Flexible Scheduler-Independent Security

  • Heiko Mantel
  • Henning Sudbrock
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6345)


We propose an approach to certify the information flow security of multi-threaded programs independently from the scheduling algorithm. A scheduler-independent verification is desirable because the scheduler is part of the runtime environment and, hence, usually not known when a program is analyzed. Unlike for other system properties, it is not straightforward to achieve scheduler independence when verifying information flow security, and the existing independence results are very restrictive. In this article, we show how some of these restrictions can be overcome. The key insight in our development of a novel scheduler-independent information flow property was the identification of a suitable class of schedulers that covers the most relevant schedulers. The contributions of this article include a novel security property, a scheduler independence result, and a provably sound program analysis.


Security Property Label Transition System Concurrent Program Strong Security Multithreaded Program 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Goguen, J.A., Meseguer, J.: Security Policies and Security Models. In: 3rd IEEE Symposium on Security and Privacy, pp. 11–20. IEEE, Los Alamitos (1982)Google Scholar
  2. 2.
    Jacob, J.: On the Derivation of Secure Components. In: 10th IEEE Symposium on Security and Privacy, pp. 242–247. IEEE, Los Alamitos (1989)CrossRefGoogle Scholar
  3. 3.
    Volpano, D., Smith, G.: Probabilistic Noninterference in a Concurrent Language. Journal of Computer Security 7(2,3), 231–253 (1999)Google Scholar
  4. 4.
    Russo, A., Hughes, J., Naumann, D.A., Sabelfeld, A.: Closing Internal Timing Channels by Transformation. In: Okada, M., Satoh, I. (eds.) ASIAN 2006. LNCS, vol. 4435, pp. 120–135. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  5. 5.
    Smith, G., Volpano, D.: Secure Information Flow in a Multi-threaded Imperative Language. In: 25th ACM Symposium on Principles of Programming Languages, pp. 355–364. ACM, New York (1998)CrossRefGoogle Scholar
  6. 6.
    Zdancewic, S., Myers, A.C.: Observational Determinism for Concurrent Program Security. In: 16th IEEE Computer Security Foundations Workshop, pp. 29–43. IEEE, Los Alamitos (2003)CrossRefGoogle Scholar
  7. 7.
    Sabelfeld, A., Sands, D.: Probabilistic Noninterference for Multi-threaded Programs. In: 13th IEEE Computer Security Foundations Workshop, pp. 200–214. IEEE, Los Alamitos (2000)Google Scholar
  8. 8.
    Boudol, G., Castellani, I.: Noninterference for Concurrent Programs and Thread Systems. Theoretical Computer Science 281(1-2), 109–130 (2002)zbMATHCrossRefMathSciNetGoogle Scholar
  9. 9.
    Russo, A., Sabelfeld, A.: Securing Interaction between Threads and the Scheduler. In: 19th IEEE Computer Security Foundations Workshop, pp. 177–189. IEEE, Los Alamitos (2006)CrossRefGoogle Scholar
  10. 10.
    Sabelfeld, A.: Confidentiality for Multithreaded Programs via Bisimulation. In: Broy, M., Zamulin, A.V. (eds.) PSI 2003. LNCS, vol. 2890, pp. 260–274. Springer, Heidelberg (2004)Google Scholar
  11. 11.
    Smith, G.: Probabilistic Noninterference through Weak Probabilistic Bisimulation. In: 16th IEEE Computer Security Foundations Workshop, pp. 3–13. IEEE, Los Alamitos (2003)CrossRefGoogle Scholar
  12. 12.
    Sabelfeld, A., Sands, D.: A Per Model of Secure Information Flow in Sequential Programs. In: Swierstra, S.D. (ed.) ESOP 1999. LNCS, vol. 1576, pp. 50–59. Springer, Heidelberg (1999)Google Scholar
  13. 13.
    Volpano, D., Smith, G., Irvine, C.: A Sound Type System for Secure Flow Analysis. Journal of Computer Security 4(2,3), 167–188 (1996)Google Scholar
  14. 14.
    Mantel, H., Sands, D.: Controlled Declassification Based on Intransitive Noninterference. In: Chin, W.-N. (ed.) APLAS 2004. LNCS, vol. 3302, pp. 129–145. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  15. 15.
    Smith, G.: A New Type System for Secure Information Flow. In: 14th IEEE Computer Security Foundations Workshop, pp. 115–125. IEEE, Los Alamitos (2001)CrossRefGoogle Scholar
  16. 16.
