Advertisement

International Journal of Information Security

, Volume 8, Issue 6, pp 399–422 | Cite as

Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs

  • Christian Hammer
  • Gregor Snelting
Regular Contribution

Abstract

Information flow control (IFC) checks whether a program can leak secret data to public ports, or whether critical computations can be influenced from outside. But many IFC analyses are imprecise, as they are flow-insensitive, context-insensitive, or object-insensitive; resulting in false alarms. We argue that IFC must better exploit modern program analysis technology, and present an approach based on program dependence graphs (PDG). PDGs have been developed over the last 20 years as a standard device to represent information flow in a program, and today can handle realistic programs. In particular, our dependence graph generator for full Java bytecode is used as the basis for an IFC implementation which is more precise and needs less annotations than traditional approaches. We explain PDGs for sequential and multi-threaded programs, and explain precision gains due to flow-, context-, and object-sensitivity. We then augment PDGs with a lattice of security levels and introduce the flow equations for IFC. We describe algorithms for flow computation in detail and prove their correctness. We then extend flow equations to handle declassification, and prove that our algorithm respects monotonicity of release. Finally, examples demonstrate that our implementation can check realistic sequential programs in full Java bytecode.

Keywords

Software security Noninterference Program dependence graph Information flow control 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Abadi, M., Banerjee, A., Heintze, N., Riecke, J.G.: A core calculus of dependency. In: POPL ’99: Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 147–160. ACM, New York (1999). doi: 10.1145/292540.292555
  2. 2.
    Agat, J.: Transforming out timing leaks. In: POPL ’00: Proceedings of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 40–53. ACM, New York (2000). doi: 10.1145/325694.325702
  3. 3.
    Amtoft, T., Bandhakavi, S., Banerjee, A.: A logic for information flow in object-oriented programs. In: POPL ’06: Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 91–102. ACM, New York (2006). doi: 10.1145/1111037.1111046
  4. 4.
    Anderson, P., Reps, T., Teitelbaum, T.: Design and implementation of a fine-grained software inspection tool. IEEE Trans. Softw. Eng. 29(8) (2003). doi: 10.1109/TSE.2003.1223646
  5. 5.
    Barthe, G., Rezk, T.: Non-interference for a JVM-like language. In: TLDI ’05: Proceedings of the 2005 ACM SIGPLAN International Workshop on Types in Languages Design and Implementation, pp. 103–112. ACM Press, New York (2005). doi: 10.1145/1040294.1040304
  6. 6.
    Bell D.E., LaPadula L.J.: Secure computer systems: a mathematical model, vol. II. J. Comput. Secur. 4(2/3), 229–263 (1996). Based on MITRE Technical Report 2547, vol. IIGoogle Scholar
  7. 7.
    Bergeretti J.F., Carré B.A.: Information-flow and data-flow analysis of while-programs. ACM Trans. Program. Lang. Syst. 7(1), 37–61 (1985). doi: 10.1145/2363.2366 zbMATHCrossRefGoogle Scholar
  8. 8.
    Biba, K.J.: Integrity considerations for secure computer systems. Tech. Rep. MTR-3153, The Mitre Corporation (1977). doi: 100.2/ADA039324
  9. 9.
    Bieber, P., Cazin, J., Marouani, A.E., Girard, P., Lanet, J.L., Wiels, V., Zanon, G.: The PACAP prototype: a tool for detecting Java Card illegal flow. In: Proceedings of 1st International Workshop, Java Card 2000. Lecture Notes in Computer Sciences, vol. 2041, pp. 25–37. Springer, Cannes (2000). doi: 10.1007/3-540-45165-X_3
  10. 10.
    Binkley D., Harman M., Krinke J.: Empirical study of optimization techniques for massive slicing. ACM Trans. Program. Lang. Syst. 30(1), 3 (2007). doi: 10.1145/1290520.1290523 CrossRefGoogle Scholar
