Abstract
Failure to ensure data confidentiality can have a significant financial and reputational impact on companies. To make matters worse, commonly used methods such as testing are insufficient for proving data confidentiality in software systems. Existing information-flow-based approaches require heavy implementation and specification efforts or lack the expressiveness programmers desire. To tackle these issues, we propose a novel hybrid system for information flow control in low-level languages. By combining an information flow monitor with a type system that instruments programs with runtime security checks, we support value-dependent security types in a low-level setting. We formalise our type system and monitor using a TAL-like calculus and prove that they guarantee termination-insensitive non-interference. We present the first hybrid type system for information flow control with support for value-dependent types. We also introduce the first value-dependent hybrid mechanism for a low-level intermediate representation.
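To make the division of labour described in the abstract concrete, the following is an added illustration, written for this page and not taken from the paper or its TAL-like calculus. It models a toy register machine with a two-point lattice (LOW below HIGH). A static pass plays the role of the type system: it assigns each register a label of LOW, HIGH, or DEP (known only at runtime), rejects outputs that are secret in every run, accepts outputs that are public in every run without any check, and marks the remaining outputs for a runtime check. A monitor then executes the program, tracks precise labels plus a pc label for implicit flows, and enforces only the inserted checks. Everything specific here is assumed: the instruction set, the `Record`/`data_label` policy (a record is public to its owner and secret to everyone else, which is what makes the load's label value-dependent), the no-sensitive-upgrade rule used for writes under a secret pc, and the sample records and programs.

```python
from dataclasses import dataclass

LOW, HIGH = 0, 1   # runtime lattice LOW < HIGH
DEP = 2            # static only: label depends on a runtime value, so a check is inserted

class IFCError(Exception): pass

@dataclass
class Record:
    owner: str
    data: int

def data_label(rec, user):
    # Assumed value-dependent policy: a record is public to its owner, secret to anyone else.
    return LOW if rec.owner == user else HIGH

join = max   # runtime join on the two-point lattice

def sjoin(a, b):
    # Static join: HIGH absorbs everything, DEP absorbs LOW.
    return HIGH if HIGH in (a, b) else DEP if DEP in (a, b) else LOW

# Assumed toy instruction set (structured branches only: brz ... jmp JOIN ... join): mov r imm | secret r imm
# (imm labelled HIGH) | load r i (records[i].data) | brz r tgt (jump if r == 0) | jmp tgt | join | out r | halt
def static_check(program):
    """Type-like pass: returns {index of out: 'ok' | 'runtime'}; raises for an out that is always secret."""
    lab, pc, stack, checks = {}, LOW, [], {}
    for i, ins in enumerate(program):
        op = ins[0]
        if op == "mov":
            lab[ins[1]] = sjoin(pc, LOW)
        elif op == "secret":
            lab[ins[1]] = HIGH
        elif op == "load":
            lab[ins[1]] = sjoin(pc, DEP)
        elif op == "brz":
            stack.append(pc)
            pc = sjoin(pc, lab[ins[1]])
        elif op == "join":
            pc = stack.pop()
        elif op == "out":
            l = sjoin(pc, lab[ins[1]])
            if l == HIGH:
                raise IFCError(f"instruction {i}: secret output rejected statically")
            checks[i] = "ok" if l == LOW else "runtime"
    return checks

def run(program, records, user):
    """Execute under the monitor; only outs marked 'runtime' by static_check pay for a check."""
    checks, regs, pc, stack, ip, outputs = static_check(program), {}, LOW, [], 0, []
    def write(r, value, label):
        # No-sensitive-upgrade: a public register must not be overwritten under a secret pc.
        if pc != LOW and regs.get(r, (0, HIGH))[1] == LOW:
            raise IFCError(f"instruction {ip}: implicit flow into register {r}")
        regs[r] = (value, join(pc, label))
    while True:
        ins, op = program[ip], program[ip][0]
        if op == "mov":
            write(ins[1], ins[2], LOW)
        elif op == "secret":
            write(ins[1], ins[2], HIGH)
        elif op == "load":
            write(ins[1], records[ins[2]].data, data_label(records[ins[2]], user))
        elif op == "brz":
            v, l = regs[ins[1]]
            stack.append(pc)
            pc = join(pc, l)          # control now depends on r, so raise the pc label
            if v == 0:
                ip = ins[2]
                continue
        elif op == "jmp":
            ip = ins[1]
            continue
        elif op == "join":
            pc = stack.pop()          # both paths reach here, so the dependency ends
        elif op == "out":
            v, l = regs[ins[1]]
            if checks[ip] == "runtime" and join(pc, l) != LOW:
                raise IFCError(f"instruction {ip}: runtime check failed, output is secret")
            outputs.append(v)
        elif op == "halt":
            return outputs
        ip += 1

def observe(program, records, user):
    """What a public observer sees: the outputs, or 'blocked' if the monitor stopped the run."""
    try:
        return run(program, records, user)
    except IFCError:
        return "blocked"

# Constructed sample data and programs.
RECORDS = [Record("alice", 42), Record("bob", 7)]
SHOW_RECORD0 = [("load", 0, 0), ("out", 0), ("halt",)]                 # explicit, value-dependent flow
BRANCH_ON_RECORD0 = [("mov", 1, 0), ("load", 0, 0), ("brz", 0, 5),    # 0-2: r1 := 0; r0 := record 0
                     ("mov", 1, 1), ("jmp", 6),                        # 3-4: then r1 := 1
                     ("mov", 1, 2), ("join",), ("out", 1), ("halt",)]  # 5-8: else r1 := 2; out r1
PUBLIC_ONLY = [("mov", 0, 1), ("out", 0), ("halt",)]                   # no check needed at all
LEAK_SECRET = [("secret", 0, 5), ("out", 0), ("halt",)]                # rejected before running
```

Running `SHOW_RECORD0` as `alice` prints her own record, while the same program run as `bob` is stopped by the inserted check; `BRANCH_ON_RECORD0` is stopped for `bob` at the write inside the secret branch, so the branch outcome never reaches the public output. `PUBLIC_ONLY` needs no runtime check and `LEAK_SECRET` never runs at all, which is the cost saving a hybrid scheme is after. The guarantee shown is termination-insensitive: for a user who may not see a record, `observe` returns the same result whatever that record contains, with the monitor's abort counting as unobservable.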
Acknowledgements
This work is supported by FCT/MCTES SFRH/BD/149043/2019, FCT/MCTES Grant NOVA LINCS - UIDB/04516/2020 and GOLEM Lisboa-01-0247-Feder-045917, INESC-ID multi-annual funding (UIDB/50021/2020) and INFOCOS (PTDC/CCI-COM/32378/2017).
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Geraldo, E., Santos, J.F., Seco, J.C. (2021). Hybrid Information Flow Control for Low-Level Code. In: Calinescu, R., Păsăreanu, C.S. (eds) Software Engineering and Formal Methods. SEFM 2021. Lecture Notes in Computer Science(), vol 13085. Springer, Cham. https://doi.org/10.1007/978-3-030-92124-8_9
DOI: https://doi.org/10.1007/978-3-030-92124-8_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-92123-1
Online ISBN: 978-3-030-92124-8
eBook Packages: Computer Science, Computer Science (R0)