Verification of Information Flow Properties of Java Programs without Approximations

  • Christoph Scheben
  • Peter H. Schmitt
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7421)


In this paper we propose a methodology for the specification and verification of information flow properties for sequential Java programs. This proposal also covers declassification. We define an extension of the Java Modeling Language (JML) that significantly goes beyond previous approaches. The JML specification clauses are translated into proof obligations in Dynamic Logic. An experimental implementation within the KeY-system shows the feasibility of the approach.


Security Policy Class Diagram Java Program Dynamic Logic Proof Obligation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Amtoft, T., Banerjee, A.: Information Flow Analysis in Logical Form. In: Giacobazzi, R. (ed.) SAS 2004. LNCS, vol. 3148, pp. 100–115. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  2. 2.
    Banerjee, A., Naumann, D.A., Rosenberg, S.: Expressive declassification policies and modular static enforcement. In: IEEE Symp. on Security and Privacy, pp. 339–353 (2008)Google Scholar
  3. 3.
    Barthe, G., D’Argenio, P.R., Rezk, T.: Secure information flow by self-composition. In: Proceedings of the 17th IEEE Workshop on Computer Security Foundations, CSFW 2004, pp. 100–115. IEEE Computer Society, Washington, DC (2004)CrossRefGoogle Scholar
  4. 4.
    Bubel, R., Hähnle, R., Weiß, B.: Abstract Interpretation of Symbolic Execution with Explicit State Updates. In: de Boer, F.S., Bonsangue, M.M., Madelaine, E. (eds.) FMCO 2008. LNCS, vol. 5751, pp. 247–277. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  5. 5.
    Darvas, Á., Hähnle, R., Sands, D.: A Theorem Proving Approach to Analysis of Secure Information Flow. In: Hutter, D., Ullmann, M. (eds.) SPC 2005. LNCS, vol. 3450, pp. 193–209. Springer, Heidelberg (2005), doi:10.1007/978-3-540-32004-3_20CrossRefGoogle Scholar
  6. 6.
    Dufay, G., Felty, A.P., Matwin, S.: Privacy-Sensitive Information Flow with JML. In: Nieuwenhuis, R. (ed.) CADE 2005. LNCS (LNAI), vol. 3632, pp. 116–130. Springer, Heidelberg (2005), doi:10.1007/11532231_9CrossRefGoogle Scholar
  7. 7.
    Haack, C., Poll, E., Schubert, A.: Explicit information flow properties in JML. In: 3rd Benelux Workshop on Information and System Security (WISSec) (November 2008)Google Scholar
  8. 8.
    Hähnle, R., Pan, J., Rümmer, P., Walter, D.: Integration of a Security Type System into a Program Logic. In: Montanari, U., Sannella, D., Bruni, R. (eds.) TGC 2006. LNCS, vol. 4661, pp. 116–131. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  9. 9.
    Harel, D.: First-Order Dynamic Logic. LNCS, vol. 68. Springer, Heidelberg (1979)zbMATHCrossRefGoogle Scholar
  10. 10.
    Harel, D., Kozen, D., Tiuryn, J.: Dynamic Logic. The MIT Press (2000)Google Scholar
  11. 11.
    Hunt, S., Sands, D.: On flow-sensitive security types. In: Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2006, pp. 79–90. ACM, New York (2006)CrossRefGoogle Scholar
  12. 12.
    Kassios, I.: The dynamic frames theory. Formal Aspects of Computing 23, 267–288 (2011), doi:10.1007/s00165-010-0152-5MathSciNetzbMATHCrossRefGoogle Scholar
  13. 13.
    Leavens, G.T., Baker, A.L., Ruby, C.: Preliminary design of JML: a behavioral interface specification language for Java. SIGSOFT Softw. Eng. Notes 31, 1–38 (2006)CrossRefGoogle Scholar
  14. 14.
    Myers, A.C.: Jflow: practical mostly-static information flow control. In: Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 1999, pp. 228–241. ACM, New York (1999)CrossRefGoogle Scholar
  15. 15.
    Nanevski, A., Banerjee, A., Garg, D.: Verification of information flow and access control policies with dependent types. In: 2011 IEEE Symposium on Security and Privacy (SP), pp. 165–179 (May 2011)Google Scholar
  16. 16.
    Pan, J.: A theorem proving approach to analysis of secure information flow using data abstraction. Master’s thesis, Department of Computer Science and Engineering, Chalmers University of Technology (2005)Google Scholar
  17. 17.
    Ranise, S., Tinelli, C.: The SMT-LIB standard, v 1.2. Technical report, U. of Iowa (2006)Google Scholar
  18. 18.
    Sabelfeld, A., Myers, A.C.: A Model for Delimited Information Release. In: Futatsugi, K., Mizoguchi, F., Yonezaki, N. (eds.) ISSS 2003. LNCS, vol. 3233, pp. 174–191. Springer, Heidelberg (2004), doi:10.1007/978-3-540-37621-7_9CrossRefGoogle Scholar
  19. 19.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE Journal on Selected Areas in Communications 21(1), 5–19 (2003)CrossRefGoogle Scholar
  20. 20.
    Sabelfeld, A., Sands, D.: Declassification: Dimensions and principles. J. Comput. Secur. 17, 517–548 (2009)Google Scholar
  21. 21.
    van Delft, B.: Abstraction, objects and information flow analysis. Master’s thesis, Institute for Computing and Information Science, Radboud University Nijmegen (2011)Google Scholar
  22. 22.
    Warnier, M.: Language Based Security for Java and JML. PhD thesis, Radboud University, Nijmegen, The Netherlands (2006)Google Scholar
  23. 23.
    Weiß, B.: Deductive Verification of Object-Oriented Software: Dynamic Frames, Dynamic Logic and Predicate Abstraction. PhD thesis, Karlsruhe Institute of Technology (2011)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Christoph Scheben
    • 1
  • Peter H. Schmitt
    • 1
  1. 1.Karlsruhe Institute of Technology (KIT)KarlsruheGermany

Personalised recommendations