Adjoining Declassification and Attack Models by Abstract Interpretation

  • Roberto Giacobazzi
  • Isabella Mastroeni
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3444)


In this paper we prove that attack models and robust declassification in language-based security can be viewed as adjoint transformations of abstract interpretations. This is achieved by interpreting the well known Joshi and Leino’s semantic approach to non-interference as a problem of making an abstraction complete relatively to a program’s semantics. This observation allows us to prove that the most abstract property on confidential data which flows, here called private observation, and the most concrete harmless attacker observing public data, here called public observable, both modeled as abstractions of the program’s semantics, are respectively the adjoint solutions of a completeness problem in standard abstract interpretation theory. In particular declassification corresponds to refining the given model of an attacker with the minimal amount of information in order to achieve completeness, which is non-interference, while the harmless attacker corresponds to remove this information. This proves an adjunction relation between two basic approaches to language-based security: declassification and the construction of suitable attack models, and allows us to apply relevant techniques for abstract domain transformation in language-based security.


Abstract interpretation language-based security declassification abstract non-interference attack models adjunction completeness 


  1. 1.
    Bell, D.E., LaPadula, L.J.: Secure computer systems: Mathematical foundations and model. Technical Report M74-244, MITRE Corp. Badford, MA (1973)Google Scholar
  2. 2.
    Blyth, T.S., Janowitz, M.F.: Residuation theory. Pergamon Press, Oxford (1972)zbMATHGoogle Scholar
  3. 3.
    Bodei, C., Degano, P., Nielson, F., Nielson, H.R.: Static analysis for secrecy and non-interference in networks of processes. In: Malyshkin, V.E. (ed.) PaCT 2001. LNCS, vol. 2127, pp. 27–41. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  4. 4.
    Clark, D., Hankin, C., Hunt, S.: Information flow for algol-like languages. Computer Languages 28(1), 3–28 (2002)zbMATHGoogle Scholar
  5. 5.
    Clark, D., Hunt, S., Malacaria, P.: Quantitative analysis of the leakage of confidential data. In: Workshop on Quantitative Aspects of Programming Laguages (QAPL 2001). Electronic Notes in Theoretical Computer Science, vol. 59. Elsevier, Amsterdam (2001)Google Scholar
  6. 6.
    Cohen, E.S.: Information transmission in computational systems. ACM SIGOPS Operating System Review 11(5), 133–139 (1977)CrossRefGoogle Scholar
  7. 7.
    Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proc. of Conf. Record of the 4th ACM Symp.on Principles of Programming Languages (POPL 1977), pp. 238–252. ACM Press, New York (1977)Google Scholar
  8. 8.
    Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: Proc. of Conf. Record of the 6th ACM Symp. on Principles of Programming Languages (POPL 1979), pp. 269–282. ACM Press, New York (1979)Google Scholar
  9. 9.
    Denning, D.E.: A lattice model of secure information flow. Communications of the ACM 19(5), 236–242 (1976)zbMATHCrossRefMathSciNetGoogle Scholar
  10. 10.
    Denning, D.E., Denning, P.: Certification of programs for secure information flow. Communications of the ACM 20(7), 504–513 (1977)zbMATHCrossRefGoogle Scholar
  11. 11.
    Filé, G., Giacobazzi, R., Ranzato, F.: A unifying view of abstract domain design. ACM Comput. Surv. 28(2), 333–336 (1996)CrossRefGoogle Scholar
  12. 12.
    Focardi, R., Gorrieri, R.: A classification of security properties for process algebras. Journal of Computer security 3(1), 5–33 (1995)Google Scholar
  13. 13.
    Giacobazzi, R., Mastroeni, I.: Abstract non-interference: Parameterizing non-interference by abstract interpretation. In: Proc. of the 31st Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 2004), pp. 186–197. ACM Press, NY (2004)CrossRefGoogle Scholar
