Skip to main content
SpringerLink
Log in

Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs

  • Regular Contribution
  • Published:
International Journal of Information Security Aims and scope Submit manuscript

Abstract

Information flow control (IFC) checks whether a program can leak secret data to public ports, or whether critical computations can be influenced from outside. But many IFC analyses are imprecise, as they are flow-insensitive, context-insensitive, or object-insensitive; resulting in false alarms. We argue that IFC must better exploit modern program analysis technology, and present an approach based on program dependence graphs (PDG). PDGs have been developed over the last 20 years as a standard device to represent information flow in a program, and today can handle realistic programs. In particular, our dependence graph generator for full Java bytecode is used as the basis for an IFC implementation which is more precise and needs less annotations than traditional approaches. We explain PDGs for sequential and multi-threaded programs, and explain precision gains due to flow-, context-, and object-sensitivity. We then augment PDGs with a lattice of security levels and introduce the flow equations for IFC. We describe algorithms for flow computation in detail and prove their correctness. We then extend flow equations to handle declassification, and prove that our algorithm respects monotonicity of release. Finally, examples demonstrate that our implementation can check realistic sequential programs in full Java bytecode.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Abadi, M., Banerjee, A., Heintze, N., Riecke, J.G.: A core calculus of dependency. In: POPL ’99: Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 147–160. ACM, New York (1999). doi:10.1145/292540.292555

  2. Agat, J.: Transforming out timing leaks. In: POPL ’00: Proceedings of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 40–53. ACM, New York (2000). doi:10.1145/325694.325702

  3. Amtoft, T., Bandhakavi, S., Banerjee, A.: A logic for information flow in object-oriented programs. In: POPL ’06: Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 91–102. ACM, New York (2006). doi:10.1145/1111037.1111046

  4. Anderson, P., Reps, T., Teitelbaum, T.: Design and implementation of a fine-grained software inspection tool. IEEE Trans. Softw. Eng. 29(8) (2003). doi:10.1109/TSE.2003.1223646

  5. Barthe, G., Rezk, T.: Non-interference for a JVM-like language. In: TLDI ’05: Proceedings of the 2005 ACM SIGPLAN International Workshop on Types in Languages Design and Implementation, pp. 103–112. ACM Press, New York (2005). doi:10.1145/1040294.1040304

  6. Bell D.E., LaPadula L.J.: Secure computer systems: a mathematical model, vol. II. J. Comput. Secur. 4(2/3), 229–263 (1996). Based on MITRE Technical Report 2547, vol. II

    Google Scholar 

  7. Bergeretti J.F., Carré B.A.: Information-flow and data-flow analysis of while-programs. ACM Trans. Program. Lang. Syst. 7(1), 37–61 (1985). doi:10.1145/2363.2366

    Article  MATH  Google Scholar 

  8. Biba, K.J.: Integrity considerations for secure computer systems. Tech. Rep. MTR-3153, The Mitre Corporation (1977). doi:100.2/ADA039324

  9. Bieber, P., Cazin, J., Marouani, A.E., Girard, P., Lanet, J.L., Wiels, V., Zanon, G.: The PACAP prototype: a tool for detecting Java Card illegal flow. In: Proceedings of 1st International Workshop, Java Card 2000. Lecture Notes in Computer Sciences, vol. 2041, pp. 25–37. Springer, Cannes (2000). doi:10.1007/3-540-45165-X_3

  10. Binkley D., Harman M., Krinke J.: Empirical study of optimization techniques for massive slicing. ACM Trans. Program. Lang. Syst. 30(1), 3 (2007). doi:10.1145/1290520.1290523

    Article  Google Scholar 

  11. Chambers, C., Pechtchanski, I., Sarkar, V., Serrano, M.J., Srinivasan, H.: Dependence analysis for Java. In: Proceedings of the 12th International Workshop on Languages and Compilers for Parallel Computing, pp. 35–52. Springer, Berlin (1999). doi:10.1007/3-540-44905-1_3

  12. Chess B., McGraw G.: Static analysis for security. IEEE Secur. Priv. 2(6), 76–79 (2004). doi:10.1109/MSP.2004.111

    Article  Google Scholar 

  13. Clark D., Hankin C., Hunt S.: Information flow for Algol-like languages. Comput. Lang. Syst. Struct. 28(1), 3–28 (2002). doi:10.1016/S0096-0551(02)00006-1

