A new algorithm for low-deterministic security

  • Dennis Giffhorn
  • Gregor Snelting
Regular Contribution


We present a new algorithm for checking probabilistic noninterference in concurrent programs. The algorithm, named RLSOD, is based on the Low-Security Observational Determinism criterion. It utilizes program dependence graphs for concurrent programs and is flow-sensitive, context-sensitive, object-sensitive, and optionally time-sensitive. Due to a new definition of low-equivalency for infinite traces, the algorithm avoids restrictions or soundness leaks of previous approaches. A soundness proof is provided. Flow sensitivity turns out to be the key to precision and avoids prohibition of useful nondeterminism. The algorithm has been implemented for full Java byte code with unlimited threads. Precision and scalability have been experimentally validated.


Keywords:
  • Software security
  • Noninterference
  • Program dependence graph
  • Information flow control



We thank the reviewers for their very insightful observations and suggestions. Joachim Breitner, Jürgen Graf, Martin Hecker, and Martin Mohr provided valuable comments.



Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Karlsruhe Institute of Technology, Karlsruhe, Germany
