Dependent Type Theory for Verification of Information Flow and Access Control Policies

Nanevski, Aleksandar; Banerjee, Anindya; Garg, Deepak

doi:10.1145/2491522.2491523

Cited by 43 publications

(45 citation statements)

References 86 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…in this paper. Following Nanevski et al [24], we assume heaps are indistinguishable iff they are exactly equal, i.e., they contain equal addresses, storing equal values. Thus we also guard against attackers that can distinguish concrete representations of pointers as integer addresses, and perform pointer arithmetic.…”

Section: Attack Modelmentioning

confidence: 99%

“…We briefly recapitulate the main components of the RHTT framework introduced by Nanevski et al [24]. Fundamentally, RHTT is based on the following aspects of dependent type theory: dependent function types, inductive types and module systems.…”

Section: Background: Rhttmentioning

confidence: 99%

“…We specify and statically enforce A's policy above using higher-order methods [24]. A's interface exposes a higher-order method, endorse, which takes a method (e.g.…”

Section: Introductionmentioning

confidence: 99%

“…We use Relational Hoare Type Theory (RHTT, [24]) for both programming and proof throughout this paper. RHTT is a programming language and logic for specifying and enforcing expressive, state-based access control and information flow policies of imperative programs.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Dependent types for enforcement of information flow and erasure policies in heterogeneous data structures

Stewart

Banerjee

Nanevski

2013

Proceedings of the 15th Symposium on Principles and Practice of Declarative Programming

Self Cite

View full text Add to dashboard Cite

We consider verification of information flow and erasure properties in programs with heterogeneous heap-based data structures, in the presence of procedures with local state. A heterogeneous data structure, such as a hash table implementing a medical record database, may store both secret and public data simultaneously. In contrast, extant work primarily focuses on homogeneous data structures which store data of a uniform security level. Heterogeneity, however, does not come for free. For example, standard implementations of hash tables do not support heterogeneity, and may leak sensitive information easily owing to hash collisions. In this paper we identify unique representation as a sufficient condition for a heterogeneous data structure to be leak-free, while simultaneously supporting abstraction and modularity in verification. As a case study, we implement and verify a novel uniquely-represented variant of heterogeneous hash tables. Furthermore, we demonstrate modular reasoning by showing how specifications of the hash table methods can be used in a client application; we thereby obtain abstract and concise formal proofs of erasure. We formalize our work in Relational Hoare Type Theory (RHTT), an expressive, higherorder imperative language and program logic embedded in the Coq proof assistant.

show abstract

Section: Attack Modelmentioning

confidence: 99%

Section: Background: Rhttmentioning

confidence: 99%

“…We specify and statically enforce A's policy above using higher-order methods [24]. A's interface exposes a higher-order method, endorse, which takes a method (e.g.…”

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Dependent types for enforcement of information flow and erasure policies in heterogeneous data structures

Stewart

Banerjee

Nanevski

2013

Proceedings of the 15th Symposium on Principles and Practice of Declarative Programming

Self Cite

View full text Add to dashboard Cite

show abstract

“…In ongoing work, we have extended RL to a relational version, akin to [3,22,14] but featuring a proof rule for representation independence. We plan to use this as basis for a proof system that allows use of observationally pure methods in specifications, which relies on relational consequences of encapsulation [9,15].…”

Section: Introductionmentioning

confidence: 99%

A Logical Analysis of Framing for Specifications with Pure Method Calls

Banerjee

Naumann

2014

Verified Software: Theories, Tools and Experiments

Self Cite

View full text Add to dashboard Cite

Abstract. For specifying and reasoning about object-based programs it is often attractive for contracts to be expressed using calls to pure methods. It is useful for pure methods to have contracts, including read effects to support local reasoning based on frame conditions. This leads to puzzles such as the use of a pure method in its own contract. These ideas have been explored in connection with verification tools based on axiomatic semantics, guided by the need to avoid logical inconsistency, and focusing on encodings that cater for first order automated provers. This paper adds pure methods and read effects to region logic, a firstorder program logic that features frame-based local reasoning and a proof rule for linking of clients with modules to achieve end-to-end correctness by modular reasoning. Soundness is proved with respect to a conventional operational semantics and using the extensional (i.e., relational) interpretation of read effects.

show abstract