Code Abstractions for Automatic Information Flow Control in a Model-Driven Approach

  • Kuzman Katkalov
  • Kurt Stenzel
  • Wolfgang Reif
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10658)


Automatic information flow control (IFC) can be used to guarantee the absence of information leaks in security-critical applications. However, IFC of real-world, complex, distributed systems is challenging. In this paper, we show how a model-driven approach for development of such applications consisting of mobile apps and web services can help solve those challenges using automatic code abstractions.


Keywords: Information flow, IFC, Model-driven development, Security by design, Privacy by design



This work is sponsored by the Priority Programme 1496 “Reliably Secure Software Systems - RS\(^{3}\)” of the Deutsche Forschungsgemeinschaft (DFG).



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Department of Software Engineering and Programming Languages, University of Augsburg, Augsburg, Germany
