Using Theorem Provers to Increase the Precision of Dependence Analysis for Information Flow Control

  • Bernhard Beckert
  • Simon Bischof
  • Mihai HerdaEmail author
  • Michael Kirsten
  • Marko Kleine Büning
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11232)


Information flow control (IFC) is a category of techniques for enforcing information flow properties. In this paper we present the Combined Approach, a novel IFC technique that combines a scalable system-dependence-graph-based (SDG-based) approach with a precise logic-based approach based on a theorem prover. The Combined Approach has an increased precision compared with the SDG-based approach on its own, without sacrificing its scalability. For every potential illegal information flow reported by the SDG-based approach, the Combined Approach automatically generates proof obligations that, if valid, prove that there is no program path for which the reported information flow can happen. These proof obligations are then relayed to the logic-based approach.

We also show how the SDG-based approach can provide additional information to the theorem prover that helps decrease the verification effort. Moreover, we present a prototypical implementation of the Combined Approach that uses the tools JOANA and KeY as the SDG-based and logic-based approach respectively.


Information flow control Noninterference System dependence graph Deductive verification 



We are grateful to the student Holger Klein for implementing the prototype. This work was supported by the German Research Foundation (DFG) under the project DeduSec (BE 2334/6-3) in the priority program “Reliably Secure Software Systems” (\(\text {RS}^3\), SPP 1496).


