## Secure information flow and program logics (2007)

Venue: In IEEE Computer Security Foundations Symposium

Citations: 12 (6 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Beringer07secureinformation,
  author    = {Lennart Beringer and Martin Hofmann},
  title     = {Secure information flow and program logics},
  booktitle = {In IEEE Computer Security Foundations Symposium},
  year      = {2007},
  pages     = {233--248},
  publisher = {IEEE Press}
}
```

### Abstract

We present interpretations of type systems for secure information flow in Hoare logic, complementing previous encodings in binary (e.g. relational) program logics. Treating baseline non-interference, multi-level security and flow sensitivity for a while language, we show how typing derivations may be used to automatically generate proofs in the program logic that certify the absence of illicit flows. In addition, we present proof rules for baseline non-interference for object-manipulating instructions. As a consequence, standard verification technology may be used for verifying that a concrete program satisfies the noninterference property. Our development is based on a formalisation of the encodings in Isabelle/HOL.

### Citations

1093 | Proof-carrying code
- Necula
- 1997
Citation Context: ...tems. Thus, the analysis task (type inference) is separated from the verification task (proof checking), which makes our approach suitable for deployment in certified code infrastructures such as PCC [30]. The observation that allows us to encode noninterference in a program logic is the same as the idea behind self composition, namely the fact that two executions of C do not interfere. Roughly speaki...

723 | Security policies and security models
- Goguen, Meseguer
- 1982
Citation Context: ...s class assert that the system does not leak properties of data classified as secret to external parties. Recent research has aimed to complement formulations of security phrased in terms of automata [16] by verification technology for programming languages [33]. In this paper, we consider a notion of security known as termination-insensitive non-interference. For a simple imperative language of comma...

638 | Systematic Software Development Using VDM
- Jones
- 1990
Citation Context: ... Section 2. Limiting our attention to termination-insensitive non-interference, the program logic is equipped with a partial-correctness interpretation. Similar to specifications in the VDM formalism [21], assertions are binary predicates over states. In Section 3 we consider non-interference in the style of Volpano et al. [37], restricted to the binary lattice low ⊏ high. We introduce a derived proof...

576 | Language-based information-flow security
- Sabelfeld, Myers
Citation Context: ... data classified as secret to external parties. Recent research has aimed to complement formulations of security phrased in terms of automata [16] by verification technology for programming languages [33]. In this paper, we consider a notion of security known as termination-insensitive non-interference. For a simple imperative language of commands and while-loops [38], this notion may be phrased as fo...

417 | A sound type system for secure flow analysis
- Volpano, Smith, et al.
- 1996
Citation Context: ... $\sigma \xrightarrow{C} \tau$ and $\sigma' \xrightarrow{C} \tau'$ then $\tau \sim \tau'$. Several approaches have been developed for verifying adherence to non-interference policies, including (conservative) static analyses phrased as type systems [37, 32, 29] or abstract interpretations [15, 20], flow logics [13], special-purpose program logics [3, 2, 6], and encodings in relational or dynamic program logics [9, 18]. Self-composition [23, 1, 7, 36] is a re...

234 | The formal semantics of programming languages: an introduction
- Winskel
- 1993
Citation Context: ...hnology for programming languages [33]. In this paper, we consider a notion of security known as termination-insensitive non-interference. For a simple imperative language of commands and while-loops [38], this notion may be phrased as follows, where $\sigma \xrightarrow{C} \tau$ denotes the (big-step) operational semantics over states σ, τ ∈ Σ and the set X of program variables is disjointly partitioned into high securit...

217 | Information flow inference for ML
- Pottier, Simonet
Citation Context: ... $\sigma \xrightarrow{C} \tau$ and $\sigma' \xrightarrow{C} \tau'$ then $\tau \sim \tau'$. Several approaches have been developed for verifying adherence to non-interference policies, including (conservative) static analyses phrased as type systems [37, 32, 29] or abstract interpretations [15, 20], flow logics [13], special-purpose program logics [3, 2, 6], and encodings in relational or dynamic program logics [9, 18]. Self-composition [23, 1, 7, 36] is a re...

