A. Mário, S. Alvim, K. Chatzikokolakis, C. Palamidessi, and G. Smith, Measuring Information Leakage Using Generalized Gain Functions, 2012 IEEE 25th Computer Security Foundations Symposium (CSF) IEEE, 2012. [AF09] Thomas H Austin and Cormac Flanagan. Efficient purelydynamic information flow analysis. SIGPLAN Notices, pp.265-279, 2009.

H. Thomas, C. Austin, and . Flanagan, Permissive Dynamic Information Flow Analysis, PLAS '10: Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pp.1-12, 2010.

[. Askarov, S. Hunt, A. Sabelfeld, and D. Sands, Termination-Insensitive Noninterference Leaks More Than Just a Bit, Computer Security -ESORICS 2008, 2008.
DOI : 10.3233/JCS-1996-42-304

A. Assaf, J. Signoles, F. Tronel, and E. Totel, Moniteur hybride de flux d'information pour un langage supportant des pointeurs, SARSSI -8` eme Conférence sur la Sécurité des Architectures Réseaux et des Systèmes d'Information, 2013.
URL : https://hal.archives-ouvertes.fr/hal-00909293

A. Assaf, J. Signoles, and F. Tronel, Program Transformation for Non-interference Verification on Programs with Pointers, Security and Privacy Protection in Information Processing Systems, pp.231-244, 2013.
DOI : 10.1007/978-3-642-33826-7_16

URL : https://hal.archives-ouvertes.fr/hal-00814671

G. Gilles-barthe, J. D. Betarte, C. Campo, D. Luna, and . Pichardie, System-level non-interference for BIBLIOGRAPHY constant-time cryptography. IACR Cryptology ePrint Archive Hybrid information flow monitoring against web tracking, Computer Security Foundations Symposium (CSF), pp.422-2013, 2013.

[. Braun, K. Chatzikokolakis, and C. Palamidessi, Quantitative Notions of Leakage for One-try Attacks, Electronic Notes in Theoretical Computer Science, vol.249, pp.75-91, 2009.
DOI : 10.1016/j.entcs.2009.07.085

URL : https://hal.archives-ouvertes.fr/inria-00424852

[. Barthe, R. Pedro, T. Argenio, and . Rezk, Secure information flow by self-composition, Computer Security Foundations Workshop Proceedings. 17th IEEE, pp.100-114, 2004.
DOI : 10.1109/csfw.2004.1310735

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=

[. Barthe, R. Pedro, T. Argenio, and . Rezk, Secure information flow by self-composition, Mathematical Structures in Computer Science, vol.4, issue.06, pp.1207-1252, 2011.
DOI : 10.1145/5397.5399

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=

[. Backes, B. Köpf, and A. Rybalchenko, Automatic Discovery and Quantification of Information Leaks, 2009 30th IEEE Symposium on Security and Privacy, pp.141-153, 2009.
DOI : 10.1109/SP.2009.18

S. Blazy and X. Leroy, Mechanized Semantics for the Clight Subset of the C Language, Journal of Automated Reasoning, vol.29, issue.6, pp.263-288, 2009.
DOI : 10.1007/s10817-009-9148-3

URL : https://hal.archives-ouvertes.fr/inria-00352524

[. Barthe, D. Pichardie, and T. Rezk, A certified lightweight non-interference Java bytecode verifier, Mathematical Structures in Computer Science, vol.11, issue.05, pp.1032-1081, 2013.
DOI : 10.1109/JSAC.2002.806121

URL : https://hal.archives-ouvertes.fr/hal-00915189

[. Barthe, T. Rezk, and M. Warnier, Preventing Timing Leaks Through Transactional Branching Instructions, Electronic Notes in Theoretical Computer Science, vol.153, issue.2, pp.33-55, 2006.
DOI : 10.1016/j.entcs.2005.10.031

P. Cousot and R. Cousot, Static determination of dynamic properties of programs, Proceedings of the second International Symposium on Programming, pp.106-130, 1976.

