research-article

Lattice-Based Information Flow Control-by-Construction for Security-by-Design

Authors:

Alexander Knüppel,

Ina SchaeferAuthors Info & Claims

FormaliSE '20: Proceedings of the 8th International Conference on Formal Methods in Software Engineering

Pages 44 - 54

https://doi.org/10.1145/3372020.3391565

Published: 07 October 2020 Publication History

Abstract

Many software applications contain confidential information, which has to be prevented from leaking through unauthorized access. To enforce confidentiality, there are language-based security mechanisms that rely on information flow control. Typically, these mechanisms work post-hoc by checking whether confidential data is accessed unauthorizedly after the complete program is written. The disadvantage is that incomplete programs cannot be interpreted properly and information flow properties cannot be built in constructively. In this work, we present a methodology to construct programs incrementally using refinement rules to follow a lattice-based information flow policy. In every refinement step, confidentiality and functional correctness of the program is guaranteed, such that insecure programs are prohibited by construction. Our contribution is fourfold. We formalize refinement rules for the constructive information flow control methodology, prove soundness of the refinement rules, show that our approach is at least as expressive as standard language-based mechanisms for information flow, and implement it in a graphical editor called CorC. Our methodology is also usable for integrity properties, which are dual to confidentiality.

References

[1]

Jean-Raymond Abrial. 2010. Modeling in Event-B - System and Software Engineering. Cambridge University Press.

[2]

Jean-Raymond Abrial, Michael Butler, Stefan Hallerstede, Thai Son Hoang, Farhad Mehta, and Laurent Voisin. 2010. Rodin: An Open Toolset for Modelling and Reasoning in Event-B. STTT 12, 6 (2010), 447--466.

[3]

Torben Amtoft and Anindya Banerjee. 2004. Information Flow Analysis in Logical Form. In SAS (LNCS), Vol. 3148. Springer, 100--115.

[4]

Torben Amtoft, John Hatcliff, Edwin Rodriguez, Robby, Jonathan Hoag, and David A. Greve. 2008. Specification and Checking of Software Contracts for Conditional Information Flow. In FM. Springer, 229--245.

[5]

Gregory R. Andrews and Richard P. Reitman. 1980. An Axiomatic Approach to Information Flow in Programs. TOPLAS 2, 1 (1980), 56--76.

Digital Library

[6]

Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick D. McDaniel. 2014. FlowDroid: Precise Context, Flow, Field, Object-Sensitive and Lifecycle-Aware Taint Analysis for Android Apps. In PLDI, Vol. 49. ACM, 259--269.

[7]

Ralph-Johan Back. 2009. Invariant Based Programming: Basic Approach and Teaching Experiences. FAOC 21, 3 (2009), 227--244.

[8]

Ralph-Johan Back, Johannes Eriksson, and Magnus Myreen. 2007. Testing and Verifying Invariant Based Programs in the SOCOS Environment. In TAP (LNCS), Vol. 4454. Springer, 61--78.

[9]

Ralph-Johan Back and Joakim Wright. 2012. Refinement Calculus: A Systematic Introduction. Springer Science & Business Media.

[10]

Anindya Banerjee and David A Naumann. 2002. Secure Information Flow and Pointer Confinement in a Java-like Language. In CSFW, Vol. 2. 253.

Digital Library

[11]

D Elliott Bell and Leonard J La Padula. 1976. Secure Computer System: Unified Exposition and Multics Interpretation. Technical Report. MITRE Corp Bedford MA.

[12]

Kenneth J Biba. 1977. Integrity Considerations for Secure Computer Systems. Technical Report. MITRE Corp Bedford MA.

[13]

Bart De Win, Riccardo Scandariato, Koen Buyens, Johan Grégoire, and Wouter Joosen. 2009. On the Secure Software Development Process: CLASP, SDL and Touchpoints Compared. InfSof 51, 7 (2009), 1152--1171.

[14]

Dorothy E Denning. 1976. A Lattice Model of Secure Information Flow. CACM 19, 5 (1976), 236--243.

Digital Library

[15]

Edsger W. Dijkstra. 1976. A Discipline of Programming. Prentice Hall.

