Dependent Type Theory for Verification of Information Flow and Access Control Policies

Dedicated to the memory of John C. Reynolds (1935--2013).

We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in RHTT using only standard type-theoretic constructions such as monads, higher-order functions, abstract types, abstract predicates, and modules. Example security policies include conditional declassification, information erasure, and state-dependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing, and pointer arithmetic.
