Skip to main content Accessibility help
×
Home
Hostname: page-component-55b6f6c457-ln9sz Total loading time: 0.215 Render date: 2021-09-25T04:24:29.938Z Has data issue: true Feature Flags: { "shouldUseShareProductTool": true, "shouldUseHypothesis": true, "isUnsiloEnabled": true, "metricsAbstractViews": false, "figures": true, "newCiteModal": false, "newCitedByModal": true, "newEcommerce": true, "newUsageEvents": true }

A certified lightweight non-interference Java bytecode verifier

Published online by Cambridge University Press:  17 May 2013

GILLES BARTHE
Affiliation:
IMDEA Software Institute, Campus Montegancedo, 28660-Boadilla del Monte, Madrid, Spain Email: gilles.barthe@imdea.org
DAVID PICHARDIE
Affiliation:
INRIA Rennes–Bretagne Atlantique, Campus de Beaulieu, 35042 Rennes CedexFrance. Email: David.Pichardie@inria.fr
TAMARA REZK
Affiliation:
INRIA Sophia Antipolis–Méditerranée, 2004 Route des Lucioles, BP 93, 06902 Sophia Antipolis CedexFrance Email: Tamara.Rezk@inria.fr

Abstract

Non-interference guarantees the absence of illicit information flow throughout program execution. It can be enforced by appropriate information flow type systems. Much of the previous work on type systems for non-interference has focused on calculi or high-level programming languages, and existing type systems for low-level languages typically omit objects, exceptions and method calls. We define an information flow type system for a sequential JVM-like language that includes all these programming features, and we prove, in the Coq proof assistant, that it guarantees non-interference. An additional benefit of the formalisation is that we have extracted from our proof a certified lightweight bytecode verifier for information flow. Our work provides, to the best of our knowledge, the first sound and certified information flow type system for such an expressive fragment of the JVM.

Type
Paper
Copyright
Copyright © Cambridge University Press 2013 

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

Footnotes

This work was partially funded by European Projects FP7-231620 HATS and FP7-256980 NESSoS, Spanish project TIN2009-14599 DESAFIOS 10, Madrid Regional project S2009TIC-1465 PROMETIDOS and French Brittany region project CertLogS.