Digital Library

[16]

Michael Howard, Steve Lipner, U Index, U Part, U Chapter, U Why In, U First Steps, U New Threats, U Windows, U Seeking Scalability, et al. 2006. The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software. Microsoft Press.

[17]

Sebastian Hunt and David Sands. 2006. On Flow-Sensitive Security Types. SIG-PLANNot. 41, 1 (Jan. 2006), 79--90.

[18]

Derrick G. Kourie and Bruce W. Watson. 2012. The Correctness-By-Construction Approach to Programming. Springer.

[19]

Peixuan Li and Danfeng Zhang. 2017. Towards a Flow-and Path-Sensitive Information Flow Analysis. In 2017 IEEE 30th Computer Security Foundations Symposium (CSF). IEEE, 53--67.

[20]

Carroll Morgan. 1994. Programming from Specifications (2nd ed.). Prentice Hall.

Digital Library

[21]

Andrew C. Myers. 1999. JFlow: Practical Mostly-Static Information Flow Control. ACM, New York, NY, USA, 228--241.

[22]

Andrew C. Myers and Barbara Liskov. 2000. Protecting Privacy Using the Decentralized Label Model. TOSEM 9, 4 (2000), 410--442.

Digital Library

[23]

Flemming Nielson, Hanne Riis Nielson, and Chris Hankin. 1999. Principles of Program Analysis. Springer.

Digital Library

[24]

Marcel Vinicius Medeiros Oliveira, Ana Cavalcanti, and Jim Woodcock. 2003. ArcAngel: A Tactic Language for Refinement. FAOC 15, 1 (2003), 28--47.

[25]

Tobias Runge, Ina Schaefer, Loek Cleophas, Thomas Thüm, Derrick Kourie, and Bruce W Watson. 2019. Tool Support for Correctness-by-Construction. In EASE (LNCS), Vol. 11424. Springer, 25--42.

[26]

Tobias Runge, Thomas Thüm, Loek Cleophas, Ina Schaefer, and Bruce W Watson. 2019. Comparing Correctness-by-Construction with Post-Hoc Verification - A Qualitative User Study. In Refine. Springer. To appear.

[27]

Alejandro Russo and Andrei Sabelfeld. 2010. Dynamic vs. Static Flow-Sensitive Security Analysis. In 2010 23rd IEEE Computer Security Foundations Symposium. IEEE, 186--199.

[28]

Andrei Sabelfeld and Andrew C. Myers. 2003. Language-Based Information-Flow Security. J-SAC 21, 1 (2003), 5--19.

Digital Library

[29]

Ina Schaefer, Tobias Runge, Alexander Knüppel, Loek Cleophas, Derrick Kourie, and Bruce W Watson. 2018. Towards Confidentiality-by-Construction. In ISoLA (LNCS), Vol 11244. Springer, 502--515.

[30]

Katja Turna, Riccardo Scandariato, and Musard Balliu. 2019. Flaws in Flows: Unveiling Design Flaws via Information Flow Analysis. In ICSA. IEEE, 191--200.

[31]

Dennis M. Volpano, Cynthia E. Irvine, and Geoffrey Smith. 1996. A Sound Type System for Secure Flow Analysis. JCS 4, 2/3 (1996), 167--188.

[32]

Bruce W. Watson, Derrick G. Kourie, Ina Schaefer, and Loek Cleophas. 2016. Correctness-by-Construction and Post-hoc Verification: A Marriage of Convenience?. In ISoLA (LNCS), Vol. 9952. Springer, 730--748.

[33]

Steve Zdancewic and Andrew C. Myers. 2001. Robust Declassification. In CSFW. IEEE, 15--23.

