Design and Verification of Microprocessor Systems for High-Assurance Applications

pp 341-379


Specification and Checking of Software Contracts for Conditional Information Flow

  • Torben AmtoftAffiliated withKansas State University Email author 
  • , John Hatcliff
  • , Edwin Rodríguez
  • , Robby
  • , Jonathan Hoag
  • , David Greve

* Final gross prices may vary according to local VAT.

Get Access


Information assurance applications built according to the multiple independent levels of security (MILS) architecture often contain information flow policies that are conditional in the sense that data is allowed to flow between system components only when the system satisfies certain state predicates. However, existing specification and verification environments, such as SPARK Ada, used to develop MILS applications can only capture unconditional information flows. Motivated by the need to better formally specify and certify MILS applications in industrial contexts, we present an enhancement of the SPARK information flow annotation language that enables specification, inferring, and compositional checking of conditional information flow contracts. A precondition generation algorithm is defined that automates the compositional checking and inference of conditional informational flow contracts. We report on the implementation and use of this framework for a collection of SPARK examples.