  14. 14.
    Giacobazzi, R., Mastroeni, I.: Proving abstract non-interference. In: Marcinkowski, J., Tarlecki, A. (eds.) CSL 2004. LNCS, vol. 3210, pp. 280–294. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  15. 15.
    Giacobazzi, R., Quintarelli, E.: Incompleteness, counterexamples and refinements in abstract model-checking. In: Cousot, P. (ed.) SAS 2001. LNCS, vol. 2126, pp. 356–373. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  16. 16.
    Giacobazzi, R., Ranzato, F.: Refining and compressing abstract domains. In: Degano, P., Gorrieri, R., Marchetti-Spaccamela, A. (eds.) ICALP 1997. LNCS, vol. 1256, pp. 771–781. Springer, Heidelberg (1997)Google Scholar
  17. 17.
    Giacobazzi, R., Ranzato, F., Scozzari, F.: Making abstract interpretations complete. J. of the ACM 47(2), 361–416 (2000)zbMATHCrossRefMathSciNetGoogle Scholar
  18. 18.
    Goguen, J.A., Meseguer, J.: Security policies and security models. In: Proc. IEEE Symp. on Security and Privacy, pp. 11–20. IEEE Computer Society Press, Los Alamitos (1982)Google Scholar
  19. 19.
    Joshi, R., Leino, K.R.M.: A semantic approach to secure information flow. Science of Computer Programming 37, 113–138 (2000)zbMATHCrossRefMathSciNetGoogle Scholar
  20. 20.
    Laud, P.: Semantics and program analysis of computationally secure information flow. In: Sands, D. (ed.) ESOP 2001. LNCS, vol. 2028, pp. 77–91. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  21. 21.
    Li, P., Zdancewic, S.: Downgrading policies and relaxed noninterference. In: Proc. of the 32st Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 2005). ACM Press, NY (2005) (to appear)Google Scholar
  22. 22.
    Mantel, H.: Possibilistic definitions of security – an assemply kit –. In: Proc. of the IEEE Computer Security Foundations Workshop, pp. 185–199. IEEE Computer Society Press, Los Alamitos (2000)Google Scholar
  23. 23.
    McLean, J.: Proving noninterference and functional correcteness using traces. Journal of Computer security 1(1), 37–58 (1992)MathSciNetGoogle Scholar
  24. 24.
    Ranzato, F., Tapparo, F.: Strong preservation as completeness in abstract interpretation. In: Schmidt, D. (ed.) ESOP 2004. LNCS, vol. 2986, pp. 18–32. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  25. 25.
    Ryan, P.: Mathematical models of computer security – tutorial lectures. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, pp. 1–62. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  26. 26.
    Sabelfeld, A., Myers, A.C.: A model for delimited information release. In: Futatsugi, K., Mizoguchi, F., Yonezaki, N. (eds.) ISSS 2003. LNCS, vol. 3233, pp. 174–191. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  27. 27.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. on selected ares in communications 21(1), 5–19 (2003)CrossRefGoogle Scholar
  28. 28.
    Sabelfeld, A., Sands, D.: A PER model of secure information flow in sequential programs. Higher-Order and Symbolic Computation 14(1), 59–91 (2001)zbMATHCrossRefGoogle Scholar
  29. 29.
    Skalka, C., Smith, S.: Static enforcement of security with types. In: ICFP 2000, pp. 254–267. ACM Press, New York (2000)Google Scholar
  30. 30.
    Volpano, D.: Safety versus secrecy. In: Cortesi, A., Filé, G. (eds.) SAS 1999. LNCS, vol. 1694, pp. 303–311. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  31. 31.
    Volpano, D., Smith, G., Irvine, C.: A sound type system for secure flow analysis. Journal of Computer Security 4(2,3), 167–187 (1996)Google Scholar
  32. 32.
    Zdancewic, S., Myers, A.C.: Robust declassification. In: Proc. of the IEEE Computer Security Foundations Workshop, pp. 15–23. IEEE Computer Society Press, Los Alamitos (2001)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Roberto Giacobazzi
    • 1
  • Isabella Mastroeni
    • 1
  1. 1.Dipartimento di InformaticaUniversità di VeronaVeronaItaly

Personalised recommendations