Certifying information flow properties of programs

Reitman, Richard P.; Andrews, Gregory R.

doi:10.1145/567752.567779

Cited by 9 publications

(9 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There exists quite a large body of literature studying different instances of secure information flow, e.g., [3,4,5,7,10,11,12,13,14,15,16]. With the notable exception of [15,16], security is defined through noninterference, i.e., it is required that the public outputs of the program do not contain any information (in the information-theoretic sense) about the confidential inputs.…”

Section: Introductionmentioning

confidence: 99%

Semantics and Program Analysis of Computationally Secure Information Flow

Laud

2001

Programming Languages and Systems

View full text Add to dashboard Cite

Abstract. This paper presents a definition of secure information flow. It is not based on noninterference, but on computational indistinguishability of the secret inputs, when the public outputs are observed. This definition allows cryptographic primitives to be handled. This paper also presents a Denning-style information-flow analysis for programs that use encryption as a primitive operation. The proof of the correctness of the analysis is sketched.

show abstract

Section: Introductionmentioning

confidence: 99%

Semantics and Program Analysis of Computationally Secure Information Flow

Laud

2001

Programming Languages and Systems

View full text Add to dashboard Cite

show abstract

“…Information Flow Security for Concurrent Programs: To our knowledge, the first approach to information flow analysis for concurrent programs is proposed by Andrews and Reitman [7], [44]. It considers a flow logic that supports the derivation of noninterference proofs for programs.…”

Section: Related Workmentioning

confidence: 99%

“…Their work initiated a long line of research on noninterference-like properties, culminating in frameworks for comparing and engineering such security properties (see, e.g., [4], [5], [6]). Even earlier, Reitman and Andrews proposed an information flow analysis for concurrent programs [7], but they did not yet provide a soundness proof or precise claim about which security property their analysis enforces. These shortcomings were overcome 17 years later by Volpano and Smith [8].…”

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

“…Some approaches do not support a compositional analysis [7], [9], although compositionality is essential for making the analysis scale. The existing approaches either are overly restrictive or do not have satisfactory semantic foundations (e.g., [7], [10], [11]). There are three main facets of the former deficiency: too conservative assumptions about the environment of the thread under analysis (e.g., [8], [12], [13], [14]), severe restrictions on the communication between threads (e.g., [15], [16], [17]), or assumptions about the run-time environment which do not match existing implementations (e.g., [18], [19]).…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Assumptions and Guarantees for Compositional Noninterference

Mantel

Sands

Sudbrock

2011

2011 IEEE 24th Computer Security Foundations Symposium

View full text Add to dashboard Cite

Abstract-The idea of building secure systems by plugging together "secure" components is appealing, but this requires a definition of security which, in addition to taking care of toplevel security goals, is strengthened appropriately in order to be compositional. This approach has been previously studied for information-flow security of shared-variable concurrent programs, but the price for compositionality is very high: a thread must be extremely pessimistic about what an environment might do with shared resources. This pessimism leads to many intuitively secure threads being labelled as insecure.Since in practice it is only meaningful to compose threads which follow an agreed protocol for data access, we take advantage of this to develop a more liberal compositional security condition. The idea is to give the security definition access to the intended pattern of data usage, as expressed by assumption-guarantee style conditions associated with each thread. We illustrate the improved precision by developing the first flow-sensitive security type system that provably enforces a noninterference-like property for concurrent programs.

show abstract

An interview with Richard Roe

Battle

1984

International Journal of Project Management

View full text Add to dashboard Cite

Certifying information flow properties of programs

Abstract: Interesting program properties other than func-

Cited by 9 publications

References 8 publications

Semantics and Program Analysis of Computationally Secure Information Flow

Semantics and Program Analysis of Computationally Secure Information Flow

Assumptions and Guarantees for Compositional Noninterference

An interview with Richard Roe

Contact Info

Product

Resources

About