A Uniform Information-Flow Security Benchmark Suite for Source Code and Bytecode

It has become common practice to formally verify the correctness of information-flow analyses with respect to noninterference-like properties. An orthogonal problem is to ensure the correctness of implementations of such analyses. In this article, we propose the benchmark suite IFSpec, which provides sample programs for checking that an information-flow analyzer correctly classifies them as secure or insecure. Our focus is on the Java and Android platforms, and IFSpec supports Java source code, Java bytecode, and Dalvik bytecode. IFSpec is structured into categories that address multiple types of information leakage. We employ IFSpec to validate and compare four information-flow analyzers: Cassandra, Joana, JoDroid, and KeY. IFSpec is based on RIFL, the RS³ Information-Flow Specification Language, and is open to extensions.
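The following is an added illustration, not IFSpec code or any sample from the paper: it models three tiny benchmark-style programs (an explicit leak, an implicit leak through a secret-dependent branch, and a secure program that reads the secret but cancels it out) and derives their ground-truth secure/insecure label by brute-forcing the noninterference condition over small constructed input domains, then scores a hypothetical analyzer's verdicts into correct, unsound (insecure sample accepted) and imprecise (secure sample rejected) counts. The input domains, program names and verdict format are assumptions made for this example.

```python
# Added example (not IFSpec code): brute-force noninterference oracle. A sample
# program maps (secret, public) to its low-observable output and is secure iff,
# for every public input, varying the secret never changes that output.
HIGH = list(range(8))  # constructed secret-input domain
LOW = list(range(4))   # constructed public-input domain

def explicit_flow(secret, public):
    # Secret flows directly into the output: insecure (explicit leak).
    return secret + public

def implicit_flow(secret, public):
    # No direct copy, but a branch on the secret decides the output:
    # insecure (implicit leak via control dependence).
    out = public
    if secret > 3:
        out = public + 1
    return out

def masked_secret(secret, public):
    # Secret is read but cancels out: secure, though an imprecise analyzer may reject it.
    tmp = secret ^ public
    tmp ^= secret
    return tmp

def classify(program, high=HIGH, low=LOW):
    """Return ('secure', None) or ('insecure', (public, secret_a, secret_b)), the
    witness being two secrets with different outputs for one public input."""
    for public in low:
        baseline = program(high[0], public)
        for secret in high[1:]:
            if program(secret, public) != baseline:
                return "insecure", (public, high[0], secret)
    return "secure", None

def ground_truth(programs=(explicit_flow, implicit_flow, masked_secret)):
    """Map each sample program's name to its oracle label."""
    return {p.__name__: classify(p)[0] for p in programs}

def score(verdicts, truth=None):
    """Compare analyzer verdicts (name -> 'secure'/'insecure') with the oracle:
    'unsound' = insecure sample accepted, 'imprecise' = secure sample rejected."""
    truth = truth or ground_truth()
    counts = {"correct": 0, "unsound": 0, "imprecise": 0}
    for name, expected in truth.items():
        if verdicts[name] == expected:
            counts["correct"] += 1
        elif expected == "insecure":
            counts["unsound"] += 1
        else:
            counts["imprecise"] += 1
    return counts
```

The brute-force oracle only works for programs with small finite input domains, which is exactly why benchmark samples carry hand-assigned labels; here it serves to show what those labels mean.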