Information flow properties are a way of specifying security properties of systems, dating back to the work of Goguen and Meseguer in the eighties. In this framework, a system is modeled as having high-level (or confidential) events as well as low-level (or public) events, and a typical property requires that the high-level events should not "influence" the occurrence of low-level events. In this book we study the problem of model-checking the well-known trace-based and bisimulation-based information flow security properties for some popular classes of infinite-state system models, and state-based information flow properties for programs.