Abstract
We show how static analysis for secure information flow can be expressed and proved correct entirely within the framework of abstract interpretation. The key idea is to define a Galois connection that directly approximates the hyperproperty of interest. To enable use of such Galois connections, we introduce a fixpoint characterisation of hypercollecting semantics, i.e. a "set of sets" transformer. This makes it possible to systematically derive static analyses for hyperproperties entirely within the calculational framework of abstract interpretation. We evaluate this technique by deriving example static analyses. For qualitative information flow, we derive a dependence analysis similar to the logic of Amtoft and Banerjee (SAS '04) and the type system of Hunt and Sands (POPL '06). For quantitative information flow, we derive a novel cardinality analysis that bounds the leakage conveyed by a program instead of simply deciding whether it exists. This encompasses problems that are hypersafety but not k-safety. We put the framework to use and introduce variations that achieve precision rivalling the most recent and precise static analyses for information flow.
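The abstract describes a hypercollecting semantics (a transformer on sets of sets of states) and a cardinality analysis that bounds leakage instead of only deciding whether it exists. The Python below is an added example, not the paper's code or tool: it implements both for a toy language with assignments and conditionals and checks the static bound against the concrete cardinality (log2 of the output variable's cardinality is the leakage bound in bits). The language encoding, the bound rules, the variable names h, l, t, o and the inputs are assumptions made here.

```python
import math
# Toy language, an encoding chosen here (not the paper's): ('assign', x, f, reads)
# sets x := f(state), reads listing f's variables; ('if', guard, reads, then, else).
def run(cmd, state):
    """Standard semantics; a Python list of commands runs in sequence."""
    if isinstance(cmd, list):
        for c in cmd:
            state = run(c, state)
        return state
    if cmd[0] == 'assign':
        _, x, f, _ = cmd
        return {**state, x: f(state)}
    _, guard, _, then, els = cmd
    return run(then if guard(state) else els, state)

def hypercollect(cmd, bundles):
    """Hypercollecting semantics: one collecting run per bundle of states."""
    return [[run(cmd, s) for s in b] for b in bundles]

def card(bundles):
    """The abstraction: per variable, the most distinct values in any one bundle."""
    out = {}
    for b in bundles:
        for v in b[0]:
            out[v] = max(out.get(v, 0), len({s[v] for s in b}))
    return out
def assigned(cmd):  # variables that some path through cmd writes
    if isinstance(cmd, list):
        return {x for c in cmd for x in assigned(c)}
    return {cmd[1]} if cmd[0] == 'assign' else assigned(cmd[3]) | assigned(cmd[4])
def analyse(cmd, k):
    """Static cardinality transformer, k: var -> bound within one bundle. An
    assignment multiplies the bounds it reads; a conditional adds both branches
    unless its guard reads only bound-1 variables (one branch per bundle: max)."""
    if isinstance(cmd, list):
        for c in cmd:
            k = analyse(c, k)
        return k
    if cmd[0] == 'assign':
        _, x, _, reads = cmd
        return {**k, x: math.prod(k[v] for v in reads)}
    _, _, reads, then, els = cmd
    k1, k2 = analyse(then, k), analyse(els, k)
    join = max if all(k[v] == 1 for v in reads) else (lambda a, b: a + b)
    return {v: join(k1[v], k2[v]) if v in assigned(cmd) else k[v] for v in k}

# Constructed inputs: secret h in 0..7, public l in {0, 1}, one bundle per l.
BUNDLES = [[{'h': h, 'l': l, 't': 0, 'o': 0} for h in range(8)] for l in range(2)]
K0 = {'h': 8, 'l': 1, 't': 1, 'o': 1}  # initial bounds: l is fixed per bundle
P1 = [('assign', 't', lambda s: s['h'] % 4, ['h']),
      ('if', lambda s: s['l'] > 0, ['l'],  # low guard: max of the branches
       [('assign', 'o', lambda s: s['t'], ['t'])],
       [('assign', 'o', lambda s: 0, [])])]
P2 = [('if', lambda s: s['h'] > 3, ['h'],  # high guard: sum of the branches
       [('assign', 'o', lambda s: 1, [])],
       [('assign', 'o', lambda s: 0, [])])]
def check(prog):  # concrete cardinality of o vs. static bound; asserts soundness
    c, a = card(hypercollect(prog, BUNDLES)), analyse(prog, K0)
    assert all(c[v] <= a[v] for v in a)
    return c['o'], a['o']
```

For P1 the static bound (8 values, 3 bits) over-approximates the concrete 4 values (2 bits) because the analysis ignores the `% 4`; for P2 the sum rule is exact (2 values, 1 bit).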
References
- S. Agrawal and B. Bonakdarpour. Runtime verification of k-safety hyperproperties in HyperLTL. In IEEE Computer Security Foundations Symposium, pages 239–252, 2016.
- M. S. Alvim, K. Chatzikokolakis, C. Palamidessi, and G. Smith. Measuring information leakage using generalized gain functions. In IEEE Computer Security Foundations Symposium, pages 265–279, 2012.
- T. Amtoft and A. Banerjee. Information flow analysis in logical form. In Static Analysis Symposium, pages 100–115, 2004.
- T. Amtoft, S. Bandhakavi, and A. Banerjee. A logic for information flow in object-oriented programs. In ACM Symposium on Principles of Programming Languages, pages 91–102, 2006.
- A. Askarov and A. Sabelfeld. Gradual release: Unifying declassification, encryption and key release policies. In IEEE Symposium on Security and Privacy, 2007.
- A. Askarov, S. Hunt, A. Sabelfeld, and D. Sands. Termination-insensitive noninterference leaks more than just a bit. In European Symposium on Research in Computer Security, volume 5283 of LNCS, 2008.
- M. Assaf. From Qualitative to Quantitative Program Analysis: Permissive Enforcement of Secure Information Flow. PhD thesis, Université de Rennes 1, May 2015. https://hal.inria.fr/tel-01184857.
- M. Assaf and D. Naumann. Calculational design of information flow monitors. In IEEE Computer Security Foundations Symposium, pages 210–224, 2016.
- M. Assaf, D. Naumann, J. Signoles, É. Totel, and F. Tronel. Hypercollecting semantics and its application to static analysis of information flow. Technical report, Apr. 2016a.
- M. Assaf, J. Signoles, É. Totel, and F. Tronel. The cardinal abstraction for quantitative information flow. In Workshop on Foundations of Computer Security (FCS), June 2016b. https://hal.inria.fr/hal-01334604.
- M. Backes, B. Köpf, and A. Rybalchenko. Automatic discovery and quantification of information leaks. In IEEE Symposium on Security and Privacy, pages 141–153, 2009.
- A. Banerjee, D. A. Naumann, and S. Rosenberg. Expressive declassification policies and modular static enforcement. In IEEE Symposium on Security and Privacy, pages 339–353, 2008.
- A. Banerjee, D. A. Naumann, and M. Nikouei. Relational logic with framing and hypotheses. In 36th IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science, 2016. To appear.
- G. Barthe, P. R. D'Argenio, and T. Rezk. Secure information flow by self-composition. In IEEE Computer Security Foundations Workshop, pages 100–114, 2004.
- L. Bello, D. Hedin, and A. Sabelfeld. Value sensitivity and observable abstract values for information flow control. In Logic for Programming, Artificial Intelligence, and Reasoning (LPAR), pages 63–78, 2015.
- N. Benton. Simple relational correctness proofs for static analyses and program transformations. In ACM Symposium on Principles of Programming Languages, pages 14–25, 2004.
- J. Bertrane, P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné, and X. Rival. Static analysis and verification of aerospace software by abstract interpretation. In AIAA Infotech@Aerospace 2010, 2012.
- J. Bertrane, P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné, and X. Rival. Static analysis and verification of aerospace software by abstract interpretation. Foundations and Trends in Programming Languages, 2(2-3):71–190, 2015.
- F. Besson, N. Bielova, and T. Jensen. Hybrid information flow monitoring against web tracking. In IEEE Computer Security Foundations Symposium, pages 240–254, 2013.
- F. Besson, N. Bielova, and T. Jensen. Hybrid monitoring of attacker knowledge. In IEEE Computer Security Foundations Symposium, pages 225–238, 2016.
- G. Boudol. Secure information flow as a safety property. In Formal Aspects in Security and Trust, pages 20–34, 2008.
- F. Bourdoncle. Journal of Functional Programming, 2(4):407–435, 1992.
- C. Braun, K. Chatzikokolakis, and C. Palamidessi. Quantitative notions of leakage for one-try attacks. In Mathematical Foundations of Programming Semantics (MFPS), volume 249, pages 75–91, 2009.
- D. Cachera and D. Pichardie. A certified denotational abstract interpreter. In Interactive Theorem Proving (ITP), pages 9–24, 2010.
- M. R. Clarkson and F. B. Schneider. Hyperproperties. In IEEE Computer Security Foundations Symposium, pages 51–65, 2008.
- M. R. Clarkson and F. B. Schneider. Hyperproperties. Journal of Computer Security, 18(6):1157–1210, 2010.
- M. R. Clarkson, A. C. Myers, and F. B. Schneider. Quantifying information flow with beliefs. Journal of Computer Security, 17:655–701, 2009.
- M. R. Clarkson, B. Finkbeiner, M. Koleini, K. K. Micinski, M. N. Rabe, and C. Sánchez. Temporal logics for hyperproperties. In Principles of Security and Trust, volume 8414 of LNCS, pages 265–284, 2014.
- E. Cohen. Information transmission in computational systems. In Proceedings of the Sixth ACM Symposium on Operating Systems Principles, pages 133–139, 1977.
- A. Cortesi and M. Zanioli. Widening and narrowing operators for abstract interpretation. Computer Languages, Systems & Structures, pages 24–42, 2011.
- A. Cortesi, G. Costantini, and P. Ferrara. A survey on product operators in abstract interpretation. In Semantics, Abstract Interpretation, and Reasoning about Programs: Essays Dedicated to David A. Schmidt on the Occasion of his Sixtieth Birthday, volume 129 of EPTCS, pages 325–336, 2013.
- P. Cousot. The calculational design of a generic abstract interpreter. In M. Broy and R. Steinbrüggen, editors, Calculational System Design, volume 173 of NATO ASI Series F, pages 421–506. IOS Press, Amsterdam, 1999.
- P. Cousot. Constructive design of a hierarchy of semantics of a transition system by abstract interpretation. Theoretical Computer Science, 277(1-2):47–103, 2002.
- P. Cousot and R. Cousot. Higher-order abstract interpretation (and application to comportment analysis generalizing strictness, termination, projection and PER analysis of functional languages).
- P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In ACM Symposium on Principles of Programming Languages, pages 238–252, 1977.
- P. Cousot and R. Cousot. Systematic design of program analysis frameworks. In ACM Symposium on Principles of Programming Languages, pages 269–282, 1979.
- P. Cousot and R. Cousot. Comparing the Galois connection and widening/narrowing approaches to abstract interpretation. In Programming Language Implementation and Logic Programming (PLILP), pages 269–295, 1992.
- P. Cousot and N. Halbwachs. Automatic discovery of linear restraints among variables of a program. In ACM Symposium on Principles of Programming Languages, pages 84–96, 1978.
- Á. Darvas, R. Hähnle, and D. Sands. A theorem proving approach to analysis of secure information flow. In Security in Pervasive Computing, pages 193–209, 2005.
- D. E. R. Denning. Cryptography and Data Security. Addison-Wesley Longman Publishing Co., Inc., 1982.
- D. E. R. Denning and P. J. Denning. Certification of programs for secure information flow. Communications of the ACM, 20(7):504–513, 1977.
- G. Doychev, D. Feld, B. Köpf, L. Mauborgne, and J. Reineke. CacheAudit: A tool for the static analysis of cache side channels. In USENIX Security Symposium, pages 431–446, 2013.
- C. Dwork. A firm foundation for private data analysis. Communications of the ACM, pages 86–95, 2011.
- B. Finkbeiner, M. N. Rabe, and C. Sánchez. Algorithms for model checking HyperLTL and HyperCTL*. In Computer Aided Verification, volume 9206 of LNCS, pages 30–48, 2015.
- R. Giacobazzi and I. Mastroeni. Abstract non-interference: parameterizing non-interference by abstract interpretation. In ACM Symposium on Principles of Programming Languages, pages 186–197, 2004.
- J. A. Goguen and J. Meseguer. Security policies and security models. In IEEE Symposium on Security and Privacy, pages 11–20, 1982.
- P. Granger. Improving the results of static analyses of programs by local decreasing iteration. In Foundations of Software Technology and Theoretical Computer Science, volume 652, pages 68–79, 1992.
- M. Handjieva and S. Tzolovski. Refining static analyses by trace-based partitioning using control flow. In International Static Analysis Symposium, 1998.
- D. Hedin, L. Bello, and A. Sabelfeld. Value-sensitive hybrid information flow control for a JavaScript-like language. In IEEE Computer Security Foundations Symposium, pages 351–365, 2015.
- J. Heusser and P. Malacaria. Applied quantitative information flow and statistical databases. In Formal Aspects in Security and Trust, pages 96–110, 2009.
- S. Hunt. PERs generalize projections for strictness analysis (extended abstract). In Proceedings of the Third Annual Glasgow Workshop on Functional Programming, 1990.
- S. Hunt and D. Sands. Binding time analysis: A new PERspective. In Symposium on Partial Evaluation and Semantics-Based Program Manipulation (PEPM '91), pages 154–165, 1991.
- S. Hunt and D. Sands. On flow-sensitive security types. In ACM Symposium on Principles of Programming Languages, pages 79–90, 2006.
- S. Hunt and D. Sands. From exponential to polynomial-time security typing via principal types. In ACM Workshop on Programming Languages and Analysis for Security, pages 297–316, 2011.
- V. Klebanov. Precise quantitative information flow analysis: a symbolic approach. Theoretical Computer Science, 538:124–139, 2014.
- B. Köpf and A. Rybalchenko. Approximation and randomization for quantitative information-flow analysis. In IEEE Computer Security Foundations Symposium, pages 3–14, 2010.
- B. Köpf and A. Rybalchenko. Automation of quantitative information-flow analysis. In Formal Methods for Dynamical Systems: 13th International School on Formal Methods for the Design of Computer, Communication, and Software Systems, volume 7938 of LNCS, pages 1–28, 2013.
- M. Kovács, H. Seidl, and B. Finkbeiner. Relational abstract interpretation for the verification of 2-hypersafety properties. In ACM SIGSAC Conference on Computer and Communications Security, pages 211–222, 2013.
- P. Mardziel, S. Magill, M. Hicks, and M. Srivatsa. Dynamic enforcement of knowledge-based security policies. In IEEE Computer Security Foundations Symposium, pages 114–128, 2011.
- P. Mardziel, S. Magill, M. Hicks, and M. Srivatsa. Dynamic enforcement of knowledge-based security policies using probabilistic abstract interpretation. Journal of Computer Security, 21(4):463–532, 2013.
- I. Mastroeni. Abstract interpretation-based approaches to security: A survey on abstract non-interference and its challenging applications. In Semantics, Abstract Interpretation, and Reasoning about Programs: Essays Dedicated to David A. Schmidt on the Occasion of his Sixtieth Birthday, volume 129 of EPTCS, pages 41–65, 2013.
- I. Mastroeni and A. Banerjee. Modelling declassification policies using abstract domain completeness. Mathematical Structures in Computer Science, 21(6):1253–1299, 2011.
- J. McLean. A general theory of composition for trace sets closed under selective interleaving functions. In IEEE Symposium on Security and Privacy, pages 79–93, 1994.
- A. Miné. The octagon abstract domain. Higher-Order and Symbolic Computation, 19(1):31–100, 2006a.
- A. Miné. Symbolic methods to enhance the precision of numerical abstract domains. In Verification, Model Checking, and Abstract Interpretation, pages 348–363, 2006b.
- C. Müller, M. Kovács, and H. Seidl. An analysis of universal information flow based on self-composition. In IEEE Computer Security Foundations Symposium, pages 380–393, 2015.
- F. Nielson, H. R. Nielson, and C. Hankin. Principles of Program Analysis. Springer, 1999.
- A. Rényi. On measures of entropy and information. In Proceedings of the Fourth Berkeley Symposium on Mathematical Statistics and Probability, 1961.
- X. Rival and L. Mauborgne. The trace partitioning abstract domain. ACM Transactions on Programming Languages and Systems, 29(5):26, 2007.
- J. Rushby. Security requirements specifications: How and what. In Symposium on Requirements Engineering for Information Security (SREIS), 2001.
- A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 21(1):5–19, 2003.
- A. Sabelfeld and D. Sands. Declassification: Dimensions and principles. Journal of Computer Security, 17(5), 2009.
- D. A. Schmidt. Abstract interpretation from a topological perspective. In Static Analysis Symposium, volume 5673 of LNCS, pages 293–308, 2009.
- D. A. Schmidt. Inverse-limit and topological aspects of abstract interpretation. Theoretical Computer Science, 430:23–42, 2012.
- D. Schoepe, M. Balliu, B. C. Pierce, and A. Sabelfeld. Explicit secrecy: A policy for taint tracking. In IEEE European Symposium on Security and Privacy, pages 15–30, 2016.
- C. E. Shannon. A mathematical theory of communication. The Bell System Technical Journal, 27:379–423, 1948.
- G. Smith. On the foundations of quantitative information flow. In International Conference on Foundations of Software Science and Computational Structures, pages 288–302, 2009.
- G. Smith. Quantifying information flow using min-entropy. In Eighth International Conference on Quantitative Evaluation of Systems (QEST), pages 159–167, 2011.
- M. Sousa and I. Dillig. Cartesian Hoare logic for verifying k-safety properties. In ACM Conference on Programming Language Design and Implementation, pages 57–69, 2016.
- T. Terauchi and A. Aiken. Secure information flow as a safety problem. In Static Analysis Symposium, pages 352–367, 2005.
- D. Volpano and G. Smith. Eliminating covert flows with minimum typings. In IEEE Computer Security Foundations Workshop, pages 156–168, 1997.
- D. Volpano and G. Smith. Verifying secrets and relative secrecy. In ACM Symposium on Principles of Programming Languages, pages 268–276, 2000.
- D. Volpano, C. Irvine, and G. Smith. A sound type system for secure flow analysis. Journal of Computer Security, 4(2-3):167–187, 1996.
- D. M. Volpano. Safety versus secrecy. In Static Analysis Symposium, pages 303–311, 1999.
- D. Wasserrab, D. Lohner, and G. Snelting. On PDG-based noninterference and its modular proof. In ACM Workshop on Programming Languages and Analysis for Security, pages 31–44, 2009.
- G. Winskel. The Formal Semantics of Programming Languages: An Introduction. Cambridge University Press, 1993.
- H. Yasuoka and T. Terauchi. On bounding problems of quantitative information flow. Journal of Computer Security, 19(6):1029–1082, 2011.
- A. Zakinthinos and S. Lerner. A general theory of security properties. In IEEE Symposium on Security and Privacy, pages 94–102, 1997.
- M. Zanioli and A. Cortesi. Information leakage analysis by abstract interpretation. In SOFSEM 2011: Theory and Practice of Computer Science, pages 545–557, 2011.
- M. Zanotti. Security typings by abstract interpretation. In Static Analysis Symposium, volume 2477, pages 360–375, 2002.
Hypercollecting semantics and its application to static analysis of information flow. POPL '17: Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages.