FM 2009: Formal Methods

Volume 5850 of the series Lecture Notes in Computer Science pp 773-789

Verifying Information Flow Control over Unbounded Processes

  • William R. Harris (University of Wisconsin)
  • Nicholas A. Kidd (University of Wisconsin)
  • Sagar Chaki (Software Engineering Institute, Carnegie Mellon University)
  • Somesh Jha (University of Wisconsin)
  • Thomas Reps (University of Wisconsin; GrammaTech Inc.)

Decentralized Information Flow Control (DIFC) systems enable programmers to express a desired DIFC policy, and to have the policy enforced via a reference monitor that restricts interactions between system objects, such as processes and files. Past research on DIFC systems focused on the reference-monitor implementation, and assumed that the desired DIFC policy is correctly specified. The focus of this paper is an automatic technique to verify that an application, plus its calls to DIFC primitives, does indeed correctly implement a desired policy. We present an abstraction that allows a model checker to reason soundly about DIFC programs that manipulate potentially unbounded sets of processes, principals, and communication channels. We implemented our approach and evaluated it on a set of real-world programs.