On Improvements of Low-Deterministic Security

  • Joachim Breitner
  • Jürgen Graf
  • Martin HeckerEmail author
  • Martin Mohr
  • Gregor Snelting
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9635)


Low-security observable determinism (LSOD), as introduced by Roscoe and Zdancewic [18, 24], is the simplest criterion which guarantees probabilistic noninterference for concurrent programs. But LSOD prohibits any, even secure low-nondeterminism. Giffhorn developed an improvement, named RLSOD, which allows some secure low-nondeterminism, and can handle full Java with high precision [5].

In this paper, we describe a new generalization of RLSOD. By applying aggressive program analysis, in particular dominators for multi-threaded programs, precision can be boosted and false alarms minimized. We explain details of the new algorithm, and provide a soundness proof. The improved RLSOD is integrated into the JOANA tool; a case study is described. We thus demonstrate that low-deterministic security is a highly precise and practically mature software security analysis method.


Information flow control Probabilistic noninterference Program analysis 



This work was partially supported by Deutsche Forschungsgemeinschaft in the scope of SPP “Reliably Secure Software Systems”, and by BMBF in the scope of the KASTEL project.


  1. 1.
    Askarov, A., Hunt, S., Sabelfeld, A., Sands, D.: Termination-insensitive noninterference leaks more than just a bit. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 333–348. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  2. 2.
    De Sutter, B., Van Put, L., De Bosschere, K.: A practical interprocedural dominance algorithm. ACM Trans. Program. Lang. Syst. 29(4), 19 (2007)CrossRefGoogle Scholar
  3. 3.
    Gawlitza, T.M., Lammich, P., Müller-Olm, M., Seidl, H., Wenner, A.: Join-lock-sensitive forward reachability analysis for concurrent programs with dynamic process creation. In: Jhala, R., Schmidt, D. (eds.) VMCAI 2011. LNCS, vol. 6538, pp. 199–213. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  4. 4.
    Giffhorn, D.: Slicing of concurrent programs and its application to information flow control. Ph.D. thesis, Karlsruher Institut für Technologie, Fakultät für Informatik, May 2012Google Scholar
  5. 5.
    Giffhorn, D., Snelting, G.: A new algorithm for low-deterministic security. Int. J. Inf. Secur. 14(3), 263–287 (2015)CrossRefGoogle Scholar
  6. 6.
    Graf, J., Hecker, M., Mohr, M., Snelting, G.: Checking applications using security APIs with JOANA. In: 8th International Workshop on Analysis of Security APIs.
  7. 7.
    Hammer, C., Snelting, G.: Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs. Int. J. Inf. Secur. 8(6), 399–422 (2009)CrossRefGoogle Scholar
  8. 8.
    Horwitz, S., Prins, J., Reps, T.: On the adequacy of program dependence graphs for representing programs. In: Proceedings POPL 1988. pp. 146–157. ACM, New York, NY, USA (1988)Google Scholar
  9. 9.
    Huisman, M., Ngo, T.: Scheduler-specific confidentiality for multi-threaded programs and its logic-based verification. In: Proceedings Formal Verification of Object-Oriented Systems (2011)Google Scholar
  10. 10.
    Huisman, M., Worah, P., Sunesen, K.: A temporal logic characterisation of observational determinism. In: Proceedings of the 19th CSFW, pp. 3. IEEE (2006)Google Scholar
  11. 11.
    Küsters, R., Scapin, E., Truderung, T., Graf, J.: Extending and applying a framework for the cryptographic verification of java programs. In: Abadi, M., Kremer, S. (eds.) POST 2014 (ETAPS 2014). LNCS, vol. 8414, pp. 220–239. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  12. 12.
    Küsters, R., Truderung, T., Graf, J.: A framework for the cryptographic verification of Java-like programs. In: 2012 IEEE 25th Symposium on Computer Security Foundations (CSF). IEEE Computer Society (2012)Google Scholar
  13. 13.
    Mantel, H., Sudbrock, H.: Flexible Scheduler-independent security. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 116–133. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  14. 14.
    Mohr, M., Graf, J., Hecker, M.: JoDroid: adding android support to a static information flow control tool. In: Gemeinsamer Tagungsband der Workshops der Tagung Software Engineering 2015, Dresden, Germany, 17–18 Mäarz 2015, vol. 1337, pp. 140–145, CEUR Workshop Proceedings. (2015)Google Scholar
  15. 15.
    Ngo, T.M.: Qualitative and quantitative information flow analysis for multi-threaded programs. Ph.D. thesis, University of Enschede (2014)Google Scholar
  16. 16.
    Popescu, A., Hölzl, J., Nipkow, T.: Formalizing probabilistic noninterference. In: Gonthier, G., Norrish, M. (eds.) CPP 2013. LNCS, vol. 8307, pp. 259–275. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  17. 17.
    Popescu, A., Hölzl, J., Nipkow, T.: Noninterfering schedulers. In: Heckel, R., Milius, S. (eds.) CALCO 2013. LNCS, vol. 8089, pp. 236–252. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  18. 18.
    Roscoe, A.W., Woodcock, J.C.P., Wulf, L.: Non-interference through determinism. In: Gollmann, Dieter (ed.) ESORICS 1994. LNCS, vol. 875. Springer, Heidelberg (1994)Google Scholar
  19. 19.
    Sabelfeld, A., Sands, D.: Probabilistic noninterference for multi-threaded programs. In: Proceedings of the 13th IEEE Computer Security Foundations Workshop (CSFW 2000) 3–5 July 2000, Cambridge, pp. 200–214 (2000)Google Scholar
  20. 20.
    Smith, G.: Improved typings for probabilistic noninterference in a multi-threaded language. J. Comput. Secur. 14(6), 591–623 (2006). CrossRefGoogle Scholar
  21. 21.
    Smith, G., Volpano, D.: Secure information flow in a multi-threaded imperative language. In: Proceedings of POPL 1998, pp. 355–364. ACM, January 1998Google Scholar
  22. 22.
    Snelting, G.: Combining slicing and constraint solving for validation of measurement software. In: Cousot, Radhia, Schmidt, D.A. (eds.) SAS 1996. LNCS, vol. 1145. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  23. 23.
    Snelting, G., Robschink, T., Krinke, J.: Efficient path conditions in dependence graphs for software safety analysis. ACM Trans. Softw. Eng. Methodol. 15(4), 410–457 (2006)CrossRefGoogle Scholar
  24. 24.
    Zdancewic, S., Myers, A.C.: Observational determinism for concurrent program security. In: Proceedings CSFW, pp. 29–43. IEEE (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  • Joachim Breitner
    • 1
  • Jürgen Graf
    • 1
  • Martin Hecker
    • 1
    Email author
  • Martin Mohr
    • 1
  • Gregor Snelting
    • 1
  1. 1.Karlsruhe Institute of TechnologyKarlsruheGermany

Personalised recommendations