ENCoVer: Symbolic Exploration for Information Flow Security

We address the problem of program verification for information flow policies by means of symbolic execution and model checking. Noninterference-like security policies are formalized using epistemic logic. We show how the policies can be accurately verified using a combination of concolic testing and SMT solving. As we demonstrate, many scenarios considered tricky in the literature can be solved precisely using the proposed approach. This is confirmed by experiments performed with ENCOVER, a tool based on Java Path Finder and Z3, which we have developed for epistemic noninterference concolic verification.
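To make the epistemic reading of noninterference concrete, here is an added illustration (not ENCoVer's code and not the paper's algorithm): an observer who sees the public input and the program's output "knows" a fact about the secret exactly when it holds in every run consistent with that observation, so the policy holds when no observation shrinks the set of secrets still considered possible. The two toy programs and the bounded input domains are constructed for this example; ENCoVer reasons over symbolic inputs with concolic execution and an SMT solver rather than enumerating a finite domain, so the bound here stands in for a path condition handed to the solver.

```python
from itertools import product

# Constructed bounded input domains for the illustration. The paper's
# approach explores paths symbolically and discharges the resulting
# constraints with Z3, so it needs no such bound.
SECRETS = frozenset(range(8))   # high (secret) inputs
PUBLICS = frozenset(range(4))   # low (public) inputs


def leaky(low, high):
    """Constructed program: on one path the output depends on the secret."""
    if low > 1:
        return high % 2
    return low


def secure(low, high):
    """Constructed program: the secret is computed with but never reaches the output."""
    tmp = high * 2
    return low + 1 if tmp >= 0 else low


def knowledge(program, low, out):
    """Secrets the observer still considers possible after seeing (low, out).

    This is the epistemic formulation: a fact about the secret is known to
    the observer iff it holds in every run compatible with the observation.
    """
    return frozenset(h for h in SECRETS if program(low, h) == out)


def noninterferent(program):
    """True iff no observation narrows the set of possible secrets."""
    for low, high in product(PUBLICS, SECRETS):
        if knowledge(program, low, program(low, high)) != SECRETS:
            return False
    return True


def counterexample(program):
    """Two runs with the same public input but different outputs, or None.

    Returns (low, high_a, high_b): the pair of secrets the observer can
    tell apart through the output, i.e. a witness that the policy fails.
    """
    for low in sorted(PUBLICS):
        seen = {}  # output -> first secret that produced it
        for high in sorted(SECRETS):
            out = program(low, high)
            if seen and out not in seen:
                return (low, next(iter(seen.values())), high)
            seen.setdefault(out, high)
    return None


if __name__ == "__main__":
    for prog in (leaky, secure):
        print(prog.__name__, "noninterferent:", noninterferent(prog),
              "witness:", counterexample(prog))
```

The witness returned for `leaky` is the same kind of evidence a concolic run produces: two concrete inputs agreeing on the public part whose outputs differ, which is what an SMT query over two copies of the path condition would be asked to find.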
