A Conference Management System with Verified Document Confidentiality

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8559)


We present a case study in verified security for realistic systems: the implementation of a conference management system, whose functional kernel is faithfully represented in the Isabelle theorem prover, where we specify and verify confidentiality properties. The various theoretical and practical challenges posed by this development led to a novel security model and verification method generally applicable to systems describable as input–output automata.


Security Model Program Committee Safety Property Epistemic Logic Paper Authorship 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Jif: Java + information flow (2014),
  2. 2.
    The Scala Programming Language (2014),
  3. 3.
    Arapinis, M., Bursuc, S., Ryan, M.: Privacy supporting cloud computing: Confichair, a case study. In: Degano, P., Guttman, J.D. (eds.) POST 2012. LNCS, vol. 7215, pp. 89–108. Springer, Heidelberg (2012)Google Scholar
  4. 4.
    Bell, E.D., La Padula, J.L.: Secure computer system: Unified exposition and multics interpretation, Technical Report MTR-2997, MITRE, Bedford, MA (1975)Google Scholar
  5. 5.
    Blanchet, B., Abadi, M., Fournet, C.: Automated verification of selected equivalences for security protocols. In: LICS, pp. 331–340 (2005)Google Scholar
  6. 6.
    Clarkson, M.R., Finkbeiner, B., Koleini, M., Micinski, K.K., Rabe, M.N., Sánchez, C.: Temporal logics for hyperproperties. In: Abadi, M., Kremer, S. (eds.) POST 2014. LNCS, vol. 8414, pp. 265–284. Springer, Heidelberg (2014)Google Scholar
  7. 7.
    Cohen, E.S.: Information transmission in computational systems. In: SOSP, pp. 133–139 (1977)Google Scholar
  8. 8.
    de Amorim, A.A., Collins, N., DeHon, A., Demange, D., Hritcu, C., Pichardie, D., Pierce, B.C., Pollack, R., Tolmach, A.: A verified information-flow architecture. In: POPL, pp. 165–178 (2014)Google Scholar
  9. 9.
    Dimitrova, R., Finkbeiner, B., Kovács, M., Rabe, M.N., Seidl, H.: Model checking information flow in reactive systems. In: Kuncak, V., Rybalchenko, A. (eds.) VMCAI 2012. LNCS, vol. 7148, pp. 169–185. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  10. 10.
    The EasyChair conference system (2014),
  11. 11.
    The HotCRP conference management system (2014),
  12. 12.
    Focardi, R., Gorrieri, R.: Classification of security properties (part i: Information flow). In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, pp. 331–396. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  13. 13.
    Goguen, J.A., Meseguer, J.: Security policies and security models. In: IEEE Symposium on Security and Privacy, pp. 11–20 (1982)Google Scholar
  14. 14.
    Goguen, J.A., Meseguer, J.: Unwinding and inference control. In: IEEE Symposium on Security and Privacy, pp. 75–87 (1984)Google Scholar
  15. 15.
    Gollmann, D.: Computer Security, 2nd edn. Wiley (2005)Google Scholar
  16. 16.
    Haftmann, F.: Code Generation from Specifications in Higher-Order Logic. Ph.D. thesis, Technische Universität München (2009)Google Scholar
  17. 17.
    Haftmann, F., Nipkow, T.: Code generation via higher-order rewrite systems. In: Blume, M., Kobayashi, N., Vidal, G. (eds.) FLOPS 2010. LNCS, vol. 6009, pp. 103–117. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  18. 18.
    Halpern, J.Y., O’Neill, K.R.: Secrecy in multiagent systems. ACM Trans. Inf. Syst. Secur. 12(1) (2008)Google Scholar
  19. 19.
    IEEE Symposium on Security and Privacy. Email notification (2012)Google Scholar
  20. 20.
    Kanav, S., Lammich, P., Popescu, A.: The CoCon website,
  21. 21.
    Lampson, B.W.: Protection. Operating Systems Review 8(1), 18–24 (1974)CrossRefGoogle Scholar
  22. 22.
    Mantel, H.: Information flow control and applications - bridging a gap -. In: Oliveira, J.N., Zave, P. (eds.) FME 2001. LNCS, vol. 2021, pp. 153–172. Springer, Heidelberg (2001)Google Scholar
  23. 23.
    Mantel, H.: A Uniform Framework for the Formal Specification and Verification of Information Flow Security. PhD thesis, University of Saarbrücken (2003)Google Scholar
  24. 24.
    Mantel, H.: Information flow and noninterference. In: Encyclopedia of Cryptography and Security, 2nd edn., pp. 605–607 (2011)Google Scholar
  25. 25.
    McCullough, D.: Specifications for multi-level security and a hook-up property. In: IEEE Symposium on Security and Privacy (1987)Google Scholar
  26. 26.
    McLean, J.: A general theory of composition for trace sets closed under selective interleaving functions. In: Proc. IEEE Symposium on Security and Privacy, pp. 79–93 (1994)Google Scholar
  27. 27.
    McLean, J.: Security models. In: Encyclopedia of Software Engineering (1994)Google Scholar
  28. 28.
    Murray, T., Matichuk, D., Brassil, M., Gammie, P., Klein, G.: Noninterference for operating system kernels. In: Hawblitzel, C., Miller, D. (eds.) CPP 2012. LNCS, vol. 7679, pp. 126–142. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  29. 29.
    Nipkow, T., Klein, G.: Concrete Semantics. With Isabelle/HOL, p. 310. Springer (forthcoming),
  30. 30.
    Nipkow, T., Paulson, L.C., Wenzel, M.T. (eds.): Isabelle/HOL. LNCS, vol. 2283. Springer, Heidelberg (2002)zbMATHGoogle Scholar
  31. 31.
    O’Halloran, C.: A calculus of information flow. In: ESORICS, pp. 147–159 (1990)Google Scholar
  32. 32.
    Popek, G.J., Farber, D.A.: A model for verification of data security in operating systems. Commun. ACM 21(9), 737–749 (1978)CrossRefzbMATHGoogle Scholar
  33. 33.
    Ronald Fagin, Y.M., Halpern, J.Y., Vardi, M.: Reasoning about knowledge. MIT Press (2003)Google Scholar
  34. 34.
    Rushby, J.: Noninterference, transitivity, and channel-control security policies. Tech. report (December 1992)Google Scholar
  35. 35.
    Ryan, P.Y.A.: Mathematical models of computer security. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, pp. 1–62. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  36. 36.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE Journal on Selected Areas in Communications 21(1), 5–19 (2003)CrossRefGoogle Scholar
  37. 37.
    Sabelfeld, A., Sands, D.: Declassification: Dimensions and principles. Journal of Computer Security 17(5), 517–548 (2009)Google Scholar
  38. 38.
    Sutherland, D.: A model of information. In: 9th National Security Conference, pp. 175–183 (1986)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. 1.Fakultät für InformatikTechnische Universität MünchenGermany

Personalised recommendations