Abstract
In today’s society, people have very little control over what kinds of personal data are collected and stored by various agencies in both the private and public sectors. We describe an approach to addressing this problem that allows individuals to specify constraints on the way their own data is used. Our solution uses formal methods to allow developers of software that processes personal data to provide assurances that the software meets the specified privacy constraints. In the domain of privacy, it is often not sufficient to express properties of interest as a relation between the input and output of a program as is done for general program correctness. Here we consider a stronger class of properties that allows us to express constraints on information flow. In particular, we can express that an algorithm does not leak any information from particular “sensitive” values. We describe a general methodology for expressing this kind of information flow property as Hoare-style program verification judgments. We begin with the Java Modelling Language (JML), which is a behavioral interface specification language designed for Java, and we extend the language to include new concepts and keywords for expressing such properties. We use the Krakatoa tool which starts from JML-annotated Java programs, generates proof obligations in the Coq Proof Assistant, and helps to automate their proofs. We extend the Krakatoa tool to understand our extensions to JML and to generate the new form of required proof obligations. We illustrate our method on several data mining algorithms implemented in Java.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Banerjee, A., Naumann, D.A.: Secure information flow and pointer confinement in a Java-like language. In: Proceedings of the 15th IEEE Computer Security Foundations Workshop, p. 253. IEEE Computer Society, Los Alamitos (2002)
Barthe, G., D’Argenio, P., Rezk, T.: Secure information flow by self-composition. In: Proceedings of the 17th IEEE Computer Security Foundations Workshop, pp. 100–114. IEEE Computer Society, Los Alamitos (2004)
Felty, A., Matwin, S.: Privacy-oriented data mining by proof checking. In: Elomaa, T., Mannila, H., Toivonen, H. (eds.) PKDD 2002. LNCS (LNAI), vol. 2431, p. 138. Springer, Heidelberg (2002)
Ferrari, E., Samarati, P., Bertino, E., Jajodia, S.: Providing flexibility in information flow control for object-oriented systems. In: Proceedings of the 1997 IEEE Symposium on Security and Privacy (May 1997)
Filliâtre, J.-C.: Why: A multi-language multi-prover verification tool. Research Report 1366, LRI, Université Paris Sud (March 2003)
Giambiagi, P., Dam, M.: Verification of confidentiality properties for Java Card applets. Manuscript (2003)
Goguen, J.A., Meseguer, J.: Security policies and security models. In: Proceedings of 1982 IEEE Symposium on Security and Privacy, pp. 11–20 (1982)
Hayati, K., Abadi, M.: Language-based enforcement of privacy policies. In: Martin, D., Serjantov, A. (eds.) PET 2004. LNCS, vol. 3424, pp. 302–313. Springer, Heidelberg (2005)
Hoare, C.A.R.: An axiomatic basis for computer programming. Commununications of ACM 12(10), 576–580 (1969)
JACK: Java Applet Correctness Kit., http://www-sop.inria.fr/everest/soft/Jack/jack.html
Leavens, G.T., Baker, A.L., Ruby, C.: JML: A notation for detailed design. In: Behavioral Specifications of Businesses and Systems, pp. 175–188. Kluwer Academic Publishers, Dordrecht (1999), http://www.jmlspecs.org
Marché, C., Paulin-Mohring, C., Urbain, X.: The Krakatoa Tool for Certification of Java/JavaCard Programs annotated in JML. Journal of Logic and Algebraic Programming 58(1–2), 86–106 (2004)
Matwin, S., Felty, A., Hernádvölgyi, I., Capretta, V.: Privacy in data mining using formal methods. In: Proceedings of the Seventh International Conference on Typed Lambda Calculi and Applications. LNCS, vol. 2841, Springer, Heidelberg (2005)
Coq Development Team. The Coq Proof Assistant Reference Manual – Version 8.0 (2004), http://coq.inria.fr/doc/
Information and Privacy Commissioner/Ontario. Data mining: Staking a claim on your privacy (January 1998), http://www.ipc.on.ca/scripts/index.asp?action=31&P_ID=11387
Meyer, B.: Object-Oriented Software Construction, 2nd edn. Prentice Hall, Englewood Cliffs (1997)
Myers, A.C.: JFlow: Practical mostly-static information flow control. In: Symposium on Principles of Programming Languages (POPL), January 1999, pp. 228–241 (1999)
Myers, A.C., Sabelfeld, A., Zdancewic, S.: Enforcing robust declassification. In: Proceedings of the 17th IEEE Computer Security Foundations Workshop, pp. 172–186. IEEE Computer Society, Los Alamitos (2004)
Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Selected Areas in Communications 21(1), 5–19 (2003)
Smith, G.: A new type system for secure information flow. In: Proceedings of the 14th IEEE Computer Security Foundations Workshop, p. 115. IEEE Computer Society, Los Alamitos (2001)
The LOOP Project, http://www.cs.kun.nl/sos/research/loop/
Witten, I.H., Frank, E.: Data Mining. Morgan Kaufmann, San Francisco (2000)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Dufay, G., Felty, A., Matwin, S. (2005). Privacy-Sensitive Information Flow with JML. In: Nieuwenhuis, R. (eds) Automated Deduction – CADE-20. CADE 2005. Lecture Notes in Computer Science(), vol 3632. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11532231_9
Download citation
DOI: https://doi.org/10.1007/11532231_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-28005-7
Online ISBN: 978-3-540-31864-4
eBook Packages: Computer ScienceComputer Science (R0)