A Per Model of Secure Information Flow in Sequential Programs

Published: 01 March 2001

Abstract

This paper proposes an extensional semantics-based formal specification of secure information-flow properties in sequential programs based on representing degrees of security by partial equivalence relations (pers). The specification clarifies and unifies a number of specific correctness arguments in the literature and connections to other forms of program analysis. The approach is inspired by (and in the deterministic case equivalent to) the use of partial equivalence relations in specifying binding-time analysis, and is thus able to specify security properties of higher-order functions and “partially confidential data”. We also show how the per approach can handle nondeterminism for a first-order language, by using powerdomain semantics, and show how probabilistic security properties can be formalised by using probabilistic powerdomain semantics. We illustrate the usefulness of the compositional nature of the security specifications by presenting a straightforward correctness proof for a simple type-based security analysis.
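As an added illustration (my code, not the paper's, which contains no code), the abstract's two central ideas worked on a toy two-variable state space: a degree of security is a per on program states, and "partially confidential data" is simply a coarser per (here: only the parity of the secret is public). The programs, the finite state space and the parity policy are all constructed for this example; a program is checked by exhaustively comparing every pair of related input states.

```python
"""Added example, not the paper's code: security policies as pers. A deterministic program
is (R_in, R_out)-secure when R_in-related inputs always produce R_out-related outputs."""
from itertools import product
from typing import Callable, Dict, Iterable

State = Dict[str, int]
Per = Callable[[State, State], bool]   # assumed symmetric and transitive
Program = Callable[[State], State]     # all toy programs here terminate

def low_equiv(low_vars: Iterable[str]) -> Per:
    """Classic noninterference per: two states are related iff they agree on every public variable."""
    low_vars = tuple(low_vars)
    return lambda s1, s2: all(s1[v] == s2[v] for v in low_vars)

def parity_public(low_vars: Iterable[str], secret: str) -> Per:
    """'Partially confidential data': public variables plus the parity of `secret` are observable."""
    base = low_equiv(low_vars)
    return lambda s1, s2: base(s1, s2) and s1[secret] % 2 == s2[secret] % 2

def secure(prog: Program, r_in: Per, r_out: Per, states: Iterable[State]) -> bool:
    """Exhaustively check that r_in-related inputs are mapped to r_out-related outputs."""
    states = list(states)
    return all(r_out(prog(dict(s1)), prog(dict(s2)))
               for s1, s2 in product(states, repeat=2) if r_in(s1, s2))

# Constructed toy programs over a public variable l and a secret variable h.
def increment_low(s: State) -> State:   # l := l + 1
    s["l"] += 1; return s
def copy_parity(s: State) -> State:     # l := h mod 2
    s["l"] = s["h"] % 2; return s
def implicit_flow(s: State) -> State:   # if h > 0 then l := 1 else l := 0
    s["l"] = 1 if s["h"] > 0 else 0; return s

# Constructed finite state space, large enough to exhibit each (in)security below.
STATES = [{"h": h, "l": l} for h in range(-2, 3) for l in (0, 1)]
LOW = low_equiv(["l"])
PARITY = parity_public(["l"], "h")

def check_all() -> Dict[str, bool]:
    """Which (program, input per -> output per) combinations are secure."""
    return {
        "increment_low: low -> low": secure(increment_low, LOW, LOW, STATES),      # secure
        "copy_parity: low -> low": secure(copy_parity, LOW, LOW, STATES),          # h leaks
        "copy_parity: parity -> low": secure(copy_parity, PARITY, LOW, STATES),    # allowed
        "implicit_flow: parity -> low": secure(implicit_flow, PARITY, LOW, STATES),  # leaks sign
    }

if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name:30} {'secure' if ok else 'INSECURE'}")
```

The same program (`copy_parity`) is rejected under the standard low-equivalence per and accepted once the input per declares the parity public, which is exactly the "degree of security" the abstract describes; the implicit flow is still rejected under the weaker policy because the sign of h is not covered by it.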



Published In

Higher-Order and Symbolic Computation, Volume 14, Issue 1, March 2001, 85 pages.
Publisher: Kluwer Academic Publishers, United States.

Author Tags

1. confidentiality
2. noninterference
3. partial equivalence relations
4. powerdomains
5. probabilistic covert channels
6. security
7. semantics

Qualifiers

• Article

Cited By

• (2024) Compiling Probabilistic Programs for Variable Elimination with Information Flow. Proceedings of the ACM on Programming Languages 8(PLDI), 1755-1780. doi:10.1145/3656448. Online publication date: 20-Jun-2024.
• (2023) Reconciling Shannon and Scott with a Lattice of Computable Information. Proceedings of the ACM on Programming Languages 7(POPL), 1987-2016. doi:10.1145/3571740. Online publication date: 11-Jan-2023.
• (2022) Secure Partitioning of Composite Cloud Applications. Service-Oriented and Cloud Computing, 47-64. doi:10.1007/978-3-031-04718-3_3. Online publication date: 22-Mar-2022.
• (2021) Giving semantics to program-counter labels via secure effects. Proceedings of the ACM on Programming Languages 5(POPL), 1-29. doi:10.1145/3434316. Online publication date: 4-Jan-2021.
• (2021) Mechanized logical relations for termination-insensitive noninterference. Proceedings of the ACM on Programming Languages 5(POPL), 1-29. doi:10.1145/3434291. Online publication date: 4-Jan-2021.
• (2021) A Temporal Logic for Asynchronous Hyperproperties. Computer Aided Verification, 694-717. doi:10.1007/978-3-030-81685-8_33. Online publication date: 20-Jul-2021.
• (2019) Static Identification of Injection Attacks in Java. ACM Transactions on Programming Languages and Systems 41(3), 1-58. doi:10.1145/3332371. Online publication date: 2-Jul-2019.
• (2019) Modalities, cohesion, and information flow. Proceedings of the ACM on Programming Languages 3(POPL), 1-29. doi:10.1145/3290333. Online publication date: 2-Jan-2019.
• (2018) Secure serverless computing using dynamic information flow control. Proceedings of the ACM on Programming Languages 2(OOPSLA), 1-26. doi:10.1145/3276488. Online publication date: 24-Oct-2018.
• (2018) If This Then What? Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 1102-1119. doi:10.1145/3243734.3243841. Online publication date: 15-Oct-2018.
