CoSMed: A Confidentiality-Verified Social Media Platform


This paper describes progress with our agenda of formal verification of information flow security for realistic systems. We present CoSMed, a social media platform with verified document confidentiality. The system’s kernel is implemented and verified in the proof assistant Isabelle/HOL. For verification, we employ the framework of Bounded-Deducibility (BD) Security, previously introduced for the conference system CoCon. CoSMed is a second major case study in this framework. For CoSMed, the static topology of declassification bounds and triggers that characterized previous instances of BD Security has to give way to a dynamic integration of the triggers as part of the bounds. We also show that, from a theoretical viewpoint, the removal of triggers from the notion of BD Security does not restrict its expressiveness.



Footnotes

1. In principle, password storage could be moved to the wrapper completely, but for our prototype we chose to store all persistent data in the kernel.

2. As it will turn out, this property needs to be refined in order to hold. We will do this in Sect. 3.4.

3. Locales [37] are Isabelle/HOL-specific structuring mechanisms. They allow for the development of theorems parameterized by abstract data and assumptions, and they automate the process of instantiating the theorems: the user provides concrete instances for the data and discharges the assumptions; in exchange, they obtain an unconditional version of the theorems for the given instance.

4. Isar [55] is a scripting language for Isabelle that allows one to express structured proofs in forward, pen-and-paper style, stating intermediate facts for later use, with the possibility of resorting to fully automated proofs for simple enough facts. It was inspired by the language used in the Mizar proof assistant [47].

5. Sledgehammer differs from the internal automation in that it requires no instrumentation (of which facts to invoke in the proof, to add to the simplifier, etc.). Instead, Sledgehammer applies a relevance filter to identify facts that are likely to be useful for the stated goal; these facts are translated to first-order logic and handed over to the automatic provers; a possible positive answer from any of the provers (which also contains the much smaller set of actually used facts) is translated back into Isabelle/HOL’s logic, where the original goal is discharged [15, §7].


References

1. OWASP top ten project.

2. The CoSMed Homepage.

3. The CoSMeDis Homepage.

4. Jif: Java + information flow. (2014)

5. SPARK. (2014)

6. Caritas Anchor House. (2016)

7. The diaspora* project. (2016)

8. Arapinis, M., Bursuc, S., Ryan, M.: Privacy supporting cloud computing: ConfiChair, a case study. In: POST, pp. 89–108 (2012)

9. Barthe, G., Grégoire, B., Béguelin, S.Z.: Formal certification of code-based cryptographic proofs. In: POPL, pp. 90–101 (2009)

10. Bauereiß, T., Gritti, A.P., Popescu, A., Raimondi, F.: CoSMed: a confidentiality-verified conference management system. In: ITP (2016)

11. Bauereiß, T., Pesenti Gritti, A., Popescu, A., Raimondi, F.: CoSMeDis: A distributed social media platform with formally verified confidentiality guarantees. In: IEEE Security and Privacy, pp. 729–748 (2017)

12. Bichhawat, A., Rajani, V., Garg, D., Hammer, C.: Information flow control in WebKit’s JavaScript bytecode. In: POST, pp. 159–178 (2014)

13. Blanchet, B., Abadi, M., Fournet, C.: Automated verification of selected equivalences for security protocols. In: LICS, pp. 331–340 (2005)

14. Blanchette, J.C., Böhme, S., Fleury, M., Smolka, S.J., Steckermeier, A.: Semi-intelligible Isar proofs from machine-generated proofs. J. Autom. Reason. 56(2), 155–200 (2016)

15. Blanchette, J.C., Böhme, S., Popescu, A., Smallbone, N.: Encoding monomorphic and polymorphic types. Log. Methods Comput. Sci. 12(4) (2016)

16. Blanchette, J.C., Hölzl, J., Lochbihler, A., Panny, L., Popescu, A., Traytel, D.: Truly modular (co)datatypes for Isabelle/HOL. In: ITP, pp. 93–110 (2014)

17. Blanchette, J.C., Merz, S. (eds.): Interactive theorem proving. In: Proceedings of the 7th International Conference, ITP 2016, Nancy, France, 22–25 Aug 2016, LNCS vol. 9807 (2016)

18. Broberg, N., van Delft, B., Sands, D.: Paragon—practical programming with information flow control. J. Comput. Secur. 25(4–5), 323–365 (2017)

19. Chlipala, A.: Ur/Web: a simple model for programming the web. In: POPL, pp. 153–165 (2015)

20. Chong, S., van der Meyden, R.: Using architecture to reason about information security. ACM Trans. Inf. Syst. Secur. 18(2), 8:1–8:30 (2015)

21. Chugh, R., Meister, J.A., Jhala, R., Lerner, S.: Staged information flow for JavaScript. In: PLDI, pp. 50–62 (2009)

22. Dam, M., Guanciale, R., Khakpour, N., Nemati, H., Schwarz, O.: Formal verification of information flow security for a simple ARM-based separation kernel. In: CCS, pp. 223–234 (2013)

23. de Amorim, A.A., Collins, N., DeHon, A., Demange, D., Hriţcu, C., Pichardie, D., Pierce, B.C., Pollack, R., Tolmach, A.: A verified information-flow architecture. In: POPL, pp. 165–178 (2014)

24. de Nivelle, H. (ed.): Automated reasoning with analytic tableaux and related methods. In: Proceedings of the 24th International Conference, TABLEAUX 2015, Wrocław, Poland, 21–24 Sept 2015, LNCS vol. 9323 (2015)

25. Esparza, J., Lammich, P., Neumann, R., Nipkow, T., Schimpf, A., Smaus, J.: A fully verified executable LTL model checker. In: CAV, pp. 463–478 (2013)

