Abstract
Information flow control (IFC) checks whether a program can leak secret data to public ports, or whether critical computations can be influenced from outside. But many IFC analyses are imprecise, as they are flow-insensitive, context-insensitive, or object-insensitive; resulting in false alarms. We argue that IFC must better exploit modern program analysis technology, and present an approach based on program dependence graphs (PDG). PDGs have been developed over the last 20 years as a standard device to represent information flow in a program, and today can handle realistic programs. In particular, our dependence graph generator for full Java bytecode is used as the basis for an IFC implementation which is more precise and needs less annotations than traditional approaches. We explain PDGs for sequential and multi-threaded programs, and explain precision gains due to flow-, context-, and object-sensitivity. We then augment PDGs with a lattice of security levels and introduce the flow equations for IFC. We describe algorithms for flow computation in detail and prove their correctness. We then extend flow equations to handle declassification, and prove that our algorithm respects monotonicity of release. Finally, examples demonstrate that our implementation can check realistic sequential programs in full Java bytecode.
Similar content being viewed by others
References
Abadi, M., Banerjee, A., Heintze, N., Riecke, J.G.: A core calculus of dependency. In: POPL ’99: Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 147–160. ACM, New York (1999). doi:10.1145/292540.292555
Agat, J.: Transforming out timing leaks. In: POPL ’00: Proceedings of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 40–53. ACM, New York (2000). doi:10.1145/325694.325702
Amtoft, T., Bandhakavi, S., Banerjee, A.: A logic for information flow in object-oriented programs. In: POPL ’06: Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 91–102. ACM, New York (2006). doi:10.1145/1111037.1111046
Anderson, P., Reps, T., Teitelbaum, T.: Design and implementation of a fine-grained software inspection tool. IEEE Trans. Softw. Eng. 29(8) (2003). doi:10.1109/TSE.2003.1223646
Barthe, G., Rezk, T.: Non-interference for a JVM-like language. In: TLDI ’05: Proceedings of the 2005 ACM SIGPLAN International Workshop on Types in Languages Design and Implementation, pp. 103–112. ACM Press, New York (2005). doi:10.1145/1040294.1040304
Bell D.E., LaPadula L.J.: Secure computer systems: a mathematical model, vol. II. J. Comput. Secur. 4(2/3), 229–263 (1996). Based on MITRE Technical Report 2547, vol. II
Bergeretti J.F., Carré B.A.: Information-flow and data-flow analysis of while-programs. ACM Trans. Program. Lang. Syst. 7(1), 37–61 (1985). doi:10.1145/2363.2366
Biba, K.J.: Integrity considerations for secure computer systems. Tech. Rep. MTR-3153, The Mitre Corporation (1977). doi:100.2/ADA039324
Bieber, P., Cazin, J., Marouani, A.E., Girard, P., Lanet, J.L., Wiels, V., Zanon, G.: The PACAP prototype: a tool for detecting Java Card illegal flow. In: Proceedings of 1st International Workshop, Java Card 2000. Lecture Notes in Computer Sciences, vol. 2041, pp. 25–37. Springer, Cannes (2000). doi:10.1007/3-540-45165-X_3
Binkley D., Harman M., Krinke J.: Empirical study of optimization techniques for massive slicing. ACM Trans. Program. Lang. Syst. 30(1), 3 (2007). doi:10.1145/1290520.1290523
Chambers, C., Pechtchanski, I., Sarkar, V., Serrano, M.J., Srinivasan, H.: Dependence analysis for Java. In: Proceedings of the 12th International Workshop on Languages and Compilers for Parallel Computing, pp. 35–52. Springer, Berlin (1999). doi:10.1007/3-540-44905-1_3
