
Hybrid Information Flow Control for Low-Level Code

Conference paper

Software Engineering and Formal Methods (SEFM 2021)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 13085)

Abstract

Failure to ensure data confidentiality can have a significant financial and reputational impact on companies. To make matters worse, commonly used methods such as testing cannot prove that a software system preserves confidentiality. Existing information-flow-based approaches either require heavy implementation and specification effort or lack the expressiveness programmers desire. To tackle these issues, we propose a novel hybrid system for information flow control in low-level languages. By combining an information flow monitor with a type system that instruments programs with runtime security checks, we support value-dependent security types in a low-level setting. We formalise our type system and monitor using a TAL-like calculus and prove that together they guarantee termination-insensitive non-interference. We present the first hybrid type system for information flow control with support for value-dependent types, and the first value-dependent hybrid mechanism for a low-level intermediate representation.
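To make the hybrid scheme in the abstract concrete, the following toy monitor is an added illustration written for this page; it is not the paper's calculus, and the instruction set, register names, and sample programs are all hypothetical. A static pass walks a flat register-machine program with a two-point lattice (L below H), rejects outputs it can prove leak, and, where a label depends on a runtime value (the `ldep` instruction, a stand-in for a value-dependent type) or on control flow guarded by such a value, instruments the code with `check` and `upgrade` instructions that a dynamic monitor then enforces. Conditionals are encoded as `ifz r n` (run the next n instructions only if r == 0) so that the implicit-flow region has an explicit end; the paper's TAL-like setting with arbitrary jumps would instead need post-dominator information to find that point.

```python
"""Toy hybrid information-flow monitor for a flat register-machine IR.

Added illustration, not the paper's calculus.  A static pass labels each
register L, H or '?' ('?' = value-dependent, known only at runtime) and
inserts the runtime checks it cannot discharge; a monitor then runs the
instrumented program and enforces them.  Opcodes (all hypothetical):
mov dst src | add dst a b | ifz r n (if r == 0 run the next n instructions,
else skip them) | ldep dst value guard (dst = value, labelled H iff
guard != 0) | out r (write r to the public channel).  The static pass
inserts: upgrade guard regs (raise the registers written inside an ifz
region, whichever path ran) | check r (r must be L at this point).
"""
ORDER = {"L": 0, "H": 1}

class IFCError(Exception):
    pass

def join(a, b):
    if "?" in (a, b):                       # static pass only: unknown until runtime
        return "H" if "H" in (a, b) else "?"
    return a if ORDER[a] >= ORDER[b] else b

def writes(block):
    return sorted({ins[1] for ins in block if ins[0] in ("mov", "add", "ldep")})

def instrument(block, env, pc="L"):
    """Static pass: returns (instrumented block, label environment after it)."""
    env, out, i = dict(env), [], 0
    slab = lambda x: env[x] if isinstance(x, str) else "L"   # literals are public
    while i < len(block):
        ins, op = block[i], block[i][0]
        if op == "mov":
            env[ins[1]] = join(pc, slab(ins[2]))
        elif op == "add":
            env[ins[1]] = join(pc, join(env[ins[2]], env[ins[3]]))
        elif op == "ldep":
            env[ins[1]] = join(pc, join(env[ins[3]], "?"))   # label decided at runtime
        elif op == "ifz":
            r, n = ins[1], ins[2]
            body, env_body = instrument(block[i + 1:i + 1 + n], env, join(pc, env[r]))
            written = writes(block[i + 1:i + 1 + n])
            for k in written:                # conservative: either branch may have run
                env[k] = join(env_body[k], env.get(k, "L"))
            out += [("ifz", r, len(body))] + body + [("upgrade", r, written)]
            i += n + 1
            continue
        elif op == "out":
            lab = join(pc, env[ins[1]])
            if lab == "H":
                raise IFCError(f"static: {ins[1]} is H at public output")
            if lab == "?":
                out.append(("check", ins[1]))   # defer the decision to the monitor
        out.append(ins)
        i += 1
    return out, env

def run(prog, regs, labels):
    """Dynamic monitor: returns the public output, or raises IFCError on a leak."""
    regs, labels, output = dict(regs), dict(labels), []
    val = lambda x: regs[x] if isinstance(x, str) else x
    lab = lambda x: labels[x] if isinstance(x, str) else "L"

    def exec_block(block, pc):
        i = 0
        while i < len(block):
            ins, op = block[i], block[i][0]
            if op == "mov":
                regs[ins[1]], labels[ins[1]] = val(ins[2]), join(pc, lab(ins[2]))
            elif op == "add":
                regs[ins[1]] = regs[ins[2]] + regs[ins[3]]
                labels[ins[1]] = join(pc, join(labels[ins[2]], labels[ins[3]]))
            elif op == "ldep":                  # label follows the guard's current value
                regs[ins[1]] = ins[2]
                labels[ins[1]] = join(pc, join(lab(ins[3]), "H" if regs[ins[3]] else "L"))
            elif op == "ifz":
                if regs[ins[1]] == 0:
                    exec_block(block[i + 1:i + 1 + ins[2]], join(pc, labels[ins[1]]))
                i += ins[2]
            elif op == "upgrade":
                for k in ins[2]:
                    labels[k] = join(labels.get(k, "L"), join(pc, labels[ins[1]]))
            elif op == "check":
                if join(pc, labels[ins[1]]) != "L":
                    raise IFCError(f"runtime: {ins[1]} is H at public output")
            elif op == "out":
                output.append(regs[ins[1]])
            i += 1

    exec_block(prog, "L")
    return output

# Constructed samples: PROG_IMPLICIT leaks `secret` through control flow and is
# rejected statically; PROG_DEP's output is legal only when flag == 0, which
# the static pass cannot know, so it receives a runtime check instead.
PROG_IMPLICIT = [("mov", "t", 0), ("ifz", "secret", 1), ("mov", "t", 1), ("out", "t")]
PROG_DEP = [("ldep", "data", 42, "flag"), ("out", "data")]

if __name__ == "__main__":
    code, _ = instrument(PROG_DEP, {"flag": "L"})
    print(code, run(code, {"flag": 0}, {"flag": "L"}))
```

Two design points are worth noting. First, the `upgrade` instruction is where the hybrid nature shows: the static pass knows which registers a guarded region writes, so the monitor can raise their labels whichever branch ran, avoiding the no-sensitive-upgrade rejections a purely dynamic monitor would need. Second, a program whose output is statically L gets no check at all, so the runtime cost of monitoring is paid only where a label genuinely depends on a value.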



Acknowledgements

This work is supported by FCT/MCTES SFRH/BD/149043/2019, FCT/MCTES Grant NOVA LINCS - UIDB/04516/2020 and GOLEM Lisboa-01-0247-Feder-045917, INESC-ID multi-annual funding (UIDB/50021/2020) and INFOCOS (PTDC/CCI-COM/32378/2017).

Author information

Corresponding author: Eduardo Geraldo


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Geraldo, E., Santos, J.F., Seco, J.C. (2021). Hybrid Information Flow Control for Low-Level Code. In: Calinescu, R., Păsăreanu, C.S. (eds) Software Engineering and Formal Methods. SEFM 2021. Lecture Notes in Computer Science, vol 13085. Springer, Cham. https://doi.org/10.1007/978-3-030-92124-8_9


  • DOI: https://doi.org/10.1007/978-3-030-92124-8_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92123-1

  • Online ISBN: 978-3-030-92124-8
