Secure Information Flow by Model Checking Pushdown System

We propose an approach to model checking information flow for an imperative language with procedures. We characterize our model as a pushdown system, whose stack of unbounded length naturally models the execution of procedural programs. Because type-based static analysis is sometimes too conservative and rejects safe programs as ill-typed, we take a semantics-based approach: we self-compose a symbolic pushdown system and specify noninterference as an LTL formula. We then verify this LTL-expressed property with the model checker Moped. Besides overcoming the conservative character of the type-based approach, our motivation also includes the insufficient state of the art on precise information flow analysis in an interprocedural setting. To remedy the inefficiency of model checking compared with type systems, we propose both a compact form and a contracted form of self-composition. According to our experimental results, they greatly increase the efficiency of realistic verification. Our method separates program abstraction from noninterference verification, so it can be expected to apply to different programming languages.
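The self-composition idea the abstract describes, as an added example that is not the paper's Moped encoding: a tiny interpreter for procedural programs over Boolean globals runs two copies of the program on inputs that agree on the low variables and compares their low outputs. Explicit enumeration over the finite domain stands in for Moped's symbolic pushdown representation and the LTL formula; the statement forms, procedure names and variables `l`/`h` are constructed for the example.

```python
"""Explicit-state noninterference check by self-composition (added
example, not the paper's Moped encoding). Programs are tiny ASTs over
Boolean-valued globals with procedure calls; the Python call stack
plays the role of the pushdown stack, and the finite domain lets us
enumerate every pair of runs instead of encoding them symbolically."""
from itertools import product

def run(stmt, env, procs):
    """Execute stmt on env in place.  Statement forms (constructed here):
    ('asg', var, f) | ('if', cond, then, else) | ('seq', [stmts]) | ('call', name)
    f and cond are functions of env.  Assumes all programs terminate."""
    kind = stmt[0]
    if kind == 'asg':
        env[stmt[1]] = stmt[2](env)
    elif kind == 'if':
        run(stmt[2] if stmt[1](env) else stmt[3], env, procs)
    elif kind == 'seq':
        for s in stmt[1]:
            run(s, env, procs)
    elif kind == 'call':          # push a frame: interpret the callee's body
        run(procs[stmt[1]], env, procs)

def noninterferent(prog, procs, low, high, domain=(0, 1)):
    """Self-composition: run two copies that agree on every low input but
    may differ on high inputs; noninterference holds iff every such pair
    agrees on the low outputs.  Returns (True, None) or (False, (init1, init2))."""
    for lv in product(domain, repeat=len(low)):
        for h1, h2 in product(product(domain, repeat=len(high)), repeat=2):
            init1 = {**dict(zip(low, lv)), **dict(zip(high, h1))}
            init2 = {**dict(zip(low, lv)), **dict(zip(high, h2))}
            e1, e2 = dict(init1), dict(init2)
            run(prog, e1, procs)
            run(prog, e2, procs)
            if any(e1[x] != e2[x] for x in low):
                return False, (init1, init2)   # witnessing pair of runs
    return True, None

# Constructed sample programs, all with low variable l and high variable h.
PROCS = {'reset': ('asg', 'l', lambda e: 0),      # writes a constant to l
         'leak':  ('asg', 'l', lambda e: 1)}
# Leaks h into l through a procedure call taken on one branch only.
LEAKY = ('if', lambda e: e['h'], ('call', 'leak'), ('seq', []))
# Rejected by a Volpano-Smith style type system (low assignment under a
# high guard) but semantically secure: both branches leave l == 0.
SAFE = ('if', lambda e: e['h'], ('call', 'reset'), ('asg', 'l', lambda e: 0))

if __name__ == '__main__':
    print(noninterferent(LEAKY, PROCS, ['l'], ['h']))  # (False, ({'l': 0, 'h': 0}, {'l': 0, 'h': 1}))
    print(noninterferent(SAFE, PROCS, ['l'], ['h']))   # (True, None)
```

The interprocedural leak is caught while the type-ill but safe program is accepted, which is the precision gap over type systems the abstract motivates; this toy is exponential in the number of variables, which is exactly what the paper's compact and contracted self-compositions address for realistic programs.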