Cited By

Bordis TKodetzki MSchaefer I(2024)From Concept to Reality: Leveraging Correctness-by-Construction for Better Algorithm DesignComputer10.1109/MC.2024.339094857:7(113-119)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1109/MC.2024.3390948
Bordis TRunge TKittelmann ASchaefer I(2023)Correctness-by-ConstructionACM SIGAda Ada Letters10.1145/3591335.359134342:2(75-78)Online publication date: 5-Apr-2023
https://dl.acm.org/doi/10.1145/3591335.3591343
Runge TServetto MPotanin ASchaefer I(2022)Immutability and Encapsulation for Sound OO Information Flow ControlACM Transactions on Programming Languages and Systems10.1145/3573270Online publication date: 2-Dec-2022
https://doi.org/10.1145/3573270
Show More Cited By

Lattice-Based Information Flow Control-by-Construction for Security-by-Design
1. Security and privacy
  1. Systems security

Recommendations

Information Flow Control-by-Construction for an Object-Oriented Language
Software Engineering and Formal Methods
Abstract
In security-critical software applications, confidential information must be prevented from leaking to unauthorized sinks. Static analysis techniques are widespread to enforce a secure information flow by checking a program after construction. A ...
Security Information Flow Control Model and Method in MILS
CIS '12: Proceedings of the 2012 Eighth International Conference on Computational Intelligence and Security

Multiple Independent Levels of Security (MILS) is a high-assurance architecture which protects information sharing at different security levels. MILS ensures mutual independence and prevents the spread of the error effectively between partitions. ...
Nonmalleable Information Flow Control
CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

Noninterference is a popular semantic security condition because it offers strong end-to-end guarantees, it is inherently compositional, and it can be enforced using a simple security type system. Unfortunately, it is too restrictive for real systems. ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

FormaliSE '20: Proceedings of the 8th International Conference on Formal Methods in Software Engineering

October 2020

163 pages

ISBN:9781450370714

DOI:10.1145/3372020

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 October 2020

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

FormaliSE '20

Sponsor:

SIGSOFT

FormaliSE '20: 8th International Conference on Formal Methods in Software Engineering

October 7 - 8, 2020

Seoul, Republic of Korea

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

8
Total Citations
View Citations
223
Total Downloads

Downloads (Last 12 months)123
Downloads (Last 6 weeks)3

Reflects downloads up to 22 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Bordis TKodetzki MSchaefer I(2024)From Concept to Reality: Leveraging Correctness-by-Construction for Better Algorithm DesignComputer10.1109/MC.2024.339094857:7(113-119)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1109/MC.2024.3390948
Bordis TRunge TKittelmann ASchaefer I(2023)Correctness-by-ConstructionACM SIGAda Ada Letters10.1145/3591335.359134342:2(75-78)Online publication date: 5-Apr-2023
https://dl.acm.org/doi/10.1145/3591335.3591343
Runge TServetto MPotanin ASchaefer I(2022)Immutability and Encapsulation for Sound OO Information Flow ControlACM Transactions on Programming Languages and Systems10.1145/3573270Online publication date: 2-Dec-2022
https://doi.org/10.1145/3573270
Seifermann SHeinrich RWerle DReussner R(2022)Detecting violations of access control and information flow policies in data flow diagramsJournal of Systems and Software10.1016/j.jss.2021.111138184:COnline publication date: 1-Feb-2022
https://dl.acm.org/doi/10.1016/j.jss.2021.111138
Kittelmann ARunge TBordis TSchaefer I(2022)Runtime Verification of Correct-by-Construction Driving ManeuversLeveraging Applications of Formal Methods, Verification and Validation. Verification Principles10.1007/978-3-031-19849-6_15(242-263)Online publication date: 17-Oct-2022
https://doi.org/10.1007/978-3-031-19849-6_15
Runge TKittelmann AServetto MPotanin ASchaefer I(2022)Information Flow Control-by-Construction for an Object-Oriented LanguageSoftware Engineering and Formal Methods10.1007/978-3-031-17108-6_13(209-226)Online publication date: 2022
https://doi.org/10.1007/978-3-031-17108-6_13
Schaefer IRunge TCleophas LWatson B(2021)Tutorial: The Correctness-by-Construction Approach to Programming Using CorC2021 IEEE Secure Development Conference (SecDev)10.1109/SecDev51306.2021.00012(1-2)Online publication date: Oct-2021
https://doi.org/10.1109/SecDev51306.2021.00012
Knüppel ARunge TSchaefer I(2020)Scaling Correctness-by-ConstructionLeveraging Applications of Formal Methods, Verification and Validation: Verification Principles10.1007/978-3-030-61362-4_10(187-207)Online publication date: 29-Oct-2020
https://doi.org/10.1007/978-3-030-61362-4_10

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents