Specification and Checking of Software Contracts for Conditional Information Flow

  • Torben Amtoft
  • John Hatcliff
  • Edwin Rodríguez
  • Robby
  • Jonathan Hoag
  • David Greve
Chapter

Abstract

Information assurance applications built according to the multiple independent levels of security (MILS) architecture often contain information flow policies that are conditional in the sense that data is allowed to flow between system components only when the system satisfies certain state predicates. However, existing specification and verification environments, such as SPARK Ada, used to develop MILS applications can only capture unconditional information flows. Motivated by the need to better formally specify and certify MILS applications in industrial contexts, we present an enhancement of the SPARK information flow annotation language that enables specification, inferring, and compositional checking of conditional information flow contracts. A precondition generation algorithm is defined that automates the compositional checking and inference of conditional informational flow contracts. We report on the implementation and use of this framework for a collection of SPARK examples.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Amtoft T, Banerjee A (2004) Information flow analysis in logical form. In: 11th static analysis symposium (SAS), LNCS, vol 3148. Springer, Berlin, pp 100–115Google Scholar
  2. 2.
    Amtoft T, Banerjee A (2007a) A logic for information flow analysis with an application to forward slicing of simple imperative programs. Sci Comp Prog 64(1):3–28MATHCrossRefMathSciNetGoogle Scholar
  3. 3.
    Amtoft T, Banerjee A (2007b) Verification condition generation for conditional information flow. In: 5th ACM workshop on formal methods in security engineering (FMSE), a long version, with proofs, appears as technical report CIS TR 2007-2, Kansas State University, Manhattan, KS, pp 2–11Google Scholar
  4. 4.
    Amtoft T, Bandhakavi S, Banerjee A (2006) A logic for information flow in object-oriented programs. In: 33rd Principles of programming languages (POPL), pp 91–102Google Scholar
  5. 5.
    Amtoft T, Hatcliff J, Rodriguez E, Robby, Hoag J, Greve D (2007) Specification and checking of software contracts for conditional information flow (extended version). Technical report SAnToS-TR2007-5, CIS Department, Kansas State University. Available at http://www.sireum.org
  6. 6.
    Amtoft T, Hatcliff J, Rodríguez E (2009) Precise and automated contract-based reasoning for verification and certification of information flow properties of programs with arrays. Technical report, Kansas State University. URL http://www.cis.ksu.edu/~edwin/papers/TR-esop10.pdf, available from http://www.cis.ksu.edu/ edwin/papers/TR-esop10.pdf
  7. 7.
    Banerjee A, Naumann DA (2005) Stack-based access control and secure information flow. J Funct Program 2(15):131–177CrossRefMathSciNetGoogle Scholar
  8. 8.
    Barnes J (2003) High integrity software – the SPARK approach to safety and security. Addison-Wesley, Reading, MAGoogle Scholar
  9. 9.
    Barnett M, Leino KRM, Schulte W (2004) The Spec# programming system: an overview. In: Construction and analysis of safe, secure, and interoperable smart devices (CASSIS), pp 49–69Google Scholar
  10. 10.
    Barthe G, D’Argenio P, Rezk T (2004) Secure information flow by self-composition. In: Foccardi R (ed) CSFW’04. IEEE, New York, NY, pp 100–114Google Scholar
  11. 11.
    Bell D, LaPadula L (1973) Secure computer systems: mathematical foundations. Technical report, MTR-2547, MITRE CorpGoogle Scholar
  12. 12.
    Bergeretti JF, Carré BA (1985) Information-flow and data-flow analysis of while-programs. ACM TOPLAS 7(1):37–61MATHCrossRefGoogle Scholar
  13. 13.
    Chapman R, Hilton A (2004) Enforcing security and safety models with an information flow analysis tool. In: SIGAda’04, Atlanta, Georgia. ACM, New York, NY, pp 39–46Google Scholar
