Hypercollecting semantics and its application to static analysis of information flow

We show how static analysis for secure information flow can be expressed and proved correct entirely within the framework of abstract interpretation. The key idea is to define a Galois connection that directly approximates the hyperproperty of interest. To enable use of such Galois connections, we introduce a fixpoint characterisation of hypercollecting semantics, i.e. a "set of sets" transformer. This makes it possible to systematically derive static analyses for hyperproperties entirely within the calculational framework of abstract interpretation. We evaluate this technique by deriving example static analyses. For qualitative information flow, we derive a dependence analysis similar to the logic of Amtoft and Banerjee (SAS '04) and the type system of Hunt and Sands (POPL '06). For quantitative information flow, we derive a novel cardinality analysis that bounds the leakage conveyed by a program instead of simply deciding whether it exists. This encompasses problems that are hypersafety but not k-safety. We put the framework to use and introduce variations that achieve precision rivalling the most recent and precise static analyses for information flow.

[1] Patrick Cousot et al. Static Analysis and Verification of Aerospace Software by Abstract Interpretation, 2010, Found. Trends Program. Lang.

[2] Michael Hicks et al. Dynamic enforcement of knowledge-based security policies using probabilistic abstract interpretation, 2013, J. Comput. Secur.

[3] John McLean et al. A general theory of composition for trace sets closed under selective interleaving functions, 1994, Proceedings of 1994 IEEE Computer Society Symposium on Research in Security and Privacy.

[4] Anindya Banerjee et al. Modelling declassification policies using abstract domain completeness, 2011, Math. Struct. Comput. Sci.

[5] Isabella Mastroeni et al. Abstract interpretation-based approaches to Security - A Survey on Abstract Non-Interference and its Challenging Applications, 2013, Festschrift for Dave Schmidt.

[6] Flemming Nielson et al. Principles of Program Analysis, 1999, Springer Berlin Heidelberg.

[7] G. Crooks. On Measures of Entropy and Information, 2015.

[8] Radhia Cousot et al. Higher-order abstract interpretation (and application to comportment analysis generalizing strictness, termination, projection and PER analysis of functional languages), 1994, Proceedings of 1994 IEEE International Conference on Computer Languages (ICCL'94).

[9] Patrick Cousot et al. Systematic design of program analysis frameworks, 1979, POPL.

[10] Sang Joon Kim et al. A Mathematical Theory of Communication, 2006.

[11] Julien Signoles et al. The Cardinal Abstraction for Quantitative Information Flow, 2016.

[12] David Sands et al. From Exponential to Polynomial-Time Security Typing via Principal Types, 2011, ESOP.

[13] Dorothy E. Denning et al. Cryptography and Data Security, 1982.

[14] David Sands et al. Termination-Insensitive Noninterference Leaks More Than Just a Bit, 2008, ESORICS.

[15] Bernd Finkbeiner et al. Relational abstract interpretation for the verification of 2-hypersafety properties, 2013, CCS.

[16] Andrei Sabelfeld et al. Gradual Release: Unifying Declassification, Encryption and Key Release Policies, 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[17] Andrei Sabelfeld et al. Value-Sensitive Hybrid Information Flow Control for a JavaScript-Like Language, 2015, 2015 IEEE 28th Computer Security Foundations Symposium.

[18] Bernd Finkbeiner et al. Algorithms for Model Checking HyperLTL and HyperCTL*, 2015, CAV.

[19] Patrick Cousot et al. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints, 1977, POPL.

[20] Michael R. Clarkson et al. Quantifying information flow with beliefs, 2009, J. Comput. Secur.

[21] Patrick Cousot et al. Comparing the Galois Connection and Widening/Narrowing Approaches to Abstract Interpretation, 1992, PLILP.

[22] Anindya Banerjee et al. Expressive Declassification Policies and Modular Static Enforcement, 2008, 2008 IEEE Symposium on Security and Privacy (SP 2008).

[23] Nataliia Bielova et al. Hybrid Monitoring of Attacker Knowledge, 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[24] Torben Amtoft et al. Information Flow Analysis in Logical Form, 2004, SAS.

[25] Glynn Winskel et al. The formal semantics of programming languages - an introduction, 1993, Foundation of computing series.

[26] Agostino Cortesi et al. Information Leakage Analysis by Abstract Interpretation, 2011, SOFSEM.

[27] Ellis S. Cohen. Information transmission in computational systems, 1977, SOSP '77.

[28] Pasquale Malacaria et al. Applied Quantitative Information Flow and Statistical Databases, 2009, Formal Aspects in Security and Trust.

[29] J. Meseguer et al. Security Policies and Security Models, 1982, 1982 IEEE Symposium on Security and Privacy.

[30] Borzoo Bonakdarpour et al. Runtime Verification of k-Safety Hyperproperties in HyperLTL, 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[31] Helmut Seidl et al. An Analysis of Universal Information Flow Based on Self-Composition, 2015, 2015 IEEE 28th Computer Security Foundations Symposium.

[32] Hirotoshi Yasuoka et al. On bounding problems of quantitative information flow, 2010, J. Comput. Secur.

[33] Nick Benton et al. Simple relational correctness proofs for static analyses and program transformations, 2004, POPL.

[34] Gregor Snelting et al. On PDG-based noninterference and its modular proof, 2009, PLAS '09.

[35] Nicolas Halbwachs et al. Automatic discovery of linear restraints among variables of a program, 1978, POPL.

[36] Xavier Rival et al. The trace partitioning abstract domain, 2007, TOPL.

[37] Roberto Giacobazzi et al. Abstract non-interference: parameterizing non-interference by abstract interpretation, 2004, POPL.

[38] David A. Schmidt. Inverse-limit and topological aspects of abstract interpretation, 2012, Theor. Comput. Sci.

