Information Flow Security Certification for SPARK Programs

SPARK 2014 (SPARK hereafter) is a programming language designed for building highly reliable applications where safety and security are key requirements. The SPARK platform performs a rigorous data/information flow analysis to ensure the safety and reliability of a program. However, that flow analysis is oriented towards establishing functional correctness and does not analyze the flow security of the program. Thus, the analysis needs to be augmented so that SPARK programs can be certified for security. In this paper, we propose an analysis that finds information flow leaks in a SPARK program using a Dynamic Labelling (DL) approach for multi-level security (MLS) programs, and we describe an effective algorithm for detecting information leaks in SPARK programs, including classes of termination/progress-sensitive computations. Further, we illustrate the application of our approach to overcoming information leaks through unsanitized sensitive data. We also show how SPARK can be extended to realize MLS systems, which invariably need declassification, by illustrating an application of the method to the security analysis of the Needham-Schroeder public-key protocol.
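The abstract names three kinds of leak the analysis must catch: explicit flows (a secret copied into a public variable), implicit flows (a public write inside a branch guarded by a secret), and progress/termination-sensitive flows (a public write that is reached only after a loop whose guard depends on a secret). The following is an added, constructed illustration of how a dynamic-labelling checker detects all three; it is not the paper's algorithm and not part of the SPARK toolset, and the two-point lattice, the `FlowChecker` class, the statement constructors and the sample programs are all assumptions made here for the example. Variables with a declared clearance are "static"; every other variable is "dynamic" and takes the label of whatever flows into it, with the pc (context) label joined in to capture implicit and progress-sensitive flows.

```python
"""Toy dynamic-labelling (DL) information-flow checker.

Constructed illustration; not the paper's algorithm or the SPARK toolset.
Lattice: LOW < HIGH. Variables with a declared clearance are static (e.g. a
secret input or a public output channel); every other variable is dynamic
and acquires the label of whatever flows into it. An assignment is a leak
when join(operand labels, pc) is above the target's declared clearance.
With progress_sensitive=True, code after a loop whose guard depends on HIGH
data runs under a HIGH pc, since reaching it reveals that the loop finished.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

LOW, HIGH = 0, 1
NAME = {LOW: "LOW", HIGH: "HIGH"}


def join(a: int, b: int) -> int:
    return max(a, b)  # least upper bound in the two-point lattice


@dataclass
class Assign:
    target: str
    sources: List[str]  # variables read on the right-hand side ([] = constant)


@dataclass
class If:
    guard: List[str]
    then: List["Stmt"]
    orelse: List["Stmt"] = field(default_factory=list)


@dataclass
class While:
    guard: List[str]
    body: List["Stmt"]


Stmt = Union[Assign, If, While]
Leak = Tuple[str, str, str]  # (target, label of value, declared clearance)


class FlowChecker:
    def __init__(self, clearances: Dict[str, int], progress_sensitive: bool = True):
        self.static = dict(clearances)
        self.labels = dict(clearances)  # dynamic variables are added when first written
        self.progress_sensitive = progress_sensitive
        self.leaks: List[Leak] = []

    def label_of(self, names: List[str]) -> int:
        lab = LOW
        for n in names:
            lab = join(lab, self.labels.get(n, LOW))
        return lab

    def check(self, stmts: List[Stmt], pc: int = LOW) -> int:
        """Check a block under context label pc.

        Returns the block's termination label: the join of the guards of all
        loops it contains (LOW if none), i.e. the highest label that can
        influence whether the block finishes at all."""
        term = LOW
        for s in stmts:
            if isinstance(s, Assign):
                val = join(self.label_of(s.sources), pc)
                if s.target in self.static:
                    if val > self.static[s.target]:
                        leak = (s.target, NAME[val], NAME[self.static[s.target]])
                        if leak not in self.leaks:
                            self.leaks.append(leak)
                else:
                    self.labels[s.target] = val  # dynamic label floats up to the value
            elif isinstance(s, If):
                g = join(self.label_of(s.guard), pc)
                t = join(self.check(s.then, g), self.check(s.orelse, g))
                if self.progress_sensitive:
                    pc = join(pc, t)  # a non-terminating branch leaks past the join point
                term = join(term, t)
            elif isinstance(s, While):
                while True:  # labels only rise, so iterating to a fixpoint terminates
                    before = dict(self.labels)
                    g = join(self.label_of(s.guard), pc)
                    t = self.check(s.body, g)
                    if self.labels == before:
                        break
                t = join(t, g)
                if self.progress_sensitive:
                    pc = join(pc, t)  # everything after the loop depends on its guard
                term = join(term, t)
        return term


def analyse(program: List[Stmt], clearances: Dict[str, int],
            progress_sensitive: bool = True) -> List[Leak]:
    checker = FlowChecker(clearances, progress_sensitive)
    checker.check(program)
    return checker.leaks


# Constructed sample programs, written as ASTs rather than SPARK source.
CLEAR = {"secret": HIGH, "public": LOW, "output": LOW}
EXPLICIT = [Assign("tmp", ["secret"]), Assign("output", ["tmp"])]
IMPLICIT = [If(["secret"], [Assign("output", [])], [Assign("output", ["public"])])]
PROGRESS = [While(["secret"], []), Assign("output", ["public"])]
LOOPBACK = [Assign("tmp", ["public"]), While(["tmp"], [Assign("tmp", ["secret"])]),
            Assign("output", ["tmp"])]
SAFE = [Assign("tmp", ["public"]), If(["public"], [Assign("output", ["tmp"])])]

if __name__ == "__main__":
    for name, prog in [("explicit", EXPLICIT), ("implicit", IMPLICIT),
                       ("progress", PROGRESS), ("loopback", LOOPBACK), ("safe", SAFE)]:
        print(name, analyse(prog, CLEAR), analyse(prog, CLEAR, progress_sensitive=False))
```

The `PROGRESS` program is the one that separates the two settings: a termination-insensitive check accepts `output := public` after `while secret loop ... end loop`, whereas the progress-sensitive check raises the pc to HIGH after the loop and reports the write. The `LOOPBACK` program shows why the loop body is re-checked to a fixpoint: the guard reads a dynamic variable whose label only becomes HIGH during the first pass over the body.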