    Article  MATH  Google Scholar 

  14. Cohen, E.S.: Foundations of Secure Computation, chap. Information Transmission in Sequential Programs, pp. 297–335. Academic Press, Orlando (1978). Paper presented at a 3 day workshop held at Georgia Inst. of Technology, Atlanta, Oct. 1977

  15. Ferrante J., Ottenstein K.J., Warren J.D.: The program dependence graph and its use in optimization. ACM Trans. Program. Lang. Syst. 9(3), 319–349 (1987). doi:10.1145/24039.24041

    Article  MATH  Google Scholar 

  16. Giffhorn, D., Hammer, C.: Precise analysis of Java programs using JOANA (tool demonstration). In: Proceedings of 8th IEEE International Working Conference on Source Code Analysis and Manipulation, pp. 267–268 (2008). doi:10.1109/SCAM.2008.17

  17. Giffhorn D., Hammer C.: Precise slicing of concurrent programs—an evaluation of precise slicing algorithms for concurrent programs. J. Autom. Softw. Eng. 16(2), 197–234 (2009). doi:10.1007/s10515-009-0048-x

    Article  Google Scholar 

  18. Goguen, J.A., Meseguer, J.: Interference control and unwinding. In: Proceedings of Symposium on Security and Privacy, pp. 75–86. IEEE, New York (1984). doi:10.1109/SP.1984.10019

  19. Hammer, C.: Information flow control for Java. Ph.D. thesis, Universität Karlsruhe (TH) (2009, Forthcoming)

  20. Hammer, C., Krinke, J., Nodes, F.: Intransitive noninterference in dependence graphs. In: Proceedings of Second International Symposium on Leveraging Application of Formal Methods, Verification and Validation (ISoLA 2006), pp. 119–128. IEEE Computer Society, Washington, DC (2006). doi:10.1109/ISoLA.2006.39

  21. Hammer, C., Krinke, J., Snelting, G.: Information flow control for Java based on path conditions in dependence graphs. In: Proceedings of IEEE International Symposium on Secure Software Engineering (ISSSE’06), pp. 87–96 (2006)

  22. Hammer, C., Schaade, R., Snelting, G.: Static path conditions for Java. In: PLAS ’08: Proceedings of the Third ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pp. 57–66. ACM, New York (2008). doi:10.1145/1375696.1375704

  23. Hammer, C., Snelting, G.: An improved slicer for Java. In: PASTE ’04: Proceedings of the 5th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering, pp. 17–22. ACM Press, New York (2004). doi:10.1145/996821.996830

  24. Hardekopf, B., Lin, C.: Semi-sparse flow sensitive pointer analysis. In: POPL ’09: Proceedings of the 36th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 226–238. ACM, New York (2009). doi:10.1145/1480881.1480911

  25. Horwitz, S., Prins, J., Reps, T.: On the adequacy of program dependence graphs for representing programs. In: POPL ’88: Proceedings of the 15th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 146–157. ACM, New York (1988). doi:10.1145/73560.73573

  26. Horwitz S., Reps T., Binkley D.: Interprocedural slicing using dependence graphs. ACM Trans. Program. Lang. Syst. 12(1), 26–60 (1990). doi:10.1145/77606.77608

    Article  Google Scholar 

  27. Hunt, S., Sands, D.: On flow-sensitive security types. In: POPL ’06: Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 79–90. ACM Press, New York (2006). doi:10.1145/1111037.1111045

  28. Jayaraman, G., Ranganath, V.P., Hatcliff, J.: Kaveri: Delivering the Indus Java program slicer to Eclipse. In: Proceedings of Fundamental Approaches to Software Engineering (FASE’05). Lecture Notes in Computer Sciences, vol. 3442, pp. 269–272. Springer, Berlin (2005). doi:10.1007/b107062

  29. Kam J.B., Ullman J.D.: Monotone data flow analysis frameworks. Acta Inform. 7(3), 305–317 (1977). doi:10.1007/BF00290339

