Secure information flow by self-composition

Information flow policies are confidentiality policies that control information leakage through program execution. A common way to enforce secure information flow is through information flow type systems. Although type systems are compositional and usually enjoy decidable type checking or inference, their extensibility is very poor: type systems need to be redefined and proved sound for each new variation of security policy and programming language for which secure information flow verification is desired. In contrast, program logics offer a general mechanism for enforcing a variety of safety policies, and for this reason are favoured in Proof Carrying Code, which is a promising security architecture for mobile code. However, the encoding of information flow policies in program logics is not straightforward because they refer to a relation between two program executions. The purpose of this paper is to investigate logical formulations of secure information flow based on the idea of self-composition, which reduces the problem of secure information flow of a program P to a safety property for a program derived from P by composing P with a renaming of itself. Self-composition enables the use of standard techniques for information flow policy verification, such as program logics and model checking, that are suitable in Proof Carrying Code infrastructures. We illustrate the applicability of self-composition in several settings, including different security policies such as non-interference and controlled forms of declassification, and programming languages including an imperative language with parallel composition, a non-deterministic language and, finally, a language with shared mutable data structures.
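The reduction described above, worked through as an added example that is not part of the paper: a small interpreter for a constructed while-language, a renaming function that produces the primed copy P', the composition P;P', and a checker for the resulting safety property. Where the paper discharges that property with a program logic or model checker, this example simply enumerates initial stores over a tiny value domain, which is enough to see the precondition "low inputs agree" and the postcondition "low outputs agree" of the Hoare triple {l = l'} P;P' {l = l'} at work. The AST encoding, the `_2` renaming suffix and the sample programs are all assumptions made for this illustration.

```python
"""Self-composition check for a tiny while-language (added example, not the paper's code)."""
import operator
from itertools import product

# Constructed AST. Commands:
#   ("skip",) | ("assign", x, e) | ("seq", c1, c2) | ("if", e, c1, c2) | ("while", e, c)
# Expressions: ("const", n) | ("var", x) | ("op", f, e1, e2) with f a Python binary operator.

def eval_expr(e, st):
    if e[0] == "const":
        return e[1]
    if e[0] == "var":
        return st[e[1]]
    _, f, a, b = e
    return f(eval_expr(a, st), eval_expr(b, st))

def run(c, st, fuel=10_000):
    """Execute command c on store st. Returns the final store, or None if
    the step budget runs out (treated as non-termination below)."""
    st = dict(st)
    stack = [c]
    while stack:
        if fuel == 0:
            return None
        fuel -= 1
        c = stack.pop()
        tag = c[0]
        if tag == "assign":
            st[c[1]] = eval_expr(c[2], st)
        elif tag == "seq":            # push c2 first so c1 runs first
            stack.append(c[2]); stack.append(c[1])
        elif tag == "if":
            stack.append(c[2] if eval_expr(c[1], st) else c[3])
        elif tag == "while":          # run body, then re-test the loop
            if eval_expr(c[1], st):
                stack.append(c); stack.append(c[2])
        # "skip": nothing to do
    return st

def rename(c, suffix="_2"):
    """The renamed copy P' of P: every variable x becomes x_2 (assumed suffix)."""
    def re(e):
        if e[0] == "const":
            return e
        if e[0] == "var":
            return ("var", e[1] + suffix)
        return ("op", e[1], re(e[2]), re(e[3]))
    tag = c[0]
    if tag == "skip":
        return c
    if tag == "assign":
        return ("assign", c[1] + suffix, re(c[2]))
    if tag == "seq":
        return ("seq", rename(c[1], suffix), rename(c[2], suffix))
    if tag == "if":
        return ("if", re(c[1]), rename(c[2], suffix), rename(c[3], suffix))
    if tag == "while":
        return ("while", re(c[1]), rename(c[2], suffix))
    raise ValueError(f"unknown command {tag}")

def self_compose(c):
    """P ; P'  -- the program whose safety property encodes non-interference of P."""
    return ("seq", c, rename(c))

def check_noninterference(c, low, high, domain=(0, 1, 2)):
    """Check {l = l_2 for all low l} P;P' {l = l_2 for all low l} by enumerating
    initial stores over `domain`. Returns a violating joint initial store, or None."""
    composed = self_compose(c)
    names = sorted(low | high)
    for vals1 in product(domain, repeat=len(names)):
        st1 = dict(zip(names, vals1))
        for vals2 in product(domain, repeat=len(names)):
            st2 = dict(zip(names, vals2))
            if any(st1[x] != st2[x] for x in low):
                continue                      # precondition not met: pair is irrelevant
            joint = dict(st1, **{x + "_2": v for x, v in st2.items()})
            out = run(composed, joint)
            if out is None:
                continue                      # partial-correctness triple holds vacuously
            if any(out[x] != out[x + "_2"] for x in low):
                return joint                  # low outputs diverge: leak witnessed
    return None

# Constructed sample programs over a low variable l and a high variable h.
V = lambda x: ("var", x)
K = lambda n: ("const", n)
LEAK_EXPLICIT = ("assign", "l", V("h"))                                 # l := h
LEAK_IMPLICIT = ("if", ("op", operator.gt, V("h"), K(0)),               # if h > 0 then l := 1 else l := 0
                 ("assign", "l", K(1)), ("assign", "l", K(0)))
SAFE = ("seq", ("assign", "h", ("op", operator.add, V("l"), K(1))),     # h := l + 1; l := l * 2
               ("assign", "l", ("op", operator.mul, V("l"), K(2))))
SAFE_LOOP = ("while", ("op", operator.gt, V("h"), K(0)),                # while h > 0 do h := h - 1
             ("assign", "h", ("op", operator.sub, V("h"), K(1))))
SEMANTIC_SAFE = ("seq", ("assign", "l", V("h")),                        # l := h; l := l - h
                 ("assign", "l", ("op", operator.sub, V("l"), V("h"))))

if __name__ == "__main__":
    for name, prog in [("explicit", LEAK_EXPLICIT), ("implicit", LEAK_IMPLICIT),
                       ("safe", SAFE), ("safe loop", SAFE_LOOP), ("semantic", SEMANTIC_SAFE)]:
        print(f"{name:10s} counterexample = {check_noninterference(prog, {'l'}, {'h'})}")
```

The last program is worth noting: it assigns h into l and then cancels it, so its final low state never depends on h and the self-composed check accepts it, whereas a syntactic type system rejects the first assignment outright. That is the semantic precision the reduction buys. The enumeration also makes the termination caveat visible: a run that exhausts its step budget is skipped, which corresponds to the partial-correctness reading of the Hoare triple and hence to termination-insensitive non-interference.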