References

Abadi, M., Banerjee, A., Heintze, N. and Riecke, J. (1999) A core calculus of dependency. In: POPL ‘99: Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages 147–160.CrossRefGoogle Scholar
Agat, J. (2000) Type Based Techniques for Covert Channel Elimination and Register Allocation, Ph.D. thesis, Chalmers University of Technology and Gothenburg University.Google Scholar
Amtoft, T., Bandhakavi, S. and Banerjee, A. (2006) A logic for information flow in object-oriented programs. In: Morrisett, G. and Jones, S. P. (eds.) POPL ‘06: Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages 91–102.CrossRefGoogle Scholar
Appel, A. W. (2001) Foundational proof-carrying code. In: Halpern, J. (ed.) LICS ‘01 Proceedings of the 16th Annual IEEE Symposium on Logic in Computer Science 247.CrossRefGoogle Scholar
Askarov, A. and Sabelfeld, A. (2005) Security-typed languages for implementation of cryptographic protocols: A case study. In: di Vimercati, S. and Syverson, P. and Gollmann, D. (eds.) Proceedings European Symposium On Research In Computer Security – ESORICS 2005. Springer-Verlag Lecture Notes in Computer Science 3679 197221.CrossRefGoogle Scholar
Aydemir, B. E.et al. (2005) Mechanized metatheory for the masses: The PoplMark challenge. In: Hurd, J. and Melham, T. (eds.) Theorem Proving in Higher Order Logics – Proceedings 18th International Conference, TPHOLs 2005. Springer-Verlag Lecture Notes in Computer Science 3603 5065.CrossRefGoogle Scholar
Banerjee, A. and Naumann, D. (2005) Stack-based access control for secure information flow. Journal of Functional Programming 15 131177. (Special Issue on Language-Based Security.)CrossRefGoogle Scholar
Barthe, G., Basu, A. and Rezk, T. (2004) Security types preserving compilation. In Steffen, B. and Levi, G. (eds.) Verification, Model Checking and Abstract Interpretation. Springer-Verlag Lecture Notes in Computer Science 2934 215.CrossRefGoogle Scholar
Barthe, G., Cavadini, S. and Rezk, T. (2008) Tractable enforcement of declassification policies. In: Proceedings 21st IEEE Computer Security Foundations Symposium, CSF 2008 83–97.Google Scholar
Barthe, G., Naumann, D. and Rezk, T. (2006) Deriving an information flow checker and certifying compiler for Java. In: Proceedings 2006 IEEE Symposium on Security and Privacy 230–242.Google Scholar
Barthe, G., Pichardie, D. and Rezk, T. (2007) A certified lightweight non-interference Java bytecode verifier. In: Nicola, R. (ed.) Programming Languages and Systems: Proceedings of the 16th European Symposium on Programming, ESOP 2007. Springer-Verlag Lecture Notes in Computer Science 4421 125140.CrossRefGoogle Scholar
Barthe, G. and Rezk, T. (2005) Non-interference for a JVM-like language. In: Fähndrich, M. (ed.) TLDI ‘05: Proceedings of the 2005 ACM SIGPLAN international workshop on Types in languages design and implementation 103–112.CrossRefGoogle Scholar
Barthe, G., Rezk, T., Russo, A. and Sabelfeld, A. (2010) Security of multithreaded programs by compilation. ACM Transactions on Information and System Security 13 (3).CrossRefGoogle Scholar
Barthe, G. and Rivas, E. (2011) Static enforcement of information flow policies for a concurrent JVM-like language. In: Bruni, R. and Sassone, V. (eds.) Trustworthy Global Computing: Revised Selected Papers 6th International Symposium, TGC 2011. Springer-Verlag Lecture Notes in Computer Science 7173 7378.CrossRefGoogle Scholar
Bernardeschi, C. and Francesco, N. D. (2002) Combining Abstract Interpretation and Model Checking for Analysing Security Properties of Java Bytecode. In: Cortesi, A. (ed.) Verification, Model Checking and Abstract Interpretation: Revised Papers Third International Workshop, VMCAI 2002. Springer-Verlag Lecture Notes in Computer Science 2294 115.CrossRefGoogle Scholar
Besson, F., Jensen, T. P., Pichardie, D. and Turpin, T. (2010) Certified result checking for polyhedral analysis of bytecode programs. In: Wirsing, M., Hofmann, M. and Rauschmayer, A. (eds.) Trustworthly Global Computing: Revised Selected Papers 5th International Symposium, TGC 2010. Springer-Verlag Lecture Notes in Computer Science 6084 253267.CrossRefGoogle Scholar
Bieber, P., Cazin, J., Girard, P., Lanet, J.-L., Wiels, V. and Zanon, G. (2002) Checking secure interactions of smart card applets: Extended version. Journal of Computer Security 10 (4)369398.CrossRefGoogle Scholar
Bonelli, E., Compagnoni, A. B. and Medel, R. (2005) Information flow analysis for a typed assembly language with polymorphic stacks. In: Barthe, G., Grégoire, B., Huisman, M. and Lanet, J.-L. (eds.) Construction and Analysis of Safe, Secure, and Interoperable Smart Devices: Revised Selected Papers Second International Workshop, CASSIS 2005. Springer-Verlag Lecture Notes in Computer Science 3956 3756.CrossRefGoogle Scholar
Deng, Z. and Smith, G. (2004) Lenient array operations for practical secure information flow. In: Proceedings 17th IEEE Computer Security Foundations Workshop, 2004. CSFW 115–124.Google Scholar
Freund, S. N. and Mitchell, J. C. (2003) A type system for the Java bytecode language and verifier. Journal of Automated Reasoning 30 (3–4)271321.CrossRefGoogle Scholar
Genaim, S. and Spoto, F. (2005) Information flow analysis for Java bytecode. In: Cousot, R. (ed.) Verification, Model Checking and Abstract Interpretation: Proceedings 6th International Conference, VMCAI 2005. Springer-Verlag Lecture Notes in Computer Science 3385 346362.CrossRefGoogle Scholar
Girard, P. (1999) Which security policy for multiapplication smart cards? In: Workshop on Smart Card Technology, USENIX Association.Google Scholar
Hammer, C., Krinke, J. and Snelting, G. (2006) Information flow control for Java based on path conditions in dependence graphs. In: IEEE International Symposium on Secure Software Engineering (ISSSE 2006) 1–10.Google Scholar
Hankin, C., Nielson, F. and Nielson, H. R. (2005) Principles of Program Analysis, second edition, Springer-Verlag.Google Scholar
Hedin, D. and Sands, D. (2006) Noninterference in the presence of non-opaque pointers. In: 19th IEEE Computer Security Foundations Workshop, (CSFW-19 2006) 217–229.CrossRefGoogle Scholar
Hunt, S. and Sands, D. (2006) On flow-sensitive security types. In: Proceedings POPL ‘06: Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages 79–90Google Scholar
Kobayashi, N. and Shirane, K. (2002) Type-based information analysis for low-level languages. In: Proceedings of the Third Asian Workshop on Programming Languages and Systems, APLAS'02 302–316.Google Scholar
Leroy, X. (2002) Bytecode verification on Java smart cards. Software – Practice and Experience 32 (4)319340.CrossRefGoogle Scholar
Mantel, H. and Sabelfeld, A. (2003) A Unifying Approach to the Security of Distributed and Multi-threaded Programs. Journal of Computer Security 11 (4)615676.CrossRefGoogle Scholar
Medel, R., Compagnoni, A. B. and Bonelli, E. (2005) A typed assembly language for non-interference. In: Coppo, M., Lodi, E. and Pinna, G. M. (eds.) Theoretical Computer Science: Proceedings 9th Italian Conference, ICTCS 2005. Springer-Verlag Lecture Notes in Computer Science 3701 360374.CrossRefGoogle Scholar
Montgomery, M. and Krishna, K. (1999) Secure object sharing in Java Card. In: Workshop on Smart Card Technology, USENIX Association.Google Scholar
Morrisett, G., Walker, D., Crary, K. and Glew, N. (1999) From system F to typed assembly language. In: Pugh, W. (ed.) ACM Transactions on Programming Languages and Systems (TOPLAS) 21 (3)527568. (Expanded version of a paper presented at POPL 1998.)CrossRefGoogle Scholar
Myers, A. C. (1999) JFlow: Practical mostly-static information flow control. In Proceedings 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages – POPL ‘99 228–241. (Ongoing development at http://www.cs.cornell.edu/jif/.)Google Scholar
O'Neill, K. R., Clarkson, M. R. and Chong, S. (2006) Information-flow security for interactive programs. In: 19th IEEE Computer Security Foundations Workshop, (CSFW-19 2006) 190–201.CrossRefGoogle Scholar
Pottier, F. and Simonet, V. (2003) Information flow inference for ML. ACM Transactions on Programming Languages and Systems 25 (1)117158.CrossRefGoogle Scholar
Rezk, T. (2006) Verification of confidentiality policies for mobile code, Ph.D. thesis, Université de Nice Sophia-Antipolis.Google Scholar
Rose, E. (2003) Lightweight bytecode verification. Journal of Automated Reasoning 31 (3–4)303334.CrossRefGoogle Scholar
Russo, A. and Sabelfeld, A. (2006) Securing interaction between threads and the scheduler. In: 19th IEEE Computer Security Foundations Workshop, (CSFW-19 2006) 177–189.CrossRefGoogle Scholar
Sabelfeld, A. and Myers, A. (2003) Language-based information-flow security. IEEE Journal on Selected Areas in Communication 21 519.CrossRefGoogle Scholar
Volpano, D. and Smith, G. (1997) A type-based approach to program security. In: Bidoit, M. and Dauchet, M. (eds.) Proceedings TAPSOFT ‘97: Theory and Practice of Software Development – 7th International Joint Conference CAAP/FASE. Springer-Verlag Lecture Notes in Computer Science 1214 607621.CrossRefGoogle Scholar
Volpano, D. and Smith, G. (1998) Probabilistic noninterference in a concurrent language. In: Procedings 11th IEEE Computer Security Foundations Workshop 34–43.Google Scholar
Yu, D. and Islam, N. (2006) A typed assembly language for confidentiality. In: Sestoft, P. (ed.) Programming Languages and Systems: Proceedings of the 15th European Symposium on Programming, ESOP 2006. Springer-Verlag Lecture Notes in Computer Science 3924 162179.CrossRefGoogle Scholar
10
Cited by

