A Certificate Infrastructure for Machine-Checked Proofs of Conditional Information Flow

In previous work, we have proposed a compositional framework for stating and automatically verifying complex conditional information flow policies using a relational Hoare logic. The framework allows developers and verifiers to work directly with the source code using source-level code contracts. In this work, we extend that approach so that the algorithm for verifying a program's compliance with an information flow contract emits formal certificates of correctness that are checked in the Coq proof assistant. This framework is implemented in the context of SPARK, a subset of Ada that has been used in a number of industrial contexts for implementing certified safety- and security-critical systems.
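The abstract describes a split between an untrusted verifier that decides whether code meets a conditional information flow contract and a small trusted checker that only validates a certificate. The following Python program is an added illustration of that split and is not the paper's SPARK/Coq tooling; the toy statement forms (`Assign`, `If`, `While`), the dependency-set analysis, the contract shape (an output and the inputs it may derive from, optionally under an assumed guard value) and the sample program are all constructed for this example. The certificate consists of the loop invariants found by fixpoint iteration, so the checker never iterates: it only confirms that each supplied invariant is inductive, which is the shape of check that a proof assistant would perform.

```python
"""Toy conditional information-flow contract checker with replayable certificates.

Constructed illustration, not the paper's SPARK/Coq infrastructure.  Programs are
trees of assignments, if-statements and while-loops over variable names.  The
untrusted side computes loop invariants by fixpoint iteration and emits them as the
certificate; the trusted side replays the program with purely local checks.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

Deps = Dict[str, FrozenSet[str]]   # variable -> input names its value may depend on


@dataclass(frozen=True)
class Assign:
    target: str
    uses: FrozenSet[str]            # variables read by the right-hand side


@dataclass(frozen=True)
class If:
    guard: str                      # a boolean variable
    then_branch: tuple
    else_branch: tuple


@dataclass(frozen=True)
class While:
    guard: str
    body: tuple


class CertificateError(Exception):
    pass


def lookup(deps: Deps, v: str) -> FrozenSet[str]:
    return deps.get(v, frozenset({v}))   # never-assigned variable = input, its own source


def assigned(stmts) -> set:
    out = set()
    for s in stmts:
        if isinstance(s, Assign):
            out.add(s.target)
        elif isinstance(s, If):
            out |= assigned(s.then_branch) | assigned(s.else_branch)
        else:
            out |= assigned(s.body)
    return out


def join(pre: Deps, d1: Deps, d2: Deps, guard: str, targets: set) -> Deps:
    """Merge two paths: anything assigned on either path also depends on the guard."""
    g, out = lookup(pre, guard), dict(pre)
    for v in targets:
        out[v] = lookup(d1, v) | lookup(d2, v) | g
    return out


def leq(a: Deps, b: Deps) -> bool:
    return all(lookup(a, v) <= lookup(b, v) for v in set(a) | set(b))


def analyse(stmts, deps: Deps, cert: List[Deps], checking: bool) -> Deps:
    """Forward dependency analysis.  checking=False: iterate loops to a fixpoint and append
    each invariant to `cert`.  checking=True: consume invariants from `cert`, verify only."""
    for s in stmts:
        if isinstance(s, Assign):
            deps = {**deps, s.target: frozenset().union(*(lookup(deps, v) for v in s.uses))}
        elif isinstance(s, If):
            d1 = analyse(s.then_branch, deps, cert, checking)
            d2 = analyse(s.else_branch, deps, cert, checking)
            deps = join(deps, d1, d2, s.guard, assigned(s.then_branch) | assigned(s.else_branch))
        else:
            def step(inv: Deps, c: List[Deps]) -> Deps:   # one loop unfolding under `inv`
                return join(inv, analyse(s.body, inv, c, checking), inv, s.guard, assigned(s.body))
            if checking:
                if not cert:
                    raise CertificateError("certificate too short")
                inv = cert.pop(0)
                if not leq(deps, inv) or not leq(step(inv, cert), inv):
                    raise CertificateError(f"invariant for loop on {s.guard!r} is not inductive")
            else:
                inv = deps
                while (nxt := step(inv, [])) != inv:   # scratch list: inner invariants discarded
                    inv = nxt                          # finite lattice, monotone step: terminates
                cert.append(inv)
                step(inv, cert)                        # final pass records inner-loop invariants
            deps = inv
    return deps


def specialise(stmts, assumptions: Dict[str, bool]) -> list:
    """Conditional contract: fix some (never reassigned) guards and keep the selected branch."""
    assert not set(assumptions) & assigned(stmts), "assumed guards must be inputs"
    out = []
    for s in stmts:
        if isinstance(s, If) and s.guard in assumptions:
            out += specialise(s.then_branch if assumptions[s.guard] else s.else_branch, assumptions)
        elif isinstance(s, If):
            out.append(If(s.guard, tuple(specialise(s.then_branch, assumptions)),
                          tuple(specialise(s.else_branch, assumptions))))
        elif isinstance(s, While):
            out.append(While(s.guard, tuple(specialise(s.body, assumptions))))
        else:
            out.append(s)
    return out


def certify(stmts, assumptions=None) -> List[Deps]:
    """Untrusted verifier: returns the certificate (loop invariants in program order)."""
    cert: List[Deps] = []
    analyse(specialise(stmts, assumptions or {}), {}, cert, checking=False)
    return cert


def check(stmts, contract: Dict[str, FrozenSet[str]], cert: List[Deps], assumptions=None) -> bool:
    """Trusted checker: replays `cert`; True iff every contracted output derives only from
    its allowed inputs.  Raises CertificateError if an invariant does not check."""
    final = analyse(specialise(stmts, assumptions or {}), {}, list(cert), checking=True)
    return all(lookup(final, out) <= allowed for out, allowed in contract.items())


# Constructed sample, in the style of a SPARK procedure body with inputs mode, a, b, n:
#   if mode then out := a; else out := b; end if;
#   i := 0; acc := 0; more := (i < n);
#   while more loop acc := acc + out; i := i + 1; more := (i < n); end loop;
PROGRAM = (
    If("mode", (Assign("out", frozenset({"a"})),), (Assign("out", frozenset({"b"})),)),
    Assign("i", frozenset()), Assign("acc", frozenset()), Assign("more", frozenset({"i", "n"})),
    While("more", (Assign("acc", frozenset({"acc", "out"})), Assign("i", frozenset({"i"})),
                   Assign("more", frozenset({"i", "n"})))),
)

if __name__ == "__main__":
    cert = certify(PROGRAM)
    print("certificate:", cert)
    print("acc derives from a,b,mode,n:", check(PROGRAM, {"acc": frozenset({"a", "b", "mode", "n"})}, cert))
    cond = certify(PROGRAM, {"mode": True})
    print("when mode, acc derives from a,n:", check(PROGRAM, {"acc": frozenset({"a", "n"})}, cond, {"mode": True}))
```

The unconditional contract has to admit `b` and `mode` as sources of `acc`, while the conditional contract "when `mode` holds, `acc` derives from `a` and `n` only" is accepted because the checker replays the program with the `else` branch removed. A certificate whose invariant has been weakened (for instance with `n` dropped from the sources of `acc`) fails the inductiveness check and is rejected before any contract is consulted, which is exactly the property that lets the trusted side stay small.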