  11. 11.
    Chambers, C., Pechtchanski, I., Sarkar, V., Serrano, M.J., Srinivasan, H.: Dependence analysis for Java. In: Proceedings of the 12th International Workshop on Languages and Compilers for Parallel Computing, pp. 35–52. Springer, Berlin (1999). doi: 10.1007/3-540-44905-1_3
  12. 12.
    Chess B., McGraw G.: Static analysis for security. IEEE Secur. Priv. 2(6), 76–79 (2004). doi: 10.1109/MSP.2004.111 CrossRefGoogle Scholar
  13. 13.
    Clark D., Hankin C., Hunt S.: Information flow for Algol-like languages. Comput. Lang. Syst. Struct. 28(1), 3–28 (2002). doi: 10.1016/S0096-0551(02)00006-1 zbMATHCrossRefGoogle Scholar
  14. 14.
    Cohen, E.S.: Foundations of Secure Computation, chap. Information Transmission in Sequential Programs, pp. 297–335. Academic Press, Orlando (1978). Paper presented at a 3 day workshop held at Georgia Inst. of Technology, Atlanta, Oct. 1977Google Scholar
  15. 15.
    Ferrante J., Ottenstein K.J., Warren J.D.: The program dependence graph and its use in optimization. ACM Trans. Program. Lang. Syst. 9(3), 319–349 (1987). doi: 10.1145/24039.24041 zbMATHCrossRefGoogle Scholar
  16. 16.
    Giffhorn, D., Hammer, C.: Precise analysis of Java programs using JOANA (tool demonstration). In: Proceedings of 8th IEEE International Working Conference on Source Code Analysis and Manipulation, pp. 267–268 (2008). doi: 10.1109/SCAM.2008.17
  17. 17.
    Giffhorn D., Hammer C.: Precise slicing of concurrent programs—an evaluation of precise slicing algorithms for concurrent programs. J. Autom. Softw. Eng. 16(2), 197–234 (2009). doi: 10.1007/s10515-009-0048-x CrossRefGoogle Scholar
  18. 18.
    Goguen, J.A., Meseguer, J.: Interference control and unwinding. In: Proceedings of Symposium on Security and Privacy, pp. 75–86. IEEE, New York (1984). doi: 10.1109/SP.1984.10019
  19. 19.
    Hammer, C.: Information flow control for Java. Ph.D. thesis, Universität Karlsruhe (TH) (2009, Forthcoming)Google Scholar
  20. 20.
    Hammer, C., Krinke, J., Nodes, F.: Intransitive noninterference in dependence graphs. In: Proceedings of Second International Symposium on Leveraging Application of Formal Methods, Verification and Validation (ISoLA 2006), pp. 119–128. IEEE Computer Society, Washington, DC (2006). doi: 10.1109/ISoLA.2006.39
  21. 21.
    Hammer, C., Krinke, J., Snelting, G.: Information flow control for Java based on path conditions in dependence graphs. In: Proceedings of IEEE International Symposium on Secure Software Engineering (ISSSE’06), pp. 87–96 (2006)Google Scholar
  22. 22.
    Hammer, C., Schaade, R., Snelting, G.: Static path conditions for Java. In: PLAS ’08: Proceedings of the Third ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pp. 57–66. ACM, New York (2008). doi: 10.1145/1375696.1375704
  23. 23.
    Hammer, C., Snelting, G.: An improved slicer for Java. In: PASTE ’04: Proceedings of the 5th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering, pp. 17–22. ACM Press, New York (2004). doi: 10.1145/996821.996830
  24. 24.
    Hardekopf, B., Lin, C.: Semi-sparse flow sensitive pointer analysis. In: POPL ’09: Proceedings of the 36th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 226–238. ACM, New York (2009). doi: 10.1145/1480881.1480911
  25. 25.
    Horwitz, S., Prins, J., Reps, T.: On the adequacy of program dependence graphs for representing programs. In: POPL ’88: Proceedings of the 15th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 146–157. ACM, New York (1988). doi: 10.1145/73560.73573
  26. 26.
    Horwitz S., Reps T., Binkley D.: Interprocedural slicing using dependence graphs. ACM Trans. Program. Lang. Syst. 12(1), 26–60 (1990). doi: 10.1145/77606.77608 CrossRefGoogle Scholar
  27. 27.
    Hunt, S., Sands, D.: On flow-sensitive security types. In: POPL ’06: Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 79–90. ACM Press, New York (2006). doi: 10.1145/1111037.1111045