    Matos, A.A., Boudol, G., Castellani, I.: Typing Noninterference for Reactive Programs. Journal of Logic and Algebraic Programming 72(2), 124–156 (2007)zbMATHCrossRefMathSciNetGoogle Scholar
  17. 17.
    Sabelfeld, A., Myers, A.C.: Language-based Information-Flow Security. IEEE Journal on Selected Areas in Communication 21(1), 5–19 (2003)CrossRefGoogle Scholar
  18. 18.
    Sabelfeld, A.: The Impact of Synchronisation on Secure Information Flow in Concurrent Programs. In: Bjørner, D., Broy, M., Zamulin, A.V. (eds.) PSI 2001. LNCS, vol. 2244, pp. 225–239. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  19. 19.
    Barthe, G., D’Argenio, P.R., Rezk, T.: Secure Information Flow by Self-Composition. In: 17th IEEE Computer Security Foundations Workshop, pp. 100–114. IEEE, Los Alamitos (2004)CrossRefGoogle Scholar
  20. 20.
    Mantel, H., Sudbrock, H., Kraußer, T.: Combining Different Proof Techniques for Verifying Information Flow Security. In: Puebla, G. (ed.) LOPSTR 2006. LNCS, vol. 4407, pp. 94–110. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  21. 21.
    Mantel, H., Reinhard, A.: Controlling the What and Where of Declassification in Language-Based Security. In: De Nicola, R. (ed.) ESOP 2007. LNCS, vol. 4421, pp. 141–156. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  22. 22.
    Russo, A., Sabelfeld, A.: Security for Multithreaded Programs under Cooperative Scheduling. In: Virbitskaite, I., Voronkov, A. (eds.) PSI 2006. LNCS, vol. 4378, pp. 474–480. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  23. 23.
    McLean, J.D.: Proving Noninterference and Functional Correctness using Traces. Journal of Computer Security 1(1), 37–57 (1992)MathSciNetGoogle Scholar
  24. 24.
    Roscoe, A.W., Woodcock, J.C.P., Wulf, L.: Non-interference through Determinism. In: Gollmann, D. (ed.) ESORICS 1994. LNCS, vol. 875, pp. 33–53. Springer, Heidelberg (1994)Google Scholar
  25. 25.
    Roscoe, A.W.: CSP and Determinism in Security Modelling. In: 16th IEEE Symposium on Security and Privacy, pp. 114–127. IEEE, Los Alamitos (1995)Google Scholar
  26. 26.
    Huisman, M., Worah, P., Sunesen, K.: A Temporal Logic Characterisation of Observational Determinism. In: 19th IEEE Computer Security Foundations Workshop, pp. 3–15. IEEE, Los Alamitos (2006)CrossRefGoogle Scholar
  27. 27.
    Mantel, H., Sabelfeld, A.: A Unifying Approach to the Security of Distributed and Multi-threaded Programs. Journal of Computer Security 11(4), 615–676 (2003)Google Scholar
  28. 28.
    Focardi, R., Rossi, S., Sabelfeld, A.: Bridging Language-Based and Process Calculi Security. In: Sassone, V. (ed.) FOSSACS 2005. LNCS, vol. 3441, pp. 299–315. Springer, Heidelberg (2005)Google Scholar
  29. 29.
    Köpf, B., Mantel, H.: Transformational Typing and Unification for Automatically Correcting Insecure Programs. International Journal of Information Security 6(2-3), 107–131 (2007)CrossRefGoogle Scholar
  30. 30.
    Lux, A., Mantel, H.: Declassification with Explicit Reference Points. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 69–85. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  31. 31.
    Barthe, G., Rezk, T., Russo, A., Sabelfeld, A.: Security of Multithreaded Programs by Compilation. In: Biskup, J., Lopez, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 2–18. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  32. 32.
    Russo, A., Sabelfeld, A.: Securing Interaction between Threads and the Scheduler in the Presence of Synchronization. Journal of Logic and Algebraic Programming 78(7), 593–618 (2009)zbMATHCrossRefMathSciNetGoogle Scholar
  33. 33.
    van der Meyden, R., Zhang, C.: Information Flow in Systems with Schedulers. In: 21st IEEE Computer Security Foundations Symposium, pp. 301–312. IEEE, Los Alamitos (2008)Google Scholar
  34. 34.
    Chatzikokolakis, K., Palamidessi, C.: Making Random Choices Invisible to the Scheduler. In: Caires, L., Vasconcelos, V.T. (eds.) CONCUR 2007. LNCS, vol. 4703, pp. 42–58. Springer, Heidelberg (2007)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Heiko Mantel
    • 1
  • Henning Sudbrock
    • 1
  1. 1.Computer ScienceTU DarmstadtGermany

Personalised recommendations