Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs

Information flow control (IFC) checks whether a program can leak secret data to public ports, or whether critical computations can be influenced from outside. But many IFC analyses are imprecise, as they are flow-insensitive, context-insensitive, or object-insensitive; resulting in false alarms. We argue that IFC must better exploit modern program analysis technology, and present an approach based on program dependence graphs (PDG). PDGs have been developed over the last 20 years as a standard device to represent information flow in a program, and today can handle realistic programs. In particular, our dependence graph generator for full Java bytecode is used as the basis for an IFC implementation which is more precise and needs less annotations than traditional approaches. We explain PDGs for sequential and multi-threaded programs, and explain precision gains due to flow-, context-, and object-sensitivity. We then augment PDGs with a lattice of security levels and introduce the flow equations for IFC. We describe algorithms for flow computation in detail and prove their correctness. We then extend flow equations to handle declassification, and prove that our algorithm respects monotonicity of release. Finally, examples demonstrate that our implementation can check realistic sequential programs in full Java bytecode.

[1]  K. J. Bma Integrity considerations for secure computer systems , 1977 .

[2]  Richard J. Lipton,et al.  Foundations of Secure Computation , 1978 .

[3]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[4]  José Meseguer,et al.  Unwinding and Inference Control , 1984, 1984 IEEE Symposium on Security and Privacy.

[5]  Mark Weiser,et al.  Program Slicing , 1981, IEEE Transactions on Software Engineering.

[6]  Bernard Carré,et al.  Information-flow and data-flow analysis of while-programs , 1985, TOPL.

[7]  Joe D. Warren,et al.  The program dependence graph and its use in optimization , 1987, TOPL.

[8]  Wuu Yang,et al.  The Semantics of Program Slicing , 1988 .

[9]  Thomas W. Reps,et al.  On the adequacy of program dependence graphs for representing programs , 1988, POPL '88.

[10]  T. Reps,et al.  The Multi-Procedure Equivalence Theorem , 1989 .

[11]  David W. Binkley,et al.  Interprocedural slicing using dependence graphs , 1990, TOPL.

[12]  Lori A. Clarke,et al.  A Formal Model of Program Dependences and Its Implications for Software Testing, Debugging, and Maintenance , 1990, IEEE Trans. Software Eng..

[13]  Thomas W. Reps,et al.  Speeding up slicing , 1994, SIGSOFT '94.

[14]  Frank Tip,et al.  A survey of program slicing techniques , 1994, J. Program. Lang..

[15]  Gregor Snelting,et al.  Combining Slicing and Constraint Solving for Validation of Measurement Software , 1996, SAS.

[16]  David Elliott Bell,et al.  Secure Computer Systems: A Mathematical Model, Volume II , 1996, J. Comput. Secur..

[17]  David W. Binkley,et al.  Program slicing , 2008, 2008 Frontiers of Software Maintenance.

[18]  Geoffrey Smith,et al.  A Type-Based Approach to Program Security , 1997, TAPSOFT.

[19]  Geoffrey Smith,et al.  Secure information flow in a multi-threaded imperative language , 1998, POPL '98.

[20]  Martín Abadi,et al.  A core calculus of dependency , 1999, POPL '99.

[21]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[22]  Vivek Sarkar,et al.  Dependence Analysis for Java , 1999, LCPC.

[23]  Andrew C. Myers,et al.  Jif: java information flow , 1999 .

[24]  Jean-Louis Lanet,et al.  The PACAP Prototype: A Tool for Detecting Java Card Illegal Flow , 2000, Java Card Workshop.

[25]  Andrew C. Myers,et al.  Protecting privacy using the decentralized label model , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[26]  Johan Agat,et al.  Transforming out timing leaks , 2000, POPL '00.

[27]  David Sands,et al.  A Per Model of Secure Information Flow in Sequential Programs , 1999, High. Order Symb. Comput..

[28]  Barbara G. Ryder,et al.  Points-to analysis for Java using annotated constraints , 2001, OOPSLA '01.

[29]  Lawrence Charles Paulson,et al.  Isabelle/HOL: A Proof Assistant for Higher-Order Logic , 2002 .

[30]  Katsuro Inoue,et al.  An information-leak analysis system based on program slicing , 2002, Inf. Softw. Technol..

[31]  Gregor Snelting,et al.  Efficient path conditions in dependence graphs , 2002, ICSE '02.

[32]  Chris Hankin,et al.  Information flow for Algol-like languages , 2002, Comput. Lang. Syst. Struct..

[33]  Benjamin Livshits,et al.  Tracking pointers with path and context sensitivity for bug detection in C programs , 2003, ESEC/FSE-11.

[34]  Martin Strecker,et al.  Formal analysis of an information flow type system for microjava (extended version) , 2003 .

[35]  Jens Krinke,et al.  Context-sensitive slicing of concurrent programs , 2003, ESEC/FSE-11.

[36]  Ondrej Lhoták,et al.  Scaling java points-to using sparc , 2003 .