  28. 28.
    Jayaraman, G., Ranganath, V.P., Hatcliff, J.: Kaveri: Delivering the Indus Java program slicer to Eclipse. In: Proceedings of Fundamental Approaches to Software Engineering (FASE’05). Lecture Notes in Computer Sciences, vol. 3442, pp. 269–272. Springer, Berlin (2005). doi: 10.1007/b107062
  29. 29.
    Kam J.B., Ullman J.D.: Monotone data flow analysis frameworks. Acta Inform. 7(3), 305–317 (1977). doi: 10.1007/BF00290339 zbMATHCrossRefMathSciNetGoogle Scholar
  30. 30.
    Klein G., Nipkow T.: A machine-checked model for a Java-like language, virtual machine, and compiler. ACM Trans. Program. Lang. Syst. 28(4), 619–695 (2006). doi: 10.1145/1146809.1146811 CrossRefGoogle Scholar
  31. 31.
    Krinke, J.: Context-sensitive slicing of concurrent programs. In: ESEC/FSE-11: Proceedings of the 9th European Software Engineering Conference Held Jointly with 11th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pp. 178–187. ACM, New York (2003). doi: 10.1145/940071.940096
  32. 32.
    Krinke, J.: Program slicing. In: Handbook of Software Engineering and Knowledge Engineering, vol. 3: Recent Advances. World Scientific, Singapore (2005)Google Scholar
  33. 33.
    Lhoták, O., Hendren, L.: Scaling Java points-to using Spark. In: Proceedings of 12th International Conference on Compiler Construction. Lecture Notes in Computer Sciences, vol. 2622, pp. 153–169 (2003). doi: 10.1007/3-540-36579-6_12
  34. 34.
    Livshits, B., Lam, M.S.: Finding security vulnerabilities in Java applications with static analysis. In: Proceedings of the Usenix Security Symposium, pp. 271–286. Baltimore, Maryland (2005). http://portal.acm.org/citation.cfm?id=1251416
  35. 35.
    Mantel, H., Reinhard, A.: Controlling the what and where of declassification in language-based security. In: ESOP ’07: Proceedings of the European Symposium on Programming. Lecture Notes in Computer Sciences, vol. 4421, pp. 141–156. Springer, Berlin (2007). doi: 10.1007/978-3-540-71316-6
  36. 36.
    Mantel, H., Sands, D.: Controlled declassification based on intransitive noninterference. In: Proceedings of the 2nd Asian Symposium on Programming Languages and Systems, APLAS 2004. Lecture Notes in Computer Sciences, vol. 3302, pp. 129–145. Springer, Taipei (2004). doi: 10.1007/b102225
  37. 37.
    Myers, A.C., Chong, S., Nystrom, N., Zheng, L., Zdancewic, S.: Jif: Java information flow. http://www.cs.cornell.edu/jif/
  38. 38.
    Myers A.C., Liskov B.: Protecting privacy using the decentralized label model. ACM Trans. Softw. Eng. Methodol. 9(4), 410–442 (2000). doi: 10.1145/363516.363526 CrossRefGoogle Scholar
  39. 39.
    Nanda M.G., Ramesh S.: Interprocedural slicing of multithreaded programs with applications to Java. ACM Trans. Program. Lang. Syst. 28(6), 1088–1144 (2006). doi: 10.1145/1186632.1186636 CrossRefGoogle Scholar
  40. 40.
    Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL—A Proof Assistant for Higher-Order Logic. Lecture Notes in Computer Sciences, vol. 2283. Springer, Berlin (2002). http://www4.informatik.tu-muenchen.de/~nipkow/LNCS2283/
  41. 41.
    Pistoia, M., Banerjee, A., Naumann, D.A.: Beyond stack inspection: a unified access-control and information-flow security model. In: SP ’07: Proceedings of the 2007 IEEE Symposium on Security and Privacy, pp. 149–163. IEEE Computer Society, Washington, DC (2007). doi: 10.1109/SP.2007.10
  42. 42.
    Pistoia M., Chandra S., Fink S.J., Yahav E.: A survey of static analysis methods for identifying security vulnerabilities in software systems. IBM Syst. J. 46(2), 265–288 (2007). doi: 10.1147/sj.462.0265 CrossRefGoogle Scholar
  43. 43.
    Pistoia, M., Flynn, R.J., Koved, L., Sreedhar, V.C.: Interprocedural analysis for privileged code placement and tainted variable detection. In: Proceedings of the 9th European Conference on Object-Oriented Programming. Lecture Notes in Computer Sciences, vol. 3586, pp. 362–386. Springer, Berlin (2005). doi: 10.1007/11531142_16
