Hostname: page-component-cd9895bd7-8ctnn Total loading time: 0 Render date: 2024-12-26T08:40:57.208Z Has data issue: false hasContentIssue false

Secure information flow by self-composition

Published online by Cambridge University Press:  27 October 2011

GILLES BARTHE
Affiliation:
IMDEA Software Institute, Madrid, Spain Email: gilles.barthe@imdea.org
PEDRO R. D'ARGENIO
Affiliation:
FaMAF, Universidad Nacional de Córdoba – CONICET, Córdoba, Argentina Email: dargenio@famaf.unc.edu.ar
TAMARA REZK
Affiliation:
INRIA Sophia-Antipolis, INDES Project, France Email: tamara.rezk@inria.fr

Abstract

Information flow policies are confidentiality policies that control information leakage through program execution. A common way to enforce secure information flow is through information flow type systems. Although type systems are compositional and usually enjoy decidable type checking or inference, their extensibility is very poor: type systems need to be redefined and proved sound for each new variation of security policy and programming language for which secure information flow verification is desired.

In contrast, program logics offer a general mechanism for enforcing a variety of safety policies, and for this reason are favoured in Proof Carrying Code, which is a promising security architecture for mobile code. However, the encoding of information flow policies in program logics is not straightforward because they refer to a relation between two program executions.

The purpose of this paper is to investigate logical formulations of secure information flow based on the idea of self-composition, which reduces the problem of secure information flow of a program P to a safety property for a program derived from P by composing P with a renaming of itself. Self-composition enables the use of standard techniques for information flow policy verification, such as program logics and model checking, that are suitable in Proof Carrying Code infrastructures.

We illustrate the applicability of self-composition in several settings, including different security policies such as non-interference and controlled forms of declassification, and programming languages including an imperative language with parallel composition, a non-deterministic language and, finally, a language with shared mutable data structures.