    Article  MATH  MathSciNet  Google Scholar 

  30. Klein G., Nipkow T.: A machine-checked model for a Java-like language, virtual machine, and compiler. ACM Trans. Program. Lang. Syst. 28(4), 619–695 (2006). doi:10.1145/1146809.1146811

    Article  Google Scholar 

  31. Krinke, J.: Context-sensitive slicing of concurrent programs. In: ESEC/FSE-11: Proceedings of the 9th European Software Engineering Conference Held Jointly with 11th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pp. 178–187. ACM, New York (2003). doi:10.1145/940071.940096

  32. Krinke, J.: Program slicing. In: Handbook of Software Engineering and Knowledge Engineering, vol. 3: Recent Advances. World Scientific, Singapore (2005)

  33. Lhoták, O., Hendren, L.: Scaling Java points-to using Spark. In: Proceedings of 12th International Conference on Compiler Construction. Lecture Notes in Computer Sciences, vol. 2622, pp. 153–169 (2003). doi:10.1007/3-540-36579-6_12

  34. Livshits, B., Lam, M.S.: Finding security vulnerabilities in Java applications with static analysis. In: Proceedings of the Usenix Security Symposium, pp. 271–286. Baltimore, Maryland (2005). http://portal.acm.org/citation.cfm?id=1251416

  35. Mantel, H., Reinhard, A.: Controlling the what and where of declassification in language-based security. In: ESOP ’07: Proceedings of the European Symposium on Programming. Lecture Notes in Computer Sciences, vol. 4421, pp. 141–156. Springer, Berlin (2007). doi:10.1007/978-3-540-71316-6

  36. Mantel, H., Sands, D.: Controlled declassification based on intransitive noninterference. In: Proceedings of the 2nd Asian Symposium on Programming Languages and Systems, APLAS 2004. Lecture Notes in Computer Sciences, vol. 3302, pp. 129–145. Springer, Taipei (2004). doi:10.1007/b102225

  37. Myers, A.C., Chong, S., Nystrom, N., Zheng, L., Zdancewic, S.: Jif: Java information flow. http://www.cs.cornell.edu/jif/

  38. Myers A.C., Liskov B.: Protecting privacy using the decentralized label model. ACM Trans. Softw. Eng. Methodol. 9(4), 410–442 (2000). doi:10.1145/363516.363526

    Article  Google Scholar 

  39. Nanda M.G., Ramesh S.: Interprocedural slicing of multithreaded programs with applications to Java. ACM Trans. Program. Lang. Syst. 28(6), 1088–1144 (2006). doi:10.1145/1186632.1186636

    Article  Google Scholar 

  40. Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL—A Proof Assistant for Higher-Order Logic. Lecture Notes in Computer Sciences, vol. 2283. Springer, Berlin (2002). http://www4.informatik.tu-muenchen.de/~nipkow/LNCS2283/

  41. Pistoia, M., Banerjee, A., Naumann, D.A.: Beyond stack inspection: a unified access-control and information-flow security model. In: SP ’07: Proceedings of the 2007 IEEE Symposium on Security and Privacy, pp. 149–163. IEEE Computer Society, Washington, DC (2007). doi:10.1109/SP.2007.10

  42. Pistoia M., Chandra S., Fink S.J., Yahav E.: A survey of static analysis methods for identifying security vulnerabilities in software systems. IBM Syst. J. 46(2), 265–288 (2007). doi:10.1147/sj.462.0265

    Article  Google Scholar 

  43. Pistoia, M., Flynn, R.J., Koved, L., Sreedhar, V.C.: Interprocedural analysis for privileged code placement and tainted variable detection. In: Proceedings of the 9th European Conference on Object-Oriented Programming. Lecture Notes in Computer Sciences, vol. 3586, pp. 362–386. Springer, Berlin (2005). doi:10.1007/11531142_16

  44. Ranganath V.P., Amtoft T., Banerjee A., Hatcliff J., Dwyer M.B.: A new foundation for control dependence and slicing for modern program structures. ACM Trans. Program. Lang. Syst. 29(5), 27 (2007). doi:10.1145/1275497.1275502

    Article  Google Scholar 

  45. Reps, T., Horwitz, S., Sagiv, M., Rosay, G.: Speeding up slicing. In: SIGSOFT ’94: Proceedings of the 2nd ACM SIGSOFT Symposium on Foundations of Software Engineering, pp. 11–20. ACM, New York (1994). doi:10.1145/193173.195287

