Progress-Sensitive Security for SPARK

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9639)

Abstract

SPARK 2014 is a safety-critical language subset of Ada developed by Altran and used for developing safe and secure software by major industrial players in the aviation, commercial, medical, space, and military domains. This paper puts a spotlight on the SPARK flow analysis. Articulating the boundaries of what is achievable by the analysis, we spell out attacks to exploit termination, progress, resource exhaustion, and timing channels. We harden the analysis to achieve security against stronger attackers, with the focus on progress-sensitive security as our baseline. Instead of redesigning and reimplementing the enforcement, we leverage known flow analyses for weaker attackers by a transform on program dependence graphs. We establish the soundness of this approach for a core language and demonstrate that it can be applied as a source-to-source transform of SPARK code when modifying the compiler is undesirable. A case study, derived from publicly available code for a control unit of a missile, indicates the usefulness of the approach.

Notes

  1. The SPARK 2014 documentation states that SPARK programs are allowed to raise exceptions, but may not handle them. However, in our experiments with SPARK GPL 2015, we found that the flow analysis did not track flows through exceptions.

Acknowledgments

Thanks are due to Angela Wallenburg for inspiration and regular updates about developments on SPARK. This work was funded by the European Community under the ProSecuToR and WebSand projects, the Swedish research agencies SSF and VR, and the German DFG priority program “Reliably Secure Software Systems” (RS3). This research was supported in part by US Navy grant N000141310156 and NSF grant 1320470.

Author information

Corresponding author: Willard Rafnsson.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Rafnsson, W., Garg, D., Sabelfeld, A. (2016). Progress-Sensitive Security for SPARK. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds) Engineering Secure Software and Systems. ESSoS 2016. Lecture Notes in Computer Science, vol. 9639. Springer, Cham. https://doi.org/10.1007/978-3-319-30806-7_2

  • DOI: https://doi.org/10.1007/978-3-319-30806-7_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-30805-0

  • Online ISBN: 978-3-319-30806-7

  • eBook Packages: Computer Science (R0)