Type
Paper
Copyright
Copyright © Cambridge University Press 2011

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

Alur, R., Cerný, P. and Zdancewic, S. (2006) Preserving secrecy under refinement. In: 33rd International Colloquium on Automata, Languages and Programming (ICALP). Springer-Verlag Lecture Notes in Computer Science 4052 107118.Google Scholar
Amtoft, T., Bandhakavi, S. and Banerjee, A. (2006) A logic for information flow in object-oriented programs. In: Proceedings of POPL'06, ACM Press 91102.Google Scholar
Amtoft, T. and Banerjee, A. (2007) Verification condition generation for conditional information flow. In: 5th ACM Workshop on Formal Methods in Security Engineering (FMSE'07), George Mason University, ACM Press 211. (The full paper appears as Technical report 2007-2, Department of Computing and Information Sciences, Kansas State University, August 2007.)Google Scholar
Andrews, G. R. and Reitman, R. P. (1980) An axiomatic approach to information flow in programs. ACM Trans. Program. Lang. Syst. 2 (1)5676.CrossRefGoogle Scholar
Backes, M., Köpf, B. and Rybalchenko, A. (2009) Automatic Discovery and Quantification of Information Leaks. In: Proceedings 30th IEEE Symposium on Security and Privacy (S&P '09), IEEE Computer Society Press 141153.Google Scholar
Banerjee, A., Naumann, D. and Rosenberg, S. (2007) Towards a logical account of declassification. In Proceedings of PLAS'07, ACM Press 6165.Google Scholar
Barthe, G., D'Argenio, P. and Rezk, T. (2004) Secure Information Flow by Self-Composition. In: Foccardi, R. (ed.) Proceedings of CSFW'04, IEEE Computer Society Press 100114.Google Scholar
Benton, N. (2004) Simple relational correctness proofs for static analyses and program transformations. In: Proceedings of POPL'04, ACM Press. 1425.Google Scholar
Clarke, E., Emerson, E. and Sistla, A. (1986) Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems 8 (2)244263.CrossRefGoogle Scholar
Clarkson, M. R. and Schneider, F. B. (2008) Hyperproperties. In: Computer Security Foundations Symposium, IEEE Computer Society Press 5165.Google Scholar
Cohen, E. S. (1977) Information transmission in computational systems. ACM SIGOPS Operating Systems Review 11 (5)133139.Google Scholar
Cohen, E. S. (1978) Information transmission in sequential programs. In: DeMillo, R. A., Dobkin, D. P., Jones, A. K. and Lipton, R. J. (eds.) Foundations of Secure Computation, Academic Press 297335.Google Scholar
Cook, S. (1978) Soundness and completeness of an axiom system for program verification. SIAM Journal on Computing 7 (1)7090.CrossRefGoogle Scholar
Dam, M. (2006) Decidability and proof systems for language-based noninterference relations. In: Proceedings of POPL'06, ACM Press 6778.Google Scholar
Darvas, A., Hähnle, R. and Sands, D. (2005) A theorem proving approach to analysis of secure information flow. In:Hutter, D. and Ullmann, M. (eds.) Security in Pervasive Computing. Springer-Verlag Lecture Notes in Computer Science 3450 193209. (Preliminary version in the informal proceedings of WITS'03.)Google Scholar
Denning, D. E. and Denning, P. J. (1977) Certification of programs for secure information flow. Communications of the ACM 20 (7)504513.CrossRefGoogle Scholar
Dijkstra, E. (1997) A Discipline of Programming, Prentice Hall.Google Scholar
Dufay, G., Felty, A. P. and Matwin, S. (2005) Privacy-sensitive information flow with JML. In: Nieuwenhuis, R. (ed.) Proceedings of CADE'05. Springer-Verlag Lecture Notes in Computer Science 3632 116130.CrossRefGoogle Scholar
Giacobazzi, R. and Mastroeni, I. (2004a) Abstract non-interference: Parameterizing non-interference by abstract interpretation. In: Proceedings of the 31th ACM Symposium on Principles of Programming Languages, ACM Press 186197.Google Scholar
Giacobazzi, R. and Mastroeni, I. (2004b) Proving abstract non-interference. In: Annual Conference of the European Association for Computer Science Logic (CSL'04). Springer-Verlag Lecture Notes in Computer Science 3210 280294.Google Scholar
Goguen, J. and Meseguer, J. (1982) Security policies and security models. In: Proceedings of SOSP'82, IEEE Computer Society Press 1122.Google Scholar
Hähnle, R., Pan, J., Rümmer, P. and Walter, D. (2007) Integration of a security type system into a program logic. In: Proceedings 2nd Symposium on Trustworthy Global Computing. Springer-Verlag Lecture Notes in Computer Science 4661 116131.CrossRefGoogle Scholar
Hoare, C. (1969) An axiomatic basis for computer programming. Communications of the ACM 12 (10)576580, 583.CrossRefGoogle Scholar
