Precise and Automated Contract-Based Reasoning for Verification and Certification of Information Flow Properties of Programs with Arrays

Embedded information assurance applications that are critical to national and international infrastructures must often adhere to certification regimes that require information flow properties to be specified and verified. SPARK, a subset of Ada for engineering safety critical systems, is being used to develop multiple certified information assurance systems. While SPARK provides information flow annotations and associated automated checking mechanisms, industrial experience has revealed that these annotations are not precise enough to specify many desired information flow policies. One key problem is that arrays are treated as indivisible entities – flows that involve only particular locations of an array have to be abstracted into flows on the whole array. This has substantial practical impact since SPARK does not allow dynamic allocation of memory, and hence makes heavy use of arrays to implement complex data structures. In this paper, we present a Hoare logic for information flow that enables precise compositional specification of information flow in programs with arrays, and automated deduction algorithms for checking and inferring contracts in an enhanced SPARK information flow contract language. We demonstrate the expressiveness of the enhanced contracts and the effectiveness of the automated verification algorithm on realistic embedded applications.
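The imprecision the abstract describes can be shown with a small dependency analysis over straight-line assignments, run once with arrays treated as indivisible (the whole-array abstraction of SPARK's flow annotations) and once with constant-index elements tracked separately (the kind of precision the paper's enhanced contracts aim at). This is an added illustration, not the paper's logic or SPARK's checker; the tiny assignment language, the location names and the sample program are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

# A program is a list of assignments (target, sources). Locations are scalars
# such as 'secret' or constant-index array elements such as 'buf[1]'.
Stmt = Tuple[str, List[str]]

def _array_of(loc: str) -> str:
    return loc.split('[', 1)[0]

def flow_deps(prog: List[Stmt], precise: bool) -> Dict[str, Set[str]]:
    """Forward dependency analysis: for each written location, the set of
    initial inputs its final value may depend on.
    precise=False: an array is one indivisible entity, so an element write
      is a weak update on the whole array (whole-array flows only).
    precise=True: each constant-index element is its own location and an
      element write is a strong update of that element alone."""
    deps: Dict[str, Set[str]] = {}

    def name(loc: str) -> str:
        return loc if precise or '[' not in loc else _array_of(loc)

    def read(loc: str) -> Set[str]:
        n = name(loc)
        return set(deps.get(n, {n}))  # unwritten: depends on its initial value

    for target, sources in prog:
        new: Set[str] = set()
        for src in sources:
            new |= read(src)
        if not precise and '[' in target:
            new |= read(target)  # rest of the array still flows from the old array
        deps[name(target)] = new
    return deps

# Constructed program: only slot 1 of the buffer ever receives the secret,
# and the output reads only slot 0.
PROGRAM: List[Stmt] = [
    ('buf[1]', ['secret']),
    ('buf[0]', ['public']),
    ('out', ['buf[0]']),
]

def out_depends_on_secret(precise: bool) -> bool:
    """True if the analysis reports a flow from 'secret' to 'out'."""
    return 'secret' in flow_deps(PROGRAM, precise)['out']
```

With the whole-array abstraction the analysis must report that `out` may depend on `secret` (a spurious flow that no contract on `buf` as a unit can rule out); with per-location tracking it reports only `public`.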
