A Hybrid Approach for Proving Noninterference of Java Programs

Küsters, Ralf; Truderung, Tomasz; Beckert, Bernhard; Bruns, Daniel; Kirsten, Michael; Mohr, Martin

doi:10.1109/csf.2015.28

Cited by 23 publications

(9 citation statements)

References 46 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, compared to the kernel, these layers require the establishment of much simpler, noninterference-like properties: That they transport the data back and forth between the end user and the verified kernel, without doing anything "interesting," like mixing identities. Such properties seem to be in the scope of static informationflow analyzers such as Joana [33]-so a hybrid verification scheme (as in, e.g., [39]) might be suitable here.…”

Section: Discussionmentioning

confidence: 99%

“…CoSMeDis belongs to a small, but expanding club of running systems proved to be secure using proof assistants, which includes an aircraft microprocessor [34] (in ACL2), a hardware architecture with information flow primitives [22] (in Coq), a separation kernel [21] (in HOL4), a noninterferent operating system kernel [51] (in Isabelle/HOL), a secure browser [36] (in Coq), and an e-voting system [39] (using the KeY theorem prover jointly with the Joana information flow analyzer).…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

CoSMeDis: A Distributed Social Media Platform with Formally Verified Confidentiality Guarantees

BauereiB

Gritti²,

Popescu

et al. 2017

2017 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Abstract-We present the design, implementation and information flow verification of CoSMeDis, a distributed social media platform. The system consists of an arbitrary number of communicating nodes, deployable at different locations over the Internet. Its registered users can post content and establish intra-node and inter-node friendships, used to regulate access control over the posts. The system's kernel has been verified in the proof assistant Isabelle/HOL and automatically extracted as Scala code. We formalized a framework for composing a class of information flow security guarantees in a distributed system, applicable to input/output automata. We instantiated this framework to confidentiality properties for CoSMeDis's sources of information: posts, friendship requests, and friendship status.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

CoSMeDis: A Distributed Social Media Platform with Formally Verified Confidentiality Guarantees

BauereiB

Gritti²,

Popescu

et al. 2017

2017 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

“…Building on §5.1, we show how programs that fall outside the syntactic information-flow typing discipline can be proven secure using a combination of typechecking and semantic proofs of noninterference. This example is evocative (though at a smaller scale) of the work of Küsters et al (2015), who combine automated information-flow analysis in the Joana analyzer (Hammer and Snelting 2009) with semantic proofs in the KeY verifier for Java programs (Darvas et al 2005;Scheben and Schmitt 2011). In contrast, we sketch a combination of syntactic and semantic proofs of relational properties in a single framework.…”

Section: Combining Syntactic Ifc Analysis With Semantic Noninterferenmentioning

confidence: 99%

A monadic framework for relational verification: applied to information security, program equivalence, and optimizations

Grimm¹,

Maillard²,

Fournet³

et al. 2018

Proceedings of the 7th ACM SIGPLAN International Conference on Certified Programs and Proofs - CPP 2018

View full text Add to dashboard Cite

Relational properties describe multiple runs of one or more programs. They characterize many useful notions of security, program refinement, and equivalence for programs with diverse computational effects, and they have received much attention in the recent literature. Rather than developing separate tools for special classes of effects and relational properties, we advocate using a general purpose proof assistant as a unifying framework for the relational verification of effectful programs. The essence of our approach is to model effectful computations using monads and to prove relational properties on their monadic representations, making the most of existing support for reasoning about pure programs.We apply this method in F ⋆ and evaluate it by encoding a variety of relational program analyses, including information flow control, semantic declassification, program equivalence and refinement at higher order, correctness of program optimizations and game-based cryptographic security. By relying on SMT-based automation, unary weakest preconditions, user-defined effects, and monadic reification, we show that, compared to unary properties, verifying relational properties requires little additional effort from the F ⋆ programmer.

show abstract

“…In what follows, we describe some approaches that are similar to ours. The Hybrid Approach [17] also aims to combine automatic dependence-graph analysis and theorem proving. The user first attempts to show noninterference using JOANA.…”

Section: Related Workmentioning

confidence: 99%

Using Theorem Provers to Increase the Precision of Dependence Analysis for Information Flow Control

Beckert

Bischof

Herda

et al. 2018

Formal Methods and Software Engineering

Self Cite

View full text Add to dashboard Cite

Information flow control (IFC) is a category of techniques for enforcing information flow properties. In this paper we present the Combined Approach, a novel IFC technique that combines a scalable system-dependence-graph-based (SDG-based) approach with a precise logic-based approach based on a theorem prover. The Combined Approach has an increased precision compared with the SDG-based approach on its own, without sacrificing its scalability. For every potential illegal information flow reported by the SDG-based approach, the Combined Approach automatically generates proof obligations that, if valid, prove that there is no program path for which the reported information flow can happen. These proof obligations are then relayed to the logic-based approach. We also show how the SDG-based approach can provide additional information to the theorem prover that helps decrease the verification effort. Moreover, we present a prototypical implementation of the Combined Approach that uses the tools JOANA and KeY as the SDG-based and logic-based approach respectively.

show abstract

A Hybrid Approach for Proving Noninterference of Java Programs

Cited by 23 publications

References 46 publications

CoSMeDis: A Distributed Social Media Platform with Formally Verified Confidentiality Guarantees

CoSMeDis: A Distributed Social Media Platform with Formally Verified Confidentiality Guarantees

A monadic framework for relational verification: applied to information security, program equivalence, and optimizations

Using Theorem Provers to Increase the Precision of Dependence Analysis for Information Flow Control

Contact Info

Product

Resources

About