26. Finkbeiner, B., Rabe, M.N., Sánchez, C.: Algorithms for model checking HyperLTL and HyperCTL*. In: CAV, pp. 30–48

27. Fong, P.W.L., Anwar, M.M., Zhao, Z.: A privacy preservation model for Facebook-style social network systems. In: ESORICS, pp. 303–320 (2009)

28. Goguen, J.A., Meseguer, J.: Unwinding and inference control. In: IEEE Symposium on Security and Privacy, pp. 75–87 (1984)

29. Groef, W.D., Devriese, D., Nikiforakis, N., Piessens, F.: FlowFox: a web browser with flexible and precise information flow control. In: CCS, pp. 748–759 (2012)

30. Guttman, J.D., Rowe, P.D.: A cut principle for information flow. In: CSF, pp. 107–121 (2015)

31. Haftmann, F.: Code generation from specifications in higher-order logic. Ph.D. thesis, Technische Universität München (2009)

32. Haftmann, F., Nipkow, T.: Code generation via higher-order rewrite systems. In: FLOPS, pp. 103–117 (2010)

33. Haftmann, F., Wenzel, M.: Constructive type classes in Isabelle. In: TYPES, pp. 160–174 (2006)

34. Hardin, D.S., Smith, E.W., Young, W.D.: A robust machine code proof framework for highly secure applications. In: ACL2, pp. 11–20 (2006)

35. Hawblitzel, C., Howell, J., Lorch, J.R., Narayan, A., Parno, B., Zhang, D., Zill, B.: Ironclad apps: end-to-end security via automated full-system verification. In: OSDI ’14, pp. 165–181 (2014)

36. Jang, D., Tatlock, Z., Lerner, S.: Establishing browser security guarantees through formal shim verification. In: USENIX Security, pp. 113–128 (2012)

37. Kammüller, F., Wenzel, M., Paulson, L.C.: Locales—a sectioning concept for Isabelle. In: TPHOLs’99, pp. 149–166 (1999)

38. Kanav, S., Lammich, P., Popescu, A.: A conference management system with verified document confidentiality. In: CAV, pp. 167–183 (2014)

39. Klein, G., Andronick, J., Elphinstone, K., Heiser, G., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: seL4: formal verification of an operating-system kernel. Commun. ACM 53(6), 107–115 (2010)

40. Kumar, R., Myreen, M.O., Norrish, M., Owens, S.: CakeML: a verified implementation of ML. In: POPL, pp. 179–192 (2014)

41. Leroy, X.: Formal verification of a realistic compiler. Commun. ACM 52(7), 107–115 (2009)

42. Lochbihler, A.: Java and the Java memory model—a unified, machine-checked formalisation. In: ESOP, pp. 497–517 (2012)

43. Mantel, H.: Possibilistic definitions of security—an assembly kit. In: CSFW, pp. 185–199 (2000)

44. Mantel, H.: Information flow and noninterference. In: Encyclopedia of Cryptography and Security, 2nd edn., pp. 605–607 (2011)

45. Moore, J.S., Lynch, T.W., Kaufmann, M.: A mechanically checked proof of the AMD5K86 floating point division program. IEEE Trans. Comput. 47(9), 913–926 (1998)

46. Murray, T.C., Matichuk, D., Brassil, M., Gammie, P., Bourke, T., Seefried, S., Lewis, C., Gao, X., Klein, G.: seL4: from general purpose to a proof of information flow enforcement. In: IEEE Security and Privacy, pp. 415–429 (2013)

47. Naumowicz, A., Korniłowicz, A.: A brief overview of Mizar. In: TPHOLs, pp. 67–72 (2009)

48. Nipkow, T.: Programming and proving in Isabelle/HOL. (2017)

49. Nipkow, T., Klein, G.: Concrete Semantics: With Isabelle/HOL. Springer, Berlin (2014)

50. Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL: A Proof Assistant for Higher-Order Logic. LNCS, vol. 2283. Springer, Berlin (2002)

51. Pardo, R., Schneider, G.: A formal privacy policy framework for social networks. In: SEFM, pp. 378–392 (2014)

52. Paulson, L.C., Blanchette, J.C.: Three years of experience with Sledgehammer, a practical link between automatic and interactive theorem provers. In: IWIL (2010)

53. Sabelfeld, A., Sands, D.: Declassification: dimensions and principles. J. Comput. Secur. 17(5), 517–548 (2009)

54. Sutherland, D.: A model of information. In: 9th National Security Conference, pp. 175–183 (1986)

55. Wenzel, M.: Isar—a generic interpretative approach to readable formal proof documents. In: TPHOLs, pp. 167–184 (1999)

56. Yang, J., Yessenov, K., Solar-Lezama, A.: A language for automatically enforcing privacy policies. In: POPL, pp. 85–96 (2012)



We are indebted to the reviewers of both the conference and the journal versions of this paper for useful comments and suggestions, which led to the significant improvement of the presentation. We gratefully acknowledge support from: Innovate UK through the Knowledge Transfer Partnership 010041 between Caritas Anchor House and Middlesex University: “The Global Noticeboard (GNB): a verified social media platform with a charitable, humanitarian purpose”; EPSRC through grants “VOWS” (EP/N019547/1) and “VRBMAS” (EP/K033921/1); DFG through grants “MORES” (Hu 737/5-2) and “SecDed” (Ni 491/13-3) in the priority program “RS³: Reliably Secure Software Systems” (SPP 1496).

Author information

Corresponding author: Andrei Popescu.


Cite this article

Bauereiß, T., Pesenti Gritti, A., Popescu, A. et al. CoSMed: A Confidentiality-Verified Social Media Platform. J Autom Reasoning 61, 113–139 (2018).

Keywords


  • Information flow security
  • Secure social media platform
  • Formal verification
  • Interactive theorem proving
  • Isabelle/HOL