
0
Scaling by 1 gives the final refined metric
2
which satisfies
3
and therefore restores size-consistency (Hussein, 2012).
The significance of this refinement is operational rather than merely algebraic. The refined metric supports the interpretation that if an informing flow of 4 bits occurs, then the exhaustive search space needed to uncover the residual 5 bits is
6
and Theorem 2 in the paper gives a direct relation between a reported flow 7 and the posterior probability of the true secret: 8 In this sense IFR is metric refinement that preserves the conceptual premises of accuracy-based QIF while making the result bounded, interpretable, and suitable for program comparison (Hussein, 2012).
A different quantitative perspective appears in the algebraic channel model of quantitative information flow (Américo et al., 2018). There, the refinement relation is defined by post-processing: 9 and the “Coriaceous Theorem” states that this is equivalent to
0
for all priors 1 and gain functions 2 (Américo et al., 2018). This makes IFR a security-preserving preorder on channels. The same paper develops an algebra of operators—parallel composition, visible choice, and hidden choice—and studies which operators preserve refinement. Visible choice satisfies full relative monotonicity, whereas hidden choice does not (Américo et al., 2018). This establishes that IFR in quantitative settings is not only about defining a preorder but also about understanding which compositional contexts preserve it.
3. Contracts, interfaces, and lattice semantics
Information-flow interfaces recast IFR as refinement of assumptions and guarantees in contract-based design. The abstract of “Information-Flow Interfaces” states that the framework provides “a refinement relation and a composition operation that support both incremental design and independent implementability,” and that it develops both stateless and stateful information-flow interfaces (Bartocci et al., 2020). The same abstract also states that the stateful theory admits “three plausible trace semantics,” two corresponding to temporal logics for hyperproperties and a third defining “a new class of hyperproperties that lies between the other two” (Bartocci et al., 2020). Although the detailed definitions are absent from the supplied excerpt, the paper explicitly positions refinement as the core interface-theoretic mechanism for system-wide security contracts.
“Information-flow Interfaces and Security Lattices” supplies a semantic interpretation for that theory in terms of security lattices (Bartocci et al., 2024). The paper begins from information-flow contracts
3
where 4 and 5 are disjoint sets of input and output variables, 6 is the assumption, 7 is the guarantee, and 8 (Bartocci et al., 2024). A flow relation 9 is a transitive relation over variables that is reflexive over the target set. The new contribution is a translation from such flow relations to security lattices.
A security policy is written
0
with 1 finite, 2 a partial order, a unique lower bound, and 3 a least upper bound operator (Bartocci et al., 2024). Security lattice contracts have the same contract shape,
4
but now 5 and 6 are lattices over sets of variables (Bartocci et al., 2024). Algorithm 1 constructs a lattice 7 from a flow relation 8 by deriving labels from loops, defining 9 whenever 0, and then adding least-upper-bound labels until a bounded lattice is obtained (Bartocci et al., 2024). Theorem 1 states that 1 is a security lattice and is equivalent to the can-flow restrictions of 2; Theorem 2 states that translating back yields exactly the original flow relation: 3 Under natural structural assumptions, Theorem 3 gives the converse reconstruction result for lattices (Bartocci et al., 2024).
The paper then states that composition and refinement for security lattice contracts are defined “directly from their counterpart in information-flow contracts,” and that “information-flow contracts, just as for information-flow interfaces, satisfy incremental design and independent implementability” (Bartocci et al., 2024). IFR therefore persists unchanged under the move from flow-relation semantics to lattice semantics. This is significant because it aligns interface-based IFR with the Denning lineage of security lattices without requiring a new refinement calculus.
A plausible implication is that the lattice semantics makes IFR easier to integrate with existing IFC mechanisms—such as type systems and label-based analyses—while preserving the compositional refinement guarantees of interface theory.
4. Architectural and calculational refinement
A distinct line of work develops IFR directly at the level of information-flow architectures. “Using Architecture to Reason about Information Security” models an abstract architecture as 4, a reflexive information-flow policy on domains, and extends it to filtered architectures
5
with edges 6 labeled either by 7 or a filter function name 8 (Chong et al., 2014). The semantics is given by filtered transmission functions and 9 terms that generalize 0 from intransitive noninterference. FTA-compliance requires
1
for all domains 2 and traces 3 (Chong et al., 2014).
Architectural refinement is then defined via mappings 4. At the simplest level, 5 requires 6 to be surjective and to preserve flows: 7 (Chong et al., 2014). For interpreted extended architectures, semantic refinement requires
8
for all 9 (Chong et al., 2014). Theorem 4.1 states that semantic refinement preserves FTA-compliance from the concrete architecture to its abstraction (Chong et al., 2014). The paper further introduces T-refinement and strict refinement as more local sufficient conditions, and proves a chain of implications from strict refinement to T-refinement to semantic refinement, and hence to preservation of architectural security properties (Chong et al., 2014).