Huisman, M., Worah, P. and Sunesen, K. (2006) A temporal logic characterisation of observational determinism. In: Proceedings of CSFW'06, IEEE Computer Society Press 315.Google Scholar
Hunt, S. and Sands, D. (2006) On flow-sensitive security types. ACM SIG-PLAN Notices–Proceedings of POPL 2006 41 (1)7990.Google Scholar
Ishtiaq, S. and O'Hearn, P. (2001) Bi as an assertion language for mutable data structures. In: Proceedings of the 28th ACM Symposium on Principles of Programming Languages, ACM Press 1426.Google Scholar
Jacobs, B. and Warnier, M. (2003) Formal proofs of confidentiality in java programs (manuscript).Google Scholar
Joshi, R. and Leino, K. (2000) A semantic approach to secure information flow. Science of Computer Programming 37 (1–3)113138.CrossRefGoogle Scholar
Leavens, G., Baker, A. and Ruby, C. (1998) Preliminary Design of JML: a Behavioral Interface Specification Language for Java. Technical Report 98-06, Iowa State University, Department of Computer Science.Google Scholar
Manna, Z. and Pnueli, A. (1992) The Temporal Logic of Reactive and Concurrent Systems: Specification, Springer-Verlag.CrossRefGoogle Scholar
Marché, C., Paulin-Mohring, C. and Urbain, X. (2004) The Krakatoa tool for certification of Java/JavaCard programs annotated with JML annotations. Journal of Logic and Algebraic Programming 58 89106.CrossRefGoogle Scholar
Mclean, J. (1994) A general theory of composition for trace sets closed under selective interleaving functions. In: In Proceedings IEEE Symposium on Security and Privacy, IEEE Computer Society Press 7993.Google Scholar
Naumann, D. (2006) From coupling relations to mated invariants for checking information flow (extended abstract). In: Gollmann, D. and Sabelfeld, A. (eds.) Proceedings of ESORICS'06. Springer-Verlag Lecture Notes in Computer Science 4189 279296.CrossRefGoogle Scholar
Necula, G. (1997) Proof-carrying code. In: Proceedings of the 25th ACM Symposium on Principles of Programming Languages, ACM Press 106119.Google Scholar
Necula, G. (1998) Compiling with Proofs, Ph.D. thesis, Carnegie Mellon University. (Available as Technical Report CMU-CS-98-154.)Google Scholar
Pottier, F. (2002) A simple view of type-secure information flow in the pi-calculus. In: CSFW, IEEE Computer Society Press 320330.Google Scholar
Reynolds, J. (2000) Intuitionistic reasoning about shared mutable data structure. In: Davies, J., Roscoe, B. and Woodcock, J. (eds.) Millennial Perspectives in Computer Science, Palgrave 303321.Google Scholar
Reynolds, J. C. (2002) Separation logic: A logic for shared mutable data structures. In: 17th IEEE Symposium on Logic in Computer Science (LICS 2002), IEEE Computer Society Press 5574.Google Scholar
Sabelfeld, A. and Myers, A. (2003) Language-based information-flow security. IEEE Journal on Selected Areas in Communication 21 519.CrossRefGoogle Scholar
Sabelfeld, A. and Myers, A. C. (2004) A model for delimited information release. In: Futatsugi, K., Mizoguchi, F. and Yonezaki, N. (eds.) Software Security – Theories and Systems: Proceedings International Symposium on Software Security (ISSS'03). Springer-Verlag Lecture Notes in Computer Science 3233 174191.Google Scholar
Sabelfeld, A. and Sands, D. (2005) Dimensions and principles of declassification. In: CSFW, 255–269.Google Scholar
Smith, G. and Volpano, D. (1998) Secure Information Flow in a Multi-threaded Imperative Language. In: Proceedings of the 25th ACM Symposium on Principles of Programming Languages, ACM Press 355364.Google Scholar
Terauchi, T. and Aiken, A. (2005) Secure information flow as a safety problem. In: Hankin, C. and Siveroni, I. (eds.) Static Analysis Symposium. Springer-Verlag Lecture Notes in Computer Science 3672 352367.CrossRefGoogle Scholar
Volpano, D., Smith, G. and Irvine, C. (1996) A sound type system for secure flow analysis. Journal of Computer Security 4 (3)167187.CrossRefGoogle Scholar
Yang, H. (2007) Relational separation logic. Theoretical Computer Science 375 (1–3)308334.Google Scholar
Yasuoka, H. and Terauchi, T. (2010) Quantitative information flow – verification hardness and possibilities. In: Proceedings CSF'10, IEEE Computer Society Press.Google Scholar
Zanardini, D. (2006) Abstract Non-Interference in a fragment of Java bytecode. In: Proceedings of the ACM Symposium on Applied Computing (SAC), ACM Press 18221826.Google Scholar
Zdancewic, S. and Myers, A. (2003) Observational determinism for concurrent program security. In: Proceedings of CSFW'03, IEEE Computer Society Press 2943.Google Scholar