Abstract
Automatic information flow control (IFC) can be used to guarantee the absence of information leaks in security-critical applications. However, IFC of real-world, complex, distributed systems is challenging. In this paper, we show how a model-driven approach for development of such applications consisting of mobile apps and web services can help solve those challenges using automatic code abstractions.
Notes
1. See http://isse.de/iflow for models and code of our case studies.
Acknowledgments
This work is sponsored by the Priority Programme 1496 “Reliably Secure Software Systems - RS\(^{3}\)” of the Deutsche Forschungsgemeinschaft (DFG).
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Katkalov, K., Stenzel, K., Reif, W. (2017). Code Abstractions for Automatic Information Flow Control in a Model-Driven Approach. In: Wang, G., Atiquzzaman, M., Yan, Z., Choo, KK. (eds) Security, Privacy, and Anonymity in Computation, Communication, and Storage. SpaCCS 2017. Lecture Notes in Computer Science, vol 10658. Springer, Cham. https://doi.org/10.1007/978-3-319-72395-2_20
DOI: https://doi.org/10.1007/978-3-319-72395-2_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-72394-5
Online ISBN: 978-3-319-72395-2
eBook Packages: Computer Science, Computer Science (R0)