Policy Dependent and Independent Information Flow Analyses

  • Manuel TöwsEmail author
  • Heike Wehrheim
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10610)


Information Flow Analysis (IFA) aims at detecting illegal flows of information between program entities. “Legality” is therein specified in terms of various security policies. For the analysis, this opens up two possibilities: building generic, policy independent and building specific, policy dependent IFAs. While the former needs to track all dependencies between program entities, the latter allows for a reduced and thus more efficient analysis.

In this paper, we start out by formally defining a policy independent information flow analysis. Next, we show how to specialize this IFA via policy specific variable tracking, and prove soundness of the specialization. We furthermore investigate refinement relationships between policies, allowing an IFA for one policy to be employed for its refinements. As policy refinement depends on concrete program entities, we additionally propose a precomputation of policy refinement conditions, enabling an efficient refinement check for concrete programs.


  1. 1.
    Amtoft, T., Banerjee, A.: Information flow analysis in logical form. In: Giacobazzi, R. (ed.) SAS 2004. LNCS, vol. 3148, pp. 100–115. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-27864-1_10 CrossRefGoogle Scholar
  2. 2.
    Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In: PLDI, pp. 259–269. ACM (2014)Google Scholar
  3. 3.
    Beyer, D., Henzinger, T.A., Théoduloz, G.: Configurable software verification: concretizing the convergence of model checking and program analysis. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 504–518. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-73368-3_51 CrossRefGoogle Scholar
  4. 4.
    Beyer, D., Keremoglu, M.E., Wendler, P.: Predicate abstraction with adjustable-block encoding. In: Bloem, R., Sharygina, N. (eds.) FMCAD 2010, pp. 189–197. IEEE (2010)Google Scholar
  5. 5.
    Brewer, D.F.C., Nash, M.J.: The chinese wall security policy. In: IEEE Symposium on Security and Privacy, 1989, pp. 206–214. IEEE Computer Society (1989)Google Scholar
  6. 6.
    Foley, S.N.: Unifying Information Flow Policies. Technical report, DTIC Document (1990)Google Scholar
  7. 7.
    Foley, S.N.: Aggregation and separation as noninterference properties. J. Comput. Secur. 1(2), 159–188 (1992)MathSciNetCrossRefGoogle Scholar
  8. 8.
    Hammer, C., Krinke, J., Snelting, G.: Information flow control for java based on path conditions in dependence graphs. In: IEEE International Symposium on Secure Software Engineering 2006 (2006)Google Scholar
  9. 9.
    Holavanalli, S., Manuel, D., Nanjundaswamy, V., Rosenberg, B., Shen, F., Ko, S.Y., Ziarek, L.: Flow permissions for android. In: ASE, pp. 652–657 (2013)Google Scholar
  10. 10.
    Horwitz, S., Reps, T.W.: The use of program dependence graphs in software engineering. In: Montgomery, T., Clarke, L.A., Ghezzi, C. (eds.) ICSE 1992, pp. 392–411. ACM Press (1992)Google Scholar
  11. 11.
    Hunt, S., Sands, D.: On flow-sensitive security types. In: POPL 2006 (2006)Google Scholar
  12. 12.
    Jakobs, M., Wehrheim, H.: Certification for configurable program analysis. In: Rungta, N., Tkachuk, O. (eds.) SPIN 2014, pp. 30–39. ACM (2014)Google Scholar
  13. 13.
    Jakobs, M., Wehrheim, H.: Programs from proofs of predicated dataflow analyses. In: Wainwright, R.L., Corchado, J.M., Bechini, A., Hong, J. (eds.) SAC 2015, pp. 1729–1736. ACM (2015)Google Scholar
  14. 14.
    Klieber, W., Flynn, L., Bhosale, A., Jia, L., Bauer, L.: Android taint flow analysis for app sets. In: SOAP, pp. 1–6 (2014)Google Scholar
  15. 15.
    Rustan, K., Leino, M., Joshi, R.: A semantic approach to secure information flow. In: Jeuring, J. (ed.) MPC 1998. LNCS, vol. 1422, pp. 254–271. Springer, Heidelberg (1998). doi: 10.1007/BFb0054294 CrossRefGoogle Scholar
  16. 16.
    Lengauer, T., Tarjan, R.E.: A fast algorithm for finding dominators in a flowgraph. ACM Trans. Program. Lang. Syst. 1(1), 121–141 (1979)CrossRefzbMATHGoogle Scholar
  17. 17.
    Mantel, H.: Possibilistic definitions of security - an assembly kit. In: IEEE Computer Security Foundations Workshop, CSFW 2000. IEEE Computer Society (2000)Google Scholar
  18. 18.
    Mantel, H.: Preserving information flow properties under refinement. In: IEEE Symposium on Security and Privacy 2001, pp. 78–91. IEEE Computer Society (2001)Google Scholar
  19. 19.
    Mantel, H.: On the composition of secure systems. In: IEEE Symposium on Security and Privacy 2002 (2002)Google Scholar
  20. 20.
    Necula, G.C.: Proof-carrying code. In: Lee, P., Henglein, F., Jones, N.D. (eds.) POPL 1997, pp. 106–119. ACM Press (1997)Google Scholar
  21. 21.
    Nielson, F., Nielson, H.R., Hankin, C.: Principles of Program Analysis. Springer, New York (1999)CrossRefzbMATHGoogle Scholar
  22. 22.
    Taghdiri, M., Snelting, G., Sinz, C.: Information flow analysis via path condition refinement. In: Degano, P., Etalle, S., Guttman, J. (eds.) FAST 2010. LNCS, vol. 6561, pp. 65–79. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-19751-2_5 CrossRefGoogle Scholar
  23. 23.
    Töws, M., Wehrheim, H.: A CEGAR scheme for information flow analysis. In: Ogata, K., Lawford, M., Liu, S. (eds.) ICFEM 2016. LNCS, vol. 10009, pp. 466–483. Springer, Cham (2016). doi: 10.1007/978-3-319-47846-3_29 CrossRefGoogle Scholar
  24. 24.
    Wei, F., Roy, S., Ou, X., Robby: amandroid: a precise and general inter-component data flow analysis framework for security vetting of android apps. In: CCS, pp. 1329–1341. ACM, New York (2014)Google Scholar
  25. 25.
    Yang, Z., Yang, M.: LeakMiner: detect information leakage on android with static taint analysis. In: WCSE, pp. 101–104 (2012)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Department of Computer SciencePaderborn UniversityPaderbornGermany

Personalised recommendations