Testing noninterference, quickly

Information-flow control mechanisms are difficult to design and labor intensive to prove correct. To reduce the time wasted on proof attempts doomed to fail due to broken definitions, we advocate modern random testing techniques for finding counterexamples during the design process. We show how to use QuickCheck, a property-based random-testing tool, to guide the design of a simple information-flow abstract machine. We find that both sophisticated strategies for generating well-distributed random programs and readily falsifiable formulations of noninterference properties are critically important. We propose several approaches and evaluate their effectiveness on a collection of injected bugs of varying subtlety. We also present an effective technique for shrinking large counterexamples to minimal, easily comprehensible ones. Taken together, our best methods enable us to quickly and automatically generate simple counterexamples for all these bugs.

[1]  Lukas Bulwahn,et al.  The New Quickcheck for Isabelle - Random, Exhaustive and Symbolic Testing under One Roof , 2012, CPP.

[2]  Tobias Nipkow,et al.  Random testing in Isabelle/HOL , 2004, Proceedings of the Second International Conference on Software Engineering and Formal Methods, 2004. SEFM 2004..

[3]  Koushik Sen,et al.  Heuristics for Scalable Dynamic Test Generation , 2008, 2008 23rd IEEE/ACM International Conference on Automated Software Engineering.

[4]  StefanDeian,et al.  Flexible dynamic information flow control in Haskell , 2011 .

[5]  Sam Tobin-Hochstadt,et al.  Run your research: on the effectiveness of lightweight mechanization , 2012, POPL '12.

[6]  Thomas H. Austin,et al.  Permissive dynamic information flow analysis , 2010, PLAS '10.

[7]  John Hughes,et al.  QuickCheck Testing for Fun and Profit , 2007, PADL.

[8]  Jonathan M. Smith,et al.  Hardware Support for Safety Interlocks and Introspection , 2012, 2012 IEEE Sixth International Conference on Self-Adaptive and Self-Organizing Systems Workshops.

[9]  Carl Eastlund DoubleCheck your theorems , 2009, ACL2 '09.

[10]  Alexander Pretschner,et al.  Idea: Unwinding Based Model-Checking and Testing for Non-Interference on EFSMs , 2015, ESSoS.

[11]  Jonathan M. Smith,et al.  Preliminary design of the SAFE platform , 2011, PLOS '11.

[12]  Thomas C. Henderson,et al.  Arc and Path Consistency Revisited , 1986, Artif. Intell..

[13]  Bruno Marre,et al.  On-the-fly generation of k-path tests for C functions , 2004 .

[14]  David Sands,et al.  Dimensions and principles of declassification , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[15]  Benjamin C. Pierce,et al.  All Your IFCException Are Belong to Us , 2013, 2013 IEEE Symposium on Security and Privacy.

[16]  Xavier Leroy,et al.  Formal Verification of a C-like Memory Model and Its Uses for Verifying Program Transformations , 2008, Journal of Automated Reasoning.

[17]  Dawson R. Engler,et al.  EXE: automatically generating inputs of death , 2006, CCS '06.

[18]  Anindya Banerjee,et al.  Stack-based access control and secure information flow , 2005, J. Funct. Program..

[19]  Alejandro Russo,et al.  Dynamic vs. Static Flow-Sensitive Security Analysis , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[20]  Rupak Majumdar,et al.  Hybrid Concolic Testing , 2007, 29th International Conference on Software Engineering (ICSE'07).

[21]  David A. Schmidt,et al.  Automata-Based Confidentiality Monitoring , 2006, ASIAN.

[22]  Deian Stefan,et al.  On Dynamic Flow-Sensitive Floating-Label Systems , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[23]  Koushik Sen,et al.  Symbolic execution for software testing: three decades later , 2013, CACM.

[24]  Peter Dybjer,et al.  Combining Testing and Proving in Dependent Type Theory , 2003, TPHOLs.

[25]  Thomas H. Austin,et al.  Efficient purely-dynamic information flow analysis , 2009, PLAS '09.

[26]  Deepak Garg,et al.  Generalizing Permissive-Upgrade in Dynamic Information Flow Analysis , 2014, PLAS@ECOOP.

[27]  Lukas Bulwahn,et al.  Smart Testing of Functional Programs in Isabelle , 2012, LPAR.

[28]  Marinus J. Plasmeijer,et al.  Model-Based Shrinking for State-Based Testing , 2013, Trends in Functional Programming.

[29]  Benjamin C. Pierce,et al.  Foundational Property-Based Testing , 2015, ITP.

[30]  Dave Clarke,et al.  Noninterference via Symbolic Execution , 2012, FMOODS/FORTE.

[31]  Xavier Leroy,et al.  The CompCert Memory Model, Version 2 , 2012 .

[32]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[33]  Gilles Barthe,et al.  Relational Verification Using Product Programs , 2011, FM.

[34]  Alexander Aiken,et al.  Secure Information Flow as a Safety Problem , 2005, SAS.