P. Cousot and R. Cousot, Abstract interpretation, Proceedings of the 4th ACM SIGACT-SIGPLAN symposium on Principles of programming languages , POPL '77, pp.238-252, 1977.
DOI : 10.1145/512950.512973

URL : https://hal.archives-ouvertes.fr/hal-01108790

P. Cousot and R. Cousot, Constructive versions of Tarski???s fixed point theorems, Pacific Journal of Mathematics, vol.82, issue.1, pp.43-57, 1979.
DOI : 10.2140/pjm.1979.82.43

P. Cousot and R. Cousot, Systematic design of program analysis frameworks, Proceedings of the 6th ACM SIGACT-SIGPLAN symposium on Principles of programming languages , POPL '79, pp.269-282, 1979.
DOI : 10.1145/567752.567778

P. Cousot and R. Cousot, Higher-order abstract interpretation (and application to comportment analysis generalizing strictness, termination, projection and PER analysis of functional languages), Proceedings of 1994 IEEE International Conference on Computer Languages (ICCL'94), pp.95-112, 1994.
DOI : 10.1109/ICCL.1994.288389

P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné et al., Combination of Abstractions in the ASTRÉEASTR´ASTRÉE Static Analyzer, Programming Languages and Systems, pp.272-300

M. Edmund and . Clarke, Orna Grumberg, and Doron Peled. Model Checking, 1999.

P. Cousot and N. Halbwachs, Automatic discovery of linear restraints among variables of a program, Proceedings of the 5th ACM SIGACT-SIGPLAN symposium on Principles of programming languages , POPL '78, pp.84-96, 1978.
DOI : 10.1145/512760.512770

D. Clark, S. Hunt, and P. Malacaria, A static analysis for quantifying information flow in a simple imperative language, Journal of Computer Security, vol.15, issue.3, pp.321-371, 2007.
DOI : 10.3233/JCS-2007-15302

F. Cuoq, N. Kirchner, and . Kosmatov, Virgile Prevosto , Julien Signoles, and Boris Yakobowski. Frama-C: A Program Analysis Perspective. Software Engineering and Formal Methods, pp.233-247, 2012.

D. Clark, Quantitative Information Flow, Relations and Polymorphic Types, Journal of Logic and Computation, vol.15, issue.2, pp.181-199, 2005.
DOI : 10.1093/logcom/exi009

[. Capizzi, A. Longo, V. Venkatakrishnan, and P. Sistla, Preventing Information Leaks through Shadow Executions, 2008 Annual Computer Security Applications Conference (ACSAC), pp.322-331, 2008.
DOI : 10.1109/ACSAC.2008.50

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=

R. Michael, . Clarkson, C. Andrew, F. B. Myers, and . Schneider, Quantifying information flow with beliefs, Journal of Computer Security, vol.17, pp.655-701, 2009.

A. Chudnov, A. David, and . Naumann, Information Flow Monitor Inlining, 2010 23rd IEEE Computer Security Foundations Symposium, pp.200-214, 2010.
DOI : 10.1109/CSF.2010.21

E. Cohen, Information transmission in computational systems, SOSP '77: Proceedings of the sixth ACM symposium on Operating systems principles, pp.133-139, 1977.

[. Cousot, The calculational design of a generic abstract interpreter, NATO ASI SERIES F COMPUTER AND SYS- TEMS SCIENCES, vol.173, pp.421-506, 1999.

D. Cachera and D. Pichardie, A Certified Denotational Abstract Interpreter, Interactive Theorem Proving, pp.9-24, 2010.
DOI : 10.1007/978-3-642-14052-5_3

URL : https://hal.archives-ouvertes.fr/inria-00537810

M. Thomas, . Cover, A. Joy, and . Thomas, Elements of Information Theory 2nd Edition, 2006.

[. Denning, J. Peter, and . Denning, Certification of programs for secure information flow, Communications of the ACM, vol.20, issue.7, pp.504-513, 1977.
DOI : 10.1145/359636.359712

E. Dorothy, . Denning, J. Peter, S. Denning, and . Graham, On the derivation of lattice structured information flow policies, 1976.

E. Dorothy and . Denning, A Lattice Model of Secure Information Flow, Commun. ACM (), vol.19, issue.5, pp.236-243, 1976.

[. Denning, Cryptography and data security, 1982.

