Research article (Public Access)

Hypercollecting semantics and its application to static analysis of information flow

Published: 01 January 2017

Abstract

We show how static analysis for secure information flow can be expressed and proved correct entirely within the framework of abstract interpretation. The key idea is to define a Galois connection that directly approximates the hyperproperty of interest. To enable use of such Galois connections, we introduce a fixpoint characterisation of hypercollecting semantics, i.e. a "set of sets" transformer. This makes it possible to systematically derive static analyses for hyperproperties entirely within the calculational framework of abstract interpretation. We evaluate this technique by deriving example static analyses. For qualitative information flow, we derive a dependence analysis similar to the logic of Amtoft and Banerjee (SAS '04) and the type system of Hunt and Sands (POPL '06). For quantitative information flow, we derive a novel cardinality analysis that bounds the leakage conveyed by a program instead of simply deciding whether it exists. This encompasses problems that are hypersafety but not k-safety. We put the framework to use and introduce variations that achieve precision rivalling the most recent and precise static analyses for information flow.
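As an added illustration (example code written for this page, not the paper's own implementation), the Python sketch below makes the abstract's terms concrete for a loop-free toy language: a collecting semantics `run` on sets of states, its pointwise lifting `hyper_run` to sets of sets of states (the hypercollecting semantics), and, over the same programs, a flow-sensitive dependence analysis in the style of Hunt and Sands together with a cardinality analysis that bounds the number of distinct values the public output can take across runs that agree on the public inputs. The exact figure comes from enumerating all 4-bit inputs; the log2 of the number of distinct outputs within one such class is the min-entropy leakage of a deterministic program under a uniform prior (Smith 2009). The sample programs, the 4-bit domain, the `nvals` range annotation on expressions (standing in for a numeric abstract domain) and the cardinality transfer rules are assumptions of this example, a simplified sketch rather than the paper's definitions.

```python
"""Added example (not the paper's code): collecting and hypercollecting semantics of a
loop-free toy language, exact leakage by enumeration, and two static analyses."""
from collections import namedtuple
from itertools import product
from math import log2, prod

N = 16   # assumed domain: every variable holds a 4-bit value 0..15

# Expression = variables read, evaluator, and an upper bound on the number of distinct
# values it can produce (hand-supplied here; stands in for a numeric abstract domain).
Expr = namedtuple("Expr", "vars fn nvals")
def var(v):     return Expr({v}, lambda s: s[v], N)
def const(c):   return Expr(set(), lambda s: c, 1)
def parity(v):  return Expr({v}, lambda s: s[v] % 2, 2)
def gt(v, c):   return Expr({v}, lambda s: int(s[v] > c), 2)
def eq(v, w):   return Expr({v, w}, lambda s: int(s[v] == s[w]), 2)
# Statements: ("assign", x, e) or ("if", c, then_block, else_block); a block is a list.

def run(block, states):
    """Collecting semantics: a set of states (frozensets of items) to a set of states."""
    for stmt in block:
        if stmt[0] == "assign":
            _, x, e = stmt
            states = {frozenset({**dict(s), x: e.fn(dict(s))}.items()) for s in states}
        else:
            _, c, th, el = stmt
            yes = {s for s in states if c.fn(dict(s))}
            states = run(th, yes) | run(el, states - yes)
    return states

def hyper_run(block, classes):
    """Hypercollecting semantics: `run` lifted pointwise to a set of sets of states."""
    return {frozenset(run(block, cls)) for cls in classes}

def initial_classes(low, high):
    """Partition all initial states into classes agreeing on the low inputs: each class
    is the set of runs an attacker who knows the low inputs cannot tell apart."""
    classes = {}
    for vals in product(range(N), repeat=len(low) + len(high)):
        s = dict(zip(low + high, vals))
        classes.setdefault(tuple(s[v] for v in low), set()).add(frozenset(s.items()))
    return {frozenset(c) for c in classes.values()}

def exact_max_outputs(block, low, high, out):
    """Largest number of distinct values `out` takes within one class: 1 means
    noninterference; its log2 is the min-entropy leakage (uniform prior, Smith 2009)."""
    return max(len({dict(s)[out] for s in fin})
               for fin in hyper_run(block, initial_classes(low, high)))

def dependence(block, deps, pc=frozenset()):
    """Flow-sensitive dependence analysis: var -> inputs it may depend on (explicit or implicit)."""
    deps = dict(deps)
    for stmt in block:
        if stmt[0] == "assign":
            _, x, e = stmt
            deps[x] = pc | frozenset().union(*(deps[v] for v in e.vars))
        else:
            _, c, th, el = stmt
            pc2 = pc | frozenset().union(*(deps[v] for v in c.vars))
            d1, d2 = dependence(th, deps, pc2), dependence(el, deps, pc2)
            deps = {v: d1[v] | d2[v] for v in deps}   # join: union per variable
    return deps

def cardinality(block, card):
    """Cardinality analysis: var -> upper bound on its distinct values across the runs of one
    class. Sound since |{e(s)}| <= min(product of operand cardinalities, range of e)."""
    card = dict(card)
    bound = lambda e: min(prod(card[v] for v in e.vars), e.nvals, N)
    for stmt in block:
        if stmt[0] == "assign":
            _, x, e = stmt
            card[x] = bound(e)
        else:
            _, c, th, el = stmt
            c1, c2 = cardinality(th, card), cardinality(el, card)
            if bound(c) == 1:   # every run of the class takes the same (statically unknown) branch
                card = {v: max(c1[v], c2[v]) for v in card}
            else:               # runs may split: each branch contributes its own values
                card = {v: min(c1[v] + c2[v], N) for v in card}
    return card

LOW, HIGH = ["l", "pw"], ["h"]    # assumed: l and pw are public inputs, h is the secret
PROGRAMS = {                       # constructed sample programs; l is the observed output
    "parity":    [("assign", "l", parity("h"))],
    "copy":      [("assign", "l", var("h"))],
    "password":  [("if", eq("h", "pw"), [("assign", "l", const(1))], [("assign", "l", const(0))])],
    "same_both": [("if", gt("h", 7), [("assign", "l", const(1))], [("assign", "l", const(1))])],
    "masked":    [("if", gt("h", 7), [("assign", "l", parity("h"))], [("assign", "l", const(0))])],
}

def analyse(name):
    """Dependence verdict, static cardinality bound, and exact enumerated figure for l."""
    block = PROGRAMS[name]
    deps = dependence(block, {v: frozenset({v}) for v in LOW + HIGH})
    card = cardinality(block, {**{v: 1 for v in LOW}, **{v: N for v in HIGH}})
    return {"depends_on_secret": bool(deps["l"] & set(HIGH)),
            "static_max_outputs": card["l"],
            "exact_max_outputs": exact_max_outputs(block, LOW, HIGH, "l")}

if __name__ == "__main__":
    for name in PROGRAMS:
        r = analyse(name)
        print(f"{name:10} depends={r['depends_on_secret']!s:5} static<={log2(r['static_max_outputs']):.2f} "
              f"bits exact={log2(r['exact_max_outputs']):.2f} bits")
```

Running it prints, per program, the dependence verdict, the static bound and the exact leakage. `parity` and `copy` both fail the dependence check, but the cardinality bound separates a 1-bit leak (at most 2 output values) from a 4-bit one (16 values). `same_both` is noninterfering, yet both analyses flag it, and `masked` gets the bound 3 (about 1.58 bits) where the exact value is 2: the static bounds are over-approximations that never fall below the enumerated figure, which is the soundness that the abstract-interpretation derivation in the paper establishes for its analyses.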

References

  1. S. Agrawal and B. Bonakdarpour. Runtime verification of k-safety hyperproperties in HyperLTL. In IEEE Computer Security Foundations Symposium, pages 239–252, 2016.
  2. M. S. Alvim, K. Chatzikokolakis, C. Palamidessi, and G. Smith. Measuring information leakage using generalized gain functions. In IEEE Computer Security Foundations Symposium, pages 265–279, 2012.
  3. T. Amtoft and A. Banerjee. Information flow analysis in logical form. In Static Analysis Symposium, pages 100–115, 2004.
  4. T. Amtoft, S. Bandhakavi, and A. Banerjee. A logic for information flow in object-oriented programs. In ACM Symposium on Principles of Programming Languages, pages 91–102, 2006.
  5. A. Askarov and A. Sabelfeld. Gradual release: Unifying declassification, encryption and key release policies. In IEEE Symposium on Security and Privacy, 2007.
  6. A. Askarov, S. Hunt, A. Sabelfeld, and D. Sands. Termination-insensitive noninterference leaks more than just a bit. In European Symposium on Research in Computer Security, volume 5283 of LNCS, 2008.
  7. M. Assaf. From Qualitative to Quantitative Program Analysis: Permissive Enforcement of Secure Information Flow. PhD thesis, Université de Rennes 1, May 2015. https://hal.inria.fr/tel-01184857.
  8. M. Assaf and D. Naumann. Calculational design of information flow monitors. In IEEE Computer Security Foundations Symposium, pages 210–224, 2016.
  9. M. Assaf, D. Naumann, J. Signoles, É. Totel, and F. Tronel. Hypercollecting semantics and its application to static analysis of information flow. Technical report, Apr. 2016a. 01654.
  10. M. Assaf, J. Signoles, É. Totel, and F. Tronel. The cardinal abstraction for quantitative information flow. In Workshop on Foundations of Computer Security (FCS), June 2016b. https://hal.inria.fr/hal-01334604.
  11. M. Backes, B. Köpf, and A. Rybalchenko. Automatic discovery and quantification of information leaks. In IEEE Symposium on Security and Privacy, pages 141–153, 2009.
  12. A. Banerjee, D. A. Naumann, and S. Rosenberg. Expressive declassification policies and modular static enforcement. In IEEE Symposium on Security and Privacy, pages 339–353, 2008.
  13. A. Banerjee, D. A. Naumann, and M. Nikouei. Relational logic with framing and hypotheses. In 36th IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science, 2016. To appear.
  14. G. Barthe, P. R. D'Argenio, and T. Rezk. Secure information flow by self-composition. In IEEE Computer Security Foundations Workshop, pages 100–114, 2004.
  15. L. Bello, D. Hedin, and A. Sabelfeld. Value sensitivity and observable abstract values for information flow control. In Logic for Programming, Artificial Intelligence, and Reasoning (LPAR), pages 63–78, 2015.
  16. N. Benton. Simple relational correctness proofs for static analyses and program transformations. In ACM Symposium on Principles of Programming Languages, pages 14–25, 2004.
  17. J. Bertrane, P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné, and X. Rival. Static analysis and verification of aerospace software by abstract interpretation. In AIAA Infotech@Aerospace 2010, 2012.
  18. J. Bertrane, P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné, and X. Rival. Static analysis and verification of aerospace software by abstract interpretation. Foundations and Trends in Programming Languages, 2(2-3):71–190, 2015.
  19. F. Besson, N. Bielova, and T. Jensen. Hybrid information flow monitoring against web tracking. In IEEE Computer Security Foundations Symposium, pages 240–254, 2013.
  20. F. Besson, N. Bielova, and T. Jensen. Hybrid monitoring of attacker knowledge. In IEEE Computer Security Foundations Symposium, pages 225–238, 2016.
  21. G. Boudol. Secure information flow as a safety property. In Formal Aspects in Security and Trust, pages 20–34, 2008.
  22. F. Bourdoncle. Journal of Functional Programming, 2(4):407–435, 1992.
  23. C. Braun, K. Chatzikokolakis, and C. Palamidessi. Quantitative notions of leakage for one-try attacks. In Mathematical Foundations of Programming Semantics (MFPS), volume 249, pages 75–91, 2009.
  24. D. Cachera and D. Pichardie. A certified denotational abstract interpreter. In Interactive Theorem Proving (ITP), pages 9–24, 2010.
  25. M. R. Clarkson and F. B. Schneider. Hyperproperties. In IEEE Computer Security Foundations Symposium, pages 51–65, 2008.
  26. M. R. Clarkson and F. B. Schneider. Hyperproperties. Journal of Computer Security, 18(6):1157–1210, 2010.
  27. M. R. Clarkson, A. C. Myers, and F. B. Schneider. Quantifying information flow with beliefs. Journal of Computer Security, 17:655–701, 2009.
  28. M. R. Clarkson, B. Finkbeiner, M. Koleini, K. K. Micinski, M. N. Rabe, and C. Sánchez. Temporal logics for hyperproperties. In Principles of Security and Trust, volume 8414 of LNCS, pages 265–284, 2014.
  29. E. Cohen. Information transmission in computational systems. In Proceedings of the Sixth ACM Symposium on Operating Systems Principles, pages 133–139, 1977.
  30. A. Cortesi and M. Zanioli. Widening and narrowing operators for abstract interpretation. Computer Languages, Systems & Structures, pages 24–42, 2011.
  31. A. Cortesi, G. Costantini, and P. Ferrara. A survey on product operators in abstract interpretation. In Semantics, Abstract Interpretation, and Reasoning about Programs: Essays Dedicated to David A. Schmidt on the Occasion of his Sixtieth Birthday, volume 129 of EPTCS, pages 325–336, 2013.
  32. P. Cousot. The calculational design of a generic abstract interpreter. In M. Broy and R. Steinbrüggen, editors, Calculational System Design, volume 173 of NATO ASI Series F, pages 421–506. IOS Press, Amsterdam, 1999.
  33. P. Cousot. Constructive design of a hierarchy of semantics of a transition system by abstract interpretation. Theoretical Computer Science, 277(1-2):47–103, 2002.
  34. P. Cousot and R. Cousot. Higher-order abstract interpretation (and application to comportment analysis generalizing strictness, termination, projection and PER analysis of functional languages).
  35. P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In ACM Symposium on Principles of Programming Languages, pages 238–252, 1977.
  36. P. Cousot and R. Cousot. Systematic design of program analysis frameworks. In ACM Symposium on Principles of Programming Languages, pages 269–282, 1979.
  37. P. Cousot and R. Cousot. Comparing the Galois connection and widening/narrowing approaches to abstract interpretation. In Programming Language Implementation and Logic Programming (PLILP), pages 269–295, 1992.
  38. P. Cousot and N. Halbwachs. Automatic discovery of linear restraints among variables of a program. In ACM Symposium on Principles of Programming Languages, pages 84–96, 1978.
  39. Á. Darvas, R. Hähnle, and D. Sands. A theorem proving approach to analysis of secure information flow. In Security in Pervasive Computing, pages 193–209, 2005.
  40. D. E. R. Denning. Cryptography and Data Security. Addison-Wesley Longman Publishing Co., Inc., 1982.
  41. D. E. R. Denning and P. J. Denning. Certification of programs for secure information flow. Communications of the ACM, 20(7):504–513, 1977.
  42. G. Doychev, D. Feld, B. Köpf, L. Mauborgne, and J. Reineke. CacheAudit: A tool for the static analysis of cache side channels. In USENIX Security Symposium, pages 431–446, 2013.
  43. C. Dwork. A firm foundation for private data analysis. Communications of the ACM, pages 86–95, 2011.
  44. B. Finkbeiner, M. N. Rabe, and C. Sánchez. Algorithms for model checking HyperLTL and HyperCTL*. In Computer Aided Verification, volume 9206 of LNCS, pages 30–48, 2015.
  45. R. Giacobazzi and I. Mastroeni. Abstract non-interference: parameterizing non-interference by abstract interpretation. In ACM Symposium on Principles of Programming Languages, pages 186–197, 2004.
  46. J. A. Goguen and J. Meseguer. Security policies and security models. In IEEE Symposium on Security and Privacy, pages 11–20, 1982.
  47. P. Granger. Improving the results of static analyses of programs by local decreasing iteration. In Foundations of Software Technology and Theoretical Computer Science, volume 652, pages 68–79, 1992.
  48. M. Handjieva and S. Tzolovski. Refining static analyses by trace-based partitioning using control flow. In International Static Analysis Symposium, 1998.
  49. D. Hedin, L. Bello, and A. Sabelfeld. Value-sensitive hybrid information flow control for a JavaScript-like language. In IEEE Computer Security Foundations Symposium, pages 351–365, 2015.
  50. J. Heusser and P. Malacaria. Applied quantitative information flow and statistical databases. In Formal Aspects in Security and Trust, pages 96–110, 2009.
  51. S. Hunt. PERs generalize projections for strictness analysis (extended abstract). In Proceedings of the Third Annual Glasgow Workshop on Functional Programming, 1990.
  52. S. Hunt and D. Sands. Binding time analysis: A new PERspective. In Proceedings of the Symposium on Partial Evaluation and Semantics-Based Program Manipulation (PEPM '91), Yale University, New Haven, Connecticut, USA, June 17-19, 1991, pages 154–165, 1991.
  53. S. Hunt and D. Sands. On flow-sensitive security types. In ACM Symposium on Principles of Programming Languages, pages 79–90, 2006.
  54. S. Hunt and D. Sands. From exponential to polynomial-time security typing via principal types. In ACM Workshop on Programming Languages and Analysis for Security, pages 297–316, 2011.
  55. V. Klebanov. Precise quantitative information flow analysis - a symbolic approach. Theoretical Computer Science, 538:124–139, 2014.
  56. B. Köpf and A. Rybalchenko. Approximation and randomization for quantitative information-flow analysis. In IEEE Computer Security Foundations Symposium, pages 3–14, 2010.
  57. B. Köpf and A. Rybalchenko. Automation of quantitative information-flow analysis. In Formal Methods for Dynamical Systems - 13th International School on Formal Methods for the Design of Computer, Communication, and Software Systems, volume 7938 of LNCS, pages 1–28, 2013.
  58. M. Kovács, H. Seidl, and B. Finkbeiner. Relational abstract interpretation for the verification of 2-hypersafety properties. In ACM SIGSAC Conference on Computer and Communications Security, pages 211–222, 2013.
  59. P. Mardziel, S. Magill, M. Hicks, and M. Srivatsa. Dynamic enforcement of knowledge-based security policies. In IEEE Computer Security Foundations Symposium, pages 114–128, 2011.
  60. P. Mardziel, S. Magill, M. Hicks, and M. Srivatsa. Dynamic enforcement of knowledge-based security policies using probabilistic abstract interpretation. Journal of Computer Security, 21(4):463–532, 2013.
  61. I. Mastroeni. Abstract interpretation-based approaches to security - A survey on abstract non-interference and its challenging applications. In Semantics, Abstract Interpretation, and Reasoning about Programs: Essays Dedicated to David A. Schmidt on the Occasion of his Sixtieth Birthday, volume 129 of EPTCS, pages 41–65, 2013.
  62. I. Mastroeni and A. Banerjee. Modelling declassification policies using abstract domain completeness. Mathematical Structures in Computer Science, 21(6):1253–1299, 2011.
  63. J. McLean. A general theory of composition for trace sets closed under selective interleaving functions. In IEEE Symposium on Security and Privacy, pages 79–93, 1994.
  64. A. Miné. The octagon abstract domain. Higher-Order and Symbolic Computation, 19(1):31–100, 2006a.
  65. A. Miné. Symbolic methods to enhance the precision of numerical abstract domains. In Verification, Model Checking, and Abstract Interpretation, pages 348–363, 2006b.
  66. C. Müller, M. Kovács, and H. Seidl. An analysis of universal information flow based on self-composition. In IEEE Computer Security Foundations Symposium, pages 380–393, 2015.
  67. F. Nielson, H. R. Nielson, and C. Hankin. Principles of Program Analysis. Springer, 1999.
  68. A. Rényi. On measures of entropy and information. In the Fourth Berkeley Symposium on Mathematical Statistics and Probability, 1961.
  69. X. Rival and L. Mauborgne. The trace partitioning abstract domain. ACM Transactions on Programming Languages and Systems, 29(5):26, 2007.
  70. J. Rushby. Security requirements specifications: How and what. In Symposium on Requirements Engineering for Information Security (SREIS), 2001.
  71. A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 21(1):5–19, 2003.
  72. A. Sabelfeld and D. Sands. Declassification: Dimensions and principles. Journal of Computer Security, 17(5), 2009.
  73. D. A. Schmidt. Abstract interpretation from a topological perspective. In Static Analysis, 16th International Symposium, volume 5673 of LNCS, pages 293–308, 2009.
  74. D. A. Schmidt. Inverse-limit and topological aspects of abstract interpretation. Theoretical Computer Science, 430:23–42, 2012.
  75. D. Schoepe, M. Balliu, B. C. Pierce, and A. Sabelfeld. Explicit secrecy: A policy for taint tracking. In IEEE European Symposium on Security and Privacy, pages 15–30, 2016.
  76. C. E. Shannon. A mathematical theory of communication. The Bell System Technical Journal, 27:379–423, 1948.
  77. G. Smith. On the foundations of quantitative information flow. In International Conference on Foundations of Software Science and Computational Structures, pages 288–302, 2009.
  78. G. Smith. Quantifying information flow using min-entropy. In Eighth International Conference on Quantitative Evaluation of Systems (QEST), pages 159–167, 2011.
  79. M. Sousa and I. Dillig. Cartesian Hoare logic for verifying k-safety properties. In ACM Conference on Programming Language Design and Implementation, pages 57–69, 2016.
  80. T. Terauchi and A. Aiken. Secure information flow as a safety problem. In Static Analysis Symposium, pages 352–367, 2005.
  81. D. Volpano and G. Smith. Eliminating covert flows with minimum typings. In IEEE Computer Security Foundations Workshop, pages 156–168, 1997.
  82. D. Volpano and G. Smith. Verifying secrets and relative secrecy. In ACM Symposium on Principles of Programming Languages, pages 268–276, 2000.
  83. D. Volpano, C. Irvine, and G. Smith. A sound type system for secure flow analysis. Journal of Computer Security, 4(2-3):167–187, 1996.
  84. D. M. Volpano. Safety versus secrecy. In Static Analysis Symposium, pages 303–311, 1999.
  85. D. Wasserrab, D. Lohner, and G. Snelting. On PDG-based noninterference and its modular proof. In ACM Workshop on Programming Languages and Analysis for Security, pages 31–44, 2009.
  86. G. Winskel. The Formal Semantics of Programming Languages: An Introduction. Cambridge, 1993.
  87. H. Yasuoka and T. Terauchi. On bounding problems of quantitative information flow. Journal of Computer Security, 19(6):1029–1082, 2011.
  88. A. Zakinthinos and S. Lerner. A general theory of security properties. In IEEE Symposium on Security and Privacy, pages 94–102, 1997.
  89. M. Zanioli and A. Cortesi. Information leakage analysis by abstract interpretation. In SOFSEM 2011: Theory and Practice of Computer Science, pages 545–557, 2011.
  90. M. Zanotti. Security typings by abstract interpretation. In Static Analysis Symposium, volume 2477, pages 360–375, 2002.

Published in

ACM SIGPLAN Notices, Volume 52, Issue 1 (POPL '17), January 2017, 901 pages. ISSN 0362-1340, EISSN 1558-1160. DOI: 10.1145/3093333
POPL '17: Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages, January 2017, 901 pages. ISBN 9781450346603. DOI: 10.1145/3009837

Copyright © 2017 ACM. Publisher: Association for Computing Machinery, New York, NY, United States.