[35]  Arnar Birgisson,et al.  Boosting the Permissiveness of Dynamic Information-Flow Tracking by Testing , 2012, ESORICS.

[36]  Koen Claessen,et al.  Making Random Judgments: Automatically Generating Well-Typed Terms from the Definition of a Type-System , 2015, ESOP.

[37]  José Meseguer,et al.  Unwinding and Inference Control , 1984, 1984 IEEE Symposium on Security and Privacy.

[38]  Robert Bruce Findler,et al.  The Racket virtual machine and randomized testing , 2012, High. Order Symb. Comput..

[39]  Meng Wang,et al.  Feat: functional enumeration of algebraic types , 2013, Haskell 2013.

[40]  Bruno Marre,et al.  On-the-fly generation of k-path tests for C functions , 2004, Proceedings. 19th International Conference on Automated Software Engineering, 2004..

[41]  Rachid Echahed,et al.  A needed narrowing strategy , 2000, JACM.

[42]  Michael D. Ernst,et al.  Randoop: feedback-directed random testing for Java , 2007, OOPSLA '07.

[43]  Andrew C. Myers,et al.  Programming Languages for Information Security , 2002 .

[44]  Jeffrey S. Fenton Memoryless Subsystems , 1974, Comput. J..

[45]  Deian Stefan,et al.  Flexible dynamic information flow control in Haskell , 2012, Haskell '11.

[46]  Benjamin C. Pierce,et al.  Micro-Policies A Framework for Verified, Hardware-Assisted Security Monitors , 2014 .

[47]  Casey August Experience with Randomized Testing in Programming Language Metatheory , 2009 .

[48]  Koen Claessen,et al.  Generating constrained random data with uniform distribution , 2014, Journal of Functional Programming.

[49]  Xuejun Yang,et al.  Test-case reduction for C compiler bugs , 2012, PLDI.

[50]  Koushik Sen,et al.  CUTE: a concolic unit testing engine for C , 2005, ESEC/FSE-13.

[51]  Alex Groce,et al.  Randomized Differential Testing as a Prelude to Formal Verification , 2007, 29th International Conference on Software Engineering (ICSE'07).

[52]  Koen Claessen,et al.  QuickCheck: a lightweight tool for random testing of Haskell programs , 2000, ICFP.

[53]  Fredrik Lindblad Property Directed Generation of First-Order Test Data , 2007, Trends in Functional Programming.

[54]  Deepak Garg,et al.  Information Flow Control in WebKit's JavaScript Bytecode , 2014, POST.

[55]  B. Pierce,et al.  Making Our Own Luck A Language for Random Generators ( Extended Abstract ) , 2015 .

[56]  Gurvan Le Guernic Automaton-based Confidentiality Monitoring of Concurrent Programs , 2007, 20th IEEE Computer Security Foundations Symposium (CSF'07).

[57]  Sebastian Fischer,et al.  EasyCheck - Test Data for Free , 2008, FLOPS.

[58]  Xuejun Yang,et al.  Finding and understanding bugs in C compilers , 2011, PLDI '11.

[59]  Andrew C. Myers,et al.  Dynamic security labels and static information flow control , 2007, International Journal of Information Security.

[60]  Johannes Kinder,et al.  Hypertesting : The Case for Automated Testing of Hyperproperties , 2015 .

[61]  Pedro R. D'Argenio,et al.  Secure information flow by self-composition , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[62]  Sarfraz Khurshid,et al.  Symbolic execution for software testing in practice: preliminary assessment , 2011, 2011 33rd International Conference on Software Engineering (ICSE).

[63]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[64]  Benjamin C. Pierce,et al.  Micro-Policies: Formally Verified, Tag-Based Security Monitors , 2015, 2015 IEEE Symposium on Security and Privacy.

[65]  Andreas Zeller,et al.  Simplifying and Isolating Failure-Inducing Input , 2002, IEEE Trans. Software Eng..

[66]  Casey Klein,et al.  Randomized Testing in PLT Redex , 2009 .

[67]  Nick Benton,et al.  Simple relational correctness proofs for static analyses and program transformations , 2004, POPL.

[68]  Andrei Sabelfeld,et al.  Information-Flow Security for a Core of JavaScript , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[69]  Mads Dam,et al.  ENCoVer: Symbolic Exploration for Information Flow Security , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[70]  Panagiotis Manolios,et al.  Integrating Testing and Interactive Theorem Proving , 2011, ACL2.

[71]  Emina Torlak,et al.  A lightweight symbolic virtual machine for solver-aided host languages , 2014, PLDI.

[72]  Alejandro Russo,et al.  From Dynamic to Static and Back: Riding the Roller Coaster of Information-Flow Control Research , 2009, Ershov Memorial Conference.

[73]  Koushik Sen,et al.  DART: directed automated random testing , 2005, PLDI '05.

[74]  Colin Runciman,et al.  Smallcheck and lazy smallcheck: automatic exhaustive testing for small values , 2008, Haskell '08.