A Framework for Non-Interference in Component-Based Systems

Modern IT systems are required to implement complex functionality and to support high scalability. At the same time, security properties such as confidentiality and integrity are becoming more and more important for these systems. A frequently used approach to realizing such systems is component-based systems engineering, in which different parts of the software are distributed over several components, each realizing part of the functionality as services and using other components for the functionality it requires. These components can then be distributed over different machines, which allows high flexibility when deploying the overall system. Further, component-based systems engineering supports the re-use of existing components in new contexts and in possibly very different usage scenarios.

A very popular approach to the specification and analysis of confidentiality and integrity properties of software is the concept of non-interference, which describes a strict property of the allowed flow of information in a software system. With non-interference specifications, the inputs and outputs of a system are labeled as secret (high) or public (low) information. A program is non-interferent if its public outputs are not influenced by secret inputs. Typically, the separation of information into high and low is performed according to an analysis of the potential attackers on the system.

In this thesis, we present a novel and general framework for non-interference in component-based systems. By exploiting restrictions of the programming model of component-based systems, the framework allows a very precise specification of the intended information flows in a system. The partition of inputs and outputs into high and low values is based on equivalence relations and thus allows partial information, as well as the existence of service calls, to be classified as secret or public. The resulting non-interference property is compositional, a central requirement in the case of component-based systems.
Further, we present as part of the framework a notion of non-interference as a service-local information flow property and show that non-interferent
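The equivalence-relation view of high and low described above, as an added illustration that is not part of the thesis or its framework: two runs of one component service are compared on every pair of inputs the low observer cannot distinguish, and the service is non-interferent if the observer cannot distinguish the outputs either. The service, its input domain, and the relations (user id and the sign of the balance are public, the exact balance is secret; the existence of a call to another component is public, its argument is not) are all constructed for this example.

```python
"""Two-run check of equivalence-relation based non-interference for one service."""
from itertools import product

# Constructed input domain: small enough to enumerate every pair of runs.
USERS = ["alice", "bob"]
BALANCES = [-150, -50, 0, 50]


def inputs():
    return [{"user": u, "balance": b} for u, b in product(USERS, BALANCES)]


def low_equiv_in(a, b):
    """Low observer sees the user id and whether the account is overdrawn,
    but not the exact balance: only partial information about it is public."""
    return a["user"] == b["user"] and (a["balance"] < 0) == (b["balance"] < 0)


def low_equiv_out(x, y):
    """Low observer sees the response and which other services were called
    (the existence of a call is public); call arguments are not recorded."""
    return x["response"] == y["response"] and x["calls"] == y["calls"]


def status_leaky(inp):
    """Calls the collections service only below a threshold on the secret
    balance, so the existence of the call reveals more than the sign."""
    calls = ["collections.notify"] if inp["balance"] < -100 else []
    state = "overdrawn" if inp["balance"] < 0 else "ok"
    return {"response": f"{inp['user']}: {state}", "calls": calls}


def status_secure(inp):
    """Decides on the call using only the public part of the balance."""
    calls = ["collections.notify"] if inp["balance"] < 0 else []
    state = "overdrawn" if inp["balance"] < 0 else "ok"
    return {"response": f"{inp['user']}: {state}", "calls": calls}


def interference_witness(service):
    """Return a pair of low-equivalent inputs whose outputs the low observer
    can tell apart, or None if the service is non-interferent on the domain."""
    for a, b in product(inputs(), repeat=2):
        if low_equiv_in(a, b) and not low_equiv_out(service(a), service(b)):
            return a, b
    return None


if __name__ == "__main__":
    print("leaky :", interference_witness(status_leaky))
    print("secure:", interference_witness(status_secure))
```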