The same paper shows that epistemic security properties proved at the abstract level lift along refinement mappings. For formulas 0 over abstract domains, a syntactic pullback 1 replaces each group 2 by its preimage 3, and if the abstract architecture validates 4, then the refined architecture validates 5 (Chong et al., 2014). This is IFR in a strong architectural sense: security is proved once at a coarse level and inherited by more detailed architectures.
“Refinement of Information Flow Architectures” develops a separate but related calculus for stepwise refinement of asynchronous communication architectures (Philipps et al., 2014). A component is 6, where 7 is a relation on timed communication histories. Systems have a glass-box view 8 and a black-box view
9
where 0 is parallel composition with implicit feedback (Philipps et al., 2014). Architectural refinement is defined on black-box behavior: 1 for systems with the same external interface (Philipps et al., 2014).
The calculus includes rules for behavioral refinement of a component, adding and removing input/output channels, adding and removing components, expanding a component into a subarchitecture, folding a subarchitecture into a component, and behavioral refinement under global invariants (Philipps et al., 2014). Most structural rules preserve black-box behavior exactly; behavioral refinement yields proper refinement. This makes IFR a calculational discipline: internal information-flow structure may change substantially, provided the external behavior is preserved or narrowed.
The architecture paper and the calculus paper differ in semantic setting—FTA on domains with epistemic properties versus timed stream-processing architectures—but both embody IFR as a formally justified transition from coarse information-flow structure to finer one.
5. Security-preserving refinement for noninterference
Another major use of IFR concerns preservation of noninterference under implementation refinement. “Security Engineering in IIIf, Part II -- Refinement and Noninterference” addresses the classical refinement paradox in the Isabelle Insider and Infrastructure framework (Kammüller, 2024). In IIIf, noninterference is formulated as a 2-run property using an indistinguishability relation indexed by an observer 2, with an explicit theorem stating that if two states are initially indistinguishable, then every transition of one can be matched by the other so as to preserve indistinguishability (Kammüller, 2024). The paper shows that standard Kripke-structure refinement does not preserve this property: a refined “speed” component in the Flightradar example leaks high information through low-visible speed values (Kammüller, 2024).
The proposed solution generalizes Morgan’s shadow-based approach. For confidential components such as critloc and critpos, the framework introduces shadow components representing the set of values still possible from the attacker’s viewpoint. Initial shadows encode maximal ignorance, such as
9
(Kammüller, 2024). The invariant 3 states that shadows do not shrink along transitions. The paper proves that this shadow invariant is equivalent to noninterference in the given setting (Kammüller, 2024).
IFR is then formulated through a refinement map 4 between abstract and concrete systems, together with shadow compatibility and injectivity conditions. The key theorem is: 00 which states that the abstract shadow invariant implies the concrete shadow invariant under the refinement hypotheses (Kammüller, 2024). Combined with the shadow/noninterference equivalence, this yields information-flow-preserving refinement for infrastructures with actors, decentralization, and policies.
“Generalized Security-Preserving Refinement for Concurrent Systems” extends this preservation story to concurrent systems and potentially intransitive policies (Sun et al., 10 Nov 2025). The system model is a state machine
5
with information-flow configuration
6
and unwinding conditions Local Respect (LR) and Step Consistency (SC) (Sun et al., 10 Nov 2025). Intransitive noninterference is defined using 7 and 8, and Theorem 1 states that
9
The refinement relation of interest is
0
meaning that LR and SC of the abstraction imply LR and SC of the concrete system (Sun et al., 10 Nov 2025). A constructive sufficient condition is an unwinding-preserving simulation
1
where 2 is a state relation preserving indistinguishability and 3 maps each concrete step either to a silent step or to a matching abstract action with the same domain (Sun et al., 10 Nov 2025). Theorem 2 states that such a simulation implies the security-preserving refinement relation (Sun et al., 10 Nov 2025). The same paper develops a compositional rely-guarantee version for concurrent components and applies it to ARINC 653 multicore IPC and a sealed-bid auction (Sun et al., 10 Nov 2025).
These two papers instantiate IFR as preservation of hyperproperties across abstraction layers. The common structure is that plain functional refinement is insufficient; one needs a refinement notion that preserves epistemic indistinguishability, unwinding conditions, or shadow ignorance.
6. Proof-level and directed-information refinements
In hardware verification, IFR appears as refinement of relational proof obligations. “Guarded Equivalence Predicates for Scalable Formal Hardware Information-Flow Verification” works in a self-composed hardware model where proving noninterference reduces to proving equality of low-observable outputs across two copies (Dai et al., 20 Jun 2026). Existing PDR-based techniques use global cross-copy equivalence predicates 4, but these are often too coarse: many equalities are valid only in a control phase, transaction window, loop state, or protocol region (Dai et al., 20 Jun 2026).
The paper introduces guarded equivalence predicates of the form
5
where 6 and the violating region is
7
with 8 (Dai et al., 20 Jun 2026). Rather than assuming 9, the verifier submits 0 as an auxiliary blocking obligation; only if PDR proves that region unreachable does the guarded equality influence the proof (Dai et al., 20 Jun 2026). Candidate guards are extracted from relational counterexamples-to-induction using CTI-local extraction and state-split search (Dai et al., 20 Jun 2026).
Across 12 IFV benchmarks and two backends, guarded predicates “convert two contextual baseline timeouts into completed proofs within 34.2--89.5s under an 1800s limit, while reducing proof time by up to 10.8x on additional benchmarks” (Dai et al., 20 Jun 2026). Here IFR is not a refinement of the policy itself but of the inductive invariants used to prove the policy: a global invariant 1 is refined into a contextual invariant 2.
A very different but conceptually related refinement appears in “Co-evolution of bar and spiral arms in TNG50 simulations using Information Theory” (G et al., 15 Jun 2026). There, the authors describe a hierarchy from static association to directional influence: MI is used first,
3
with normalized form
4
to establish a strong association between bar and spiral parameters (G et al., 15 Jun 2026). Then Transfer Entropy
5
with first-order embedding 6, Freedman–Diaconis binning, shuffled bias correction, and windowing is used to refine that association into direction-specific dynamic coupling (G et al., 15 Jun 2026). Liang’s information flow rate
7
and its normalized form
8
then provide a continuous-time, covariance-based directional measure that decomposes the receiver’s entropy-rate budget into transfer, intrinsic, and noise terms (G et al., 15 Jun 2026).
The paper explicitly calls this a “hierarchical refinement of information flow diagnostics”: from static, symmetric MI to dynamic, nonparametric, directed TE, and finally to model-based IFR with entropy-rate decomposition (G et al., 15 Jun 2026). Although this is outside computer security, it exemplifies the same methodological intuition: refine an initial information-flow notion until the desired granularity of directionality and mechanism is reached.
7. Synthesis, common themes, and limits
Across these literatures, IFR consistently serves four functions.
First, it resolves mismatch between abstraction level and security claim. Size-consistent QIF refines an unbounded metric into one bounded by secret size (Hussein, 2012). Architectural IFR refines abstract domain graphs into detailed filtered architectures while preserving epistemic guarantees (Chong et al., 2014). Interface IFR refines system requirements into component assumptions and guarantees while retaining compositionality (Bartocci et al., 2020, Bartocci et al., 2024). Security-preserving refinement in IIIf and concurrent systems refines abstract secure models into concrete implementations without triggering the refinement paradox (Kammüller, 2024, Sun et al., 10 Nov 2025).
Second, it enables compositional reasoning. Channel refinement and operator algebra support modular leakage reasoning but also reveal limits of monotonicity (Américo et al., 2018). Interface and lattice contracts explicitly support incremental design and independent implementability (Bartocci et al., 2020, Bartocci et al., 2024). Architectural refinement supports top-down development by abstraction of information-security proofs (Chong et al., 2014). Stream-based architectural calculi support local transformation rules justified by black-box refinement (Philipps et al., 2014).
Third, it sharpens semantics. In metric QIF, refinement improves interpretability (Hussein, 2012). In astrophysical information theory, it sharpens undirected association into directional coupling (G et al., 15 Jun 2026). In hardware verification, it sharpens global equalities into contextual guarded equalities (Dai et al., 20 Jun 2026). In concurrent-system verification, it sharpens plain simulation into a step-mapping discipline that respects policy-relevant domains and unwinding conditions (Sun et al., 10 Nov 2025).
Fourth, it makes explicit the conditions under which refinement is security-preserving. These conditions vary sharply across domains: post-processing in channel models (Américo et al., 2018), shadow compatibility and injectivity in IIIf (Kammüller, 2024), observer and action matching in machine refinement (Amorim et al., 2015), or strict/T-/semantic refinement mappings in architecture theory (Chong et al., 2014). This suggests that IFR is never purely syntactic. Its soundness depends on a semantic account of what counts as the same or less information.
The main limitation of IFR as a general concept is precisely its heterogeneity. The papers do not present a single, domain-independent calculus. Some frameworks are possibilistic and hyperproperty-oriented (Bartocci et al., 2020, Chong et al., 2014, Kammüller, 2024, Sun et al., 10 Nov 2025); others are quantitative (Hussein, 2012, Américo et al., 2018); others are proof-engineering techniques (Dai et al., 20 Jun 2026); still others are not security papers at all (G et al., 15 Jun 2026). This suggests that “Information Flow Refinement” is best treated as a research program centered on refinement-based control of information-flow semantics rather than as a single formal definition.
A plausible implication is that future unification would require an explicit cross-domain account of refinement that can encompass hyperproperties, quantitative leakage, lattice semantics, and proof obligations simultaneously. The current literature instead offers a toolkit of domain-specific IFR mechanisms, each tightly aligned with its semantic setting and preservation theorem.