Abstract
In this paper, we describe the application of the interactive theorem prover Coq to the security analysis of bytecode as used in Java. We provide a generic specification and proof of non-interference for bytecode languages using the Coq module system. We illustrate the use of this formalization by applying it to a small subset of Java bytecode. The emphasis of the paper is on modularity of a language formalization and its analysis in a machine proof.
Additional information
C. B. Jones
Kammüller, F. Formalizing non-interference for a simple bytecode language in Coq. Form Asp Comp 20, 259–275 (2008). https://doi.org/10.1007/s00165-007-0055-2