Journal of Automated Reasoning, Volume 61, Issue 1–4, pp 113–139

CoSMed: A Confidentiality-Verified Social Media Platform

  • Thomas Bauereiß
  • Armando Pesenti Gritti
  • Andrei Popescu
  • Franco Raimondi


This paper describes progress with our agenda of formal verification of information flow security for realistic systems. We present CoSMed, a social media platform with verified document confidentiality. The system’s kernel is implemented and verified in the proof assistant Isabelle/HOL. For verification, we employ the framework of Bounded-Deducibility (BD) Security, previously introduced for the conference system CoCon. CoSMed is a second major case study in this framework. For CoSMed, the static topology of declassification bounds and triggers that characterized previous instances of BD Security has to give way to a dynamic integration of the triggers as part of the bounds. We also show that, from a theoretical viewpoint, the removal of triggers from the notion of BD Security does not restrict its expressiveness.


Keywords: Information flow security; Secure social media platform; Formal verification; Interactive theorem proving; Isabelle/HOL



We are indebted to the reviewers of both the conference and the journal versions of this paper for useful comments and suggestions, which led to significant improvements in the presentation. We gratefully acknowledge support from: Innovate UK through the Knowledge Transfer Partnership 010041 between Caritas Anchor House and Middlesex University: “The Global Noticeboard (GNB): a verified social media platform with a charitable, humanitarian purpose”; EPSRC through grants “VOWS” (EP/N019547/1) and “VRBMAS” (EP/K033921/1); DFG through grants “MORES” (Hu 737/5-2) and “SecDed” (Ni 491/13-3) in the priority program “RS³: Reliably Secure Software Systems” (SPP 1496).

Copyright information

© Springer Science+Business Media B.V., part of Springer Nature 2017

Authors and Affiliations

  1. German Research Center for Artificial Intelligence (DFKI), Bremen, Germany
  2. Department of Computer Science, Middlesex University, London, UK
  3. Global NoticeBoard, London, UK
  4. Institute of Mathematics Simion Stoilow of the Romanian Academy, Bucharest, Romania