Dependent Type Theory for Verification of Information Flow and Access Control Policies

Abstract
Dedicated to the memory of John C. Reynolds (1935--2013).
We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in RHTT using only standard type-theoretic constructions such as monads, higher-order functions, abstract types, abstract predicates, and modules. Example security policies include conditional declassification, information erasure, and state-dependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing and arithmetic.
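The policies the abstract lists are all relational: they constrain pairs of runs rather than single runs, which is why a relational Hoare type is the natural vehicle for them. The following is an added example, not code from the paper or its Coq development: a small Python harness that runs toy stateful "programs" on pairs of input states and tests the two-run reading of noninterference, conditional declassification and erasure. State is a dict from location names to values; which locations count as public (`LOW`), the sample states, and the program and location names are all assumptions made up for the example. Unlike RHTT, which proves such properties, this only tests them on constructed pairs, so a passing result is evidence and a failing pair is a genuine counterexample.

```python
"""Two-run (2-safety) checks for noninterference, conditional
declassification and erasure. Added illustration; not the paper's code."""
from itertools import product

LOW = {"lo", "guess", "out"}  # public locations (assumption of this example)


def low_equal(s1, s2, view):
    """Agreement on every location in `view` (what the attacker observes)."""
    return all(s1.get(k) == s2.get(k) for k in view)


def relational_check(prog, states, precond=lambda a, b: True,
                     in_view=LOW, out_view=LOW):
    """For every pair of input states that agree on `in_view` and satisfy
    `precond`, the two output states must agree on `out_view`.
    Returns None if that holds on the samples, else a witness (s1, s2, o1, o2)."""
    for s1, s2 in product(states, repeat=2):
        if not (low_equal(s1, s2, in_view) and precond(s1, s2)):
            continue
        o1, o2 = prog(dict(s1)), prog(dict(s2))  # copies: programs mutate state
        if not low_equal(o1, o2, out_view):
            return (s1, s2, o1, o2)
    return None


# --- noninterference: low outputs may not depend on high inputs -------------
def copy_secret(s):          # violates it: high flows straight to low
    s["out"] = s["secret"]
    return s


def add_public(s):           # satisfies it: out depends on low input only
    s["out"] = s["lo"] + 1
    return s


# --- conditional declassification -------------------------------------------
# Policy: the only fact about `pw` that may be released is whether `guess`
# equals it. Relationally: if two runs agree on low inputs AND on that one
# bit, their low outputs must agree. The bit is added to the precondition.
def agree_on_match(a, b):
    return (a["guess"] == a["pw"]) == (b["guess"] == b["pw"])


def login_ok(s):             # releases exactly the permitted bit
    s["out"] = s["guess"] == s["pw"]
    return s


def login_leaky(s):          # also leaks the password length on failure
    s["out"] = True if s["guess"] == s["pw"] else len(s["pw"])
    return s


# --- erasure -----------------------------------------------------------------
# Policy: once the session ends, `secret` and the scratch `buf` become
# observable (think freed memory), so the postcondition treats them as low.
def session_erasing(s):
    s["buf"] = s["secret"]   # secret used during the session ...
    s["out"] = s["lo"]
    s["buf"] = None          # ... and every copy erased at the end
    s["secret"] = None
    return s


def session_forgetful(s):
    s["buf"] = s["secret"]
    s["out"] = s["lo"]
    s["secret"] = None       # slot cleared, but the copy in buf survives
    return s


# Constructed sample states: same low part, varying high part.
STATES = [
    {"lo": 1, "guess": "hunter2", "out": 0, "secret": 7, "pw": "hunter2", "buf": None},
    {"lo": 1, "guess": "hunter2", "out": 0, "secret": 9, "pw": "hunter2", "buf": None},
    {"lo": 1, "guess": "hunter2", "out": 0, "secret": 9, "pw": "x", "buf": None},
    {"lo": 1, "guess": "hunter2", "out": 0, "secret": 9, "pw": "longer-one", "buf": None},
]


def report():
    """Map 'program / policy' to True if it holds on the samples, else False."""
    erased_view = LOW | {"secret", "buf"}
    checks = {
        "copy_secret / noninterference":  relational_check(copy_secret, STATES),
        "add_public / noninterference":   relational_check(add_public, STATES),
        "login_ok / noninterference":     relational_check(login_ok, STATES),
        "login_ok / declassify match":    relational_check(login_ok, STATES, agree_on_match),
        "login_leaky / declassify match": relational_check(login_leaky, STATES, agree_on_match),
        "session_erasing / erasure":      relational_check(session_erasing, STATES, out_view=erased_view),
        "session_forgetful / erasure":    relational_check(session_forgetful, STATES, out_view=erased_view),
    }
    return {name: witness is None for name, witness in checks.items()}


if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name:32s} {'holds' if ok else 'VIOLATED'}")
```

Note that `login_ok` fails plain noninterference (its output depends on `pw`) and passes only once the declassification condition is part of the relational precondition; that is exactly the move from noninterference to a conditional release policy, and the leaky variant shows that the condition admits nothing beyond the one bit.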