Chess B., McGraw G.: Static analysis for security. IEEE Secur. Priv. 2(6), 76–79 (2004). doi:10.1109/MSP.2004.111
Clark D., Hankin C., Hunt S.: Information flow for Algol-like languages. Comput. Lang. Syst. Struct. 28(1), 3–28 (2002). doi:10.1016/S0096-0551(02)00006-1
Cohen, E.S.: Foundations of Secure Computation, chap. Information Transmission in Sequential Programs, pp. 297–335. Academic Press, Orlando (1978). Paper presented at a 3 day workshop held at Georgia Inst. of Technology, Atlanta, Oct. 1977
Ferrante J., Ottenstein K.J., Warren J.D.: The program dependence graph and its use in optimization. ACM Trans. Program. Lang. Syst. 9(3), 319–349 (1987). doi:10.1145/24039.24041
Giffhorn, D., Hammer, C.: Precise analysis of Java programs using JOANA (tool demonstration). In: Proceedings of 8th IEEE International Working Conference on Source Code Analysis and Manipulation, pp. 267–268 (2008). doi:10.1109/SCAM.2008.17
Giffhorn D., Hammer C.: Precise slicing of concurrent programs—an evaluation of precise slicing algorithms for concurrent programs. J. Autom. Softw. Eng. 16(2), 197–234 (2009). doi:10.1007/s10515-009-0048-x
Goguen, J.A., Meseguer, J.: Interference control and unwinding. In: Proceedings of Symposium on Security and Privacy, pp. 75–86. IEEE, New York (1984). doi:10.1109/SP.1984.10019
Hammer, C.: Information flow control for Java. Ph.D. thesis, Universität Karlsruhe (TH) (2009, Forthcoming)
Hammer, C., Krinke, J., Nodes, F.: Intransitive noninterference in dependence graphs. In: Proceedings of Second International Symposium on Leveraging Application of Formal Methods, Verification and Validation (ISoLA 2006), pp. 119–128. IEEE Computer Society, Washington, DC (2006). doi:10.1109/ISoLA.2006.39
Hammer, C., Krinke, J., Snelting, G.: Information flow control for Java based on path conditions in dependence graphs. In: Proceedings of IEEE International Symposium on Secure Software Engineering (ISSSE’06), pp. 87–96 (2006)
Hammer, C., Schaade, R., Snelting, G.: Static path conditions for Java. In: PLAS ’08: Proceedings of the Third ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pp. 57–66. ACM, New York (2008). doi:10.1145/1375696.1375704
Hammer, C., Snelting, G.: An improved slicer for Java. In: PASTE ’04: Proceedings of the 5th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering, pp. 17–22. ACM Press, New York (2004). doi:10.1145/996821.996830
Hardekopf, B., Lin, C.: Semi-sparse flow sensitive pointer analysis. In: POPL ’09: Proceedings of the 36th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 226–238. ACM, New York (2009). doi:10.1145/1480881.1480911
Horwitz, S., Prins, J., Reps, T.: On the adequacy of program dependence graphs for representing programs. In: POPL ’88: Proceedings of the 15th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 146–157. ACM, New York (1988). doi:10.1145/73560.73573
Horwitz S., Reps T., Binkley D.: Interprocedural slicing using dependence graphs. ACM Trans. Program. Lang. Syst. 12(1), 26–60 (1990). doi:10.1145/77606.77608
Hunt, S., Sands, D.: On flow-sensitive security types. In: POPL ’06: Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 79–90. ACM Press, New York (2006). doi:10.1145/1111037.1111045
Jayaraman, G., Ranganath, V.P., Hatcliff, J.: Kaveri: Delivering the Indus Java program slicer to Eclipse. In: Proceedings of Fundamental Approaches to Software Engineering (FASE’05). Lecture Notes in Computer Sciences, vol. 3442, pp. 269–272. Springer, Berlin (2005). doi:10.1007/b107062