Send article to Kindle

To send this article to your Kindle, first ensure no-reply@cambridge.org is added to your Approved Personal Document E-mail List under your Personal Document Settings on the Manage Your Content and Devices page of your Amazon account. Then enter the ‘name’ part of your Kindle email address below. Find out more about sending to your Kindle. Find out more about sending to your Kindle.

Note you can select to send to either the @free.kindle.com or @kindle.com variations. ‘@free.kindle.com’ emails are free but can only be sent to your device when it is connected to wi-fi. ‘@kindle.com’ emails can be delivered even when you are not connected to wi-fi, but note that service fees apply.

Find out more about the Kindle Personal Document Service.

A certified lightweight non-interference Java bytecode verifier
Available formats
×

Send article to Dropbox

To send this article to your Dropbox account, please select one or more formats and confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your <service> account. Find out more about sending content to Dropbox.

A certified lightweight non-interference Java bytecode verifier
Available formats
×

Send article to Google Drive

To send this article to your Google Drive account, please select one or more formats and confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your <service> account. Find out more about sending content to Google Drive.

A certified lightweight non-interference Java bytecode verifier
Available formats
×
×

Reply to: Submit a response

Please enter your response.

Your details

Please enter a valid email address.

Conflicting interests

Do you have any conflicting interests? *