
Provably Correct Runtime Enforcement of Non-interference Properties

  • V. N. Venkatakrishnan
  • Wei Xu
  • Daniel C. DuVarney
  • R. Sekar
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4307)

Abstract

Non-interference has become the standard criterion for ensuring confidentiality of sensitive data in the information flow literature. However, application of non-interference to practical software systems has been limited. This is partly due to the imprecision that is inherent in static analyses that have formed the basis of previous non-interference based techniques. Runtime approaches can be significantly more accurate than static analysis, and have often been more successful in practice. However, they can only reason about explicit information flows that take place via assignments in a program. Implicit flows that take place without involving assignments, and can be inferred from the structure and/or semantics of the program, are missed by runtime techniques. This paper seeks to bridge the gap between the accuracy provided by runtime techniques and the completeness provided by static analysis techniques. In particular, we develop a hybrid technique that relies primarily on runtime information-flow tracking, but augments it with static analysis to reason about implicit flows that arise due to unexecuted paths in a program. We prove that the resulting technique preserves non-interference, while providing some of the traditional benefits of dynamic analysis such as improved accuracy.
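The following is an added illustration of the hybrid scheme the abstract sketches; it is constructed for this page and is not the paper's own implementation, language or transformation rules. It assumes a two-point lattice (LOW/HIGH), a tiny tuple-encoded language with only assignments and conditionals, and two hypothetical programs, LEAK and PRECISE. The monitor tracks labels at run time (explicit flows plus a program-counter label); in hybrid mode it additionally consults the program's structure at a branch on HIGH data and raises the labels of every variable the *unexecuted* branch could have written, which is exactly the implicit flow a purely dynamic tracker misses.

```python
"""Toy hybrid information-flow monitor (constructed example, not the paper's code)."""
from typing import Any, Dict, List, Set, Tuple

LOW, HIGH = 0, 1          # two-point lattice; join is max

# Constructed toy syntax:
#   expr := ("const", v) | ("var", name) | ("op", sym, expr, expr)
#   stmt := ("assign", name, expr) | ("if", expr, [stmt], [stmt])
OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b,
       "==": lambda a, b: int(a == b), ">": lambda a, b: int(a > b)}


def assigned_vars(block: List[Tuple]) -> Set[str]:
    """Static part: every variable a block could write, on any path."""
    out: Set[str] = set()
    for stmt in block:
        if stmt[0] == "assign":
            out.add(stmt[1])
        elif stmt[0] == "if":
            out |= assigned_vars(stmt[2]) | assigned_vars(stmt[3])
    return out


class Monitor:
    """Runtime label tracker; `hybrid=True` adds the static fix-up at branches."""

    def __init__(self, values: Dict[str, Any], labels: Dict[str, int], hybrid: bool):
        self.values = dict(values)
        self.labels = dict(labels)
        self.hybrid = hybrid
        self.pc = LOW            # label of the program counter

    def eval(self, expr: Tuple) -> Tuple[Any, int]:
        kind = expr[0]
        if kind == "const":
            return expr[1], LOW
        if kind == "var":
            return self.values.get(expr[1], 0), self.labels.get(expr[1], LOW)
        _, sym, a, b = expr
        va, la = self.eval(a)
        vb, lb = self.eval(b)
        return OPS[sym](va, vb), max(la, lb)

    def run(self, block: List[Tuple]) -> "Monitor":
        for stmt in block:
            self.exec(stmt)
        return self

    def exec(self, stmt: Tuple) -> None:
        if stmt[0] == "assign":
            _, name, expr = stmt
            v, lbl = self.eval(expr)
            self.values[name] = v
            self.labels[name] = max(lbl, self.pc)   # explicit flow joined with pc
        elif stmt[0] == "if":
            _, cond, then_b, else_b = stmt
            v, lbl = self.eval(cond)
            saved = self.pc
            self.pc = max(saved, lbl)
            taken, skipped = (then_b, else_b) if v else (else_b, then_b)
            if self.hybrid and self.pc == HIGH:
                # Implicit flow through the path NOT taken: anything the skipped
                # branch could have written now depends on HIGH data.
                for name in assigned_vars(skipped):
                    self.labels[name] = HIGH
            self.run(taken)
            self.pc = saved
        else:
            raise ValueError(f"unknown statement {stmt!r}")


# Constructed programs.  LEAK is the classic implicit flow:  l := 0; if h then l := 1
LEAK = [("assign", "l", ("const", 0)),
        ("if", ("var", "h"), [("assign", "l", ("const", 1))], [])]
# PRECISE branches on LOW data; static analysis alone would label l HIGH here.
PRECISE = [("if", ("op", ">", ("var", "x"), ("const", 0)),
            [("assign", "l", ("var", "h"))],
            [("assign", "l", ("const", 0))])]


def low_view(mon: Monitor) -> Dict[str, Any]:
    """What a LOW observer sees when the program finishes."""
    return {n: v for n, v in mon.values.items() if mon.labels.get(n, LOW) == LOW}


def noninterference_violated(prog: List[Tuple], hybrid: bool) -> bool:
    """Run twice with only the HIGH input h changed; any difference in the
    LOW projection is an interference the monitor failed to hide."""
    runs = [Monitor({"h": h, "l": 0}, {"h": HIGH, "l": LOW}, hybrid).run(prog)
            for h in (0, 1)]
    return low_view(runs[0]) != low_view(runs[1])


def label_after(prog: List[Tuple], var: str, x: int, hybrid: bool = True) -> int:
    """Final label of `var` for PRECISE-style programs with LOW input x."""
    return Monitor({"h": 7, "x": x}, {"h": HIGH, "x": LOW}, hybrid).run(prog).labels[var]


if __name__ == "__main__":
    print("dynamic-only leaks on LEAK:", noninterference_violated(LEAK, hybrid=False))
    print("hybrid leaks on LEAK:      ", noninterference_violated(LEAK, hybrid=True))
    print("hybrid label of l, x=0:    ", label_after(PRECISE, "l", 0))
```

With `hybrid=False`, the run where `h` is 0 never executes the branch, so `l` stays LOW while its value differs from the other run: a low observer learns `h`. With `hybrid=True`, the static set of variables written by the skipped branch is raised to HIGH at the branch point, so both runs present the same low view. The PRECISE program shows where the runtime component pays off: its condition is LOW, so no fix-up is triggered and `l` keeps a LOW label when the else branch runs, whereas a flow-insensitive static analysis would have to label `l` HIGH on every run.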

Keywords

Transformation rule, sensitive information, execution trace, program counter, security variable
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • V. N. Venkatakrishnan (1)
  • Wei Xu (2)
  • Daniel C. DuVarney (2)
  • R. Sekar (2)
  1. Department of Computer Science, University of Illinois at Chicago, Chicago
  2. Department of Computer Science, Stony Brook University, Stony Brook
