Current standard security practices do not provide substantial assurance that the end-to-end behavior of a computing system satisfies important security policies such as confidentiality. An end-to-end confidentiality policy might assert that secret input data cannot be inferred by an attacker through the attacker's observations of system output; this policy regulates information flow.

Conventional security mechanisms such as access control and encryption do not directly address the enforcement of information-flow policies. Recently, a promising new approach has been developed: the use of programming-language techniques for specifying and enforcing information-flow policies. This talk is intended to give a big picture of recent and current research on information-flow security, particularly focusing on work that uses static program analysis to enforce information-flow policies. The talk is based on a survey article (to appear in IEEE J-SAC) wrtitten jointly with Andrew Myers, available via http://www.cs.cornell.edu/~andrei/Papers/jsac.ps