Formalizing non-interference for a simple bytecode language in Coq

Original Article, Formal Aspects of Computing

Abstract

In this paper, we describe the application of the interactive theorem prover Coq to the security analysis of bytecode as used in Java. We provide a generic specification and proof of non-interference for bytecode languages using the Coq module system. We illustrate the use of this formalization by applying it to a small subset of Java bytecode. The emphasis of the paper is on modularity of a language formalization and its analysis in a machine proof.



Corresponding author

Correspondence to Florian Kammüller.

Additional information

C. B. Jones


Cite this article

Kammüller, F. Formalizing non-interference for a simple bytecode language in Coq. Form Asp Comp 20, 259–275 (2008). https://doi.org/10.1007/s00165-007-0055-2