153 | A general theory of composition for trace sets closed under selective interleaving functions
- McLean
- 1994
Citation Context: ...th the effectiveness of type systems. Finally, we would like to point out that our findings do not contradict McLean’s result regarding the inexpressibility of non-interference as a 1-safety property [26]. In fact, our language-based approach is conceptually different from the Alpern-Schneider framework considered by McLean: programs in our language represent concrete deterministic systems, and do not...

141 | Robust declassification
- Zdancewic, Myers
- 2001
Citation Context: ... $\sigma \xrightarrow{C} \tau$ and $\sigma' \xrightarrow{C} \tau'$ then $\tau \sim \tau'$. Several approaches have been developed for verifying adherence to non-interference policies, including (conservative) static analyses phrased as type systems [37, 32, 29] or abstract interpretations [15, 20], flow logics [13], special-purpose program logics [3, 2, 6], and encodings in relational or dynamic program logics [9, 18]. Self-composition [23, 1, 7, 36] is a re...

108 | Dimensions and principles of declassification
- Sabelfeld, Sands
- 2005
Citation Context: ...ty notions that distinguish extensionally identical programs. This requirement strictly subsumes the semantic consistency condition in Sabelfeld and Sands’ “classification of declassification” survey [35]. Their condition merely requires invariance under transformations on declassification-free programs. In particular, our approach does not support the interpretation of the type systems by Li and Zdan...

81 | Simple relational correctness proofs for static analyses and program transformations
- Benton
Citation Context: ...ic analyses phrased as type systems [37, 32, 29] or abstract interpretations [15, 20], flow logics [13], special-purpose program logics [3, 2, 6], and encodings in relational or dynamic program logics [9, 18]. Self-composition [23, 1, 7, 36] is a recent approach that avoids the consideration of two executions of C for ∼-related initial states. Instead, one verifies the equivalence between two suitably mod...

80 | Secure information flow by self-composition
- Barthe, D’Argenio, et al.
- 2004
Citation Context: ...e systems [37, 32, 29] or abstract interpretations [15, 20], flow logics [13], special-purpose program logics [3, 2, 6], and encodings in relational or dynamic program logics [9, 18]. Self-composition [23, 1, 7, 36] is a recent approach that avoids the consideration of two executions of C for ∼-related initial states. Instead, one verifies the equivalence between two suitably modified versions f1(C) and f2(C) of...

79 | A theorem proving approach to analysis of secure information flow
- Darvas, Hähnle, et al.
- 2003
Citation Context: ...e systems [37, 32, 29] or abstract interpretations [15, 20], flow logics [13], special-purpose program logics [3, 2, 6], and encodings in relational or dynamic program logics [9, 18]. Self-composition [23, 1, 7, 36] is a recent approach that avoids the consideration of two executions of C for ∼-related initial states. Instead, one verifies the equivalence between two suitably modified versions f1(C) and f2(C) of...

77 | Downgrading policies and relaxed noninterference
- Li, Zdancewic
- 2005
Citation Context: ...nvariance under transformations on declassification-free programs. In particular, our approach does not support the interpretation of the type systems by Li and Zdancewic for relaxed non-interference [25] and Sabelfeld and Myers for delimited information release [34]. On the other hand, Banerjee and Naumann [6] demonstrate how a variety of extensional declassification policies can be directly represen...

76 | On flow-sensitive security types
- Hunt, Sands
- 2006
Citation Context: ...e typing rules. We then consider two extensions. In Section 4, we generalise our approach to multi-level security and flow sensitivity by giving an interpretation of the type system of Hunt and Sands [19]. In Section 5, we return to binary, flow-insensitive non-interference, but extend the language by object-manipulating instructions. Finally, we outline future and related work and discuss shortcoming...

75 | Abstract non-interference: parameterizing noninterference by abstract interpretation
- Giacobazzi, Mastroeni
- 2004
Citation Context: ... Several approaches have been developed for verifying adherence to non-interference policies, including (conservative) static analyses phrased as type systems [37, 32, 29] or abstract interpretations [15, 20], flow logics [13], special-purpose program logics [3, 2, 6], and encodings in relational or dynamic program logics [9, 18]. Self-composition [23, 1, 7, 36] is a recent approach that avoids the conside...

74 | A semantic approach to secure information flow
- Joshi, Leino
Citation Context: ...e systems [37, 32, 29] or abstract interpretations [15, 20], flow logics [13], special-purpose program logics [3, 2, 6], and encodings in relational or dynamic program logics [9, 18]. Self-composition [23, 1, 7, 36] is a recent approach that avoids the consideration of two executions of C for ∼-related initial states. Instead, one verifies the equivalence between two suitably modified versions f1(C) and f2(C) of...

66 | A model for delimited information release
- Sabelfeld, Myers
- 2004
Citation Context: ...ms. In particular, our approach does not support the interpretation of the type systems by Li and Zdancewic for relaxed non-interference [25] and Sabelfeld and Myers for delimited information release [34]. On the other hand, Banerjee and Naumann [6] demonstrate how a variety of extensional declassification policies can be directly represented as pre- and post-conditions in a Hoare logic with a relatio...

57 | A logic for information flow in object-oriented programs
- Amtoft, Bandhakavi, et al.
- 2006
Citation Context: ...rence to non-interference policies, including (conservative) static analyses phrased as type systems [37, 32, 29] or abstract interpretations [15, 20], flow logics [13], special-purpose program logics [3, 2, 6], and encodings in relational or dynamic program logics [9, 18]. Self-composition [23, 1, 7, 36] is a recent approach that avoids the consideration of two executions of C for ∼-related initial states....

55 | Secure information flow as a safety problem
- Terauchi, Aiken
- 2005

32 | Information flow analysis in logical form
- Amtoft, Banerjee
- 2004
Citation Context: ...rence to non-interference policies, including (conservative) static analyses phrased as type systems [37, 32, 29] or abstract interpretations [15, 20], flow logics [13], special-purpose program logics [3, 2, 6], and encodings in relational or dynamic program logics [9, 18]. Self-composition [23, 1, 7, 36] is a recent approach that avoids the consideration of two executions of C for ∼-related initial states....

31 | Non-interference for a JVM-like language
- Barthe, Rezk
- 2005
Citation Context: ...ment ∅ ⊲ C : A is equivalent to |= C : A, i.e., its semantic validity. A rule for context elimination is again easily seen to be derivable. Indistinguishability and security. Following Barthe and Rezk [8], the indistinguishability of states is defined parametrically in a partial bijection between location sets and is built up from similar relations on heaps and stores. We formalise partial bijections ...

31 | Hoare Logic and VDM: Machine-Checked Soundness and Completeness Proofs
- Kleymann
- 1999
Citation Context: ...llows one to derive the validity of a judgement in the empty proof context, provided that all assumptions in G can be validated by a corresponding proof for the method body. Using standard techniques [24, 31], it is easy to show soundness and relative completeness of the proof system, i.e. the following property. Theorem 1. (Soundness and completeness of program logic) The derivability of the judgement ∅ ...

30 | Information Flow Analysis for Java Bytecode
- Genaim, Spoto
- 2005
Citation Context: ...ically targets low-level code, we intend to transfer our findings to program logics for (virtual) machine code. Previous work concerned with information flow security for low-level languages includes [27, 8, 14]. We also intend to generalise our approach to languages with more general method invocation mechanisms. It is evident that the suitability of our approach for further notions of information flow secu...

29 | Information flow for Algol-like languages
- Clark, Hankin, et al.
- 2002
Citation Context: ...ve been developed for verifying adherence to non-interference policies, including (conservative) static analyses phrased as type systems [37, 32, 29] or abstract interpretations [15, 20], flow logics [13], special-purpose program logics [3, 2, 6], and encodings in relational or dynamic program logics [9, 18]. Self-composition [23, 1, 7, 36] is a recent approach that avoids the consideration of two exec...

27 | Automatic Certification of Heap Consumption
- Beringer, Hofmann, et al.
- 2005
Citation Context: ... derivations of security assertions as shown in Figure 4. In particular, the rules constructively exhibit assertions φ for the commands typeable in a low context. Similar to the derived assertions in [12] and [10], the formulae φ (and thus the assertions Sec(φ)) are syntax-dependent, i.e. the assertions in the conclusions are composed from the assertions in the assumptions using different combinators ...

26 | Hoare logics for recursive procedures and unbounded nondeterminism
- Nipkow
- 2002
Citation Context: ...llows one to derive the validity of a judgement in the empty proof context, provided that all assumptions in G can be validated by a corresponding proof for the method body. Using standard techniques [24, 31], it is easy to show soundness and relative completeness of the proof system, i.e. the following property. Theorem 1. (Soundness and completeness of program logic) The derivability of the judgement ∅ ...

10 | A typed assembly language for non-interference
- Medel, Compagnoni, et al.
- 2005
Citation Context: ...ically targets low-level code, we intend to transfer our findings to program logics for (virtual) machine code. Previous work concerned with information flow security for low-level languages includes [27, 8, 14]. We also intend to generalise our approach to languages with more general method invocation mechanisms. It is evident that the suitability of our approach for further notions of information flow secu...

9 | Optimisation validation
- Aspinall, Beringer, et al.
- 2006
Citation Context: ...de strong invariants (assertions that are satisfied by all intermediate states, be the computation terminating or not) [17, 10] or are based on operational semantics that expose intensional behaviour [5]. In all of these cases, the main challenge will consist of finding factorisations of the appropriate security notions that admit the encoding of type systems. Compared to soundness statements that re...

9 | Verification of safety properties in the presence of transactions
- Hähnle, Mostowski
- 2005
Citation Context: ...notions of secure information flow may be encodeable in program logics that include strong invariants (assertions that are satisfied by all intermediate states, be the computation terminating or not) [17, 10] or are based on operational semantics that expose intensional behaviour [5]. In all of these cases, the main challenge will consist of finding factorisations of the appropriate security notions that ...

8 | Integration of a security type system into a program logic
- Hähnle, Pan, et al.
- 2007
Citation Context: ...ic analyses phrased as type systems [37, 32, 29] or abstract interpretations [15, 20], flow logics [13], special-purpose program logics [3, 2, 6], and encodings in relational or dynamic program logics [9, 18]. Self-composition [23, 1, 7, 36] is a recent approach that avoids the consideration of two executions of C for ∼-related initial states. Instead, one verifies the equivalence between two suitably mod...

8 | Statically checking confidentiality via dynamic labels
- Jacobs, Pieters, et al.
- 2005
Citation Context: ... Several approaches have been developed for verifying adherence to non-interference policies, including (conservative) static analyses phrased as type systems [37, 32, 29] or abstract interpretations [15, 20], flow logics [13], special-purpose program logics [3, 2, 6], and encodings in relational or dynamic program logics [9, 18]. Self-composition [23, 1, 7, 36] is a recent approach that avoids the conside...

7 | A Program Logic for Resources
- Aspinall, Beringer, et al.
- 2005
Citation Context: ...iction of Amtoft et al.’s system to IMP (reported in [3]) is equivalent to the derivability of a certain judgement in the type system of [19] for the lattice given by subsets of program variables. In [4], it is shown how a logic that guarantees termination can be built “on top of” a partial-correctness logic, by including hypotheses from the latter logic in appropriate rules. Future work will seek to...

6 | A bytecode logic for JML and types
- Beringer, Hofmann
- 2006
Citation Context: ...ons of security assertions as shown in Figure 4. In particular, the rules constructively exhibit assertions φ for the commands typeable in a low context. Similar to the derived assertions in [12] and [10], the formulae φ (and thus the assertions Sec(φ)) are syntax-dependent, i.e. the assertions in the conclusions are composed from the assertions in the assumptions using different combinators for the v...

1 | A logical account of secure declassification
- Banerjee, Naumann
- 2006
Citation Context: ...rence to non-interference policies, including (conservative) static analyses phrased as type systems [37, 32, 29] or abstract interpretations [15, 20], flow logics [13], special-purpose program logics [3, 2, 6], and encodings in relational or dynamic program logics [9, 18]. Self-composition [23, 1, 7, 36] is a recent approach that avoids the consideration of two executions of C for ∼-related initial states....

1 | Secure information flow and program logics – Isabelle sources
- Beringer, Hofmann
- 2007
Citation Context: ...esented in the technical Sections 2 to 5 is based on a formalisation of the entire development in the theorem prover Isabelle/HOL. As the source files of this development are available electronically [11], we omit most proofs from our presentation. 2 Syntax and semantics of IMP. Syntax. The syntax of IMP is defined over a set X of variables (ranged over by x), a set V of values (ranged over by v), arith...