Towards Confidentiality-by-Construction

  • Ina Schaefer
  • Tobias Runge
  • Alexander Knüppel
  • Loek Cleophas
  • Derrick Kourie
  • Bruce W. Watson
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11244)


Guaranteeing that information processed in computing systems remains confidential is vital for many software applications. To this end, language-based security mechanisms enforce fine-grained access control policies for program variables to prevent secret information from leaking through unauthorized access. However, approaches to language-based security by information flow control mostly work post hoc: they classify a program as complying or not complying with an information flow policy only after the program has been constructed. Means for constructing programs that satisfy given information flow control policies are still missing. Following the correctness-by-construction approach, we propose a development method in which information flow policies are specified first and programs satisfying these policies are constructed subsequently. We replace functional pre- and postcondition specifications with confidentiality properties and define rules that derive new confidentiality specifications for each refining program construct. We discuss possible extensions, including initial ideas for tool support. Applying correctness-by-construction techniques to confidentiality properties constitutes a first step towards security-by-construction.



The authors would like to thank the anonymous reviewers for valuable comments and suggestions for improvements and future work.



Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Ina Schaefer (1)
  • Tobias Runge (1)
  • Alexander Knüppel (1)
  • Loek Cleophas (2, 3)
  • Derrick Kourie (3, 4)
  • Bruce W. Watson (3, 4)

  1. Software Engineering, TU Braunschweig, Braunschweig, Germany
  2. Software Engineering Technology Group, TU Eindhoven, Eindhoven, The Netherlands
  3. Department of Information Science, Stellenbosch University, Stellenbosch, South Africa
  4. Centre for Artificial Intelligence Research, Stellenbosch, South Africa
