Verifying Information Flow Control over Unbounded Processes

  • William R. Harris
  • Nicholas A. Kidd
  • Sagar Chaki
  • Somesh Jha
  • Thomas Reps
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5850)

Abstract

Decentralized Information Flow Control (DIFC) systems enable programmers to express a desired DIFC policy, and to have the policy enforced via a reference monitor that restricts interactions between system objects, such as processes and files. Past research on DIFC systems focused on the reference-monitor implementation, and assumed that the desired DIFC policy is correctly specified. The focus of this paper is an automatic technique to verify that an application, plus its calls to DIFC primitives, does indeed correctly implement a desired policy. We present an abstraction that allows a model checker to reason soundly about DIFC programs that manipulate potentially unbounded sets of processes, principals, and communication channels. We implemented our approach and evaluated it on a set of real-world programs.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Efstathopoulos, P., Krohn, M., VanDeBogart, S., Frey, C., Ziegler, D., Kohler, E., Mazières, D., Kaashoek, F., Morris, R.: Labels and event processes in the Asbestos operating system. SIGOPS Oper. Syst. Rev. 39(5), 17–30 (2005)CrossRefGoogle Scholar
  2. 2.
    Zeldovich, N., Boyd-Wickizer, S., Kohler, E., Mazières, D.: Making information flow explicit in HiStar. In: OSDI (2006)Google Scholar
  3. 3.
    Krohn, M., Yip, A., Brodsky, M., Cliffer, N., Kaashoek, M.F., Kohler, E., Morris, R.: Information flow control for standard os abstractions. In: SOSP (2007)Google Scholar
  4. 4.
    Conover, M.: Analysis of the Windows Vista Security Model. Technical report, Symantec Corporation (2008)Google Scholar
  5. 5.
    Chaki, S., Clarke, E., Groce, A., Ouaknine, J., Strichman, O., Yorav, K.: Efficient verification of sequential and concurrent C programs. Form. Methods Syst. Des. 25(2-3), 129–166 (2004)MATHCrossRefGoogle Scholar
  6. 6.
    Kidd, N.A., Reps, T.W., Dolby, J., Vaziri, M.: Finding concurrency-related bugs using random isolation. In: Jones, N.D., Müller-Olm, M. (eds.) VMCAI 2009. LNCS, vol. 5403, pp. 198–213. Springer, Heidelberg (2009)Google Scholar
  7. 7.
    Apache: Apache, http://www.apache.org
  8. 8.
    ClamAV: ClamAV, http://www.clamav.net
  9. 9.
    OpenVPN: OpenVPN, http://www.openvpn.net
  10. 10.
    Chaudhuri, A., Naldurg, P., Rajamani, S.K., Ramalingam, G., Velaga, L.: EON: Modeling and analyzing dynamic access control systems with logic programs. In: CCS (2008)Google Scholar
  11. 11.
    Krohn, M., Tromer, E.: Non-interference for a practical DIFC-based operating system. In: IEEE Symposium on Security and Privacy (2009)Google Scholar
  12. 12.
    Sagiv, M., Reps, T., Wilhelm, R.: Parametric shape analysis via 3-valued logic. ACM Trans. Program. Lang. Syst. 24(3), 217–298 (2002)CrossRefGoogle Scholar
  13. 13.
    Harris, W.R., Kidd, N.A., Chaki, S., Jha, S., Reps, T.: Verifying information flow control over unbounded processes. Technical Report UW-CS-TR-1655, Univ. of Wisc (May 2009)Google Scholar
  14. 14.
    Necula, G., McPeak, S., Rahul, S., Weimer, W.: CIL: Intermediate language and tools for analysis and transformation of C programs (2002)Google Scholar
  15. 15.
    MoinMoin: The MoinMoin wiki engine (December 2006), http://moinmoin.wikiwikiweb.de
  16. 16.
    Vandebogart, S., Efstathopoulos, P., Kohler, E., Krohn, M., Frey, C., Ziegler, D., Kaashoek, F., Morris, R., Mazières, D.: Labels and Event Processes in the Asbestos Operating System. ACM Trans. Comput. Syst. 25(4), 11 (2007)CrossRefGoogle Scholar
  17. 17.
    Yahav, E.: Verifying safety properties of concurrent java programs using 3-valued logic. In: POPL (2001)Google Scholar
  18. 18.
    Denning, D.E., Denning, P.J.: Certification of programs for secure information flow. Commun. ACM 20(7), 504–513 (1977)MATHCrossRefGoogle Scholar
  19. 19.
    Myers, A.C.: JFlow: practical mostly-static information flow control. In: POPL (1999)Google Scholar
  20. 20.
    Guttman, J.D., Herzog, A.L., Ramsdell, J.D., Skorupka, C.W.: Verifying Information-Flow Goals in Security-Enhanced Linux. Journal of Computer Security (2005)Google Scholar
  21. 21.
    Zhang, X., Edwards, A., Jaeger, T.: Using CQUAL for static analysis of authorization hook placement. In: USENIX Security Symposium, pp. 33–48 (2002)Google Scholar

Copyright information

© 2009 Carnegie Mellon University 2009

Authors and Affiliations

  • William R. Harris
    • 1
  • Nicholas A. Kidd
    • 1
  • Sagar Chaki
    • 2
  • Somesh Jha
    • 1
  • Thomas Reps
    • 1
    • 3
  1. 1.University of Wisconsin 
  2. 2.Soft. Eng. Inst.Carnegie Mellon University 
  3. 3.GrammaTech Inc. 

Personalised recommendations