Code Abstractions for Automatic Information Flow Control in a Model-Driven Approach

  • Conference paper
Security, Privacy, and Anonymity in Computation, Communication, and Storage (SpaCCS 2017)

Abstract

Automatic information flow control (IFC) can be used to guarantee the absence of information leaks in security-critical applications. However, IFC of real-world, complex, distributed systems is challenging. In this paper, we show how a model-driven approach for development of such applications consisting of mobile apps and web services can help solve those challenges using automatic code abstractions.

Notes

  1. See http://isse.de/iflow for models and code of our case studies.

Acknowledgments

This work is sponsored by the Priority Programme 1496 “Reliably Secure Software Systems - RS\(^{3}\)” of the Deutsche Forschungsgemeinschaft (DFG).

Author information

Correspondence to Kuzman Katkalov.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Katkalov, K., Stenzel, K., Reif, W. (2017). Code Abstractions for Automatic Information Flow Control in a Model-Driven Approach. In: Wang, G., Atiquzzaman, M., Yan, Z., Choo, KK. (eds) Security, Privacy, and Anonymity in Computation, Communication, and Storage. SpaCCS 2017. Lecture Notes in Computer Science, vol 10658. Springer, Cham. https://doi.org/10.1007/978-3-319-72395-2_20

  • DOI: https://doi.org/10.1007/978-3-319-72395-2_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-72394-5

  • Online ISBN: 978-3-319-72395-2

  • eBook Packages: Computer Science (R0)
