# A new algorithm for low-deterministic security

## Abstract

We present a new algorithm for checking probabilistic noninterference in concurrent programs. The algorithm, named RLSOD, is based on the *Low-Security Observational Determinism* criterion. It utilizes program dependence graphs for concurrent programs and is flow-sensitive, context-sensitive, object-sensitive, and optionally time-sensitive. Due to a new definition of low-equivalency for infinite traces, the algorithm avoids restrictions or soundness leaks of previous approaches. A soundness proof is provided. Flow sensitivity turns out to be the key to precision and avoids prohibition of useful nondeterminism. The algorithm has been implemented for full Java byte code with unlimited threads. Precision and scalability have been experimentally validated.

## Keywords

Software security, Noninterference, Program dependence graph, Information flow control

## Notes

### Acknowledgments

We thank the reviewers for their very insightful observations and suggestions. Joachim Breitner, Jürgen Graf, Martin Hecker, and Martin Mohr provided valuable comments.
