Hypercollecting semantics and its application to static analysis of information flow

Assaf, Mounir; Naumann, David A.; Signoles, Julien; Totel, Éric; Tronel, Frédéric

doi:10.1145/3009837.3009889

Cited by 25 publications

(35 citation statements)

References 85 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Mathematically, abstract interpretation is very close to data refinement, where intermediate steps involve changes of data representation. For example, the state space Σ of R : Σ ⊸Σ would be connected with another, say ∆, by a coupling relation ρ : ∆ ⊸ Σ subject to a simulation condition such as S ; ρ ⊇ ρ ; R, recall (3). With a functional coupling, the connection could be ρ( S ∆) ⊒ R (ρ∆).…”

Section: Specifications and Refinementmentioning

confidence: 99%

“…Mantel considers a range of security properties via closure operators [24]. The limited usefulness of trace refinement for proving NI even for deterministic programs, as in the chain (12), is discussed by Assaf and Pasqua [3,27]. The formulation of possibilistic noninterference as ∼;R;∼ = R;∼ is due to Joshi and Leino [22] and resembles the formulation of Roscoe et al [35].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Whither Specifications as Programs

Naumann

Ngo

2019

Unifying Theories of Programming

Self Cite

View full text Add to dashboard Cite

Unifying theories distil common features of programming languages and design methods by means of algebraic operators and their laws. Several practical concerns -e.g., improvement of a program, conformance of code with design, correctness with respect to specified requirements -are subsumed by the beautiful notion that programs and designs are special forms of specification and their relationships are instances of logical implication between specifications. Mathematical development of this idea has been fruitful but limited to an impoverished notion of specification: trace properties. Some mathematically precise properties of programs, dubbed hyperproperties, refer to traces collectively. For example, confidentiality involves knowledge of possible traces. This article reports on both obvious and surprising results about lifting algebras of programming to hyperproperties, especially in connection with loops, and suggests directions for further research. The technical results are: a compositional semantics, at the hyper level, of imperative programs with loops, and proof that this semantics coincides with the direct image of a standard semantics, for subset closed hyperproperties.

show abstract

Section: Specifications and Refinementmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Whither Specifications as Programs

Naumann

Ngo

2019

Unifying Theories of Programming

Self Cite

View full text Add to dashboard Cite

show abstract

“…Doing so directly (e.g. by constructing a self-composition [7,36] or a relational program analysis [5,9,11,34,40]) can magnify the overall state space to consider.…”

Section: Decomposition: the Basicsmentioning

confidence: 99%

“…Other recent uses of product programs for program equivalence include [28,44]. Also, a recent work by Assaf et al [5] proposes to verify k-safety (and more general hyper-safety) problems via an abstract interpretation over program trace sets (as opposed to traces), which may be understood as an abstract interpretation over a (possibly unbounded) product of program copies. Recent work by Çiçek et al on relational cost analysis [11] describes a program analysis for checking and inferring resource-usage properties spanning multiple programs.…”

Section: Related Workmentioning

confidence: 99%

“…As such, several works have looked to improve the basic idea by exploiting structural similarities in the program (e.g., using interleaving composition [27,36,37]). Other works applied similar ideas to improve relational verifiers directly [5,11,31,34]. As discussed Section 7, these approaches (and others) nevertheless rely, at least implicitly, on making k copies of the program, which means that invariants are split across the product program.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Decomposition instead of self-composition for proving the absence of timing channels

Antonopoulos

Gazzillo

Hicks

et al. 2017

Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

We present a novel approach to proving the absence of timing channels. The idea is to partition the program's execution traces in such a way that each partition component is checked for timing attack resilience by a time complexity analysis and that per-component resilience implies the resilience of the whole program. We construct a partition by splitting the program traces at secret-independent branches. This ensures that any pair of traces with the same public input has a component containing both traces. Crucially, the per-component checks can be normal safety properties expressed in terms of a single execution. Our approach is thus in contrast to prior approaches, such as self-composition, that aim to reason about multiple (k ≥ 2) executions at once. We formalize the above as an approach called quotient partitioning, generalized to any k-safety property, and prove it to be sound. A key feature of our approach is a demanddriven partitioning strategy that uses a regex-like notion called trails to identify sets of execution traces, particularly those influenced by tainted (or secret) data. We have applied our technique in a prototype implementation tool called Blazer, based on WALA, PPL, and the brics automaton library. We have proved timing-channel freedom of (or synthesized an attack specification for) 24 programs written in Java bytecode, including 6 classic examples from the literature and 6 examples extracted from the DARPA STAC challenge problems. CCS Concepts • Security and privacy → Logic and verification; • Theory of computation → Program reasoning; Logic and verification; • Software and its engineering → Formal methods

show abstract

Information Flow Certificates

Töws

Wehrheim

2018

Theoretical Aspects of Computing – ICTAC 2018

View full text Add to dashboard Cite

Hypercollecting semantics and its application to static analysis of information flow

Cited by 25 publications

References 85 publications

Whither Specifications as Programs

Whither Specifications as Programs

Decomposition instead of self-composition for proving the absence of timing channels

Information Flow Certificates

Contact Info

Product

Resources

About