Kam J.B., Ullman J.D.: Monotone data flow analysis frameworks. Acta Inform. 7(3), 305–317 (1977). doi:10.1007/BF00290339
Klein G., Nipkow T.: A machine-checked model for a Java-like language, virtual machine, and compiler. ACM Trans. Program. Lang. Syst. 28(4), 619–695 (2006). doi:10.1145/1146809.1146811
Krinke, J.: Context-sensitive slicing of concurrent programs. In: ESEC/FSE-11: Proceedings of the 9th European Software Engineering Conference Held Jointly with 11th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pp. 178–187. ACM, New York (2003). doi:10.1145/940071.940096
Krinke, J.: Program slicing. In: Handbook of Software Engineering and Knowledge Engineering, vol. 3: Recent Advances. World Scientific, Singapore (2005)
Lhoták, O., Hendren, L.: Scaling Java points-to using Spark. In: Proceedings of 12th International Conference on Compiler Construction. Lecture Notes in Computer Sciences, vol. 2622, pp. 153–169 (2003). doi:10.1007/3-540-36579-6_12
Livshits, B., Lam, M.S.: Finding security vulnerabilities in Java applications with static analysis. In: Proceedings of the Usenix Security Symposium, pp. 271–286. Baltimore, Maryland (2005). http://portal.acm.org/citation.cfm?id=1251416
Mantel, H., Reinhard, A.: Controlling the what and where of declassification in language-based security. In: ESOP ’07: Proceedings of the European Symposium on Programming. Lecture Notes in Computer Sciences, vol. 4421, pp. 141–156. Springer, Berlin (2007). doi:10.1007/978-3-540-71316-6
Mantel, H., Sands, D.: Controlled declassification based on intransitive noninterference. In: Proceedings of the 2nd Asian Symposium on Programming Languages and Systems, APLAS 2004. Lecture Notes in Computer Sciences, vol. 3302, pp. 129–145. Springer, Taipei (2004). doi:10.1007/b102225
Myers, A.C., Chong, S., Nystrom, N., Zheng, L., Zdancewic, S.: Jif: Java information flow. http://www.cs.cornell.edu/jif/
Myers A.C., Liskov B.: Protecting privacy using the decentralized label model. ACM Trans. Softw. Eng. Methodol. 9(4), 410–442 (2000). doi:10.1145/363516.363526
Nanda M.G., Ramesh S.: Interprocedural slicing of multithreaded programs with applications to Java. ACM Trans. Program. Lang. Syst. 28(6), 1088–1144 (2006). doi:10.1145/1186632.1186636
Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL—A Proof Assistant for Higher-Order Logic. Lecture Notes in Computer Sciences, vol. 2283. Springer, Berlin (2002). http://www4.informatik.tu-muenchen.de/~nipkow/LNCS2283/
Pistoia, M., Banerjee, A., Naumann, D.A.: Beyond stack inspection: a unified access-control and information-flow security model. In: SP ’07: Proceedings of the 2007 IEEE Symposium on Security and Privacy, pp. 149–163. IEEE Computer Society, Washington, DC (2007). doi:10.1109/SP.2007.10
Pistoia M., Chandra S., Fink S.J., Yahav E.: A survey of static analysis methods for identifying security vulnerabilities in software systems. IBM Syst. J. 46(2), 265–288 (2007). doi:10.1147/sj.462.0265
Pistoia, M., Flynn, R.J., Koved, L., Sreedhar, V.C.: Interprocedural analysis for privileged code placement and tainted variable detection. In: Proceedings of the 9th European Conference on Object-Oriented Programming. Lecture Notes in Computer Sciences, vol. 3586, pp. 362–386. Springer, Berlin (2005). doi:10.1007/11531142_16
Ranganath V.P., Amtoft T., Banerjee A., Hatcliff J., Dwyer M.B.: A new foundation for control dependence and slicing for modern program structures. ACM Trans. Program. Lang. Syst. 29(5), 27 (2007). doi:10.1145/1275497.1275502