  44. 44.
    Ranganath V.P., Amtoft T., Banerjee A., Hatcliff J., Dwyer M.B.: A new foundation for control dependence and slicing for modern program structures. ACM Trans. Program. Lang. Syst. 29(5), 27 (2007). doi: 10.1145/1275497.1275502 CrossRefGoogle Scholar
  45. 45.
    Reps, T., Horwitz, S., Sagiv, M., Rosay, G.: Speeding up slicing. In: SIGSOFT ’94: Proceedings of the 2nd ACM SIGSOFT Symposium on Foundations of Software Engineering, pp. 11–20. ACM, New York (1994). doi: 10.1145/193173.195287
  46. 46.
    Reps, T., Yang, W.: The semantics of program slicing. Tech. Rep. 777, Computer Sciences Department, University of Wisconsin-Madison (1988). http://www.cs.wisc.edu/techreports/viewreport.php?report=777
  47. 47.
    Robschink, T., Snelting, G.: Efficient path conditions in dependence graphs. In: ICSE ’02: Proceedings of the 24th International Conference on Software Engineering, pp. 478–488. ACM Press, New York (2002). doi: 10.1145/581339.581398
  48. 48.
    Rountev, A., Milanova, A., Ryder, B.G.: Points-to analysis for Java using annotated constraints. In: OOPSLA ’01: Proceedings of the 16th ACM SIGPLAN Conference on Object Oriented Programming, Systems, Languages, and Applications, pp. 43–55. ACM, New York (2001). doi: 10.1145/504282.504286
  49. 49.
    Sabelfeld A., Myers A.: Language-based information-flow security. IEEE J. Sel. Areas Commun. 21(1), 5–19 (2003). doi: 10.1109/JSAC.2002.806121 CrossRefGoogle Scholar
  50. 50.
    Sabelfeld A., Sands D.: A PER model of secure information flow in sequential programs. Higher Order Symbol. Comput. 14(1), 59–91 (2001). doi: 10.1023/A:1011553200337 zbMATHCrossRefGoogle Scholar
  51. 51.
    Sabelfeld, A., Sands, D.: Dimensions and principles of declassification. In: CSFW ’05: Proceedings of the 18th IEEE Workshop on Computer Security Foundations, pp. 255–269. IEEE Computer Society, Washington, DC (2005). doi: 10.1109/CSFW.2005.15
  52. 52.
    Scholz, B., Zhang, C., Cifuentes, C.: User-input dependence analysis via graph reachability. In: Proceedings of Eighth IEEE International Working Conference on Source Code Analysis and Manipulation, pp. 25–34 (2008). doi: 10.1109/SCAM.2008.22
  53. 53.
    Smith, G., Volpano, D.: Secure information flow in a multi-threaded imperative language. In: POPL ’98: Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 355–364. ACM, New York (1998). doi: 10.1145/268946.268975
  54. 54.
    Snelting, G.: Combining slicing and constraint solving for validation of measurement software. In: SAS ’96: Proceedings of the Third International Symposium on Static Analysis, pp. 332–348. Springer, London (1996). doi: 10.1007/3-540-61739-6_51
  55. 55.
    Snelting G., Robschink T., Krinke J.: Efficient path conditions in dependence graphs for software safety analysis. ACM Trans. Softw. Eng. Methodol. 15(4), 410–457 (2006). doi: 10.1145/1178625.1178628 CrossRefGoogle Scholar
  56. 56.
    Volpano, D.M., Smith, G.: A type-based approach to program security. In: TAPSOFT ’97: Proceedings of the 7th International Joint Conference CAAP/FASE on Theory and Practice of Software Development. Lecture Notes in Computer Sciences, vol. 1214, pp. 607–621. Springer, London (1997). doi: 10.1007/BFb0030629
  57. 57.
    Wasserrab, D., Lohner, D., Snelting, G.: On PDG-based noninterference and its modular proof. In: PLAS ’09: Proceedings of the 4th Workshop on Programming Languages and Analysis for Security. ACM, New York (2009). doi: 10.1145/1554339.1554345
  58. 58.
    Yokomori R., Ohata F., Takata Y., Seki H., Inoue K.: An information-leak analysis system based on program slicing. Inform. Softw. Technol. 44(15), 903–910 (2002). doi: 10.1016/S0950-5849(02)00127-1 CrossRefGoogle Scholar

Copyright information

© Springer-Verlag 2009

Authors and Affiliations

  1. 1.Universität Karlsruhe (TH)KarlsruheGermany

Personalised recommendations