ABSTRACT
This paper specifies, via a Hoare-like logic, an interprocedural and flow-sensitive (but termination-insensitive) information flow analysis for object-oriented programs. Pointer aliasing is ubiquitous in such programs, and can potentially leak confidential information. Thus the logic employs independence assertions to describe the noninterference property that formalizes confidentiality, and employs region assertions to describe possible aliasing. Programmer assertions, in the style of JML, are also allowed, thereby permitting a more fine-grained specification of information flow policy. The logic supports local reasoning about state in the style of separation logic. Small specifications are used; they mention only the variables and addresses relevant to a command. Specifications are combined using a frame rule. An algorithm for the computation of postconditions is described: under certain assumptions, there exists a strongest postcondition which the algorithm computes.
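As an added illustration (not code from the paper) of the aliasing leak the abstract mentions and of noninterference as a two-run property, the snippet below compares a program where two variables alias one heap cell with one where they refer to separate regions; the `Node` type, the programs and the sampled secrets are all constructed for this example.

```python
# Added example, not from the paper: a sampled two-run noninterference check on
# a tiny heap program, showing how pointer aliasing carries a secret into a
# public output that was built from public data only.
from dataclasses import dataclass


@dataclass
class Node:
    """Constructed one-field heap cell standing in for an object."""
    val: int


def leaky(secret: int, pub_input: int) -> int:
    # p and q alias the same heap cell: the write of the secret through p
    # is visible through q, which is the value returned to a public observer.
    p = Node(pub_input)
    q = p              # alias: q and p name the same address
    p.val = secret     # secret flows into the shared cell ...
    return q.val       # ... and is read back through the public alias


def safe(secret: int, pub_input: int) -> int:
    # p and q occupy disjoint regions; the write through p cannot reach q,
    # so the public result is independent of the secret.
    p = Node(pub_input)
    q = Node(pub_input)
    p.val = secret
    return q.val


def noninterferent(prog, low_input: int, secrets=(0, 1, 42, -7)) -> bool:
    """Termination-insensitive noninterference, tested by sampling: for a fixed
    public input, every choice of secret must give the same public output.
    A single differing output is a witness of a leak; agreement on the sample
    is evidence, not proof, which is what the paper's logic supplies instead."""
    outputs = {prog(s, low_input) for s in secrets}
    return len(outputs) == 1
```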
A logic for information flow in object-oriented programs
Proceedings of the 2006 POPL Conference