Proving Concurrent Noninterference

  • Andrei Popescu
  • Johannes Hölzl
  • Tobias Nipkow
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7679)

Abstract

We perform a formal analysis of compositionality techniques for proving possibilistic noninterference for a while language with parallel composition. We develop a uniform framework where we express a wide range of noninterference variants from the literature and compare them w.r.t. their contracts: the strength of the security properties they ensure weighed against the harshness of the syntactic conditions they enforce. This results in a simple implementable algorithm for proving that a program has a specific noninterference property, using only compositionality, which captures uniformly several security type-system results from the literature and suggests a further improved type system. All formalism and theorems have been mechanically verified in Isabelle/HOL.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Agat, J.: Transforming out timing leaks. In: POPL, pp. 40–53 (2000)Google Scholar
  2. 2.
    Barthe, G., D’Argenio, P.R., Rezk, T.: Secure information flow by self-composition. In: IEEE Computer Security Foundations Workshop, pp. 100–114 (2004)Google Scholar
  3. 3.
    Barthe, G., Nieto, L.P.: Formally verifying information flow type systems for concurrent and thread systems. In: FMSE, pp. 13–22 (2004)Google Scholar
  4. 4.
    Boudol, G.: On Typing Information Flow. In: Van Hung, D., Wirsing, M. (eds.) ICTAC 2005. LNCS, vol. 3722, pp. 366–380. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  5. 5.
    Boudol, G., Castellani, I.: Noninterference for Concurrent Programs. In: Yu, Y., Spirakis, P.G., van Leeuwen, J. (eds.) ICALP 2001. LNCS, vol. 2076, pp. 382–395. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  6. 6.
    Boudol, G., Castellani, I.: Noninterference for concurrent programs and thread systems. Theoretical Computer Science 281(1-2), 109–130 (2002)MathSciNetMATHCrossRefGoogle Scholar
  7. 7.
    Darvas, Á., Hähnle, R., Sands, D.: A Theorem Proving Approach to Analysis of Secure Information Flow. In: Hutter, D., Ullmann, M. (eds.) SPC 2005. LNCS, vol. 3450, pp. 193–209. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  8. 8.
    Focardi, R., Gorrieri, R.: Classification of Security Properties (Part i: Information Flow). In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, p. 331. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  9. 9.
    Halpern, J.Y., O’Neill, K.R.: Secrecy in multiagent systems. ACM Trans. Inf. Syst. Secur. 12(1) (2008)Google Scholar
  10. 10.
    Jones, C.B.: Specification and design of (parallel) programs. In: IFIP Congress 1983, pp. 321–332 (1983)Google Scholar
  11. 11.
    Mantel, H.: On the composition of secure systems. In: IEEE Symposium on Security and Privacy, pp. 88–101 (2002)Google Scholar
  12. 12.
    Mantel, H., Sands, D., Sudbrock, H.: Assumptions and guarantees for compositional noninterference. In: CSF 2011, Cernay-la-Ville, France, pp. 218–232 (2011)Google Scholar
  13. 13.
    Mantel, H., Sudbrock, H.: Flexible Scheduler-Independent Security. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 116–133. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  14. 14.
    Mantel, H., Sudbrock, H., Kraußer, T.: Combining Different Proof Techniques for Verifying Information Flow Security. In: Puebla, G. (ed.) LOPSTR 2006. LNCS, vol. 4407, pp. 94–110. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  15. 15.
    McLean, J.: A general theory of composition for trace sets closed under selective interleaving functions, pp. 79–93 (May 1994)Google Scholar
  16. 16.
    Milner, R.: Communication and concurrency. Prentice Hall (1989)Google Scholar
  17. 17.
    Plotkin, G.D.: A structural approach to operational semantics. J. Log. Algebr. Program. 60-61, 17–139 (2004)MathSciNetCrossRefGoogle Scholar
  18. 18.
    Popescu, A., Hölzl, J.: Possibilistic noninterference formalized in Isabelle/HOL. Archive for Formal Proofs (2012), http://afp.sourceforge.net/entries/Possibilistic_Noninterference.shtml
  19. 19.
    Russo, A., Hughes, J., Naumann, D.A., Sabelfeld, A.: Closing Internal Timing Channels by Transformation. In: Okada, M., Satoh, I. (eds.) ASIAN 2006. LNCS, vol. 4435, pp. 120–135. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  20. 20.
    Russo, A., Sabelfeld, A.: Security for Multithreaded Programs Under Cooperative Scheduling. In: Virbitskaite, I., Voronkov, A. (eds.) PSI 2006. LNCS, vol. 4378, pp. 474–480. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  21. 21.
    Sabelfeld, A.: The Impact of Synchronisation on Secure Information Flow in Concurrent Programs. In: Bjørner, D., Broy, M., Zamulin, A.V. (eds.) PSI 2001. LNCS, vol. 2244, pp. 225–239. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  22. 22.
    Sabelfeld, A.: Confidentiality for Multithreaded Programs via Bisimulation. In: Broy, M., Zamulin, A.V. (eds.) PSI 2003. LNCS, vol. 2890, pp. 260–274. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  23. 23.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE Journal on Selected Areas in Communications 21(1), 5–19 (2003)CrossRefGoogle Scholar
  24. 24.
    Sabelfeld, A., Sands, D.: A Per Model of Secure Information Flow in Sequential Programs. In: Swierstra, S.D. (ed.) ESOP 1999. LNCS, vol. 1576, pp. 40–58. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  25. 25.
    Sabelfeld, A., Sands, D.: Probabilistic noninterference for multi-threaded programs. In: IEEE Computer Security Foundations Workshop, pp. 200–214 (2000)Google Scholar
  26. 26.
    Smith, G.: A new type system for secure information flow. In: IEEE Computer Security Foundations Workshop, pp. 115–125 (2001)Google Scholar
  27. 27.
    Smith, G.: Probabilistic noninterference through weak probabilistic bisimulation. In: IEEE Computer Security Foundations Workshop, pp. 3–13 (2003)Google Scholar
  28. 28.
    Smith, G.: Improved typings for probabilistic noninterference in a multi-threaded language. Journal of Computer Security 14(6), 591–623 (2006)Google Scholar
  29. 29.
    Smith, G., Volpano, D.: Secure information flow in a multi-threaded imperative language. In: ACM Symposium on Principles of Programming Languages, pp. 355–364 (1998)Google Scholar
  30. 30.
    Volpano, D., Smith, G., Irvine, C.: A sound type system for secure flow analysis. Journal of Computer Security 4(2,3), 167–187 (1996)Google Scholar
  31. 31.
    Zdancewic, S., Myers, A.C.: Observational determinism for concurrent program security. In: IEEE Computer Security Foundations Workshop, pp. 29–43 (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Andrei Popescu
    • 1
    • 2
  • Johannes Hölzl
    • 1
  • Tobias Nipkow
    • 1
  1. 1.Technische Universität MünchenGermany
  2. 2.Institute of Mathematics Simion StoilowRomania

Personalised recommendations