Model-Checking Secure Information Flow for Multi-threaded Programs

  • Marieke Huisman
  • Henri-Charles Blondeel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6993)


This paper shows how secure information flow properties of multi-threaded programs can be verified by model checking in a precise and efficient way, by using the idea of self-composition.

It discusses two properties that aim to capture secure information flow for multi-threaded programs, and it shows how these properties can be characterised in the modal μ-calculus. For this characterisation, a self-composed model of the program is constructed. More precisely, this is a model that contains two copies of the labelled transition system induced by the program, so that the program is executed in parallel with itself. The self-composed model makes it possible to compare two program executions in a single temporal formula that characterises a secure information flow property.

Both the formula and model are translated into the input language for the Concurrency Workbench model checker. We discuss this encoding, and use it for some practical experiments on several simple examples.
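As an added illustration (not the paper's Concurrency Workbench encoding), the Python below builds the self-composed model of a small two-thread program, i.e. two copies of its transition system interleaved by a non-deterministic scheduler, and explores the product exhaustively to check that no pair of low-equivalent initial states can reach two terminated copies with different public values. This is a simpler reachability-style property than the μ-calculus formulas of the paper; the programs, variable names and `assign` helper are constructed for the example.

```python
from collections import deque
from itertools import product

# Added example (not the paper's CWB encoding): a program is a tuple of
# threads, each a list of instructions mapping a store (dict) to a new
# store. One copy is in state (pcs, store): one program counter per thread
# plus a frozen store; a non-deterministic scheduler picks any live thread.
def freeze(store):
    return tuple(sorted(store.items()))

def low_view(store, low):
    """What an observer at level low sees of a frozen store."""
    return tuple(item for item in store if item[0] in low)

def step(program, state):
    """All successors of one program copy (one thread runs one instruction)."""
    pcs, store = state
    succs = []
    for t, pc in enumerate(pcs):
        if pc < len(program[t]):
            new_store = freeze(program[t][pc](dict(store)))
            succs.append((pcs[:t] + (pc + 1,) + pcs[t + 1:], new_store))
    return succs

def terminated(program, state):
    return all(pc == len(program[t]) for t, pc in enumerate(state[0]))

def check_self_composed(program, low, initial_stores):
    """Explore the self-composed model (two interleaved copies) from every
    low-equivalent pair of initial stores; return two terminated copies whose
    low views differ (a leak), or None if the property holds."""
    pc0 = (0,) * len(program)
    frontier = deque(((pc0, freeze(a)), (pc0, freeze(b)))
                     for a, b in product(initial_stores, repeat=2)
                     if low_view(freeze(a), low) == low_view(freeze(b), low))
    seen = set(frontier)
    while frontier:
        c1, c2 = frontier.popleft()
        if terminated(program, c1) and terminated(program, c2):
            if low_view(c1[1], low) != low_view(c2[1], low):
                return c1, c2
        # interleaving: either the first or the second copy takes a step
        for nxt in [(n, c2) for n in step(program, c1)] + [(c1, n) for n in step(program, c2)]:
            if nxt not in seen:
                seen.add(nxt); frontier.append(nxt)
    return None

# Constructed sample: h is secret, l is public; the two threads run in parallel.
def assign(dst, src):  # src is a variable name or a constant
    return lambda s: {**s, dst: s[src] if isinstance(src, str) else src}

LEAKY = ([assign("l", "h")], [assign("l", 0)])   # "l = h" || "l = 0"
SAFE = ([assign("tmp", "h")], [assign("l", 0)])  # "tmp = h" || "l = 0"
INITS = [{"h": 0, "l": 0, "tmp": 0}, {"h": 1, "l": 0, "tmp": 0}]
```

In `LEAKY` the scheduler may run `l = 0` before `l = h`, so the final public value depends on the secret and the product exploration returns a witness pair; in `SAFE` every interleaving ends with `l = 0` and the check returns `None`.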





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Marieke Huisman, University of Twente, Netherlands
  • Henri-Charles Blondeel, INRIA Grenoble Rhône-Alpes, France
