
Atomistic Galois insertions for flow sensitive integrity

Published: 01 December 2017

Abstract

We develop the theory of atomistic Galois insertions to link abstract security policies with the results of static analyses. We use this to impose a content-dependent information flow policy on a concurrent language with polyadic synchronous communication and local storage. The running example illustrates the approach on a multiplexer-demultiplexer scenario originating from avionics. We establish semantic soundness through an instrumented semantics dealing with explicit and implicit information flow.

Several program verification techniques assist in showing that software adheres to the required security policies. Such policies may be sensitive to the flow of execution, and the verification may be supported by combinations of type systems and Hoare logics. However, this requires user assistance, and to obtain full automation we shall explore the over-approximating nature of static analysis. We demonstrate that the use of atomistic Galois insertions constitutes a stable framework in which to obtain sound and fully automatic enforcement of flow sensitive integrity. The framework is illustrated on a concurrent language with local storage and polyadic synchronous communication.

    Published In

    Computer Languages, Systems and Structures, Volume 50, Issue C, December 2017, 156 pages

    Publisher

    Elsevier Science Publishers B. V., Netherlands

    Author Tags

    1. Abstract interpretation
    2. Information flow
    3. Security policy