An Information Flow Tool for Gypsy

The Gypsy language is seeing increasing use as a tool for designing, specifying, and sometimes implementing computer systems intended for certification at the A1 level by the Department of Defense Computer Security Center. One of the criteria for A1 certification is a formal proof that the information flows within the design conform to a policy defined by a formal security model. Although it is possible to state such models in Gypsy and to prove some properties of programs with respect to a model, a flow analysis tool within the Gypsy environment would appear to be useful. The Gypsy Verification Environment, GVE, already contains the basis for such a tool in the form of a flow analyzer used to detect unused variables during optimization. In the discussion below, we describe a simple information flow analyzer built upon this analysis.
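As an added illustration (not code from the paper or from the GVE), the following sketches the kind of lattice-based check such a flow analyzer performs: every assignment, including those executed under a branch that reads higher-classified data, must move information only upward in the lattice. The two-point lattice, the toy statement forms and the sample program are all constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed two-point lattice for this example: U (unclassified) < S (secret).
LEVEL = {"U": 0, "S": 1}

def lub(*labels):
    """Least upper bound of labels; an empty join is the bottom element U."""
    return max(labels, key=LEVEL.__getitem__, default="U")

def flows_to(src, dst):
    """Policy: information may only flow upward in the lattice."""
    return LEVEL[src] <= LEVEL[dst]

@dataclass
class Assign:          # target := f(sources)
    target: str
    sources: tuple

@dataclass
class If:              # if <cond vars> then ... else ...
    cond: tuple
    then: list = field(default_factory=list)
    orelse: list = field(default_factory=list)

def certify(stmts, labels, pc="U"):
    """Denning-style certification; returns (target, offending_label) pairs.
    pc is the label of the control context, raised inside branches whose
    condition reads higher data, so implicit flows are caught too."""
    violations = []
    for s in stmts:
        if isinstance(s, Assign):
            src = lub(pc, *(labels[v] for v in s.sources))
            if not flows_to(src, labels[s.target]):
                violations.append((s.target, src))
        elif isinstance(s, If):
            inner = lub(pc, *(labels[v] for v in s.cond))
            violations += certify(s.then, labels, inner)
            violations += certify(s.orelse, labels, inner)
    return violations

# Constructed sample program: one explicit and one implicit downward flow.
SAMPLE_LABELS = {"secret": "S", "tmp": "S", "pub": "U", "flag": "U"}
SAMPLE_PROGRAM = [
    Assign("tmp", ("secret",)),                   # S -> S: allowed
    Assign("pub", ("tmp",)),                      # S -> U: explicit violation
    If(("secret",), then=[Assign("flag", ())]),   # branch on S writes U: implicit
]
```

Running `certify(SAMPLE_PROGRAM, SAMPLE_LABELS)` reports both the explicit and the implicit violation, which is the property a design-level flow tool must establish against the model.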

John McHugh, et al. An Information Flow Tool for Gypsy, 1985, IEEE Symposium on Security and Privacy.