Towards Fully Automatic Logic-Based Information Flow Analysis: An Electronic-Voting Case Study

  • Quoc Huy DoEmail author
  • Eduard Kamburjan
  • Nathan Wasser
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9635)


Logic-based information flow analysis approaches generally are high precision, but lack automatic ability in the sense that they demand user interactions and user-defined specifications. To overcome this obstacle, we propose an approach that combines the strength of two available logic-based tools based on the KeY theorem prover: the KEG tool that detects information flow leaks for Java programs and a specification generation tool utilizing abstract interpretation on program logic. As a case study, we take a simplified e-voting system and show that our approach can lighten the user’s workload considerably, while still keeping high precision.


Test generation Information flow Invariant generation 



We would like to thank Richard Bubel for fruitful discussions and comments.


  1. 1.
    Avvenuti, M., Bernardeschi, C., Francesco, N.D., Masci, P.: JCSI: a tool for checking secure information flow in java card applications. J. Syst. Softw. 85(11), 2479–2493 (2012)CrossRefGoogle Scholar
  2. 2.
    Banerjee, A., Giacobazzi, R., Mastroeni, I.: What you lose is what you leak: information leakage in declassification policies. Electron. Notes Theor. Comput. Sci. 173, 47–66 (2007)CrossRefzbMATHGoogle Scholar
  3. 3.
    Barthe, G., D’Argenio, P.R., Rezk, T.: Secure information flow by self-composition. In: Proceedings of the 17th IEEE Workshop on Computer Security Foundations, CSFW 2004, pp. 100–114. IEEE CS(2004)Google Scholar
  4. 4.
    Beckert, B., Bruns, D., Klebanov, V., Scheben, C., Schmitt, P.H., Ulbrich, M.: Information flow in object-oriented software. In: Gupta, G., Peña, R. (eds.) LOPSTR 2013, LNCS 8901. LNCS, vol. 8901, pp. 19–37. Springer, Heidelberg (2014)Google Scholar
  5. 5.
    Beckert, B., Hähnle, R., Schmitt, P.H. (eds.): Verification of Object-Oriented Software. Lecture Notes in Computer Science, vol. 4334. Springer, Heidelberg (2007)Google Scholar
  6. 6.
    Bubel, R., Hähnle, R., Weiß, B.: Abstract interpretation of symbolic execution with explicit state updates. In: de Boer, F.S., Bonsangue, M.M., Madelaine, E. (eds.) FMCO 2008. LNCS, vol. 5751, pp. 247–277. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  7. 7.
    Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: 4th Symposium on Principles of Programming Languages (POPL), pp. 238–252. ACM (1977)Google Scholar
  8. 8.
    Cousot, P., Cousot, R., Logozzo, F.: A parametric segmentation functor for fully automatic and scalable array content analysis. SIGPLAN Not. 46(1), 105–118 (2011)CrossRefzbMATHGoogle Scholar
  9. 9.
    Cousot, P., Halbwachs, N.: Automatic discovery of linear restraints among variables of a program. In: Proceedings of the 5th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, POPL 1978, pp. 84–96. ACM (1978)Google Scholar
  10. 10.
    Darvas, Á., Hähnle, R., Sands, D.: A theorem proving approach to analysis of secure information flow. In: Gorrieri, R. (ed.) Workshop on Issues in the Theory of Security. IFIP WG 1.7, SIGPLAN and GI FoMSESS. ACM (2003)Google Scholar
  11. 11.
    de Moura, L., Bjørner, N.S.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  12. 12.
    Do, Q., Bubel, R., Hähnle, R.: Exploit generation for information flow leaks in object oriented programs. In: Federrath, H., Gollmann, D. (eds.) ICT SystemsSecurity and Privacy Protection. IFIP Advances in Information and Communication Technology, vol. 455, pp. 401–415. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  13. 13.
    Flanagan, C., Qadeer, S.: Predicate abstraction for software verification. SIGPLAN Not. 37(1), 191–202 (2002)CrossRefzbMATHGoogle Scholar
  14. 14.