  14. 14.
    Cohen ES (1978) Information transmission in sequential programs. In: Foundations of secure computation. Academic, New York, NY, pp 297–335Google Scholar
  15. 15.
    Cok DR, Kiniry J (2004) ESC/Java2: uniting ESC/Java and JML. In: Construction and analysis of safe, secure, and interoperable smart devices (CASSIS), pp 108–128Google Scholar
  16. 16.
    Darvas A, Hähnle R, Sands D (2005) A theorem proving approach to analysis of secure information flow. In: 2nd International conference on security in pervasive computing (SPC 2005), LNCS, vol 3450. Springer, Berlin, pp 193–209Google Scholar
  17. 17.
    Goguen JA, Meseguer J (1982) Security policies and security models. In: IEEE symposium on security and privacy, pp 11–20Google Scholar
  18. 18.
    Greve D, Wilding M, Vanfleet WM (2003) A separation kernel formal security policy. In: 4th International workshop on the ACL2 prover and its applications (ACL2-2003)Google Scholar
  19. 19.
    Heitmeyer CL, Archer M, Leonard EI, McLean J (2006) Formal specification and verification of data separation in a separation kernel for an embedded system. In: 13th ACM conference on computer and communications security (CCS’06), pp 346–355Google Scholar
  20. 20.
    Henzinger TA, Jhala R, Majumdar R, Sutre G (2003) Software verification with blast. In: 10th SPIN workshop, LNCS, vol 2648. Springer, Berlin, pp 235–239Google Scholar
  21. 21.
    Jackson D, Thomas M, Millett LI (eds) (2007) Software for dependable systems: sufficient evidence? National Academies Press, Committee on certifiably dependable software systems, National Research CouncilGoogle Scholar
  22. 22.
    Kaufmann M, Manolios P, Moore JS (2000) Computer-aided reasoning: an approach. Kluwer, DordrechtGoogle Scholar
  23. 23.
    Myers AC (1999) JFlow: practical mostly-static information flow control. In: POPL’99, San Antonio, Texas. ACM, New York, NY, pp 228–241Google Scholar
  24. 24.
    Naumann DA (2006) From coupling relations to mated invariants for checking information flow. In: Gollmann D, Meier J, Sabelfeld A (eds) 11th European symposium on research in computer security (ESORICS’06), LNCS, vol 4189. Springer, Berlin, pp 279–296Google Scholar
  25. 25.
    Owre S, Rushby JM, Shankar N (1992) PVS: a prototype verification system. In: Proceedings of the 11th international conference on automated deduction (Lecture notes in computer science 607)Google Scholar
  26. 26.
    Rossebo B, Oman P, Alves-Foss J, Blue R, Jaszkowiak P (2006) Using SPARK-Ada to model and verify a MILS message router. In: Proceedings of the international symposium on secure software engineeringGoogle Scholar
  27. 27.
    Rushby J (1981) The design and verification of secure systems. In: 8th ACM symposium on operating systems principles, vol 15, Issue 5, pp 12–21Google Scholar
  28. 28.
    Simonet V (2003) Flow Caml in a nutshell. In: Hutton G (ed) First APPSEM-II workshop, pp 152–165Google Scholar
  29. 29.
    Sireum website. http://www.sireum.org
  30. 30.
    Snelting G, Robschink T, Krinke J (2006) Efficient path conditions in dependence graphs for software safety analysis. ACM Trans Softw Eng Method 15(4):410–457CrossRefGoogle Scholar
  31. 31.
    Terauchi T, Aiken A (2005) Secure information flow as a safety problem. In: 12th Static analysis symposium, LNCS, vol 3672. Springer, Berlin, pp 352–367Google Scholar
  32. 32.
    Vanfleet M, Luke J, Beckwith RW, Taylor C, Calloni B, Uchenick G (2005) MILS: architecture for high-assurance embedded computing. CrossTalk: J Defense Softw Eng 18:12–16Google Scholar
  33. 33.
    Volpano D, Smith G, Irvine C (1996) A sound type system for secure flow analysis. J Comput Security 4(3):167–188Google Scholar

Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  • Torben Amtoft
    • 1
  • John Hatcliff
  • Edwin Rodríguez
  • Robby
  • Jonathan Hoag
  • David Greve
  1. 1.Kansas State UniversityManhattanUSA

Personalised recommendations