Information flow control systems provide the guarantees that are required in today’s security-relevant systems. While the literature has produced a wealth of techniques to ensure a given security policy, there is only a small number of implementations, and even these are mostly restricted to theoretical languages or a subset of an existing language.

Previously, we presented the theoretical foundations and algorithms for dependence-graph-based information flow control (IFC). As a complement, this paper presents the implementation and evaluation of our new approach, the first implementation of a dependence-graph based analysis that accepts full Java bytecode. It shows that the security policy can be annotated in a succinct manner; and the evaluation shows that the increased runtime of our analysis—a result of being flow-, context-, and object-sensitive—is mitigated by better analysis results and elevated practicability. Finally, we show that the scalability of our analysis is not limited by the sheer size of either the security lattice or the dependence graph that represents the program.


software security noninterference program dependence graph information flow control evaluation 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aït-Kaci, H., Boyer, R., Lincoln, P., Nasr, R.: Efficient implementation of lattice operations. ACM TOPLAS 11(1), 115–146 (1989)CrossRefGoogle Scholar
  2. 2.
    Amtoft, T., Bandhakavi, S., Banerjee, A.: A logic for information flow in object-oriented programs. In: POPL 2006, pp. 91–102. ACM, New York (2006)CrossRefGoogle Scholar
  3. 3.
    Askarov, A., Sabelfeld, A.: Security-typed languages for implementation of cryptographic protocols: A case study. In: di Vimercati, S.d.C., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 197–221. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  4. 4.
    Barthe, G., Pichardie, D., Rezk, T.: A certified lightweight non-interference Java bytecode verifier. In: De Nicola, R. (ed.) ESOP 2007. LNCS, vol. 4421, pp. 125–140. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  5. 5.
    Bieber, P., Cazin, J., Marouani, A.E., Girard, P., Lanet, J.L., Wiels, V., Zanon, G.: The PACAP prototype: a tool for detecting Java Card illegal flow. In: Attali, I., Jensen, T. (eds.) JavaCard 2000. LNCS, vol. 2041, pp. 25–37. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  6. 6.
    Binkley, D., Harman, M., Krinke, J.: Empirical study of optimization techniques for massive slicing. ACM TOPLAS 30(1), 3 (2007)CrossRefGoogle Scholar
  7. 7.
    Chandra, D., Franz, M.: Fine-grained information flow analysis and enforcement in a Java virtual machine. In: 23rd Annual Computer Security Applications Conference, pp. 463–475. IEEE, Los Alamitos (2007)Google Scholar
  8. 8.
    Ferrante, J., Ottenstein, K.J., Warren, J.D.: The program dependence graph and its use in optimization. ACM TOPLAS 9(3), 319–349 (1987)MATHCrossRefGoogle Scholar
  9. 9.
    Ganguly, D.D., Mohan, C.K., Ranka, S.: A space-and-time-efficient coding algorithm for lattice computations. IEEE Trans. on Knowl. and Data Eng. 6(5), 819–829 (1994)CrossRefGoogle Scholar
  10. 10.
    Genaim, S., Spoto, F.: Information flow analysis for Java bytecode. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 346–362. Springer, Heidelberg (2005)Google Scholar
  11. 11.
    Goguen, J.A., Meseguer, J.: Unwinding and inference control. In: Symposium on Security and Privacy, pp. 75–86. IEEE, Los Alamitos (1984)Google Scholar
  12. 12.
    Hammer, C.: Information flow control for Java - a comprehensive approach based on path conditions in dependence graphs. Ph.D. thesis, Universität Karlsruhe (TH), Fak. f. Informatik (2009), URN urn=urn:nbn:de:0072-120494Google Scholar
  13. 13.
    Hammer, C., Schaade, R., Snelting, G.: Static path conditions for Java. In: PLAS 2008, pp. 57–66. ACM, New York (2008)CrossRefGoogle Scholar
  14. 14.
    Hammer, C., Snelting, G.: Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs. Int. Journal of Information Security 8(6), 399–422 (2009)CrossRefGoogle Scholar
  15. 15.
    Horwitz, S., Reps, T., Binkley, D.: Interprocedural slicing using dependence graphs. ACM TOPLAS 12(1), 26–60 (1990)CrossRefGoogle Scholar
  16. 16.
    Hubert, L.: A non-null annotation inferencer for Java bytecode. In: PASTE 2008, pp. 36–42. ACM, New York (2008)CrossRefGoogle Scholar
  17. 17.
    Hunt, S., Sands, D.: On flow-sensitive security types. In: POPL 2006, pp. 79–90. ACM, New York (2006)CrossRefGoogle Scholar
  18. 18.
    Myers, A.C., Chong, S., Nystrom, N., Zheng, L., Zdancewic, S.: Jif: Java information flow, http://www.cs.cornell.edu/jif/
  19. 19.
    Myers, A.C., Liskov, B.: Protecting privacy using the decentralized label model. ACM TOSEM 9(4), 410–442 (2000)CrossRefGoogle Scholar
  20. 20.
    Sabelfeld, A., Myers, A.: Language-based information-flow security. IEEE Journal on Selected Areas in Communications 21(1), 5–19 (2003)CrossRefGoogle Scholar
  21. 21.
    Sabelfeld, A., Sands, D.: Declassification: Dimensions and principles. Journal of Computer Security 17(5), 517–548 (2009)Google Scholar
  22. 22.
    Smith, S.F., Thober, M.: Improving usability of information flow security in Java. In: PLAS 2007, pp. 11–20. ACM, New York (2007)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Christian Hammer
    • 1
  1. 1.Purdue University 

Personalised recommendations