D. Devriese and F. Piessens, Noninterference through Secure Multi-execution, 2010 IEEE Symposium on Security and Privacy, pp.109-124, 2010.
DOI : 10.1109/SP.2010.15

URL : https://lirias.kuleuven.be/bitstream/123456789/265429/1/secure-multi-execution-final.pdf

D. Demange and D. Sands, All Secrets Great and Small, Programming Languages and Systems, pp.207-221
DOI : 10.1007/978-3-642-00590-9_16

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=

P. Eckersley, How Unique Is Your Web Browser?, Privacy Enhancing Technologies, pp.1-18, 2010.
DOI : 10.1007/978-3-642-14527-8_1

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=

[. Espinoza and G. Smith, Min-entropy as a resource, Information and Computation, vol.226, pp.57-75, 2013.
DOI : 10.1016/j.ic.2013.03.005

J. Filliâtre, L. Gondelman, and A. Paskevich, The Spirit of Ghost Code, CAV, vol.8559, issue.1, pp.1-16, 2014.

P. Flajolet and R. Sedgewick, Analytic combinatorics, 2009.
DOI : 10.1017/CBO9780511801655

URL : https://hal.archives-ouvertes.fr/inria-00072739

A. Joseph, J. Goguen, and . Meseguer, Security Policies and Security Models, IEEE Symposium on Security and Privacy, pp.11-20, 1982.

P. Granger, Static analysis of arithmetical congruences, International Journal of Computer Mathematics, vol.30, issue.3-4, 1989.
DOI : 10.1145/29873.29875

[. Hunt and D. Sands, On flow-sensitive security types, POPL '06: Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages, pp.79-90, 2006.

[. Hedin and A. Sabelfeld, A Perspective on Information-Flow Control. Software Safety and Security, pp.319-347, 1987.

N. Kirchner and . Kosmatov, Virgile Prevosto, Julien Signoles, and Boris Yakobowski. Frama-C: A Software Analysis Perspective, Formal Aspects of Computing, pp.1-37, 2015.

M. Dexter-kozen and . Patron, Certification of Compiler Optimizations Using Kleene Algebra with Tests, Computational Logic, pp.1861568-582, 2000.

[. Köpf and A. Rybalchenko, Approximation and Randomization for Quantitative Information-Flow Analysis, 2010 23rd IEEE Computer Security Foundations Symposium, pp.3-14, 2010.
DOI : 10.1109/CSF.2010.8

[. Köpf and A. Rybalchenko, Automation of Quantitative Information-Flow Analysis, SFM, vol.21, issue.1, pp.79381-79409, 2013.
DOI : 10.1007/978-3-642-00596-1_21

L. Lamport, How to Write a Proof, The American Mathematical Monthly, vol.102, issue.7, pp.600-608, 1995.
DOI : 10.2307/2974556

J. Ligatti, L. Bauer, and D. Walker, More enforceable security policies. Foundations of Computer Security Workshop, 2002.

[. Ligatti, L. Bauer, and D. Walker, Edit automata: enforcement mechanisms for run-time security policies, International Journal of Information Security, vol.3, issue.1-2, pp.2-16, 2005.
DOI : 10.1007/s10207-004-0046-8

X. Leroy, Formal verification of a realistic compiler, Communications of the ACM, vol.52, issue.7, pp.107-115, 2009.
DOI : 10.1145/1538788.1538814

URL : https://hal.archives-ouvertes.fr/inria-00415861

[. Guernic, Automaton-based Confidentiality Monitoring of Concurrent Programs. CSF, pp.218-232, 2007.
URL : https://hal.archives-ouvertes.fr/inria-00161019

G. Gurvan-le, Precise dynamic verification of confidentiality, Proceedings of the 5th International Verification Workshop in connection with IJCAR 2008, 2008.

[. Guernic, A. Banerjee, P. Thomas, . Jensen, A. David et al., Automata-Based Confidentiality Monitoring, ASIAN'06: Proceedings of the 11th Asian computing science conference on Advances in computer science: secure software and related issues, 2006.
DOI : 10.1007/11555827_21

URL : https://hal.archives-ouvertes.fr/inria-00130210

P. Malacaria, Assessing security threats of looping constructs, ACM SIGPLAN Notices, pp.225-235

P. Malacaria, Risk assessment of security threats for looping constructs*, Journal of Computer Security, vol.18, issue.2, pp.191-228, 2010.
DOI : 10.3233/JCS-2010-0360

S. Moore and S. Chong, Static Analysis for Efficient Hybrid Information-Flow Control, 2011 IEEE 24th Computer Security Foundations Symposium, pp.146-160, 2011.
DOI : 10.1109/CSF.2011.17

J. Mclean, A general theory of composition for trace sets closed under selective interleaving functions, Proceedings of 1994 IEEE Computer Society Symposium on Research in Security and Privacy, pp.79-93, 1994.
DOI : 10.1109/RISP.1994.296590

A. Miné, Symbolic Methods to Enhance the Precision of Numerical Abstract Domains, Verification, Model Checking, and Abstract Interpretation, pp.348-363, 2006.
DOI : 10.1007/11609773_23

A. Miné, The octagon abstract domain. Higher-order and symbolic computation, pp.31-100, 2006.

J. Midtgaard, P. Thomas, and . Jensen, A Calculational Approach to Control-Flow Analysis by Abstract Interpretation, SAS, vol.5079, pp.347-362, 2008.
DOI : 10.1007/978-3-540-69166-2_23

[. Mardziel, S. Magill, M. Hicks, and M. Srivatsa, Dynamic Enforcement of Knowledge-Based Security Policies, 2011 IEEE 24th Computer Security Foundations Symposium, pp.114-128, 2011.
DOI : 10.1109/CSF.2011.15

C. Andrew, N. Myers, L. Nystrom, S. Zheng, and . Zdancewic, Jif: Java Information Flow Software release, 2001.

L. Mauborgne and X. Rival, Trace Partitioning in Abstract Interpretation Based Static Analyzers, ESOP'05: Proceedings of the 14th European conference on Programming Languages and Systems, pp.5-20, 2005.
DOI : 10.1007/978-3-540-31987-0_2

[. Magazinius, A. Russo, and A. Sabelfeld, Onthe-fly Inlining of Dynamic Security Monitors, Security and Privacy ? Silver Linings in the Cloud, pp.173-186, 2010.

[. Magazinius, A. Russo, and A. Sabelfeld, Onthe-fly inlining of dynamic security monitors, Computers & Security, issue.7, pp.31827-843, 2012.

[. Meng and G. Smith, Calculating bounds on information leakage using two-bit patterns, Proceedings of the ACM SIGPLAN 6th Workshop on Programming Languages and Analysis for Security, PLAS '11, p.1, 2011.
DOI : 10.1145/2166956.2166957

C. Andrew, A. Myers, S. Sabelfeld, and . Zdancewic, Enforcing robust declassification and qualified robustness, Journal of Computer Security, 2006.

C. Andrew and . Myers, JFlow: Practical Mostly-Static Information Flow Control, pp.228-241, 1999.

[. Nielson, R. Hanne, C. Nielson, and . Hankin, Principles of Program Analysis, 1999.
DOI : 10.1007/978-3-662-03811-6

D. Gordon and . Plotkin, A structural approach to operational semantics, 1981.

D. Gordon and . Plotkin, A structural approach to operational semantics, J. Log. Algebr. Program. (), vol.60, pp.17-139, 2004.

D. Perrin and J. Pin, Infinite words : automata, semigroups, logic and games
URL : https://hal.archives-ouvertes.fr/hal-00112831

A. Rényi, On measures of entropy and information, the Fourth Berkeley Symposium on Mathematical Statistics and Probability, 1961.

X. Rival and L. Mauborgne, The trace partitioning abstract domain, ACM Transactions on Programming Languages and Systems, vol.29, issue.5, p.26, 2007.
DOI : 10.1145/1275497.1275501

A. Russo and A. Sabelfeld, Dynamic vs. Static Flow-Sensitive Security Analysis, 2010 23rd IEEE Computer Security Foundations Symposium, pp.186-199, 2010.
DOI : 10.1109/CSF.2010.20

B. Fred and . Schneider, Enforceable security policies, ACM Transactions on Information and System Security, vol.3, issue.1, pp.30-50, 2000.

E. Claude and . Shannon, A Mathematical Theory of Communication. The Bell System Technical Journal, pp.379-423, 1948.

[. Simonet, The Flow Caml System: documentation and user's manual Software release, 2003.

A. Sabelfeld, C. Andrew, and . Myers, Language-based information-flow security. Selected Areas in Communications, IEEE Journal on, vol.21, issue.1, pp.5-19, 2003.
DOI : 10.1109/jsac.2002.806121

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=

A. Sabelfeld, C. Andrew, and . Myers, A Model for Delimited Information Release, Software Security -Theories and Systems, pp.174-191, 2004.
DOI : 10.1007/978-3-540-37621-7_9

[. Smith, On the Foundations of Quantitative Information Flow, Proceedings of the 12th International Conference on Foundations of Software Science and Computational Structures: Held As Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2009, FOSSACS '09, pp.288-302, 2009.
DOI : 10.1137/060651380

[. Smith, Quantifying Information Flow Using Min-Entropy, 2011 Eighth International Conference on Quantitative Evaluation of SysTems
DOI : 10.1109/QEST.2011.31

A. Sabelfeld and D. Sands, Declassification: Dimensions and principles, Journal of Computer Security, vol.17, issue.5, 2009.
DOI : 10.3233/jcs-2009-0352

URL : http://doi.org/10.3233/jcs-2009-0352

A. Tarski, A lattice-theoretical fixpoint theorem and its applications, Pacific Journal of Mathematics, vol.5, issue.2, pp.285-309, 1955.
DOI : 10.2140/pjm.1955.5.285

[. Volpano, C. Irvine, and G. Smith, A sound type system for secure flow analysis, Journal of Computer Security, vol.4, issue.2-3, pp.167-187, 1996.
DOI : 10.3233/JCS-1996-42-304

D. Volpano and G. Smith, Eliminating covert flows with minimum typings, Proceedings 10th Computer Security Foundations Workshop, pp.156-168, 1997.
DOI : 10.1109/CSFW.1997.596807

D. Volpano and G. Smith, Verifying secrets and relative secrecy, Proceedings of the 27th ACM SIGPLAN-SIGACT symposium on Principles of programming languages , POPL '00, pp.268-276, 2000.
DOI : 10.1145/325694.325729

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=

G. Winskel, The formal semantics of programming languages: an introduction. The formal semantics of programming languages: an introduction, 1993.

H. Yasuoka and T. Terauchi, On Bounding Problems of Quantitative Information Flow, Computer Security ? ESORICS 2010, pp.357-372, 2010.

H. Yasuoka and T. Terauchi, Quantitative Information Flow - Verification Hardness and Possibilities, 2010 23rd IEEE Computer Security Foundations Symposium, pp.15-27, 2010.
DOI : 10.1109/CSF.2010.9

H. Yasuoka and T. Terauchi, On bounding problems of quantitative information flow, Journal of Computer Security, vol.19, issue.6, pp.1029-1082, 2011.
DOI : 10.3233/JCS-2011-0437

[. Zdancewic, Programming languages for information security, 2002.

S. Zdancewic, C. Andrew, and . Myers, Robust declassification, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001., pp.15-23, 2001.
DOI : 10.1109/CSFW.2001.930133

?. Hence-?k, A change of variable k ? k ? 1 gives the desired result, knowing that D(a 2 ) = D(x) + 1 by 52 and typing. 58, p.61

E. That-means-that, M ? ? v ?(a 1 ,0) (notice that c 2 T also assigns ?(a 1 , 0) But since it just propagates r-values of L L (a 1 ) ? pc which are already propagated by c 0 T , the value of ?(a 1 , 0) keeps being equal

E. Q. ?-?-51, Proof: Since ?(x, 0) in not modified by T [a 1 = a 2 , pc]. a 1 = a 2 modifies only locations in Loc(P ). c 2 T do not modify ?(x, 0) since E(x) / ? S P (a 1 = a 2 ). c 1 T modifies only pointers and ?(x, 0) is not

?. , M. T. , ?. Holds, E. ?. , ?. et al., Proof: Since assignment pc ? does not modify neither locations in Loc(P ) nor locations associated to shadow variables defined by Additionally, pc ? = s a ? pc where s a is the result of r-value evaluation of a in