Abstract
Information Flow Analysis (IFA) aims at detecting illegal flows of information between program entities, where "legality" is specified in terms of a security policy. For the analysis, this opens up two possibilities: building generic, policy-independent IFAs, or building specific, policy-dependent IFAs. While the former needs to track all dependencies between program entities, the latter allows for a reduced and thus more efficient analysis.
In this paper, we start out by formally defining a policy-independent information flow analysis. Next, we show how to specialize this IFA via policy-specific variable tracking, and prove soundness of the specialization. We furthermore investigate refinement relationships between policies, allowing an IFA built for one policy to be employed for its refinements. Since policy refinement depends on concrete program entities, we additionally propose a precomputation of policy refinement conditions, enabling an efficient refinement check for concrete programs.
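To make the contrast between the two kinds of analysis concrete, the following added example (written for this page, not the paper's own formalization) runs a toy dependency-tracking IFA over a constructed straight-line program twice: once tracking every variable, and once tracking only variables that can carry data from the sources named in a policy. The policy is assumed to be a set of forbidden (source, sink) pairs whose sources are unassigned program inputs.

```python
from typing import Dict, List, Set, Tuple

Stmt = Tuple[str, Set[str]]          # (assigned variable, variables it reads)
Policy = Set[Tuple[str, str]]        # forbidden (source, sink) flows

# Constructed sample program, as a list of assignments:
#   t := f(h); u := g(x, y); l := t; v := u
PROGRAM: List[Stmt] = [("t", {"h"}), ("u", {"x", "y"}), ("l", {"t"}), ("v", {"u"})]


def policy_independent(program: List[Stmt]) -> Dict[str, Set[str]]:
    """Track, for every assigned variable, all program inputs it depends on."""
    deps: Dict[str, Set[str]] = {}
    for target, reads in program:
        deps[target] = set()
        for r in reads:
            deps[target] |= deps.get(r, {r})   # an input depends on itself
    return deps


def policy_dependent(program: List[Stmt], policy: Policy) -> Dict[str, Set[str]]:
    """Track only dependencies on the policy's sources (assumed to be inputs that
    are never reassigned); variables that cannot carry source data are left out
    of the analysis state entirely, which is what makes the state smaller."""
    sources = {src for src, _ in policy}
    tracked: Dict[str, Set[str]] = {}
    for target, reads in program:
        carried: Set[str] = set()
        for r in reads:
            carried |= tracked.get(r, {r} & sources)
        if carried:
            tracked[target] = carried
    return tracked


def violations(deps: Dict[str, Set[str]], policy: Policy) -> Set[Tuple[str, str]]:
    """Forbidden flows that the analysis result shows as realised."""
    return {(src, sink) for src, sink in policy if src in deps.get(sink, set())}


if __name__ == "__main__":
    policy: Policy = {("h", "l")}
    full = policy_independent(PROGRAM)
    reduced = policy_dependent(PROGRAM, policy)
    print("tracked entries:", len(full), "vs", len(reduced))
    print("violations:", violations(full, policy), violations(reduced, policy))
```

Both runs report the same violation for the flow h to l, but the policy-dependent run keeps state for only the two variables that can carry h.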
This work was partially supported by the German Research Foundation (DFG) within the Collaborative Research Centre “On-The-Fly Computing” (SFB 901).
Notes
1. Actually, Ubuntu was executed in Oracle VM VirtualBox version 4.3.28 running on a 64-bit Windows with 8192.
© 2017 Springer International Publishing AG
Cite this paper
Töws, M., Wehrheim, H. (2017). Policy Dependent and Independent Information Flow Analyses. In: Duan, Z., Ong, L. (eds) Formal Methods and Software Engineering. ICFEM 2017. Lecture Notes in Computer Science(), vol 10610. Springer, Cham. https://doi.org/10.1007/978-3-319-68690-5_22
DOI: https://doi.org/10.1007/978-3-319-68690-5_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-68689-9
Online ISBN: 978-3-319-68690-5
eBook Packages: Computer Science (R0)