Integration of a security type system into a program logic

Type systems and program logics are often thought to be at opposing ends of the spectrum of formal software analyses. In this paper we show that a flow-sensitive type system ensuring non-interference in a simple while-language can be expressed through specialised rules of a program logic. In our framework, the structure of non-interference proofs resembles the corresponding derivations in a state-of-the-art security type system, meaning that the algorithmic version of the type system can be used as a proof procedure for the logic. We argue that this is important for obtaining uniform proof certificates in a proof-carrying code framework. We discuss in which cases the interleaving of approximative and precise reasoning allows us to deal with delimited information release. Finally, we present ideas on how our results can be extended to encompass features of realistic programming languages such as Java.
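As an added illustration of the kind of analysis the abstract refers to, the following Python is a small flow-sensitive security type checker for a while-language (assignment, sequencing, conditionals, loops) over a two-point lattice LOW < HIGH. It is example code written for this page, not the paper's calculus or the authors' implementation; the AST classes, the `pc` (program-counter) context and the fixpoint iteration for loops are the usual textbook treatment of flow-sensitive typing and are assumptions of this example. Because the analysis is flow-sensitive, `l := h; l := 0` is accepted with `l` public at the end, while any assignment under a secret guard is conservatively marked HIGH even when both branches write the same value.

```python
"""Flow-sensitive security typing for a while-language (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Union

LOW, HIGH = 0, 1  # two-point lattice: LOW <= HIGH, join = max


# ---- abstract syntax (constructed for this example) ----
@dataclass(frozen=True)
class Const:
    value: int


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class BinOp:  # operator is irrelevant for typing: level = join of operands
    left: "Expr"
    right: "Expr"


Expr = Union[Const, Var, BinOp]


@dataclass(frozen=True)
class Assign:
    target: str
    expr: Expr


@dataclass(frozen=True)
class Seq:
    first: "Stmt"
    second: "Stmt"


@dataclass(frozen=True)
class If:
    cond: Expr
    then: "Stmt"
    orelse: "Stmt"


@dataclass(frozen=True)
class While:
    cond: Expr
    body: "Stmt"


Stmt = Union[Assign, Seq, If, While]
Env = Dict[str, int]  # variable -> security level


def expr_level(e: Expr, env: Env) -> int:
    """Level of an expression: join of the levels of the variables it reads."""
    if isinstance(e, Const):
        return LOW
    if isinstance(e, Var):
        return env.get(e.name, LOW)
    return max(expr_level(e.left, env), expr_level(e.right, env))


def join_env(a: Env, b: Env) -> Env:
    """Pointwise join of two typing environments (control-flow merge)."""
    return {v: max(a.get(v, LOW), b.get(v, LOW)) for v in set(a) | set(b)}


def type_stmt(s: Stmt, env: Env, pc: int = LOW) -> Env:
    """Return the output environment; `pc` is the level of the guarding context.

    Flow-sensitive typing never rejects a program: it computes, for every
    variable, an upper bound on what its final value may depend on.
    """
    if isinstance(s, Assign):
        out = dict(env)
        # explicit flow (rhs) joined with implicit flow (pc)
        out[s.target] = max(pc, expr_level(s.expr, env))
        return out
    if isinstance(s, Seq):
        return type_stmt(s.second, type_stmt(s.first, env, pc), pc)
    if isinstance(s, If):
        pc2 = max(pc, expr_level(s.cond, env))
        return join_env(type_stmt(s.then, env, pc2), type_stmt(s.orelse, env, pc2))
    if isinstance(s, While):
        cur = dict(env)
        while True:  # least fixpoint; terminates because the lattice is finite
            pc2 = max(pc, expr_level(s.cond, cur))
            nxt = join_env(cur, type_stmt(s.body, cur, pc2))
            if nxt == cur:
                return cur
            cur = nxt
    raise TypeError(f"unknown statement {s!r}")


def is_noninterferent(s: Stmt, env: Env, public: Iterable[str]) -> bool:
    """Non-interference check: no public variable may end up at level HIGH."""
    out = type_stmt(s, env)
    return all(out.get(v, LOW) == LOW for v in public)


# Sample inputs (constructed): h is secret, l is public.
ENV0: Env = {"h": HIGH, "l": LOW}
DIRECT = Assign("l", Var("h"))                                   # explicit leak
IMPLICIT = If(Var("h"), Assign("l", Const(1)), Assign("l", Const(0)))  # implicit leak
OVERWRITE = Seq(Assign("l", Var("h")), Assign("l", Const(0)))   # fine: l overwritten
LOOP = While(Var("h"), Seq(Assign("h", BinOp(Var("h"), Const(1))),
                           Assign("l", BinOp(Var("l"), Const(1)))))  # loop-count leak

if __name__ == "__main__":
    for name, prog in [("DIRECT", DIRECT), ("IMPLICIT", IMPLICIT),
                       ("OVERWRITE", OVERWRITE), ("LOOP", LOOP)]:
        print(name, type_stmt(prog, ENV0), is_noninterferent(prog, ENV0, ["l"]))
```

The `OVERWRITE` case is the point of flow sensitivity: a flow-insensitive system with `l` fixed at LOW would reject `l := h` outright, whereas here the derivation simply records that `l` is temporarily HIGH and becomes LOW again after the overwrite. The `IMPLICIT` case shows the approximation the abstract alludes to: both branches assign a constant, yet the guard's level is joined into `l`, so a precise (semantic) argument would be needed to show that no information is actually released.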
