Testing noninterference, quickly

Abstract

Information-flow control mechanisms are difficult both to design and to prove correct. To reduce the time wasted on doomed proof attempts due to broken definitions, we advocate modern random-testing techniques for finding counterexamples during the design process. We show how to use QuickCheck, a property-based random-testing tool, to guide the design of increasingly complex information-flow abstract machines, leading up to a sophisticated register machine with a novel and highly permissive flow-sensitive dynamic enforcement mechanism that is sound in the presence of first-class public labels. We find that both sophisticated strategies for generating well-distributed random programs and readily falsifiable formulations of noninterference properties are critically important for efficient testing. We propose several approaches and evaluate their effectiveness on a collection of injected bugs of varying subtlety. We also present an effective technique for shrinking large counterexamples to minimal, easily comprehensible ones. Taken together, our best methods enable us to quickly and automatically generate simple counterexamples for more than 45 bugs. Moreover, we show how testing guides the discovery of the sophisticated invariants needed for the noninterference proof of our most complex machine.
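The workflow the abstract describes, as an added example that is not the paper's code and not its register machine: a deliberately tiny labelled stack machine (push/add/output over a two-point lattice, with an injected bug that drops one operand's label on add), a generator that produces random programs together with pairs of low-equivalent initial stacks, an end-to-end noninterference property (equal observable output on both runs), and a greedy shrinker that deletes instructions one at a time while the counterexample still fails. The machine, its instruction set, the bug and the sample inputs are all constructed here for illustration.

```python
"""Added illustration (not from the paper): QuickCheck-style random testing of
noninterference for a constructed two-label stack machine, with an injected bug
and a greedy counterexample shrinker. Python's random module stands in for a
QuickCheck generator; no external dependency is needed."""
import random

LOW, HIGH = 0, 1            # two-point lattice; HIGH values are secret


def lub(a, b):
    return max(a, b)


def step(instr, stack, out, buggy):
    """One instruction over a stack of (value, label) pairs. Only LOW outputs
    are observable. The injected bug (buggy=True) labels the sum of an add with
    the label of the first operand only, dropping taint from the second."""
    op = instr[0]
    if op == "push":
        stack.append((instr[1], LOW))             # literals are public
    elif op == "add":
        v1, l1 = stack.pop()
        v2, l2 = stack.pop()
        label = l1 if buggy else lub(l1, l2)
        stack.append((v1 + v2, label))
    elif op == "output":
        v, l = stack.pop()
        if l == LOW:
            out.append(v)


def run(prog, init_stack, buggy=False):
    stack, out = list(init_stack), []
    for instr in prog:
        try:
            step(instr, stack, out, buggy)
        except IndexError:                        # underflow halts the machine
            break
    return out


def gen_program(rng):
    prog = []
    for _ in range(rng.randint(1, 6)):
        op = rng.choices(["push", "add", "output"], weights=[3, 4, 3])[0]
        prog.append(("push", rng.randint(0, 9)) if op == "push" else (op,))
    return prog


def gen_stack(rng):
    return [(rng.randint(0, 9), rng.choice([LOW, HIGH]))
            for _ in range(rng.randint(1, 4))]


def low_equivalent_variant(stack, rng):
    """Same labels and public values; every secret value is changed, so the two
    initial states differ only in what the observer must not learn."""
    return [(v if l == LOW else v + rng.randint(1, 9), l) for v, l in stack]


def noninterferent(prog, s1, s2, buggy):
    """End-to-end property: low-equivalent inputs give identical observations."""
    return run(prog, s1, buggy) == run(prog, s2, buggy)


def shrink(prog, s1, s2, buggy):
    """Delete one instruction at a time as long as the property still fails,
    until no single deletion keeps the counterexample failing (1-minimal)."""
    changed = True
    while changed:
        changed = False
        for i in range(len(prog)):
            smaller = prog[:i] + prog[i + 1:]
            if not noninterferent(smaller, s1, s2, buggy):
                prog, changed = smaller, True
                break
    return prog


def find_counterexample(buggy, trials=2000, seed=0):
    """Random testing loop: returns (shrunk program, stack1, stack2) for the
    first violation found, or None if every trial satisfied the property."""
    rng = random.Random(seed)
    for _ in range(trials):
        prog, s1 = gen_program(rng), gen_stack(rng)
        s2 = low_equivalent_variant(s1, rng)
        if not noninterferent(prog, s1, s2, buggy):
            return shrink(prog, s1, s2, buggy), s1, s2
    return None


if __name__ == "__main__":
    print("correct machine:", find_counterexample(buggy=False))
    print("buggy machine:  ", find_counterexample(buggy=True))
```

Two points from the abstract show up directly: the generator has to produce pairs of states that agree on public data (a naive generator of two independent states almost never exercises the property), and the shrinker turns a six-instruction random program into a two- or three-instruction one that a reader can check by hand. Sound machines pass every trial because LOW-labelled values are, by construction, equal in both runs.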

Reference: Benjamin C. Pierce, et al. Testing noninterference, quickly, 2013, Journal of Functional Programming.