  46. Reps, T., Yang, W.: The semantics of program slicing. Tech. Rep. 777, Computer Sciences Department, University of Wisconsin-Madison (1988). http://www.cs.wisc.edu/techreports/viewreport.php?report=777

  47. Robschink, T., Snelting, G.: Efficient path conditions in dependence graphs. In: ICSE ’02: Proceedings of the 24th International Conference on Software Engineering, pp. 478–488. ACM Press, New York (2002). doi:10.1145/581339.581398

  48. Rountev, A., Milanova, A., Ryder, B.G.: Points-to analysis for Java using annotated constraints. In: OOPSLA ’01: Proceedings of the 16th ACM SIGPLAN Conference on Object Oriented Programming, Systems, Languages, and Applications, pp. 43–55. ACM, New York (2001). doi:10.1145/504282.504286

  49. Sabelfeld A., Myers A.: Language-based information-flow security. IEEE J. Sel. Areas Commun. 21(1), 5–19 (2003). doi:10.1109/JSAC.2002.806121

    Article  Google Scholar 

  50. Sabelfeld A., Sands D.: A PER model of secure information flow in sequential programs. Higher Order Symbol. Comput. 14(1), 59–91 (2001). doi:10.1023/A:1011553200337

    Article  MATH  Google Scholar 

  51. Sabelfeld, A., Sands, D.: Dimensions and principles of declassification. In: CSFW ’05: Proceedings of the 18th IEEE Workshop on Computer Security Foundations, pp. 255–269. IEEE Computer Society, Washington, DC (2005). doi:10.1109/CSFW.2005.15

  52. Scholz, B., Zhang, C., Cifuentes, C.: User-input dependence analysis via graph reachability. In: Proceedings of Eighth IEEE International Working Conference on Source Code Analysis and Manipulation, pp. 25–34 (2008). doi:10.1109/SCAM.2008.22

  53. Smith, G., Volpano, D.: Secure information flow in a multi-threaded imperative language. In: POPL ’98: Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 355–364. ACM, New York (1998). doi:10.1145/268946.268975

  54. Snelting, G.: Combining slicing and constraint solving for validation of measurement software. In: SAS ’96: Proceedings of the Third International Symposium on Static Analysis, pp. 332–348. Springer, London (1996). doi:10.1007/3-540-61739-6_51

  55. Snelting G., Robschink T., Krinke J.: Efficient path conditions in dependence graphs for software safety analysis. ACM Trans. Softw. Eng. Methodol. 15(4), 410–457 (2006). doi:10.1145/1178625.1178628

    Article  Google Scholar 

  56. Volpano, D.M., Smith, G.: A type-based approach to program security. In: TAPSOFT ’97: Proceedings of the 7th International Joint Conference CAAP/FASE on Theory and Practice of Software Development. Lecture Notes in Computer Sciences, vol. 1214, pp. 607–621. Springer, London (1997). doi:10.1007/BFb0030629

  57. Wasserrab, D., Lohner, D., Snelting, G.: On PDG-based noninterference and its modular proof. In: PLAS ’09: Proceedings of the 4th Workshop on Programming Languages and Analysis for Security. ACM, New York (2009). doi:10.1145/1554339.1554345

  58. Yokomori R., Ohata F., Takata Y., Seki H., Inoue K.: An information-leak analysis system based on program slicing. Inform. Softw. Technol. 44(15), 903–910 (2002). doi:10.1016/S0950-5849(02)00127-1

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Universität Karlsruhe (TH), Karlsruhe, Germany

    Christian Hammer & Gregor Snelting

Authors
  1. Christian Hammer
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Gregor Snelting
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Christian Hammer.

Additional information

This research was supported by Deutsche Forschungsgemeinschaft (DFG grant Sn11/9-2). Preliminary versions of parts of this article appeared in [20,21].

Rights and permissions

Reprints and permissions

About this article

Cite this article

Hammer, C., Snelting, G. Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs. Int. J. Inf. Secur. 8, 399–422 (2009). https://doi.org/10.1007/s10207-009-0086-1

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-009-0086-1

Keywords

Search

Navigation