Using Dependence Graphs to Assist Verification and Testing of Information-Flow Properties

  • Mihai Herda
  • Shmuel Tyszberowicz
  • Bernhard Beckert
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10889)


Information-flow control (IFC) techniques assist in avoiding information leakage of sensitive data to an observable output. Unfortunately, the various IFC approaches are either imprecise, thus producing many false-positive alerts, or they do not scale. Using system dependence graphs (SDGs) to model the syntactic dependencies between different program parts is a highly scalable approach that makes it possible to check whether the observable output depends on the sensitive input. While this approach is sound, security violations that it reports can be false alarms. We present a technique to overcome these problems by combining two existing approaches in a novel way. We show how each security violation reported by an SDG-based approach can be used to create a simplified program that can then be handled with a second approach to prove or disprove the reported violation. As the second approach we use deductive verification and test case generation. We show that our approach is sound, and demonstrate its benefits by means of examples. We discuss the challenges of implementing the approach using JOANA and KeY.


Information flow control, Noninterference, System dependence graph, Deductive verification, Testing
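A small illustration of the workflow the abstract describes, added here and not taken from the paper, JOANA or KeY: a syntactic dependence check flags a flow from the secret input to the output, the program is reduced to the statements that matter, and a noninterference test on the reduced program confirms or refutes the report. The toy statement format, the use of a backward slice as the simplified program, and the exhaustive test over a four-value domain are assumptions of this example.

```python
from itertools import product

# Constructed toy programs: each statement is (target, variables read, function).
# "h" is the secret input, "l" the public input, "out" the observable output.
FALSE_ALARM = [
    ("x", ("h",), lambda h: h * 0),      # reads h syntactically, value never varies
    ("y", ("l",), lambda l: l + 1),
    ("dbg", ("h",), lambda h: h + 7),    # irrelevant to out, dropped by the slice
    ("out", ("x", "y"), lambda x, y: x + y),
]
REAL_LEAK = [
    ("x", ("h",), lambda h: h % 2),      # low bit of the secret reaches out
    ("y", ("l",), lambda l: l + 1),
    ("out", ("x", "y"), lambda x, y: x + y),
]

def backward_slice(program, sink):
    """Statements the sink depends on syntactically (data dependence only,
    straight-line code with one definition per variable)."""
    needed, kept = {sink}, []
    for i in range(len(program) - 1, -1, -1):
        target, reads, _ = program[i]
        if target in needed:
            kept.append(i)
            needed.discard(target)
            needed.update(reads)
    return sorted(kept), needed          # 'needed' now holds the inputs reached

def run(program, indices, h, l):
    env = {"h": h, "l": l}
    for i in indices:
        target, reads, fn = program[i]
        env[target] = fn(*(env[r] for r in reads))
    return env["out"]

def check(program, domain=range(4)):
    """Return ('no-report' | 'false-alarm' | 'leak', witness)."""
    indices, inputs = backward_slice(program, "out")
    if "h" not in inputs:                # no dependence path: nothing is reported
        return "no-report", None
    # Noninterference test: same public input, two different secrets.
    for l, h1, h2 in product(domain, repeat=3):
        if run(program, indices, h1, l) != run(program, indices, h2, l):
            return "leak", (l, h1, h2)   # counterexample confirms the report
    return "false-alarm", None           # refuted only for the tested domain
```

The "false-alarm" verdict here holds only for the inputs that were tested; establishing it for all inputs is the role of the deductive verification step.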



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. Karlsruhe Institute of Technology, Karlsruhe, Germany
  2. The Academic College Tel Aviv Yaffo, Tel Aviv, Israel
