Runtime Enforcement of Information Flow Security in Tree Manipulating Processes

  • Máté Kovács
  • Helmut Seidl
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7159)


We consider the problem of enforcing information flow policies in Xml manipulating programs such as Web services and business processes implemented in current workflow languages. We propose a runtime monitor that can enforce the secrecy of freely chosen subtrees of the data throughout the execution. The key idea is to apply a generalized constant propagation for computing the public effect of branching constructs whose conditions may depend on the secret. This allows for a better precision than runtime monitors which rely on tainting of variables or nodes alone. We demonstrate our approach for a minimalistic tree manipulating programming language and prove its correctness w.r.t. the concrete semantics of programs.
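As an added illustration that is not the paper's formalism or code, the toy monitor below contrasts plain tainting with the paper's idea of computing the public effect of a branch whose condition depends on the secret. The flat path map standing in for an Xml tree, the statement encoding, and the order data are all constructed for this example, and "computing the effect" is simplified to executing both branches on copies of the tree.

```python
import copy

PUBLIC, SECRET = "public", "secret"          # the two security labels

def run(stmts, tree, mode, pc=PUBLIC):
    """Execute `stmts` on `tree` (path -> [value, label]) in place under context `pc`.
    mode "taint": every node written under a secret context becomes secret.
    mode "join":  a node stays public when both branches leave it with the same value."""
    for s in stmts:
        if s[0] == "set":
            _, path, value = s
            tree[path] = [value, pc]
            continue
        _, cond, pred, then_b, else_b = s
        cond_val, cond_lbl = tree[cond]
        taken, other = (then_b, else_b) if pred(cond_val) else (else_b, then_b)
        if cond_lbl == PUBLIC and pc == PUBLIC:
            run(taken, tree, mode, PUBLIC)            # public condition: nothing to hide
        elif mode == "taint":
            run(taken, tree, mode, SECRET)            # classic tainting of the branch body
        else:
            before, alt = copy.deepcopy(tree), copy.deepcopy(tree)
            run(taken, tree, mode, SECRET)            # real effect of the chosen branch
            run(other, alt, mode, SECRET)             # hypothetical effect of the other one
            for path, (value, _) in tree.items():
                if path in before and before[path][1] == SECRET:
                    continue                          # already secret before the branch
                same = path in alt and alt[path][0] == value
                tree[path][1] = PUBLIC if same else SECRET
    return tree

# Constructed order workflow: the customer's credit score is the secret subtree.
def example_order():
    return {"order/customer/creditScore": [720, SECRET], "order/total": [120, PUBLIC]}

PROGRAM = [
    ("set", "order/status", "received"),
    ("if", "order/customer/creditScore", lambda score: score >= 700,
     [("set", "order/processed", "yes"), ("set", "order/discount", 10)],
     [("set", "order/processed", "yes"), ("set", "order/discount", 0)]),
]

def labels(mode):
    t = run(PROGRAM, example_order(), mode)
    return {p: t[p][1] for p in ("order/status", "order/processed", "order/discount")}

if __name__ == "__main__":
    print("taint:", labels("taint"))   # processed and discount both secret
    print("join: ", labels("join"))    # processed stays public, discount secret
```

Both branches write the same value to `order/processed`, so its content reveals nothing about the credit score; the join keeps it public while tainting alone does not. A node created by only one branch would have to taint its parent in a full tree model, which this flat map leaves out.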


Keywords: Semi-structured data, information flow control, runtime enforcement





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Máté Kovács, Technische Universität München, Germany
  • Helmut Seidl, Technische Universität München, Germany