  1. 1.
    Ahrendt, W., Beckert, B., Bubel, R., Hähnle, R., Schmitt, P.H., Ulbrich, M. (eds.): Deductive Software Verification - The KeY Book: From Theory to Practice. LNCS, vol. 10001. Springer, Heidelberg (2016). Scholar
  2. 2.
    Barthe, G., D’Argenio, P.R., Rezk, T.: Secure information flow by self-composition. In: 17th IEEE Computer Security Foundations Workshop, CSFW-17 2004, pp. 100–114. IEEE Computer Society (2004)Google Scholar
  3. 3.
    Beckert, B., Bruns, D., Klebanov, V., Scheben, C., Schmitt, P.H., Ulbrich, M.: Information flow in object-oriented software. In: Gupta, G., Peña, R. (eds.) LOPSTR 2013. LNCS, vol. 8901, pp. 19–37. Springer, Cham (2014). Scholar
  4. 4.
    Darvas, Á., Hähnle, R., Sands, D.: A theorem proving approach to analysis of secure information flow. In: Hutter, D., Ullmann, M. (eds.) SPC 2005. LNCS, vol. 3450, pp. 193–209. Springer, Heidelberg (2005). Scholar
  5. 5.
    Denning, D.E.: A lattice model of secure information flow. Commun. ACM 19(5), 236–243 (1976)MathSciNetCrossRefGoogle Scholar
  6. 6.
    Denning, D.E., Denning, P.J.: Certification of programs for secure information flow. Commun. ACM 20(7), 504–513 (1977)CrossRefGoogle Scholar
  7. 7.
    Ferrante, J., Ottenstein, K.J., Warren, J.D.: The program dependence graph and its use in optimization. ACM Trans. Program. Lang. Syst. 9(3), 319–349 (1987)CrossRefGoogle Scholar
  8. 8.
    Goguen, J.A., Meseguer, J.: Security policies and security models. In: Symposium on Security and Privacy (SP), pp. 11–20 (1982)Google Scholar
  9. 9.
    Graf, J., Hecker, M., Mohr, M.: Using JOANA for information flow control in Java programs - a practical guide. In: Wagner, S., Lichter, H. (eds.) Conference on Programming Languages (ATP). LNI, vol. 215, pp. 123–138. Springer, Heidelberg (2013)Google Scholar
  10. 10.
    Graf, J., Hecker, M., Mohr, M.: Using JOANA for information flow control in Java programs-a practical guide. In: Wagner, S., Lichter, H. (eds.) Software Engineering, Fachtagung des GI-Fachbereichs Softwaretechnik. LNI, vol. 215, pp. 123–138. GI (2013)Google Scholar
  11. 11.
    Hammer, C.: Information flow control for java - a comprehensive approach based on path conditions in dependence graphs. Ph.D. thesis, Universität Karlsruhe (TH), Fak. f. Informatik, July 2009.
  12. 12.
    Hammer, C., Krinke, J., Snelting, G.: Information flow control for Java based on path conditions in dependence graphs. In: Symposium on Secure Software Engineering, pp. 87–96 (2006)Google Scholar
  13. 13.
    Hammer, C., Snelting, G.: Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs. Int. J. Inf. Sec. 8(6), 399–422 (2009)CrossRefGoogle Scholar
  14. 14.
    Herda, M., Tyszberowicz, S., Beckert, B.: Using dependence graphs to assist verification and testing of information-flow properties. In: Dubois, C., Wolff, B. (eds.) TAP 2018. LNCS, vol. 10889, pp. 83–102. Springer, Cham (2018). Scholar
  15. 15.
    Horwitz, S., Reps, T., Binkley, D.: Interprocedural slicing using dependence graphs. Trans. Program. Lang. Syst. 12(1), 26–60 (1990)CrossRefGoogle Scholar
  16. 16.
    Kapur, D.: Automatically generating loop invariants using quantifier elimination. In: Baader, F., Baumgartner, P., Nieuwenhuis, R., Voronkov, A. (eds.) Deduction and Applications, 23-28 October 2005. Dagstuhl Seminar Proceedings, vol. 05431. Internationales Begegnungs- und Forschungszentrum für Informatik (IBFI), Schloss Dagstuhl, Germany (2005)Google Scholar
  17. 17.
    Küsters, R., Truderung, T., Beckert, B., Bruns, D., Kirsten, M., Mohr, M.: A hybrid approach for proving noninterference of Java programs. In: Fournet, C., Hicks, M.W., Viganò, L. (eds.) 28th Computer Security Foundations Symposium (CSF), pp. 305–319. IEEE Computer Society (2015)Google Scholar
  18. 18.
    Leavens, G.T., Kiniry, J.R., Poll, E.: A JML tutorial: modular specification and verification of functional behavior for Java. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 37–37. Springer, Heidelberg (2007). Scholar
  19. 19.
    Lortz, S., Mantel, H., Starostin, A., Bähr, T., Schneider, D., Weber, A.: Cassandra: towards a certifying app store for Android. In: ACM Workshop on Security and Privacy in Smartphones & Mobile Devices (SPSM), pp. 93–104. ACM (2014)Google Scholar
  20. 20.
    Mantel, H., Sudbrock, H.: Types vs. PDGs in information flow analysis. In: Albert, E. (ed.) LOPSTR 2012. LNCS, vol. 7844, pp. 106–121. Springer, Heidelberg (2013). Scholar
  21. 21.
    Rodríguez-Carbonell, E., Kapur, D.: Generating all polynomial invariants in simple loops. J. Symbolic Comput. 42(4), 443–476 (2007)MathSciNetCrossRefGoogle Scholar
  22. 22.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Sel. A. Commun. 21(1), 5–19 (2006)CrossRefGoogle Scholar
  23. 23.
    Scheben, C., Schmitt, P.H.: Verification of information flow properties of Java programs without approximations. In: Beckert, B., Damiani, F., Gurov, D. (eds.) FoVeOOS 2011. LNCS, vol. 7421, pp. 232–249. Springer, Heidelberg (2012). Scholar
  24. 24.
    Snelting, G.: Combining slicing and constraint solving for validation of measurement software. In: Cousot, R., Schmidt, D.A. (eds.) SAS 1996. LNCS, vol. 1145, pp. 332–348. Springer, Heidelberg (1996). Scholar
  25. 25.
    Snelting, G., Robschink, T., Krinke, J.: Efficient path conditions in dependence graphs for software safety analysis. ACM Trans. Softw. Eng. Methodol. 15(4), 410–457 (2006)CrossRefGoogle Scholar
  26. 26.
    Volpano, D.M., Irvine, C.E., Smith, G.: A sound type system for secure flow analysis. J. Comput. Secur. 4(2/3), 167–188 (1996)CrossRefGoogle Scholar
  27. 27.
    Wasserrab, D., Lohner, D.: Proving information flow noninterference by reusing a machine-checked correctness proof for slicing. In: Aderhold, M., Autexier, S., Mantel, H. (eds.) Verification Workshop (VERIFY). EPiC Series in Computing, vol. 3, pp. 141–155 (2010)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Bernhard Beckert
    • 1
  • Simon Bischof
    • 1
  • Mihai Herda
    • 1
    Email author
  • Michael Kirsten
    • 1
  • Marko Kleine Büning
    • 1
  1. 1.Karlsruhe Institute of Technology (KIT)KarlsruheGermany

Personalised recommendations