[39] Patrick Cousot et al. The calculational design of a generic abstract interpreter, 1999.

[40] Philippe Granger et al. Improving the Results of Static Analyses Programs by Local Decreasing Iteration, 1992, FSTTCS.

[41] J. Rushby. Security Requirements Specifications: How and What? Extended, 2001.

[42] Gérard Boudol et al. Secure Information Flow as a Safety Property, 2009, Formal Aspects in Security and Trust.

[43] Andrey Rybalchenko et al. Approximation and Randomization for Quantitative Information-Flow Analysis, 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[44] Maria Handjieva et al. Refining Static Analyses by Trace-Based Partitioning Using Control Flow, 1998, SAS.

[45] Geoffrey Smith et al. Eliminating covert flows with minimum typings, 1997, Proceedings 10th Computer Security Foundations Workshop.

[46] François Bourdoncle et al. Abstract interpretation by dynamic partitioning, 1992, Journal of Functional Programming.

[47] Andrey Rybalchenko et al. Automation of Quantitative Information-Flow Analysis, 2013, SFM.

[48] David Cachera et al. A Certified Denotational Abstract Interpreter, 2010, ITP.

[49] E. Stewart Lee et al. A general theory of security properties, 1997, Proceedings 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[50] Pedro R. D'Argenio et al. Secure information flow by self-composition, 2004, Proceedings 17th IEEE Computer Security Foundations Workshop, 2004.

[51] Anindya Banerjee et al. Relational Logic with Framing and Hypotheses, 2016, FSTTCS.

[52] Dennis M. Volpano. Safety versus Secrecy, 1999, SAS.

[53] Antoine Miné et al. Symbolic Methods to Enhance the Precision of Numerical Abstract Domains, 2006, VMCAI.

[54] David Sands et al. Declassification: Dimensions and principles, 2009, J. Comput. Secur.

[55] Catuscia Palamidessi et al. Quantitative Notions of Leakage for One-try Attacks, 2009, MFPS.

[56] Reiner Hähnle et al. A Theorem Proving Approach to Analysis of Secure Information Flow, 2005, SPC.

[57] Mário S. Alvim et al. Measuring Information Leakage Using Generalized Gain Functions, 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[58] Mirko Zanotti. Security Typings by Abstract Interpretation, 2002, SAS.

[59] David Sands et al. Binding time analysis: a new PERspective, 1991, PEPM '91.

[60] Bernd Finkbeiner et al. Temporal Logics for Hyperproperties, 2013, POST.

[61] Geoffrey Smith et al. Verifying secrets and relative secrecy, 2000, POPL '00.

[62] Torben Amtoft et al. A logic for information flow in object-oriented programs, 2006, POPL '06.

[63] Agostino Cortesi et al. Widening and narrowing operators for abstract interpretation, 2011, Comput. Lang. Syst. Struct.

[64] Sebastian Hunt. PERs Generalise Projections for Strictness Analysis (Extended Abstract), 1990, Functional Programming.

[65] Vladimir Klebanov et al. Precise quantitative information flow analysis - a symbolic approach, 2014, Theor. Comput. Sci.

[66] Geoffrey Smith et al. On the Foundations of Quantitative Information Flow, 2009, FoSSaCS.

[67] Isil Dillig et al. Cartesian hoare logic for verifying k-safety properties, 2016, PLDI.

[68] Peter J. Denning et al. Certification of programs for secure information flow, 1977, CACM.

[69] Andrew C. Myers et al. Language-based information-flow security, 2003, IEEE J. Sel. Areas Commun.

[70] Jan Reineke et al. CacheAudit: A Tool for the Static Analysis of Cache Side Channels, 2013, TSEC.

[71] Andrei Sabelfeld et al. Value Sensitivity and Observable Abstract Values for Information Flow Control, 2015, LPAR.

[72] David Sands et al. On flow-sensitive security types, 2006, POPL '06.

[73] Michael Hicks et al. Dynamic Enforcement of Knowledge-Based Security Policies, 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[74] Alexander Aiken et al. Secure Information Flow as a Safety Problem, 2005, SAS.

[75] Agostino Cortesi et al. A Survey on Product Operators in Abstract Interpretation, 2013, Festschrift for Dave Schmidt.

[76] Geoffrey Smith et al. A Sound Type System for Secure Flow Analysis, 1996, J. Comput. Secur.

[77] Nataliia Bielova et al. Hybrid Information Flow Monitoring against Web Tracking, 2013, 2013 IEEE 26th Computer Security Foundations Symposium.

[78] Patrick Cousot et al. Constructive design of a hierarchy of semantics of a transition system by abstract interpretation, 2002, MFPS.

[79] Mounir Assaf et al. From qualitative to quantitative program analysis: permissive enforcement of secure information flow (Approches qualitatives et quantitatives d'analyse de programmes : mise en oeuvre permissive de flux d'information sécurisés), 2015.

[80] Benjamin C. Pierce et al. Explicit Secrecy: A Policy for Taint Tracking, 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[81] Antoine Miné et al. The octagon abstract domain, 2001, Proceedings Eighth Working Conference on Reverse Engineering.

[82] David A. Schmidt. Abstract Interpretation from a Topological Perspective, 2009, SAS.

[83] Geoffrey Smith et al. Quantifying Information Flow Using Min-Entropy, 2011, 2011 Eighth International Conference on Quantitative Evaluation of SysTems.

[84] Michael Backes et al. Automatic Discovery and Quantification of Information Leaks, 2009, 2009 30th IEEE Symposium on Security and Privacy.

[85] A. Rényi. On Measures of Entropy and Information, 1961.

[86] David A. Naumann et al. Calculational Design of Information Flow Monitors, 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).