Secure information flow and pointer con .nement in a java-like language

  title={Secure information flow and pointer con .nement in a java-like language},
  author={Anindya Banerjee and David A. Naumann},
  journal={Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15},
  • A. BanerjeeD. Naumann
  • Published 24 June 2002
  • Computer Science
  • Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15
We consider a sequential object-oriented language with pointers and mutable state, private fields and class-based visibility, dynamic binding and inheritance, recursive classes, casts and type tests, and recursive methods. Programs are annotated with security levels, constrainedby security typing rules. A noninterference theorem shows how the rules ensure pointer confinement and secure information flow. 

Tables from this paper

Modular and Constraint-Based Information Flow Inference for an Object-Oriented Language

This paper addresses the problem of checking programs written in an object-oriented language to ensure that they satisfy the information flow policies, confidentiality and integrity by presenting an algorithm that infers such security types in a modular manner.

A Design for a Security-Typed Language with Certificate-Based Declassification

A conditioned version of the noninterference theorem such that authorization for declassification is justified by digital certificates from public-key infrastructures is proved.

Constraint-based modular secure information flow inference for object-oriented programs

This thesis presents a constraint-based inference system for secure information flow for a Java-like language with method inheritance and override, which is inter-procedural and modular: incremental inference can be performed on individual program components, and result used as libraries for other components.

Observational determinism for concurrent program security

  • S. ZdancewicA. Myers
  • Computer Science
    16th IEEE Computer Security Foundations Workshop, 2003. Proceedings.
  • 2003
This paper presents a relatively expressive secure concurrent calculi, provides first-class channels, high-order functions, and an unbounded number of threads.

Program-level Specification and Deductive Verification of Security Properties

This thesis shows how highly precise specification and deductive verification of language-based secure information flow can be made feasible by using the precision provided by the underlying calculus for Java Dynamic Logic.

Stack-based access control and secure information flow

A design pattern by which this mechanism can be used to achieve confidentiality and integrity goals: a single interface serves callers of more than one security level and dynamic access control prevents release of high information to low callers is investigated.

Type-based information flow analysis for bytecode languages with variable object field policies

A flow-sensitive type system for statically detecting illegal flows of information in a JVM-like language that allows the level of a field to vary at different object creation points is presented and a noninterference result is proved.

Verifying a Secure Information Flow Analyzer

Denotational semantics for a substantial fragment of Java is formalized by deep embedding in PVS, making extensive use of dependent types. A static analyzer for secure information flow for this

Formally verifying information flow type systems for concurrent and thread systems

Using the proof assistant Isabelle/HOL, a recent work of Boudol and Castellani cite BC02:tcs is machine-checked, which defines an information flow type system for a concurrent language with scheduling, and shows that typable programs are non-interferent.

Information Flow in Object-Oriented Software

A formalization of a popular object-sensitive non-interference property in a program logic – JavaDL in this case – which allows using an existing tool without requiring program modification, and a novel fine-grained specification methodology.



A Sound Type System for Secure Flow Analysis

This work forms Denning’s approach as a type system and presents a notion of soundness for the system that can be viewed as a form of noninterference.

Certification of programs for secure information flow

This paper presents a mechanism for verifying the secure flow of information through a program that exploits the properties of a lattice structure among security classes and proves that a program cannot cause supposedly nonconfidential results to depend on confidential input data.

Secure information flow in a multi-threaded imperative language

By modifying the sequential type system, the analysis is extended to deal with a multithreaded language and shows how a more restrictive type system can guarantee noninterference, given a more deterministic scheduling policy, such as round-robin time slicing.

Confinement Properties for Multi-Threaded Programs

A Type-Based Approach to Program Security

A type system which guarantees that well-typed programs in a procedural programming language satisfy a noninterference security property, which basically states that a program output can never change as a result of modifying only inputs classified at higher levels.

JFlow: practical mostly-static information flow control

The new language JFlow is described, an extension to the Java language that adds statically-checked information flow annotations and provides several new features that make information flow checking more flexible and convenient than in previous models.

A core calculus of dependency

It is argued that there is a central notion of dependency common to these settings that can be captured within a single calculus, the Dependency Core Calculus (DCC), a small extension of Moggi's computational lambda calculus.

A new type system for secure information flow

  • Geoffrey Smith
  • Computer Science
    Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001.
  • 2001
A new type system is presented that gives each command a type that ensures that no assignment to an L variable may sequentially follow a command whose running time depends on H variables, and can use H variables more flexibly.

A Per Model of Secure Information Flow in Sequential Programs

The approach is inspired by (and in the deterministic case equivalent to) the use of partial equivalence relations in specifying binding-time analysis, and is thus able to specify security properties of higher-order functions and “partially confidential data”.

Partial Evaluation and Non-interference for Object Calculi

We prove the correctness of a multi-level partial evaluator and of an information flow analysis for Abadi and Cardelli’s FOb 1 ≤ :, a simply typed object calculus with function and object types,