## Information flow analysis in logical form

Venue: George Mason University (technical report)

Citations: 33 (5 self)

### BibTeX

```bibtex
@TECHREPORT{Amtoft_informationflow,
  author      = {Torben Amtoft and Anindya Banerjee},
  title       = {Information flow analysis in logical form},
  institution = {George Mason University},
  year        = {}
}
```


### Abstract

We specify an information flow analysis for a simple imperative language, using a Hoare-like logic. The logic facilitates static checking of a larger class of programs than can be checked by extant type-based approaches, in which a program is deemed insecure when it contains an insecure subprogram. The logic is based on an abstract interpretation of program traces that makes independence between program variables explicit. Unlike other, more precise, approaches based on a Hoare-like logic, our approach does not require a theorem prover to generate invariants. We demonstrate the modularity of our approach by showing that a frame rule holds in our logic. Moreover, given an insecure but terminating program, we show how strongest postconditions can be employed to statically generate failure explanations.
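The abstract describes the analysis only in outline; the citation contexts further down the page supply the concrete cases: the program l := h; l := 0 that a security type system rejects, the strongest-postcondition computation for x := y + z that motivates the frame rule, and the loop while h do h := h − 1 that the logic deems secure. The Python below is an added example written for this page, not code from Amtoft and Banerjee. It implements a small independence-based strongest-postcondition analysis in the spirit of the paper: an assertion is a set of pairs (x, w), read "the current value of x is independent of the initial value of w" (the page writes [x # w]), and the context G collects the initial values that the enclosing guards may depend on, so that a variable assigned under G loses its independence from every w in G. The tuple encoding of commands, the function names, the termination-insensitive treatment of while, and the choice to report a leak simply as a missing [l # h] pair (rather than constructing the paper's counterexample) are my assumptions; the example goes slightly beyond the page's cases by handling conditionals and loops as well as assignments.

```python
import re
from typing import FrozenSet, List, Set, Tuple

# An assertion is a set of independences (x, w): the current value of x
# does not depend on the initial value of w.  The page writes [x # w].
Indep = Tuple[str, str]
Assertion = FrozenSet[Indep]

# Commands, in a hypothetical tuple encoding chosen for this example:
#   ("skip",) | ("assign", x, expr) | ("seq", c1, c2)
#   | ("if", guard, c1, c2) | ("while", guard, body)
# Expressions and guards are strings; the analysis only needs their free variables.
Cmd = tuple


def fv(expr: str) -> Set[str]:
    """Free variables of an expression: every identifier; numerals excluded."""
    return set(re.findall(r"[A-Za-z_]\w*", expr))


def program_vars(c: Cmd) -> Set[str]:
    kind = c[0]
    if kind == "skip":
        return set()
    if kind == "assign":
        return {c[1]} | fv(c[2])
    if kind == "seq":
        return program_vars(c[1]) | program_vars(c[2])
    if kind == "if":
        return fv(c[1]) | program_vars(c[2]) | program_vars(c[3])
    if kind == "while":
        return fv(c[1]) | program_vars(c[2])
    raise ValueError(f"unknown command {kind}")


def guard_deps(guard: str, T: Assertion, V: Set[str]) -> Set[str]:
    """Initial values w the guard may depend on under T: some free variable
    of the guard is not known to be independent of w."""
    return {w for w in V if any((y, w) not in T for y in fv(guard))}


def sp(G: Set[str], c: Cmd, T: Assertion, V: Set[str]) -> Assertion:
    """Strongest postcondition of assertion T under command c in context G
    (initial values the enclosing guards may depend on).  Only variables the
    command assigns can lose or gain independences; this is the write
    confinement property quoted on this page."""
    kind = c[0]
    if kind == "skip":
        return T
    if kind == "assign":
        x, e = c[1], c[2]
        kept = {(y, w) for (y, w) in T if y != x}
        # x becomes independent of w iff the control point does not depend on
        # w (w not in G) and every variable read by e is independent of w.
        fresh = {(x, w) for w in V
                 if w not in G and all((y, w) in T for y in fv(e))}
        return frozenset(kept | fresh)
    if kind == "seq":
        return sp(G, c[2], sp(G, c[1], T, V), V)
    if kind == "if":
        G2 = G | guard_deps(c[1], T, V)
        # Only independences established on both branches survive the join.
        return sp(G2, c[2], T, V) & sp(G2, c[3], T, V)
    if kind == "while":
        cur = T  # zero iterations: T itself must hold afterwards
        while True:
            G2 = G | guard_deps(c[1], cur, V)
            nxt = cur & sp(G2, c[2], cur, V)
            if nxt == cur:  # assertions only shrink, so this terminates
                return cur
            cur = nxt
    raise ValueError(f"unknown command {kind}")


def initial_assertion(V: Set[str]) -> Assertion:
    """Initially each variable is independent of every *other* variable's
    initial value; (x, x) is not assumed."""
    return frozenset((x, w) for x in V for w in V if x != w)


def check(c: Cmd, low: Set[str], high: Set[str]) -> Tuple[Assertion, List[Indep]]:
    """Return (postcondition, leaks).  The program satisfies the policy
    'L output is independent of H input' iff leaks is empty; each leak (l, h)
    is a low variable whose final value may depend on the high input h."""
    V = program_vars(c) | low | high
    post = sp(set(), c, initial_assertion(V), V)
    leaks = sorted((l, h) for l in low for h in high if (l, h) not in post)
    return post, leaks


if __name__ == "__main__":
    L, H = {"l"}, {"h"}
    examples = {
        "l := h": ("assign", "l", "h"),
        "l := h; l := 0": ("seq", ("assign", "l", "h"), ("assign", "l", "0")),
        "if h then l := 1 else l := 0": ("if", "h", ("assign", "l", "1"), ("assign", "l", "0")),
        "while h do h := h - 1": ("while", "h", ("assign", "h", "h - 1")),
    }
    for text, prog in examples.items():
        _, leaks = check(prog, L, H)
        verdict = "secure" if not leaks else f"insecure: {leaks[0][0]} may depend on {leaks[0][1]}"
        print(f"{text:30} {verdict}")
    # Frame-rule illustration from the page: sp on the larger precondition is
    # strictly more precise than framing [z # w] onto sp of the smaller one.
    V = {"x", "y", "z", "w"}
    print(sorted(sp(set(), ("assign", "x", "y + z"), frozenset({("y", "w"), ("z", "w")}), V)))
    print(sorted(sp(set(), ("assign", "x", "y + z"), frozenset({("y", "w")}), V)))
```

Running the script shows l := h; l := 0 and the loop accepted, while l := h and the conditional are rejected with the missing [l # h] named as the explanation; the two frame-rule calls reproduce the sets quoted in the Reynolds citation context, with [x # w] present only when [z # w] was already in the precondition.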

### Citations

767 | Security policy and security models - Goguen, Meseguer - 1982

Citation Context: ...a L variable. A well-typed program “protects secrets”, i.e., no information flows from H to L during program execution. In the security literature, “protects secrets” is formalized as noninterference [13] and is described in terms of an “indistinguishability” relation on states. (⋆ Supported by NSF grants CCR-0296182 and CCR-0209205.) Two program states are indistinguishable for L if they agree on values...

745 | Separation logic: A logic for shared mutable data structures - Reynolds - 2002

Citation Context: ...nce (with [z # w] playing the role of $T^\#_0$):

sp(∅, x := y + z, {[y # w]} ∪ {[z # w]}) = {[y # w], [z # w], [x # w]}

sp(∅, x := y + z, {[y # w]}) ∪ {[z # w]} = {[y # w], [z # w]}.

In separation logic [17, 25], the frame rule is motivated by the desire for local reasoning: if C1 and C2 modify disjoint regions of a heap, reasoning about C1 can be performed independently of the reasoning about C2. In our set...

615 | Language-Based Information-Flow Security - Sabelfeld, Myers

Citation Context: ...nning and Denning were the first to formulate an information flow analysis for confidentiality [11]. Subsequent advances have been comprehensively summarized in the recent survey by Sabelfeld and Myers [27]. An oft-used approach for specifying static analyses for information flow is security type systems [23, 29]. Security types are ordinary types of program variables and expressions annotated with secu...

570 | Principles of Program Analysis - Nielson, Nielson, et al. - 1999

Citation Context: ...d Algol, requiring distinguishing between identifiers and locations. The analysis for Idealized Algol is split in two stages: the first stage does a control-flow analysis, specified using a flow logic [20]. The second stage specifies what is an acceptable information flow analysis with respect to the control-flow analysis. The precision of the control-flow analysis influences the precision of the infor...

433 | Secure computer systems: Mathematical foundations - Bell, LaPadula - 1973

Citation Context: ...entially says that low variables may not be written to under a high guard. Thus the lemma is the counterpart of the “no write down” rule that underlies information flow control; the term “*-property” [7] is also used. The value of low variables remains the same after execution of C. Lemma 1 (Write Confinement). Assume that $G \vdash \{T^\#_0\}\ C\ \{T^\#\}$ and $[y \mathrel{\#} w] \in T^\#$ and $w \in G$. Then $y \notin \mathit{modified}(C)$ and [...

417 | Certification of programs for secure information flow - Denning, Denning - 1977

Citation Context: ...crets at public output channels. An information flow analysis checks if a program satisfies the policy. Denning and Denning were the first to formulate an information flow analysis for confidentiality [11]. Subsequent advances have been comprehensively summarized in the recent survey by Sabelfeld and Myers [27]. An oft-used approach for specifying static analyses for information flow is security type s...

377 | Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints - Patrick Cousot, Radhia Cousot - 1977

Citation Context: ...tates of any two runs of the program will always have the same value, 0, for l and are thus indistinguishable for L. How can we admit such programs? Our inspiration comes from abstract interpretation [8], which can be viewed as a method for statically computing approximations of program invariants [9]. A benefit of this view is that the static abstraction of a program invariant can be used to annotat...

277 | Local reasoning about programs that alter data structures - O’Hearn, Reynolds, et al. - 2001

Citation Context: ...ate. Independences for a program are only those [x # w] where x occurs in the program. Moreover, in a larger context, the frame rule allows the following inference (in analogy with [21]): start with a specification $\{T^\#\}\ C\ \{T^\#_0\}$ describing independences before and after store modifications; then, $\{T^\# \cup T^\#_1\}\ C\ \{T^\#_0 \cup T^\#_1\}$ holds provided C does not modify any variable y, where [y # w] app...

243 | The SLam calculus: programming with secrecy and integrity - Heintze, Riecke - 1998

Citation Context: ... output is independent of H inputs. It is this notion that is made explicit in the information flow analysis specified in this paper. A shortcoming of usual type-based approaches for information flow [4, 14, 29, 24] is that a type system can be too imprecise. Consider the sequential program l := h; l := 0, where l has type L and h has type H. This program is rejected by a security type system on account of the f...

226 | Information flow inference for ML - Pottier, Simonet - 2002

Citation Context: ... output is independent of H inputs. It is this notion that is made explicit in the information flow analysis specified in this paper. A shortcoming of usual type-based approaches for information flow [4, 14, 29, 24] is that a type system can be too imprecise. Consider the sequential program l := h; l := 0, where l has type L and h has type H. This program is rejected by a security type system on account of the f...

225 | A core calculus of dependency - Abadi, Banerjee, et al. - 1999

Citation Context: ... via a Hoare-like logic. The approach deems more programs secure than extant type-based approaches. Secondly, we describe the relationship between information flow and program dependence, explored in [1, 16], in a more direct manner by computing independences between program variables. The independences themselves are static descriptions of the noninterference property. In Section 8, we show how our logi...

167 | Separation and information hiding - O’Hearn, Yang, et al. - 2004

Citation Context: ...with methods, pointers, objects and dynamic memory allocation; an obvious goal here is interprocedural reasoning about variable independences perhaps using a higher-order version of the frame rule [22]. Hähnle’s Dagstuhl presentation inspired us to look at explaining insecurity by showing counterexamples. We plan to experiment with model checkers supporting linear arithmetic, for example BLAST [15]...

165 | BI as an assertion language for mutable data structures - Ishtiaq, O’Hearn - 2001

Citation Context: ...nce (with [z # w] playing the role of $T^\#_0$):

sp(∅, x := y + z, {[y # w]} ∪ {[z # w]}) = {[y # w], [z # w], [x # w]}

sp(∅, x := y + z, {[y # w]}) ∪ {[z # w]} = {[y # w], [z # w]}.

In separation logic [17, 25], the frame rule is motivated by the desire for local reasoning: if C1 and C2 modify disjoint regions of a heap, reasoning about C1 can be performed independently of the reasoning about C2. In our set...

164 | Transforming out timing leaks - Agat - 2000

Citation Context: ...e with a property, they are able to handle more general information flow policies, including a form of declassification known as delimited information release [28]. They show how self-composition can be formulated in logics describing these languages, namely, Hoa... (Footnote 5: For an analysis protecting against timing leaks and hence as a special case against attackers observing termination behavior, see [2].)

148 | Software verification with BLAST - Henzinger, Jhala, et al. - 2003

Citation Context: ...[22]. Hähnle’s Dagstuhl presentation inspired us to look at explaining insecurity by showing counterexamples. We plan to experiment with model checkers supporting linear arithmetic, for example BLAST [15], to (i) establish independences that our logic cannot find (cf. the false positives from Sect. 9); (ii) provide “genuine” counterexamples that are counterexamples wrt. the original semantics. Acknowl...

137 | A Type-Based Approach to Program Security - Volpano, Smith - 1997

Citation Context: ...quent advances have been comprehensively summarized in the recent survey by Sabelfeld and Myers [27]. An oft-used approach for specifying static analyses for information flow is security type systems [23, 29]. Security types are ordinary types of program variables and expressions annotated with security levels. Security typing rules prevent leaks of secret information to public channels. For example, the ...

106 | Secure Information Flow and Pointer Confinement in a Java-like Language - Banerjee, Naumann - 2002

Citation Context: ... output is independent of H inputs. It is this notion that is made explicit in the information flow analysis specified in this paper. A shortcoming of usual type-based approaches for information flow [4, 14, 29, 24] is that a type system can be too imprecise. Consider the sequential program l := h; l := 0, where l has type L and h has type H. This program is rejected by a security type system on account of the f...

96 | A per model of secure information flow in sequential programs - Sabelfeld, Sands - 1999

87 | Secure information flow by self-composition - Barthe, D’Argenio, et al.

Citation Context: ...also helpful in that they can express declassification, as well as treat exceptions (which most approaches based on static analysis cannot easily be extended to deal with). Barthe, D’Argenio and Rezk [5] use the same idea of self-composition (i.e., composing a program with a copy of itself) as Darvas et alii and investigate “abstract” noninterference [12] for several languages. By parameterizing noni...

85 | A theorem proving approach to analysis of secure information flow - Darvas, Hähnle, et al. - 2005

Citation Context: ... done via a fixpoint computation with weakest preconditions. However, their work is not concerned with computing dependences, nor do they consider generating counterexamples. Darvas, Hähnle and Sands [12] use dynamic logic to express secure information flow in JavaCard. They discuss several ways that noninterference can be expressed in a program logic, one of which is as follows: consider a program wi...

77 | A semantic approach to secure information flow - Leino, Joshi - 1998

Citation Context: ...operties. To prove semantic correctness for the revised logic we would need to also revise our semantics, since currently it does not facilitate reasoning about infinite computations. Joshi and Leino [18] provide an elegant semantic characterization of noninterference that allows handling both termination-sensitive and termination-insensitive noninterference. Their notion of security for a command C is...

76 | Abstract non-interference: Parameterizing noninterference by abstract interpretation - Giacobazzi, Mastroeni - 2004

Citation Context: ...inite sets of variable independences. These variable independences can be statically computed using strongest postconditions, and can be statically checked against the logic. Giacobazzi and Mastroeni [12] consider attackers as abstract interpretations and generalize the notion of noninterference by parameterizing it wrt. what an attacker can analyze about the input/output information flow. For instanc...

71 | An axiomatic approach to information flow in programs - Andrews, Reitman

Citation Context: ...ite state spaces to check satisfaction of their generalized definition of noninterference. The first work that used a Hoare-style semantics to reason about information flow was by Andrews and Reitman [3]. Their assertions keep track of the security level of variables, and are able to deal even with parallel programs. However, no formal correctness result is stated. Conclusion. This paper was inspired...

70 | Information Transmission in Sequential Programs - Cohen - 1978

Citation Context: ...alues of H variables but not on values of L variables; the two final states must agree on the current values of L variables. One reading of the noninterference property is as a form of (in)dependence [7]: L output is independent of H inputs. It is this notion that is made explicit in the information flow analysis specified in this paper. A shortcoming of usual type-based approaches for information fl...

68 | A model for delimited information release - Sabelfeld, Myers - 2004

Citation Context: ...nguages. By parameterizing noninterference with a property, they are able to handle more general information flow policies, including a form of declassification known as delimited information release [26]. They show how self-composition can be formulated in logics describing these languages, namely, Hoare logic, separation logic, linear temporal logic, etc. They also discuss how to use their results f...

49 | Trust in the λ-calculus - Ørbæk, Palsberg - 1997

Citation Context: ...quent advances have been comprehensively summarized in the recent survey by Sabelfeld and Myers [27]. An oft-used approach for specifying static analyses for information flow is security type systems [23, 29]. Security types are ordinary types of program variables and expressions annotated with security levels. Security typing rules prevent leaks of secret information to public channels. For example, the ...

34 | Binding time analysis: A new PERspective - Hunt, Sands - 1991

Citation Context: ... via a Hoare-like logic. The approach deems more programs secure than extant type-based approaches. Secondly, we describe the relationship between information flow and program dependence, explored in [1, 16], in a more direct manner by computing independences between program variables. The independences themselves are static descriptions of the noninterference property. In Section 8, we show how our logi...

29 | Information flow for algol-like languages - Clark, Hankin, et al.

Citation Context: ...above example, the program would be abstracted to while h do h := h − 1 which our logic already deems secure. Related work. Perhaps the most closely related work is the one of Clark, Hankin, and Hunt [6], who consider a language similar to ours and then extend it to Idealized Algol, requiring distinguishing between identifiers and locations. The analysis for Idealized Algol is split in two stages: th...

19 | Automatic synthesis of optimal invariant assertions: mathematical foundation - Patrick Cousot, Radhia Cousot - 1977

Citation Context: ...nguishable for L. How can we admit such programs? Our inspiration comes from abstract interpretation [8], which can be viewed as a method for statically computing approximations of program invariants [9]. A benefit of this view is that the static abstraction of a program invariant can be used to annotate a program with pre- and postconditions and the annotated program can be checked against a Hoare-like...

3 | Specifications for multi-level security and a hook-up - McCullough - 1987

Citation Context: ... A traditional view of modularity in the security literature is the “hook-up property” [19]: if two programs are secure then their composition is secure as well. Our logic satisfies the hook-up property for sequential composition; in our context, a secure program is one which has [l # h] as...