Reps, T., Horwitz, S., Sagiv, M., Rosay, G.: Speeding up slicing. In: SIGSOFT ’94: Proceedings of the 2nd ACM SIGSOFT Symposium on Foundations of Software Engineering, pp. 11–20. ACM, New York (1994). doi:10.1145/193173.195287
Reps, T., Yang, W.: The semantics of program slicing. Tech. Rep. 777, Computer Sciences Department, University of Wisconsin-Madison (1988). http://www.cs.wisc.edu/techreports/viewreport.php?report=777
Robschink, T., Snelting, G.: Efficient path conditions in dependence graphs. In: ICSE ’02: Proceedings of the 24th International Conference on Software Engineering, pp. 478–488. ACM Press, New York (2002). doi:10.1145/581339.581398
Rountev, A., Milanova, A., Ryder, B.G.: Points-to analysis for Java using annotated constraints. In: OOPSLA ’01: Proceedings of the 16th ACM SIGPLAN Conference on Object Oriented Programming, Systems, Languages, and Applications, pp. 43–55. ACM, New York (2001). doi:10.1145/504282.504286
Sabelfeld A., Myers A.: Language-based information-flow security. IEEE J. Sel. Areas Commun. 21(1), 5–19 (2003). doi:10.1109/JSAC.2002.806121
Sabelfeld A., Sands D.: A PER model of secure information flow in sequential programs. Higher Order Symbol. Comput. 14(1), 59–91 (2001). doi:10.1023/A:1011553200337
Sabelfeld, A., Sands, D.: Dimensions and principles of declassification. In: CSFW ’05: Proceedings of the 18th IEEE Workshop on Computer Security Foundations, pp. 255–269. IEEE Computer Society, Washington, DC (2005). doi:10.1109/CSFW.2005.15
Scholz, B., Zhang, C., Cifuentes, C.: User-input dependence analysis via graph reachability. In: Proceedings of Eighth IEEE International Working Conference on Source Code Analysis and Manipulation, pp. 25–34 (2008). doi:10.1109/SCAM.2008.22
Smith, G., Volpano, D.: Secure information flow in a multi-threaded imperative language. In: POPL ’98: Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 355–364. ACM, New York (1998). doi:10.1145/268946.268975
Snelting, G.: Combining slicing and constraint solving for validation of measurement software. In: SAS ’96: Proceedings of the Third International Symposium on Static Analysis, pp. 332–348. Springer, London (1996). doi:10.1007/3-540-61739-6_51
Snelting G., Robschink T., Krinke J.: Efficient path conditions in dependence graphs for software safety analysis. ACM Trans. Softw. Eng. Methodol. 15(4), 410–457 (2006). doi:10.1145/1178625.1178628
Volpano, D.M., Smith, G.: A type-based approach to program security. In: TAPSOFT ’97: Proceedings of the 7th International Joint Conference CAAP/FASE on Theory and Practice of Software Development. Lecture Notes in Computer Sciences, vol. 1214, pp. 607–621. Springer, London (1997). doi:10.1007/BFb0030629
Wasserrab, D., Lohner, D., Snelting, G.: On PDG-based noninterference and its modular proof. In: PLAS ’09: Proceedings of the 4th Workshop on Programming Languages and Analysis for Security. ACM, New York (2009). doi:10.1145/1554339.1554345
Yokomori R., Ohata F., Takata Y., Seki H., Inoue K.: An information-leak analysis system based on program slicing. Inform. Softw. Technol. 44(15), 903–910 (2002). doi:10.1016/S0950-5849(02)00127-1
Author information
Authors and Affiliations
Corresponding author
Additional information
This research was supported by Deutsche Forschungsgemeinschaft (DFG grant Sn11/9-2). Preliminary versions of parts of this article appeared in [20,21].
Rights and permissions
About this article
Cite this article
Hammer, C., Snelting, G. Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs. Int. J. Inf. Secur. 8, 399–422 (2009). https://doi.org/10.1007/s10207-009-0086-1
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10207-009-0086-1