Nonmalleable Progress Leakage

📅 2025-05-18
📈 Citations: 0
Influential: 0
🤖 AI Summary
Traditional progress-insensitive noninterference in information-flow control is easy to enforce, but it prohibits essential security-downgrading operations such as decryption and input endorsement, and it fails to prevent leakage via attacker-controlled progress channels. This paper introduces nonmalleable progress leakage (NMPL), the first security model unifying progress sensitivity with nonmalleable information-flow theory. NMPL permits controlled leakage of progress information while preserving the confidentiality and integrity guarantees of security-downgrading operations. The paper defines NMPL as a hyperproperty, designs the first type system supporting automatic inference of safe downgrading locations, and formally verifies all key theorems in the Rocq proof assistant. This establishes a new basis for practical, high-assurance information-flow control.

📝 Abstract
Information-flow control systems often enforce progress-insensitive noninterference, as it is simple to understand and enforce. Unfortunately, real programs need to declassify results and endorse inputs, which noninterference disallows, while preventing attackers from controlling leakage, including through progress channels, which progress-insensitivity ignores. This work combines ideas for progress-sensitive security with secure downgrading (declassification and endorsement) to identify a notion of securely downgrading progress information. We use hyperproperties to distill the separation between progress-sensitive and progress-insensitive noninterference and combine it with nonmalleable information flow, an existing (progress-insensitive) definition of secure downgrading, to define nonmalleable progress leakage (NMPL). We present the first information-flow type system to allow some progress leakage while enforcing NMPL, and we show how to infer the location of secure progress downgrades. All theorems are verified in Rocq.
Problem

Research questions and friction points this paper is trying to address.

Combining progress-sensitive security with secure downgrading
Defining nonmalleable progress leakage (NMPL) using hyperproperties
Developing an information-flow type system enforcing NMPL
Innovation

Methods, ideas, or system contributions that make the work stand out.

Combines progress-sensitive security with secure downgrading
Uses hyperproperties to define nonmalleable progress leakage
Introduces first NMPL-enforcing information-flow type system