In early computer systems only simple actions would be governed by security policies. However, computers are increasingly handling complex organizational tasks which may have complex preconditions and postconditions. As such, it is useful to be able to plan and schedule actions in advance in order to ensure that desired actions will be able to be carried out without violating the security policy. However, there is a possibility that planning systems could accidentally leak information about future plans which should be kept confidential. In this paper, we investigate how sensitive information could be leaked by a planning system which uses security policies to ensure that planned actions will be able to occur. We formally define information leakage in this context. Then we present two techniques which can be used to mitigate or eliminate this information leakage and prove their security.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	J. Goguen and J. Meseguer. Security policies and security models. In IEEE Symposium on Security and Privacy, Oakland, CA, April 1982.
	2	Rachel Greenstadt and Michael D. Smith. Collaborative scheduling: Threats and promises. In Workshop on the Economics of Information Security, Cambridge, UK, June 2006.
	3	Keith Irwin , Ting Yu , William H. Winsborough, On the modeling and analysis of obligations, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA  [doi>10.1145/1180405.1180423]
	4	Sushil Jajodia and Ravi S. Sandhu. Toward a multilevel secure relational data model. In Marshall D. Abrams, Sushil Jajodia, and Harold J. Podell, editors, Information Security: An Integrated Collection of Essays. 1994.
	5	Sushil Ja jodia, Ravi S. Sandhu, and Barbara T. Blaustein. Solutions to the polyinstantiation problem. In Marshall D. Abrams, Sushil Jajodia, and Harold J. Podell, editors, Information Security: An Integrated Collection of Essays. 1994.
	6	Heiko Mantel, Possibilistic Definitions of Security - An Assembly Kit, Proceedings of the 13th IEEE workshop on Computer Security Foundations, p.185, July 03-05, 2000
	7	John McLean. Security models. In John Marciniak, editor, Encyclopedia of Software Engineering. 1994.
	8	John McLean, A General Theory of Composition for a Class of "Possibilistic" Properties, IEEE Transactions on Software Engineering, v.22 n.1, p.53-67, January 1996  [doi>10.1109/32.481534]
	9	Andrew C. Myers, JFlow: practical mostly-static information flow control, Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.228-241, January 20-22, 1999, San Antonio, Texas, United States  [doi>10.1145/292540.292561]
	10	Andrei Sabelfeld and Andrew C. Myers. Language--based information flow security. IEEE Journal on Selected Areas in Communications, 21(1), January 2003.
	11	Vincent Simonet. Flow Caml in a nutshell. In Graham Hutton, editor, Proceedings of the first APPSEM-II workshop, pages 152--165, Nottingham, United Kingdom, March 2003.
	12	Thomas D. Garvey , Teresa F. Lunt, Cover Stories for Database Security, Results of the IFIP WG 11.3 Workshop on Database Security V: Status and Prospects, p.363-380, November 01, 1991
	13	Tom Wagner. Coordination decision support assistants (coordinators). http://www.darpa.mil/ipto/programs/coor/coor_concept.asp