Article
DOI: 10.1007/11863908_18

From coupling relations to mated invariants for checking information flow

Published: 18 September 2006

Abstract

This paper investigates a technique for using automated program verifiers to check conformance with information flow policy, in particular for programs acting on shared, dynamically allocated mutable heap objects. The technique encompasses rich policies with forms of declassification and supports modular, invariant-based verification of object-oriented programs. The technique is based on the known idea of self-composition, whereby noninterference for a command is reduced to an ordinary partial correctness property of the command sequentially composed with a renamed copy of itself. The first contribution is to extend this technique to encompass heap objects, which is difficult because textual renaming is inapplicable. The second contribution is a systematic means to validate transformations on self-composed programs. Certain transformations are needed for effective use of existing automated program verifiers and they exploit conservative flow inference, e.g., from security type inference. Experiments with the technique using ESC/Java2 and Spec# verifiers are reported.
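The abstract's reduction of noninterference to partial correctness of a command followed by a renamed copy of itself can be seen concretely on a tiny imperative language with a heap. The block below is an added example, not code from the paper or from its ESC/Java2 and Spec# experiments: it interprets a command C, builds the textually renamed copy C' (every x becomes x'), runs C; C' on one store and one heap from low-equal initial stores, and reports whether the low variables still agree afterwards. Exhaustive enumeration over a three-value domain stands in for the automated verifier. Because the two copies allocate different objects, plain equality on references rejects even secure code; the comparison modulo a partial bijection on references used here is this example's own assumption and not a reproduction of the paper's treatment of heap objects.

```python
"""Self-composition check for noninterference on a tiny heap language.

Added example (not the paper's code): run C, then its renamed copy C', on one
store and heap, and compare the low variables of the two copies.  References
are compared modulo a partial bijection `beta` (this example's assumption).
"""
from itertools import product

PRIME = "'"   # suffix used to rename the second copy's variables


def ev(e, store, heap):
    """Evaluate int literal, variable name, ('fld', var) or ('add'|'gt', e1, e2)."""
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return store[e]
    if e[0] == 'fld':                       # read field f of the object held in e[1]
        return heap[store[e[1]][1]]['f']
    a, b = ev(e[1], store, heap), ev(e[2], store, heap)
    return a + b if e[0] == 'add' else int(a > b)


def run(prog, store, heap):
    """Execute a statement list, mutating store (var -> value) and heap (list of objects)."""
    for st in prog:
        if st[0] == 'assign':               # x := e
            store[st[1]] = ev(st[2], store, heap)
        elif st[0] == 'new':                # x := new  (one field f, initially 0)
            heap.append({'f': 0})
            store[st[1]] = ('ref', len(heap) - 1)
        elif st[0] == 'store':              # x.f := e
            heap[store[st[1]][1]]['f'] = ev(st[2], store, heap)
        elif st[0] == 'if':                 # if e then s1 else s2
            run(st[2] if ev(st[1], store, heap) else st[3], store, heap)


def rename_expr(e):
    if isinstance(e, str):
        return e + PRIME
    if isinstance(e, int):
        return e
    return (e[0],) + tuple(rename_expr(x) for x in e[1:])


def rename(prog):
    """Textual renaming x -> x' of a whole statement list (the second copy of C)."""
    out = []
    for st in prog:
        if st[0] == 'if':
            out.append(('if', rename_expr(st[1]), rename(st[2]), rename(st[3])))
        elif st[0] == 'new':
            out.append(('new', st[1] + PRIME))
        else:                               # assign / store: (kind, var, expr)
            out.append((st[0], st[1] + PRIME, rename_expr(st[2])))
    return out


def low_equiv(v1, v2, heap, beta):
    """Ints agree by value; references agree iff mated by beta, fields compared recursively."""
    if isinstance(v1, tuple) != isinstance(v2, tuple):
        return False
    if not isinstance(v1, tuple):
        return v1 == v2
    if v1 in beta:
        return beta[v1] == v2
    if v2 in beta.values():
        return False
    beta[v1] = v2                           # mate the objects first, so cycles terminate
    return low_equiv(heap[v1[1]]['f'], heap[v2[1]]['f'], heap, beta)


def check(prog, low, high, domain=(0, 1, 2), mate_refs=True):
    """Run C; C' on every pair of low-equal initial stores over `domain`.

    Returns None if the low variables of both copies agree after every run,
    otherwise a counterexample.  Enumeration replaces the paper's verifier.
    """
    composed = prog + rename(prog)
    for lows in product(domain, repeat=len(low)):
        for h1, h2 in product(product(domain, repeat=len(high)), repeat=2):
            store = {}
            for x, v in list(zip(low, lows)) + list(zip(high, h1)):
                store[x] = v                            # first copy's variables
            for x, v in list(zip(low, lows)) + list(zip(high, h2)):
                store[x + PRIME] = v                    # second copy, same low inputs
            heap, beta = [], {}
            run(composed, store, heap)
            for x in low:
                same = (low_equiv(store[x], store[x + PRIME], heap, beta) if mate_refs
                        else store[x] == store[x + PRIME])
                if not same:
                    return {'var': x, 'low': dict(zip(low, lows)),
                            'high': dict(zip(high, h1)), "high'": dict(zip(high, h2))}
    return None


# Constructed sample programs: l and p are low, h and o are high.
DIRECT = [('assign', 'l', 'h')]
IMPLICIT = [('if', ('gt', 'h', 0), [('assign', 'l', 1)], [('assign', 'l', 0)])]
HEAP_LEAK = [('new', 'p'), ('store', 'p', 'h'), ('assign', 'l', ('fld', 'p'))]
HEAP_OK = [('new', 'o'), ('store', 'o', 'h'),           # secret goes into a fresh object o
           ('new', 'p'), ('store', 'p', ('add', 'l', 1)),
           ('assign', 'l', ('fld', 'p'))]

if __name__ == "__main__":
    print("direct leak       :", check(DIRECT, ['l'], ['h']))
    print("implicit leak     :", check(IMPLICIT, ['l'], ['h']))
    print("heap leak         :", check(HEAP_LEAK, ['l', 'p'], ['h']))
    print("heap ok, mated    :", check(HEAP_OK, ['l', 'p'], ['h']))
    print("heap ok, plain == :", check(HEAP_OK, ['l', 'p'], ['h'], mate_refs=False))
```

The last two calls show the point the abstract makes about heap objects: `HEAP_OK` is secure, but with `mate_refs=False` the check reports variable `p` as a leak, because the first copy's `p` holds the reference allocated second and the second copy's `p'` holds the one allocated fourth. Mating the two allocations (the `beta` bijection) is what lets the renamed copy be compared at all; in the paper that role is played by invariants over the self-composed program fed to a verifier, here by a small recursive comparison.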

Published In

ESORICS'06: Proceedings of the 11th European conference on Research in Computer Security
September 2006
548 pages
ISBN:354044601X
Editors: Dieter Gollmann, Jan Meier, Andrei Sabelfeld

Publisher

Springer-Verlag

Berlin, Heidelberg


Cited By

  • (2023) A Relational Program Logic with Data Abstraction and Dynamic Framing. ACM Transactions on Programming Languages and Systems 44(4):1-136, 10 Jan 2023. doi:10.1145/3551497
  • (2021) Alignment completeness for relational Hoare logics. Proceedings of the 36th Annual ACM/IEEE Symposium on Logic in Computer Science, pages 1-13, 29 Jun 2021. doi:10.1109/LICS52264.2021.9470690
  • (2021) Constraint-Based Relational Verification. Computer Aided Verification, pages 742-766, 20 Jul 2021. doi:10.1007/978-3-030-81685-8_35
  • (2019) The next 700 relational program logics. Proceedings of the ACM on Programming Languages 4(POPL):1-33, 20 Dec 2019. doi:10.1145/3371072
  • (2018) Prudent Design Principles for Information Flow Control. Proceedings of the 13th Workshop on Programming Languages and Analysis for Security, pages 17-23, 15 Oct 2018. doi:10.1145/3264820.3264824
  • (2018) A monadic framework for relational verification: applied to information security, program equivalence, and optimizations. Proceedings of the 7th ACM SIGPLAN International Conference on Certified Programs and Proofs, pages 130-145, 8 Jan 2018. doi:10.1145/3167090
  • (2017) Decomposition instead of self-composition for proving the absence of timing channels. ACM SIGPLAN Notices 52(6):362-375, 14 Jun 2017. doi:10.1145/3140587.3062378
  • (2017) Decomposition instead of self-composition for proving the absence of timing channels. Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 362-375, 14 Jun 2017. doi:10.1145/3062341.3062378
  • (2014) Collaborative Verification of Information Flow for a High-Assurance App Store. Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pages 1092-1104, 3 Nov 2014. doi:10.1145/2660267.2660343
  • (2014) Efficient Self-composition for Weakest Precondition Calculi. Proceedings of the 19th International Symposium on Formal Methods (FM 2014), LNCS volume 8442, pages 579-594, 12 May 2014. doi:10.1007/978-3-319-06410-9_39