Dependent Type Theory for Verification of Information Flow and Access Control Policies

Published: 01 July 2013

Abstract

Dedicated to the memory of John C. Reynolds (1935--2013).

We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in RHTT using only standard type-theoretic constructions such as monads, higher-order functions, abstract types, abstract predicates, and modules. Example security policies include conditional declassification, information erasure, and state-dependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing and arithmetic.

Reviews

Pierre Jouvelot

Security issues are a growing concern in an increasingly connected society. Given the central role played by programming languages in the implementation of information technology systems, introducing such matters early in the specification phase of programs could have a significant impact on their reliability. To address this problem, the authors introduce relational Hoare type theory (RHTT), a typing framework that combines dependent typing (types may depend on values) with a logic for asserting confidentiality policies in programs. Using languages equipped with this formalism, programmers may specify and check that their programs satisfy sophisticated information flow properties such as authentication, authorization, or declassification. Within RHTT, data is labeled as either high (confidential) or low (public), with the goal of ensuring that programs do not leak any sensitive information. RHTT assertions are relational predicates in which the behaviors of two arbitrary runs of a program can be related, paving the way to the specification of the program's noninterference property: a low output must not depend on high inputs, thus preventing information leakage. The logic part of RHTT makes reasoning about such properties possible. The overall system has been formally specified, and the authors have machine-checked its soundness, using the Coq theorem prover. While this abstract, theoretical paper addresses an important issue, the audience is likely limited to researchers well versed in type theory and automated proof assistants. However, even though the material is dense, the authors have done a good job of presenting it in a pedagogical manner.

Online Computing Reviews Service

Published in

ACM Transactions on Programming Languages and Systems, Volume 35, Issue 2
July 2013
136 pages
ISSN: 0164-0925
EISSN: 1558-4593
DOI: 10.1145/2491522

Copyright © 2013 ACM

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

• Published: 1 July 2013
• Accepted: 1 March 2013
• Revised: 1 January 2013
• Received: 1 May 2012

Qualifiers

• research-article
• Research
• Refereed
