Skip to main content Accessibility help
×
Home

A certified lightweight non-interference Java bytecode verifier

  • GILLES BARTHE (a1), DAVID PICHARDIE (a2) and TAMARA REZK (a3)

Abstract

Non-interference guarantees the absence of illicit information flow throughout program execution. It can be enforced by appropriate information flow type systems. Much of the previous work on type systems for non-interference has focused on calculi or high-level programming languages, and existing type systems for low-level languages typically omit objects, exceptions and method calls. We define an information flow type system for a sequential JVM-like language that includes all these programming features, and we prove, in the Coq proof assistant, that it guarantees non-interference. An additional benefit of the formalisation is that we have extracted from our proof a certified lightweight bytecode verifier for information flow. Our work provides, to the best of our knowledge, the first sound and certified information flow type system for such an expressive fragment of the JVM.

Copyright

Footnotes

Hide All

This work was partially funded by European Projects FP7-231620 HATS and FP7-256980 NESSoS, Spanish project TIN2009-14599 DESAFIOS 10, Madrid Regional project S2009TIC-1465 PROMETIDOS and French Brittany region project CertLogS.

Footnotes

References

Hide All
Abadi, M., Banerjee, A., Heintze, N. and Riecke, J. (1999) A core calculus of dependency. In: POPL ‘99: Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages 147–160.
Agat, J. (2000) Type Based Techniques for Covert Channel Elimination and Register Allocation, Ph.D. thesis, Chalmers University of Technology and Gothenburg University.
Amtoft, T., Bandhakavi, S. and Banerjee, A. (2006) A logic for information flow in object-oriented programs. In: Morrisett, G. and Jones, S. P. (eds.) POPL ‘06: Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages 91–102.
Appel, A. W. (2001) Foundational proof-carrying code. In: Halpern, J. (ed.) LICS ‘01 Proceedings of the 16th Annual IEEE Symposium on Logic in Computer Science 247.
Askarov, A. and Sabelfeld, A. (2005) Security-typed languages for implementation of cryptographic protocols: A case study. In: di Vimercati, S. and Syverson, P. and Gollmann, D. (eds.) Proceedings European Symposium On Research In Computer Security – ESORICS 2005. Springer-Verlag Lecture Notes in Computer Science 3679 197221.
Aydemir, B. E.et al. (2005) Mechanized metatheory for the masses: The PoplMark challenge. In: Hurd, J. and Melham, T. (eds.) Theorem Proving in Higher Order Logics – Proceedings 18th International Conference, TPHOLs 2005. Springer-Verlag Lecture Notes in Computer Science 3603 5065.
Banerjee, A. and Naumann, D. (2005) Stack-based access control for secure information flow. Journal of Functional Programming 15 131177. (Special Issue on Language-Based Security.)
Barthe, G., Basu, A. and Rezk, T. (2004) Security types preserving compilation. In Steffen, B. and Levi, G. (eds.) Verification, Model Checking and Abstract Interpretation. Springer-Verlag Lecture Notes in Computer Science 2934 215.
Barthe, G., Cavadini, S. and Rezk, T. (2008) Tractable enforcement of declassification policies. In: Proceedings 21st IEEE Computer Security Foundations Symposium, CSF 2008 83–97.
Barthe, G., Naumann, D. and Rezk, T. (2006) Deriving an information flow checker and certifying compiler for Java. In: Proceedings 2006 IEEE Symposium on Security and Privacy 230–242.
Barthe, G., Pichardie, D. and Rezk, T. (2007) A certified lightweight non-interference Java bytecode verifier. In: Nicola, R. (ed.) Programming Languages and Systems: Proceedings of the 16th European Symposium on Programming, ESOP 2007. Springer-Verlag Lecture Notes in Computer Science 4421 125140.
Barthe, G. and Rezk, T. (2005) Non-interference for a JVM-like language. In: Fähndrich, M. (ed.) TLDI ‘05: Proceedings of the 2005 ACM SIGPLAN international workshop on Types in languages design and implementation 103–112.
Barthe, G., Rezk, T., Russo, A. and Sabelfeld, A. (2010) Security of multithreaded programs by compilation. ACM Transactions on Information and System Security 13 (3).
Barthe, G. and Rivas, E. (2011) Static enforcement of information flow policies for a concurrent JVM-like language. In: Bruni, R. and Sassone, V. (eds.) Trustworthy Global Computing: Revised Selected Papers 6th International Symposium, TGC 2011. Springer-Verlag Lecture Notes in Computer Science 7173 7378.
Bernardeschi, C. and Francesco, N. D. (2002) Combining Abstract Interpretation and Model Checking for Analysing Security Properties of Java Bytecode. In: Cortesi, A. (ed.) Verification, Model Checking and Abstract Interpretation: Revised Papers Third International Workshop, VMCAI 2002. Springer-Verlag Lecture Notes in Computer Science 2294 115.
Besson, F., Jensen, T. P., Pichardie, D. and Turpin, T. (2010) Certified result checking for polyhedral analysis of bytecode programs. In: Wirsing, M., Hofmann, M. and Rauschmayer, A. (eds.) Trustworthly Global Computing: Revised Selected Papers 5th International Symposium, TGC 2010. Springer-Verlag Lecture Notes in Computer Science 6084 253267.
Bieber, P., Cazin, J., Girard, P., Lanet, J.-L., Wiels, V. and Zanon, G. (2002) Checking secure interactions of smart card applets: Extended version. Journal of Computer Security 10 (4)369398.
Bonelli, E., Compagnoni, A. B. and Medel, R. (2005) Information flow analysis for a typed assembly language with polymorphic stacks. In: Barthe, G., Grégoire, B., Huisman, M. and Lanet, J.-L. (eds.) Construction and Analysis of Safe, Secure, and Interoperable Smart Devices: Revised Selected Papers Second International Workshop, CASSIS 2005. Springer-Verlag Lecture Notes in Computer Science 3956 3756.
Deng, Z. and Smith, G. (2004) Lenient array operations for practical secure information flow. In: Proceedings 17th IEEE Computer Security Foundations Workshop, 2004. CSFW 115–124.
Freund, S. N. and Mitchell, J. C. (2003) A type system for the Java bytecode language and verifier. Journal of Automated Reasoning 30 (3–4)271321.
Genaim, S. and Spoto, F. (2005) Information flow analysis for Java bytecode. In: Cousot, R. (ed.) Verification, Model Checking and Abstract Interpretation: Proceedings 6th International Conference, VMCAI 2005. Springer-Verlag Lecture Notes in Computer Science 3385 346362.
Girard, P. (1999) Which security policy for multiapplication smart cards? In: Workshop on Smart Card Technology, USENIX Association.
Hammer, C., Krinke, J. and Snelting, G. (2006) Information flow control for Java based on path conditions in dependence graphs. In: IEEE International Symposium on Secure Software Engineering (ISSSE 2006) 1–10.
Hankin, C., Nielson, F. and Nielson, H. R. (2005) Principles of Program Analysis, second edition, Springer-Verlag.
Hedin, D. and Sands, D. (2006) Noninterference in the presence of non-opaque pointers. In: 19th IEEE Computer Security Foundations Workshop, (CSFW-19 2006) 217–229.
Hunt, S. and Sands, D. (2006) On flow-sensitive security types. In: Proceedings POPL ‘06: Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages 79–90
Kobayashi, N. and Shirane, K. (2002) Type-based information analysis for low-level languages. In: Proceedings of the Third Asian Workshop on Programming Languages and Systems, APLAS'02 302–316.
Leroy, X. (2002) Bytecode verification on Java smart cards. Software – Practice and Experience 32 (4)319340.
Mantel, H. and Sabelfeld, A. (2003) A Unifying Approach to the Security of Distributed and Multi-threaded Programs. Journal of Computer Security 11 (4)615676.
Medel, R., Compagnoni, A. B. and Bonelli, E. (2005) A typed assembly language for non-interference. In: Coppo, M., Lodi, E. and Pinna, G. M. (eds.) Theoretical Computer Science: Proceedings 9th Italian Conference, ICTCS 2005. Springer-Verlag Lecture Notes in Computer Science 3701 360374.
Montgomery, M. and Krishna, K. (1999) Secure object sharing in Java Card. In: Workshop on Smart Card Technology, USENIX Association.
Morrisett, G., Walker, D., Crary, K. and Glew, N. (1999) From system F to typed assembly language. In: Pugh, W. (ed.) ACM Transactions on Programming Languages and Systems (TOPLAS) 21 (3)527568. (Expanded version of a paper presented at POPL 1998.)
Myers, A. C. (1999) JFlow: Practical mostly-static information flow control. In Proceedings 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages – POPL ‘99 228–241. (Ongoing development at http://www.cs.cornell.edu/jif/.)
O'Neill, K. R., Clarkson, M. R. and Chong, S. (2006) Information-flow security for interactive programs. In: 19th IEEE Computer Security Foundations Workshop, (CSFW-19 2006) 190–201.
Pottier, F. and Simonet, V. (2003) Information flow inference for ML. ACM Transactions on Programming Languages and Systems 25 (1)117158.
Rezk, T. (2006) Verification of confidentiality policies for mobile code, Ph.D. thesis, Université de Nice Sophia-Antipolis.
Rose, E. (2003) Lightweight bytecode verification. Journal of Automated Reasoning 31 (3–4)303334.
Russo, A. and Sabelfeld, A. (2006) Securing interaction between threads and the scheduler. In: 19th IEEE Computer Security Foundations Workshop, (CSFW-19 2006) 177–189.
Sabelfeld, A. and Myers, A. (2003) Language-based information-flow security. IEEE Journal on Selected Areas in Communication 21 519.
Volpano, D. and Smith, G. (1997) A type-based approach to program security. In: Bidoit, M. and Dauchet, M. (eds.) Proceedings TAPSOFT ‘97: Theory and Practice of Software Development – 7th International Joint Conference CAAP/FASE. Springer-Verlag Lecture Notes in Computer Science 1214 607621.
Volpano, D. and Smith, G. (1998) Probabilistic noninterference in a concurrent language. In: Procedings 11th IEEE Computer Security Foundations Workshop 34–43.
Yu, D. and Islam, N. (2006) A typed assembly language for confidentiality. In: Sestoft, P. (ed.) Programming Languages and Systems: Proceedings of the 15th European Symposium on Programming, ESOP 2006. Springer-Verlag Lecture Notes in Computer Science 3924 162179.

Related content

Powered by UNSILO

A certified lightweight non-interference Java bytecode verifier

  • GILLES BARTHE (a1), DAVID PICHARDIE (a2) and TAMARA REZK (a3)

Metrics

Full text views

Total number of HTML views: 0
Total number of PDF views: 0 *
Loading metrics...

Abstract views

Total abstract views: 0 *
Loading metrics...

* Views captured on Cambridge Core between <date>. This data will be updated every 24 hours.

Usage data cannot currently be displayed.