Information Flow in Object-Oriented Software

Beckert, Bernhard; Bruns, Daniel; Klebanov, Vladimir; Scheben, Christoph; Schmitt, Peter H.; Ulbrich, Mattias

doi:10.1007/978-3-319-14125-1_2

Cited by 20 publications

(14 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The entire specification and verification process took between two and three person weeks. We note that KeY is able to prove noninterference properties itself [21], [38], by using the technique of self composition [15]. (Though, again, we emphasize that proving (7) does not involve proving noninterference properties.)…”

Section: F Proving the Conservatism Property With Keymentioning

confidence: 94%

See 1 more Smart Citation

A Hybrid Approach for Proving Noninterference of Java Programs

Küsters

Truderung

Beckert

et al. 2015

2015 IEEE 28th Computer Security Foundations Symposium

Self Cite

View full text Add to dashboard Cite

Several tools and approaches for proving noninterference properties for Java and other languages exist. Some of them have a high degree of automation or are even fully automatic, but overapproximate the actual information flow, and hence, may produce false positives. Other tools, such as those based on theorem proving, are precise, but may need interaction, and hence, analysis is time-consuming.In this paper, we propose a hybrid approach that aims at obtaining the best of both approaches: We want to use fully automatic analysis as much as possible and only at places in a program where, due to overapproximation, the automatic approaches fail, we resort to more precise, but interactive analysis, where the latter involves the verification only of specific functional properties in certain parts of the program, rather than checking more intricate noninterference properties for the whole program.To illustrate the hybrid approach, in a case study we use this approach-along with the fully automatic tool Joana for checking noninterference properties for Java programs and the theorem prover KeY for the verification of Java programs-as well as the CVJ framework proposed by Küsters, Truderung, and Graf to establish cryptographic privacy properties for a non-trivial Java program, namely an e-voting system. The CVJ framework allows one to establish cryptographic indistinguishability properties for Java programs by checking (standard) noninterference properties for such programs.

show abstract

Section: F Proving the Conservatism Property With Keymentioning

confidence: 94%

“…1 This is sufficient for applications concerned with cryptographic security properties (see Theorem 3). More general definitions of non-interference can for example be found in [38].…”

Section: Preliminariesmentioning

confidence: 99%

A Hybrid Approach for Proving Noninterference of Java Programs

Küsters

Truderung

Beckert

et al. 2015

2015 IEEE 28th Computer Security Foundations Symposium

Self Cite

View full text Add to dashboard Cite

show abstract

“…In particular, we build upon work presented in [16,12], where symbolic execution is used as a means to generate test cases for functional properties. Logic-based approaches such as [7,23] are fully precise and at the same time can flexibly express various information flow properties beyond the policies presented in this paper. The verification process is not fully automatic, however, and non-trivial interactions with the theorem prover are required.…”

Section: Related Workmentioning

confidence: 99%

Exploit Generation for Information Flow Leaks in Object-Oriented Programs

Huy

Bubel

Hähnle

2015

ICT Systems Security and Privacy Protection

View full text Add to dashboard Cite

Abstract. We present a method to generate automatically exploits for information flow leaks in object-oriented programs. Our approach combines self-composition and symbolic execution to compose an insecurity formula for a given information flow policy and a specification of the security level of the program locations. The insecurity formula gives then rise to a model which is used to generate input data for the exploit. A prototype tool called KEG implementing the described approach for Java programs has been developed, which generates exploits as executable JUnit tests.

show abstract

“…3 Overflow checking can be disabled to treat integers as mathematical integers. 4 As usual, modulo bugs in the implementation. Users launch AutoProof on the current project, or on specific classes or members thereof.…”

Section: User Interface (Ui)mentioning

confidence: 99%

“…A command whose execution may modify objects in set declares its frame specification using a clause modify (set). Since Eiffel doesn't natively support modify clauses, AutoProof introduces a dummy feature named modify, which can be used in a routine's precondition to specify the frame, as it is done in various places in 4 The observer pattern in AutoProof using semantic collaborations. See [42] for a detailed explanation to specify that pushing an element onto the stack modifies the model attribute sequence of the Current instance (denotes by this in other languages); this stipulates that it may modify Current.list, but it should not modify any model attribute other than Current.sequence.…”

Section: Framingmentioning

confidence: 99%

AutoProof: auto-active functional verification of object-oriented programs

Furia

Nordio

Polikarpova³

et al. 2016

Int J Softw Tools Technol Transfer

View full text Add to dashboard Cite

Auto-active verifiers provide a level of automation intermediate between fully automatic and interactive: users supply code with annotations as input while benefiting from a high level of automation in the back-end. This paper presents AutoProof, a state-of-the-art auto-active verifier for object-oriented sequential programs with complex functional specifications. AutoProof fully supports advanced objectoriented features and a powerful methodology for framing and class invariants, which make it applicable in practice to idiomatic object-oriented patterns. The paper focuses on describing AutoProof's interface, design, and implementation features, and demonstrates AutoProof's performance on a rich collection of benchmark problems. The results attest AutoProof's competitiveness among tools in its league on cutting-edge functional verification of object-oriented programs.

show abstract

Information Flow in Object-Oriented Software

Cited by 20 publications

References 22 publications

A Hybrid Approach for Proving Noninterference of Java Programs

A Hybrid Approach for Proving Noninterference of Java Programs

Exploit Generation for Information Flow Leaks in Object-Oriented Programs

AutoProof: auto-active functional verification of object-oriented programs

Contact Info

Product

Resources

About