    Graf, J., Hecker, M., Mohr, M.: Using JOANA for information flow control in java programs - a practical guide. In: Proceedings of the 6th Working Conference on Programming Languages. LNI, vol. 215, pp. 123–138. Springer, February 2013Google Scholar
  15. 15.
    Halbwachs, N., Péron, M.: Discovering properties about arrays in simple programs. SIGPLAN Not. 43(6), 339–348 (2008)CrossRefGoogle Scholar
  16. 16.
    Hentschel, M., Hähnle, R., Bubel, R.: Visualizing unbounded symbolic execution. In: Seidl, M., Tillmann, N. (eds.) TAP 2014. LNCS, vol. 8570, pp. 82–98. Springer, Heidelberg (2014)Google Scholar
  17. 17.
    Hunt, S., Sands, D.: On flow-sensitive security types. In: ACM SIGPLAN Notices, vol. 41, pp. 79–90. ACM (2006)Google Scholar
  18. 18.
    Janota, M.: Assertion-based loop invariant generation. In: Proceedings of the 1st International Workshop on Invariant Generation (WING 07), Wing 2004 (2007)Google Scholar
  19. 19.
    King, J.C.: Symbolic execution and program testing. Commun. ACM 19(7), 385–394 (1976)MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    Küsters, R., Truderung, T., Beckert, B., Bruns, D., Graf, J., Scheben, C.: A hybrid approach for proving noninterference and applications to the cryptographic verification of java programs. In: Grande Region Security and Reliability Day 2013, Extended Abstract (2013)Google Scholar
  21. 21.
    Küsters, R., Truderung, T., Beckert, B., Bruns, D., Kirsten, M., Mohr, M.: A hybrid approach for proving noninterference of java programs. In: Fournet, C., Hicks, M. (eds.) 28th IEEE Computer Security Foundations Symposium (2015)Google Scholar
  22. 22.
    Leavens, G.T., Baker, A.L., Ruby, C.: JML: a java modeling language. In: Formal Underpinnings of Java Workshop (at OOPSLA 1998), pp. 404–420 (1998)Google Scholar
  23. 23.
    Leino, K.R.M., Monahan, R.: Reasoning about comprehensions with first-order SMT solvers. In: Proceedings of the 2009 ACM Symposium on Applied Computing, SAC 2009, pp. 615–622. ACM, New York (2009)Google Scholar
  24. 24.
    Myers, A.C.: JFlow: practical mostly-static information flow control. In: Proceedings of 26th ACM Symposium on Principles of Programming Languages, pp. 228–241 (1999)Google Scholar
  25. 25.
    Sabelfeld, A., Myers, A.C.: A model for delimited information release. In: Futatsugi, K., Mizoguchi, F., Yonezaki, N. (eds.) Software Security - Theories and Systems. Lecture Notes in Computer Science, vol. 3233, pp. 174–191. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  26. 26.
    Scheben, C., Schmitt, P.H.: Verification of information flow properties of java programs without approximations. In: Beckert, B., Damiani, F., Gurov, D. (eds.) FoVeOOS 2011. LNCS, vol. 7421, pp. 232–249. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  27. 27.
    Volpano, D., Irvine, C., Smith, G.: A sound type system for secure flow analysis. J. Comput. Secur. 4(2), 167–187 (1996)CrossRefGoogle Scholar
  28. 28.
    Wasser, N.: Generating specifications for recursive methods by abstracting program states. In: Li, X., Liu, Z., Yi, W. (eds.) Dependable Software Engineering: Theories, Tools, and Applications. Lecture Notes in Computer Science, vol. 9409, pp. 243–257. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  29. 29.
    Wasser, N., Bubel, R.: A theorem prover backed approach to array abstraction. Technical. report, Department of Computer Science, Technische Universität Darmstadt, Germany , presented at the Vienna Summer of Logic 2014 5th International Workshop on Invariant Generation (2014)Google Scholar
  30. 30.
    Wasser, N., Bubel, R., Hähnle, R.: Array abstraction with symbolic pivots. Technical report, Department of Computer Science, Technische Universität Darmstadt, Germany, August 2015Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  1. 1.Department of Computer ScienceTU DarmstadtDarmstadtGermany

Personalised recommendations