Dependent types for enforcement of information flow and erasure policies in heterogeneous data structures

We consider verification of information flow and erasure properties in programs with heterogeneous heap-based data structures, in the presence of procedures with local state. A heterogeneous data structure, such as a hash table implementing a medical record database, may store both secret and public data simultaneously. In contrast, extant work primarily focuses on homogeneous data structures which store data of a uniform security level. Heterogeneity, however, does not come for free. For example, standard implementations of hash tables do not support heterogeneity, and may leak sensitive information easily owing to hash collisions. In this paper we identify unique representation as a sufficient condition for a heterogeneous data structure to be leak-free, while simultaneously supporting abstraction and modularity in verification. As a case study, we implement and verify a novel uniquely-represented variant of heterogeneous hash tables. Furthermore, we demonstrate modular reasoning by showing how specifications of the hash table methods can be used in a client application; we thereby obtain abstract and concise formal proofs of erasure. We formalize our work in Relational Hoare Type Theory (RHTT), an expressive, higher-order imperative language and program logic embedded in the Coq proof assistant.

[1]  Deepak Garg,et al.  Dependent Type Theory for Verification of Information Flow and Access Control Policies , 2013, TOPL.

[2]  Arnar Birgisson,et al.  Boosting the Permissiveness of Dynamic Information-Flow Tracking by Testing , 2012, ESORICS.

[3]  Alejandro Russo,et al.  Tracking Information Flow in Dynamic Tree Structures , 2009, ESORICS.

[4]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[5]  D. Golovin,et al.  Linear Equations Modulo 2 and the L1 Diameter of Convex Bodies , 2007, FOCS 2007.

[6]  Guy E. Blelloch,et al.  Uniquely represented data structures with applications to privacy , 2008 .

[7]  Edwin S. Hong,et al.  Characterizing History Independent Data Structures , 2002, Algorithmica.

[8]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[9]  David Sands,et al.  Declassification: Dimensions and principles , 2009, J. Comput. Secur..

[10]  Robert E. Tarjan,et al.  Unique binary search tree representations and equality-testing of sets and sequences , 1990, STOC '90.

[11]  Donald E. Knuth,et al.  Ordered Hash Tables , 1974, Comput. J..

[12]  David A. Wagner,et al.  Tamper-evident, history-independent, subliminal-free data structures on PROM storage -or- how to store ballots on a voting machine , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[13]  Torben Amtoft,et al.  A logic for information flow in object-oriented programs , 2006, POPL '06.

[14]  Juan Chen,et al.  Secure distributed programming with value-dependent types , 2011, Journal of Functional Programming.

[15]  Andrew C. Myers,et al.  Language-based information erasure , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[16]  Andrew D. Gordon,et al.  Roles, Stacks, Histories: A Triple for Hoare , 2010, Reflections on the Work of C. A. R. Hoare.

[17]  Andrew McCreight,et al.  A certified framework for compiling and executing garbage-collected languages , 2010, ICFP '10.

[18]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[19]  David Sands,et al.  Just Forget It - The Semantics and Enforcement of Information Erasure , 2008, ESOP.

[20]  Daniele Micciancio,et al.  Oblivious data structures: applications to cryptography , 1997, STOC '97.

[21]  Andrei Sabelfeld,et al.  Information-Flow Security for a Core of JavaScript , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[22]  Guy E. Blelloch,et al.  Strongly History-Independent Hashing with Applications , 2007, 48th Annual IEEE Symposium on Foundations of Computer Science (FOCS'07).

[23]  L.,et al.  SECURE COMPUTER SYSTEMS : MATHEMATICAL FOUNDATIONS , 2022 .

[24]  Patrik Jansson,et al.  Proofs for free - Parametricity for dependent types , 2012, J. Funct. Program..

[25]  Moni Naor,et al.  Anti-persistence: history independent data structures , 2001, STOC '01.

[26]  Andrew C. Myers,et al.  End-to-End Enforcement of Erasure and Declassification , 2008, 2008 21st IEEE Computer Security Foundations Symposium.

[27]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[28]  John C. Mitchell,et al.  Abstract types have existential type , 1988, TOPL.

[29]  Jean-Philippe Bernardy,et al.  A Computational Interpretation of Parametricity , 2012, 2012 27th Annual IEEE Symposium on Logic in Computer Science.

[30]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[31]  Paul G. Spirakis,et al.  Space Efficient Hash Tables with Worst Case Constant Access Time , 2003, Theory of Computing Systems.

[32]  Nick Benton,et al.  Simple relational correctness proofs for static analyses and program transformations , 2004, POPL.