Specification and Checking of Software Contracts for Conditional Information Flow

Abstract: Abstract. Information assurance applications built according to the MILS (Multiple Independent Levels of Security) architecture often contain information flow policies that are conditional in the sense that data is allowed to flow between system components only when the system satisfies certain state predicates. However, existing specification and verification environments, such as SPARK Ada, used to develop MILS applications can only capture unconditional information flows. Motivated by the need to better for… Show more

“…Many of the minimization steps can be implemented using simple syntactic checks, and we are in the process of implementing and proving correct a minimizer in Coq that will allow us to dramatically reduce the number of SMT solver calls. Experimental results from our earlier work [1] in which we used only syntactic scans to minimize showed that inference for almost all the procedures could be completed in less than a second. Our approach is compositional which greatly aids scalability when considering the overall time requirements for a complete application.…”

“…In [1] that approach was applied to the (heap-free) SPARK setting and worked out extensively, with an algorithm for computing loop invariants and with reports from an implementation; then arrays were handled in subsequent work [2].…”

“…In our previous work [2,1] we extended SPARK's procedure annotations to conditional information flow and fine-grained treatment of structured data, necessary for the automatic analysis and verification of many programs, and we developed a compositional framework for stating and automatically verifying complex array-oriented and conditional information flow policies using a relational Hoare logic. Although our Secure Information Flow Logic (SIFL) is language-neutral, we have chosen to cast our work as an enhancement to the SPARK information flow framework.…”

“…Once verified, this Gallina implementation cannot fail to produce valid evidence. Figure 2 illustrates the conceptual information flows in a fragment of a simplistic MLS (Multiple Levels of Security) component, described in our earlier work [1]. Rockwell Collins engineers constructed this example to illustrate, to NSA and industry representatives, the specification and verification challenges facing the developers of MLS software.…”

“…To capture conditional information flow as well as other forms of information that cannot be specified in SPARK, we have been building [1,2] on a reasoning framework based on conditional agreement assertions, also called 2-assertions, originally introduced by Amtoft and Banerjee [5]. These SIFL assertions are of the form φ ⇒ E , where φ is a boolean expression and E is any kind of expression (to be defined in the next section), which is satisfied by a pair of stores if either at least one of them does not satisfy φ, or they agree on the value of E:…”

A Certificate Infrastructure for Machine-Checked Proofs of Conditional Information Flow

“…Many of the minimization steps can be implemented using simple syntactic checks, and we are in the process of implementing and proving correct a minimizer in Coq that will allow us to dramatically reduce the number of SMT solver calls. Experimental results from our earlier work [1] in which we used only syntactic scans to minimize showed that inference for almost all the procedures could be completed in less than a second. Our approach is compositional which greatly aids scalability when considering the overall time requirements for a complete application.…”

“…In [1] that approach was applied to the (heap-free) SPARK setting and worked out extensively, with an algorithm for computing loop invariants and with reports from an implementation; then arrays were handled in subsequent work [2].…”

“…In our previous work [2,1] we extended SPARK's procedure annotations to conditional information flow and fine-grained treatment of structured data, necessary for the automatic analysis and verification of many programs, and we developed a compositional framework for stating and automatically verifying complex array-oriented and conditional information flow policies using a relational Hoare logic. Although our Secure Information Flow Logic (SIFL) is language-neutral, we have chosen to cast our work as an enhancement to the SPARK information flow framework.…”

“…Once verified, this Gallina implementation cannot fail to produce valid evidence. Figure 2 illustrates the conceptual information flows in a fragment of a simplistic MLS (Multiple Levels of Security) component, described in our earlier work [1]. Rockwell Collins engineers constructed this example to illustrate, to NSA and industry representatives, the specification and verification challenges facing the developers of MLS software.…”

“…To capture conditional information flow as well as other forms of information that cannot be specified in SPARK, we have been building [1,2] on a reasoning framework based on conditional agreement assertions, also called 2-assertions, originally introduced by Amtoft and Banerjee [5]. These SIFL assertions are of the form φ ⇒ E , where φ is a boolean expression and E is any kind of expression (to be defined in the next section), which is satisfied by a pair of stores if either at least one of them does not satisfy φ, or they agree on the value of E:…”

A Certificate Infrastructure for Machine-Checked Proofs of Conditional Information Flow

Slang: The Sireum Programming Language

Combining MILS with Contract-Based Design for Safety and Security Requirements