Privacy-Sensitive Information Flow with JML

Dufay, Guillaume; Felty, Amy P.; Matwin, Stan

doi:10.1007/11532231_9

Cited by 22 publications

(24 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We illustrate the application of relational verification by product construction for the verification of an example drawn from [12]. Figure 5 shows the construction of the program product (the original program can be obtained by slicing out the statements containing primed variables).…”

Section: Logical Verification Of Non-interferencementioning

confidence: 99%

Relational Verification Using Product Programs

Barthe

Crespo

Kunz

2011

Lecture Notes in Computer Science

168

240

View full text Add to dashboard Cite

Abstract. Relational program logics are formalisms for specifying and verifying properties about two programs or two runs of the same program. These properties range from correctness of compiler optimizations or equivalence between two implementations of an abstract data type, to properties like non-interference or determinism. Yet the current technology for relational verification remains underdeveloped. We provide a general notion of product program that supports a direct reduction of relational verification to standard verification. We illustrate the benefits of our method with selected examples, including non-interference, standard loop optimizations, and a state-of-the-art optimization for incremental computation. All examples have been verified using the Why tool.

show abstract

Section: Logical Verification Of Non-interferencementioning

confidence: 99%

Relational Verification Using Product Programs

Barthe

Crespo

Kunz

2011

Lecture Notes in Computer Science

168

240

View full text Add to dashboard Cite

show abstract

“…Dufay et al [16] use self-composition to check noninterference for data mining algorithms implemented in Java, using the Krakatoa tool, based on the Coq theorem prover and using JML [11]. The tool reads Java input files and produces specifications for Coq and a representation of the semantics of the Java program into the input language of Why 5 , an annotated, ML-like core language with references.…”

Section: Discussionmentioning

confidence: 99%

Verification condition generation for conditional information flow

Amtoft

Banerjee

2007

Proceedings of the 2007 ACM Workshop on Formal Methods in Security Engineering

View full text Add to dashboard Cite

We formulate an intraprocedural information flow analysis algorithm for sequential, heap manipulating programs. We prove correctness of the algorithm, and argue that it can be used to verify some naturally occurring examples in which information flow is conditional on some Hoare-like state predicates being satisfied. Because the correctness of information flow analysis is typically formulated in terms of noninterference of pairs of computations, the algorithm takes as input a program together with two-state assertions as postcondition, and generates two-state preconditions together with verification conditions. To process heap manipulations and while loops, the algorithm must additionally be supplied "object flow invariants" as well as "loop flow invariants" which are themselves two-state, and possibly conditional.

show abstract

“…declassification), our conditional information flow analysis aims to improve the precision and trustworthiness of static analysis results for the baseline policy, in the setting of an existing domain-specific tool flow methodology. Dufay, Felty, and Matwin [28] and Terauchi and Aiken [29] provide tool support for the verification of noninterference based on self-composition. In [28], the Krakatoa/Why verification framework is extended by variable-agreement assertions and corresponding loop annotations, and emits verification conditions in Coq that are typically interactively discharged by the user.…”

Section: Related Workmentioning

confidence: 99%

“…Dufay, Felty, and Matwin [28] and Terauchi and Aiken [29] provide tool support for the verification of noninterference based on self-composition. In [28], the Krakatoa/Why verification framework is extended by variable-agreement assertions and corresponding loop annotations, and emits verification conditions in Coq that are typically interactively discharged by the user. In [29], information inherent in type systems for noninterference is exploited to limit the application of the program-duplication to smaller subphrases, obtaining self-composed programs that are better amenable to fully automated state-space-exploring techniques.…”

Section: Related Workmentioning

confidence: 99%

A Certificate Infrastructure for Machine-Checked Proofs of Conditional Information Flow

Amtoft

Dodds

Zhang

et al. 2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract.In previous work, we have proposed a compositional framework for stating and automatically verifying complex conditional information flow policies using a relational Hoare logic. The framework allows developers and verifiers to work directly with the source code using source-level code contracts. In this work, we extend that approach so that the algorithm for verifying code compliance to an information flow contract emits formal certificates of correctness that are checked in the Coq proof assistant. This framework is implemented in the context of SPARK -a subset of Ada that has been used in a number of industrial contexts for implementing certified safety and security critical systems.

show abstract

Privacy-Sensitive Information Flow with JML

Cited by 22 publications

References 16 publications

Relational Verification Using Product Programs

Relational Verification Using Product Programs

Verification condition generation for conditional information flow

A Certificate Infrastructure for Machine-Checked Proofs of Conditional Information Flow

Contact Info

Product

Resources

About