Abstract
SPARK 2014 is a safety-critical language subset of Ada developed by Altran and used for developing safe and secure software by major industrial players in the aviation, commercial, medical, space, and military domains. This paper puts a spotlight on the SPARK flow analysis. Articulating the boundaries of what is achievable by the analysis, we spell out attacks to exploit termination, progress, resource exhaustion, and timing channels. We harden the analysis to achieve security against stronger attackers, with the focus on progress-sensitive security as our baseline. Instead of redesigning and reimplementing the enforcement, we leverage known flow analyses for weaker attackers by a transform on program dependence graphs. We establish the soundness of this approach for a core language and demonstrate that it can be applied as a source-to-source transform of SPARK code when modifying the compiler is undesirable. A case study, derived from publicly available code for a control unit of a missile, indicates the usefulness of the approach.
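The abstract only describes the PDG transform abstractly, so the following is an added toy illustration (not the paper's code or its exact transform): a program dependence graph over statement ids, a progress-insensitive leak check by reachability, and a transform that adds a dependence edge from every loop guard to each statement reached only after the loop exits, so that a secret-controlled loop that may diverge is reported as a flow to later public output. Program shapes, node ids and edge sets are constructed for the example.

```python
def reachable(edges, sources):
    """Nodes reachable from `sources` along the directed dependence edges."""
    seen, stack = set(), list(sources)
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(edges.get(n, ()))
    return seen

def progress_transform(pdg, loops, order):
    """Copy `pdg` and add a 'progress' edge from each loop guard to every
    statement that executes only after that loop has exited (assumed
    simplification of the paper's transform).
    loops: {guard_node: body_nodes}; order: statement ids in program order."""
    out = {n: set(es) for n, es in pdg.items()}
    for guard, body in loops.items():
        for later in order[order.index(guard) + 1:]:
            if later not in body:
                out.setdefault(guard, set()).add(later)
    return out

def leaks(pdg, high_sources, low_sinks):
    """True iff a public output node depends (transitively) on a secret."""
    return bool(reachable(pdg, high_sources) & set(low_sinks))

# Constructed program A (ids in program order); statement 4 is a public output:
#   1: H := Read_Secret;  2: while H > 0 loop  3: H := H - 1;  4: Put_Line ("done");
# Edges point from a statement to the statements that depend on it.
PROG_A = {
    "order": [1, 2, 3, 4],
    "pdg": {1: {2, 3}, 3: {2, 3}, 2: {3}},   # data deps on H, control dep of body
    "loops": {2: {3}},
    "high": {1}, "low_sinks": {4},
}
# Constructed program B: the loop guard is public, so the transform must not
# report a flow from the secret to the public output in statement 5.
#   1: H := Read_Secret;  2: L := Read_Public;  3: while L > 0 loop
#   4: L := L - 1;  5: Put_Line ("done");  6: Log_Secret (H);
PROG_B = {
    "order": [1, 2, 3, 4, 5, 6],
    "pdg": {1: {6}, 2: {3, 4}, 4: {3, 4}, 3: {4}},
    "loops": {3: {4}},
    "high": {1}, "low_sinks": {5},
}

def analyse(prog):
    """Return (progress-insensitive verdict, progress-sensitive verdict)."""
    ti = leaks(prog["pdg"], prog["high"], prog["low_sinks"])
    ps = leaks(progress_transform(prog["pdg"], prog["loops"], prog["order"]),
               prog["high"], prog["low_sinks"])
    return ti, ps
```

Program A passes the plain PDG check but is flagged once the progress edge from the secret-guarded loop to the output is added; program B is accepted by both, since only its public-guarded loop gains progress edges.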
Notes
1. The SPARK 2014 documentation states that SPARK programs are allowed to raise exceptions, but may not handle them. However, in our experiments with SPARK GPL 2015, we found that the flow analysis did not track flows through exceptions.
Acknowledgments
Thanks are due to Angela Wallenburg for inspiration and regular updates about developments on SPARK. This work was funded by the European Community under the ProSecuToR and WebSand projects, the Swedish research agencies SSF and VR and the German DFG priority program “Reliably Secure Software Systems” (RS3). This research was supported in part by US Navy grant N000141310156; NSF grants 1320470.
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Rafnsson, W., Garg, D., Sabelfeld, A. (2016). Progress-Sensitive Security for SPARK. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds) Engineering Secure Software and Systems. ESSoS 2016. Lecture Notes in Computer Science(), vol 9639. Springer, Cham. https://doi.org/10.1007/978-3-319-30806-7_2
DOI: https://doi.org/10.1007/978-3-319-30806-7_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-30805-0
Online ISBN: 978-3-319-30806-7