On PDG-based noninterference and its modular proof

Wasserrab, Daniel; Lohner, Denis; Snelting, Gregor

doi:10.1145/1554339.1554345

Cited by 30 publications

(40 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…conversion between SDG and CFG nodes, initial states often consist of only one call frame, etc. Previous work [29] verified this connection between intraprocedural slicing and noninterference.…”

Section: Slicing Guarantees Information Flow Noninterferencesupporting

confidence: 61%

Proving Information Flow Noninterference by Reusing a Machine-Checked Correctness Proof for Slicing

Wasserrab¹,

Lohner²

EPiC Series in Computing

Self Cite

View full text Add to dashboard Cite

We present a machine-checked correctness proof for information flow noninterference based on interprocedural slicing. It reuses a correctness proof of the context-sensitive interprocedural slicing algorithm of Horwitz, Reps, and Binkley. The underlying slicing framework is modular in the programming language used; by instantiating this framework the correctness proofs hold for the respective language, without reproving anything in the correctness proofs for slicing and noninterference. We present instantiations with two different languages to show the applicability of the framework, and thus a verified noninterference algorithm for these languages. The formalization and proofs are conducted in the proof assistant Isabelle/HOL.

show abstract

Section: Slicing Guarantees Information Flow Noninterferencesupporting

confidence: 61%

Proving Information Flow Noninterference by Reusing a Machine-Checked Correctness Proof for Slicing

Wasserrab¹,

Lohner²

EPiC Series in Computing

Self Cite

View full text Add to dashboard Cite

show abstract

“…This result was proved formally by Wasserrab et al [59]. As seen in Section 2, this is equivalent to the PIDGINQL query pgm.between(source, sink) evaluating to an empty graph.…”

Section: Security Guarantees From Pdgsmentioning

confidence: 81%

“…They have developed JOANA [21], an object sensitive and context sensitive tool for checking noninterference in Java bytecode [22], shown their techniques to be sound [59], and considered information flow in concurrent programs [17]. They also use path conditions to improve precision by ruling out impossible paths [54].…”

Section: Related Workmentioning

confidence: 99%

Exploring and enforcing security guarantees via program dependence graphs

et al. 2015

View full text Add to dashboard Cite

We present PIDGIN, a program analysis and understanding tool that enables the specification and enforcement of precise applicationspecific information security guarantees. PIDGIN also allows developers to interactively explore the information flows in their applications to develop policies and investigate counter-examples.PIDGIN combines program dependence graphs (PDGs), which precisely capture the information flows in a whole application, with a custom PDG query language. Queries express properties about the paths in the PDG; because paths in the PDG correspond to information flows in the application, queries can be used to specify global security policies.PIDGIN is scalable. Generating a PDG for a 330k line Java application takes 90 seconds, and checking a policy on that PDG takes under 14 seconds. The query language is expressive, supporting a large class of precise, application-specific security guarantees. Policies are separate from the code and do not interfere with testing or development, and can be used for security regression testing.We describe the design and implementation of PIDGIN and report on using it: (1) to explore information security guarantees in legacy programs; (2) to develop and modify security policies concurrently with application development; and (3) to develop policies based on known vulnerabilities.

show abstract

“…Our verified Java compiler is part of a larger project which aims to completely verify an infrastructure for language-based security [9,28]. Still, much remains to be done: Without a trusted VM, the guarantee of the verified compiler is vacuous.…”

Section: Discussionmentioning

confidence: 99%

Verifying a Compiler for Java Threads

Lochbihler

2010

Programming Languages and Systems

View full text Add to dashboard Cite

Abstract.A verified compiler is an integral part of every security infrastructure. Previous work has come up with formal semantics for sequential and concurrent variants of Java and has proven the correctness of compilers for the sequential part. This paper presents a rigorous formalisation (in the proof assistant Isabelle/HOL) of concurrent Java source and byte code together with an executable compiler and its correctness proof. It guarantees that the generated byte code shows exactly the same observable behaviour as the semantics for the multithreaded source code.

show abstract

On PDG-based noninterference and its modular proof

Cited by 30 publications

References 37 publications

Proving Information Flow Noninterference by Reusing a Machine-Checked Correctness Proof for Slicing

Proving Information Flow Noninterference by Reusing a Machine-Checked Correctness Proof for Slicing

Exploring and enforcing security guarantees via program dependence graphs

Verifying a Compiler for Java Threads

Contact Info

Product

Resources

About