[37]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[38]  Paul Anderson,et al.  Design and Implementation of a Fine-Grained Software Inspection Tool , 2003, IEEE Trans. Software Eng..

[39]  Ondrej Lhoták,et al.  Scaling Java Points-to Analysis Using SPARK , 2003, CC.

[40]  Jeffrey D. Ullman,et al.  Monotone data flow analysis frameworks , 1977, Acta Informatica.

[41]  Andreas Zeller,et al.  Proceedings of the 5th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering , 2004 .

[42]  Gary McGraw,et al.  Static Analysis for Security , 2004, IEEE Secur. Priv..

[43]  Gregor Snelting,et al.  An improved slicer for Java , 2004, PASTE.

[44]  David Sands,et al.  Controlled Declassification Based on Intransitive Noninterference , 2004, APLAS.

[45]  Fausto Spoto,et al.  Information Flow Analysis for Java Bytecode , 2005, VMCAI.

[46]  Benjamin Livshits,et al.  Finding Security Vulnerabilities in Java Applications with Static Analysis , 2005, USENIX Security Symposium.

[47]  Gilles Barthe,et al.  Non-interference for a JVM-like language , 2005, TLDI '05.

[48]  John Hatcliff,et al.  Kaveri: Delivering the Indus Java Program Slicer to Eclipse , 2005, FASE.

[49]  Peng Li,et al.  Downgrading policies and relaxed noninterference , 2005, POPL '05.

[50]  Marco Pistoia,et al.  Interprocedural Analysis for Privileged Code Placement and Tainted Variable Detection , 2005, ECOOP.

[51]  David Sands,et al.  Dimensions and principles of declassification , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[52]  Tobias Nipkow,et al.  A machine-checked model for a Java-like language, virtual machine, and compiler , 2006, TOPL.

[53]  Gregor Snelting,et al.  Efficient path conditions in dependence graphs for software safety analysis , 2006, TSEM.

[54]  Torben Amtoft,et al.  A logic for information flow in object-oriented programs , 2006, POPL '06.

[55]  Mangala Gowri Nanda,et al.  Interprocedural slicing of multithreaded programs with applications to Java , 2006, TOPL.

[56]  David Sands,et al.  On flow-sensitive security types , 2006, POPL '06.

[57]  Gregor Snelting,et al.  Information Flow Control for Java Based on Path Conditions in Dependence Graphs , 2006, ISSSE.

[58]  Jens Krinke,et al.  Intransitive Noninterference in Dependence Graphs , 2006, Second International Symposium on Leveraging Applications of Formal Methods, Verification and Validation (isola 2006).

[59]  Jens Krinke,et al.  Dynamic path conditions in dependence graphs , 2006, PEPM '06.

[60]  Marco Pistoia,et al.  Beyond Stack Inspection: A Unified Access-Control and Information-Flow Security Model , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[61]  Eran Yahav,et al.  A survey of static analysis methods for identifying security vulnerabilities in software systems , 2007, IBM Syst. J..

[62]  Matthew B. Dwyer,et al.  A new foundation for control dependence and slicing for modern program structures , 2005, TOPL.

[63]  Mark Harman,et al.  Empirical study of optimization techniques for massive slicing , 2007, ACM Trans. Program. Lang. Syst..

[64]  Heiko Mantel,et al.  Controlling the What and Where of Declassification in Language-Based Security , 2007, ESOP.

[65]  Maria Grazia Buscemi,et al.  Programming Languages and Systems, 16th European Symposium on Programming, ESOP 2007, Held as Part of the Joint European Conferences on Theory and Practics of Software, ETAPS 2007, Braga, Portugal, March 24 - April 1, 2007, Proceedings , 2007, European Symposium on Programming.

[66]  Gregor Snelting,et al.  Static path conditions for Java , 2008, PLAS '08.

[67]  Daniel Wasserrab Towards Certified Slicing , 2008, Arch. Formal Proofs.

[68]  Dennis Giffhorn,et al.  Precise Analysis of Java Programs Using JOANA , 2008, 2008 Eighth IEEE International Working Conference on Source Code Analysis and Manipulation.

[69]  Úlfar Erlingsson,et al.  Proceedings of the third ACM SIGPLAN workshop on Programming languages and analysis for security , 2008, PLDI 2008.

[70]  Cristina Cifuentes,et al.  User-Input Dependence Analysis via Graph Reachability , 2008, 2008 Eighth IEEE International Working Conference on Source Code Analysis and Manipulation.

[71]  Dennis Giffhorn,et al.  Precise Slicing of Concurrent Programs ? An Evaluation of static slicing algorithms for concurrent programs , 2009 .

[72]  Gregor Snelting,et al.  On PDG-based noninterference and its modular proof , 2009, PLAS '09.

[73]  Ben Hardekopf,et al.  Semi-sparse flow-sensitive pointer analysis , 2009, POPL '09.

[74]  Dennis Giffhorn,et al.  Precise slicing of concurrent programs , 2009, Automated Software Engineering.