Combining type-based analysis and model checking for finding counterexamples against non-interference

Unno, Hiroshi; Kobayashi, Naoki; Yonezawa, Akinori

doi:10.1145/1134744.1134750

Cited by 19 publications

(30 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Unno et al (Unno et al 2006) have proposed a method for automatically finding counterexamples of secure information flow, which combines security type-based analysis for standard NI and model checking. Our context is more general, since standard NI is a particular case of DNI.…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

Modelling declassification policies using abstract domain completeness

Mastroeni¹,

Banerjee²

2011

Math. Struct. Comp. Sci.

View full text Add to dashboard Cite

This paper explores a three dimensional characterization of a declassification-based noninterference policy and its consequences. Two of the dimensions consist in specifying (a) the power of the attacker, that is, what public information an attacker can observe of a program, and (b) what secret information of a program needs to be protected. Both these dimensions are regulated by the third dimension, (c) the choice of program semantics, for example, trace semantics or denotational semantics, or, for instance, any semantics in Cousot's semantics hierarchy.To check whether a program satisfies a noninterference policy one can compute an abstract domain that over-approximates the information released by the policy and can subsequently check whether program execution may release more information than what is permitted by the policy. Counterexamples to a policy can be generated by using a variant of the Paige-Tarjan algorithm for partition refinement. Given the counterexamples the policy can be refined so that the least amount of confidential information necessary for making the program secure is declassified.

show abstract

Section: Discussionmentioning

confidence: 99%

“…Also next example shows how the refinement process works , but moreover it allows us to compare our technique with the (Unno et al 2006) characterization of counterexamples to declassification policies. …”

Section: Refining Confidentiality Policiesmentioning

confidence: 99%

Modelling declassification policies using abstract domain completeness

Mastroeni¹,

Banerjee²

2011

Math. Struct. Comp. Sci.

View full text Add to dashboard Cite

show abstract

“…Line 2 identifies pairs of paths that witness information leaks with respect to the current candidate equivalence relation R. We discover such paths automatically by analyzing pairs of program runs, e.g., see [5], [39].…”

Section: Discovery Of Information Leaksmentioning

confidence: 99%

“…Our method can be used to synthesize such assertions. The idea that secure information flow can be verified by analyzing pairs of program runs can be found in [5], [16], [23], [38], [39].…”

Section: Introductionmentioning

confidence: 99%

Automatic Discovery and Quantification of Information Leaks

Backes

Köpf

Rybalchenko

2009

2009 30th IEEE Symposium on Security and Privacy

179

228

View full text Add to dashboard Cite

Information-flow analysis is a powerful technique for reasoning about the sensitive information exposed by a program during its execution. We present the first automatic method for information-flow analysis that discovers what information is leaked and computes its comprehensive quantitative interpretation. The leaked information is characterized by an equivalence relation on secret artifacts, and is represented by a logical assertion over the corresponding program variables. Our measurement procedure computes the number of discovered equivalence classes and their sizes. This provides a basis for computing a set of quantitative properties, which includes all established information-theoretic measures in quantitative information-flow. Our method exploits an inherent connection between formal models of qualitative information-flow and program verification techniques. We provide an implementation of our method that builds upon existing tools for program verification and informationtheoretic analysis. Our experimental evaluation indicates the practical applicability of the presented method.

show abstract

“…2 Regarding 2. ), we show that the k-observable subset of the observable hyperproperties is amenable to verification via self composition [5,13,30,26,31], much like k-safety hyperproperties, and identify which QIF problems belong to that family. We also show that the hardest of the QIF problems (but nevertheless one of the most popular) can only be classified as a general liveness hyperproperty, suggesting that liveness hyperproperty is a quite permissive class of hyperproperties.…”

Section: Introductionmentioning

confidence: 99%

Quantitative information flow as safety and liveness hyperproperties

Yasuoka

Terauchi

2014

Theoretical Computer Science

View full text Add to dashboard Cite

We employ Clarkson and Schneider's "hyperproperties" to classify various verification problems of quantitative information flow. The results of this paper unify and extend the previous results on the hardness of checking and inferring quantitative information flow. In particular, we identify a subclass of liveness hyperproperties, which we call "k-observable hyperproperties", that can be checked relative to a reachability oracle via self composition.

show abstract

Combining type-based analysis and model checking for finding counterexamples against non-interference

Cited by 19 publications

References 26 publications

Modelling declassification policies using abstract domain completeness

Modelling declassification policies using abstract domain completeness

Automatic Discovery and Quantification of Information Leaks

Quantitative information flow as safety and liveness hyperproperties

Contact Info

Product

Resources

About