A logic for information flow in object-oriented programs

Abstract. Hunt and Sands (POPL'06) studied a flow sensitive type (FST) system for multi-level security, parametric in the choice of lattice of security levels. Choosing the powerset of program variables as the security lattice yields a system which was shown to be equivalent to Amtoft and Banerjee's Hoare-style independence logic (SAS'04). Moreover, using the powerset lattice, it was shown how to derive a principal type from which all other types (for all choices of lattice) can be simply derived. Both of these earlier works gave "algorithmic" formulations of the type system/program logic, but both algorithms are of exponential complexity due to the iterative typing of While loops. Later work by Hunt and Sands (ESOP'08) adapted the FST system to provide an erasure type system which determines whether some input is correctly erased at a designated time. This type system is inherently exponential, requiring a double typing of the erasure-labelled input command. In this paper we start by developing the FST work in two key ways: (1) We specialise the FST system to a form which only derives principal types; the resulting type system has a simple algorithmic reading, yielding principal security types in polynomial time. (2) We show how the FST system can be simply extended to check for various degrees of termination sensitivity (the original FST system is completely termination insensitive, while the erasure type system is fully termination sensitive). We go on to demonstrate the power of these techniques by combining them to develop a type system which is shown to correctly implement erasure typing in polynomial time. Principality is used in an essential way to reduce type derivation size from exponential to linear.

show abstract

“…[ABB06]). Do dynamic allocation, structured data and aliasing fundamentally change the algorithmic approach?…”

Section: Discussionmentioning

confidence: 99%

From Exponential to Polynomial-Time Security Typing via Principal Types

Hunt

Sands

2011

Programming Languages and Systems

View full text Add to dashboard Cite

show abstract

“…Using program logics, non-interference can be directly formalized (e.g., [6,12,37]); or it can be translated into dependence properties, which in turn can be formalized in program logics logic (this has been investigated for a simple imperative language [2,1], for a simple object-oriented language [3], and for sequential Java [19]). Non-interference can also be translated into proof obligations that can -in principle -be handled by unmodified existing program verification tools using a technique called self-composition [12,11,6].…”

Section: Deductive Verification Of System Codementioning

confidence: 99%

Software Security in Virtualized Infrastructures — The Smart Meter Example

Beckert

Hofheinz²,

Müller-Quade³

et al. 2011

It - Information Technology

View full text Add to dashboard Cite

Future infrastructures for energy, traffic, and computing will be virtualized: they will consist of decentralized, self-organizing, dynamically adaptive, and open collections of physical resources such as virtual power plants or computing clouds. Challenges to software dependability, in particular software security will be enourmous.While the problems in this domain transcend any specific instantiation, we use the example of smart power meters to discuss advanced technologies for the protection of integrity and confidentiality of software and data in virtualized infrastructures. We show that approaches based on homomorphic encryption, deductive verification, information flow control, and runtime verification are promising candidates for providing solutions to a plethora of representative challenges in the domain of virtualized infrastructures.

show abstract

“…Also note that correctness is phrased directly wrt. the underlying semantics, unlike [3,2] which first establish the semantic soundness of a logic and next provide a sound implementation of that logic. Theorem 2 is proved [6] much as the corresponding result [5] (that handled a language with heap manipulation but without procedure calls and without automatic computation of loop invariants), by establishing some auxiliary properties (e.g., the R component) that have largely determined the design of Pre.…”

Section: A Precondition Generation Algorithmmentioning

confidence: 99%

“…To address that, and to analyze heapmanipulating languages, the logic of [2] employs three kinds of primitive assertions: agreement, programmer, and region (for a simple alias analysis). But, since those can be combined only through conjunction, programmer assertions are not smoothly integrated, and it is not possible to capture conditional information flows.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Specification and Checking of Software Contracts for Conditional Information Flow

Amtoft

Hatcliff

Rodríguez

et al. 2008

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Information assurance applications built according to the MILS (Multiple Independent Levels of Security) architecture often contain information flow policies that are conditional in the sense that data is allowed to flow between system components only when the system satisfies certain state predicates. However, existing specification and verification environments, such as SPARK Ada, used to develop MILS applications can only capture unconditional information flows. Motivated by the need to better formally specify and certify MILS applications in industrial contexts, we present an enhancement of the SPARK information flow annotation language that enables specification, inferring, and compositional checking of conditional information flow contracts. We report on the use of this framework for a collection of SPARK examples.

show abstract

A logic for information flow in object-oriented programs

Cited by 54 publications

References 26 publications

From Exponential to Polynomial-Time Security Typing via Principal Types

From Exponential to Polynomial-Time Security Typing via Principal Types

Software Security in Virtualized Infrastructures — The Smart Meter Example

Specification and Checking of Software Contracts for Conditional Information Flow

Contact Info

Product

Resources

About