DOI: 10.1145/2508859.2516721
Research article, CCS '13

Relational abstract interpretation for the verification of 2-hypersafety properties

Published: 04 November 2013

Abstract

Information flow properties of programs can be formalized as hyperproperties specifying the relation of multiple executions. In this paper, we therefore introduce a framework for proving 2-hypersafety properties by means of abstract interpretation. The main idea is to apply abstract interpretation on the self-compositions of the control flow graphs of programs. As a result, our method is inherently capable of analyzing relational properties of even dissimilar programs.
Constructing self-compositions of control flow graphs is nontrivial. Therefore, we present an algorithm for constructing quality self-compositions driven by a tree distance measure between the abstract syntax trees of subprograms. Finally, we demonstrate the applicability of the approach by proving intricate information flow properties of programs written in a simple language for tree manipulation motivated by the Web Services Business Process Execution Language.
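The following is an added example and not code from the paper: a small relational abstract interpreter in Python for a while-language with integer variables, rather than the paper's tree-manipulation language. It takes the special case of self-composition in which both copies are the same program and are aligned statement by statement (a lock-step product), so no tree-distance-driven alignment is needed, and it uses a plain relational domain, the set of variables known to agree between the two runs, to prove termination-insensitive noninterference, a 2-hypersafety property. The tuple encoding of statements and the sample programs (with `h` as the secret input, `l` as the public input and `out` as the public output) are assumptions made for the example.

```python
"""Added example (not from the paper): relational abstract interpretation of a tiny
while-language for termination-insensitive noninterference, a 2-hypersafety property.
The abstract state is the set of variables known to agree between two runs that
started with equal low inputs; the two program copies are analysed in lock step,
and when a guard may differ between the runs every variable written under it is
conservatively dropped from the state."""
from typing import FrozenSet, List, Set

# Expressions: ('var', name) | ('const', n) | (op, e1, e2), op in add, sub, mul, lt, eq
# Statements:  ('assign', x, e) | ('if', cond, then_block, else_block) | ('while', cond, body)
Block = List[tuple]

def var(name: str) -> tuple:
    return ('var', name)

def const(n: int) -> tuple:
    return ('const', n)

def free_vars(e: tuple) -> Set[str]:
    if e[0] == 'var':
        return {e[1]}
    if e[0] == 'const':
        return set()
    return free_vars(e[1]) | free_vars(e[2])

def assigned_vars(block: Block) -> Set[str]:
    """Variables written anywhere inside `block` (used when the copies may diverge)."""
    out: Set[str] = set()
    for stmt in block:
        if stmt[0] == 'assign':
            out.add(stmt[1])
        elif stmt[0] == 'if':
            out |= assigned_vars(stmt[2]) | assigned_vars(stmt[3])
        elif stmt[0] == 'while':
            out |= assigned_vars(stmt[2])
    return out

def transfer(block: Block, equal: FrozenSet[str]) -> FrozenSet[str]:
    """Abstract transformer for the lock-step product of two copies of `block`:
    from the variables known to agree before it to those known to agree after it.
    Every rule over-approximates "may differ", so the analysis is sound, not complete."""
    for stmt in block:
        kind = stmt[0]
        if kind == 'assign':
            x, e = stmt[1], stmt[2]
            # x agrees afterwards iff every operand of e agreed before.
            equal = equal | {x} if free_vars(e) <= equal else equal - {x}
        elif kind == 'if':
            cond, then_b, else_b = stmt[1], stmt[2], stmt[3]
            if free_vars(cond) <= equal:
                # Same branch in both copies: stay in lock step, join by intersection.
                equal = transfer(then_b, equal) & transfer(else_b, equal)
            else:
                # Implicit flow: the copies may take different branches.
                equal = equal - assigned_vars(then_b) - assigned_vars(else_b)
        elif kind == 'while':
            cond, body = stmt[1], stmt[2]
            # The state only shrinks, so this fixpoint terminates within |vars| rounds.
            while True:
                if free_vars(cond) <= equal:
                    nxt = equal & transfer(body, equal)
                else:
                    nxt = equal - assigned_vars(body)
                if nxt == equal:
                    break
                equal = nxt
        else:
            raise ValueError(f'unknown statement kind {kind!r}')
    return equal

def noninterferent(block: Block, low_inputs, low_outputs) -> bool:
    """True iff the analysis proves: any two runs agreeing on low_inputs agree on low_outputs."""
    return set(low_outputs) <= transfer(block, frozenset(low_inputs))

# Constructed sample programs: h is the secret input, l the public input, out the public output.
SECURE = [
    ('assign', 'y', ('add', var('l'), const(1))),
    ('assign', 'i', const(0)),
    ('while', ('lt', var('i'), var('l')),
        [('assign', 'y', ('mul', var('y'), const(2))), ('assign', 'i', ('add', var('i'), const(1)))]),
    ('assign', 'h', ('add', var('h'), var('y'))),  # secret updated from public data: allowed
    ('assign', 'out', var('y')),
]
IMPLICIT_FLOW = [  # implicit flow through a secret-dependent branch
    ('assign', 'out', const(0)),
    ('if', ('lt', const(0), var('h')), [('assign', 'out', const(1))], []),
]
LOOP_LEAK = [  # leaks h through the number of loop iterations
    ('assign', 'out', const(0)),
    ('assign', 'i', const(0)),
    ('while', ('lt', var('i'), var('h')),
        [('assign', 'out', ('add', var('out'), const(1))), ('assign', 'i', ('add', var('i'), const(1)))]),
]
OVER_APPROXIMATED = [  # secure (out is always 0) but rejected: the domain cannot see t - t == 0
    ('assign', 't', var('h')),
    ('assign', 'out', ('sub', var('t'), var('t'))),
]
```

Calling `noninterferent(prog, ['l'], ['out'])` proves `SECURE` and rejects `IMPLICIT_FLOW` and `LOOP_LEAK`; it also rejects `OVER_APPROXIMATED`, which is the expected incompleteness of an abstract domain that tracks agreement between runs but not arithmetic identities. Two caveats a practitioner should keep in mind: the property is termination-insensitive (a loop whose guard depends on `h` may diverge in one run and not the other, which this analysis does not report), and the identity alignment of the two copies is what makes the plain agreement domain precise enough for the low-guarded loop; for dissimilar programs, or for copies whose control flow cannot be matched statement by statement, a better alignment has to be found first, which is the problem the paper's tree-distance-driven self-composition addresses.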

    Published In

    CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
    November 2013, 1530 pages
    ISBN: 9781450324779
    DOI: 10.1145/2508859
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. abstract interpretation
    2. hyperproperties
    3. information flow control
    4. semi-structured data

    Qualifiers

    • Research-article

    Conference

    CCS '13

    Acceptance Rates

    CCS '13 paper acceptance rate: 105 of 530 submissions, 20%
    Overall acceptance rate: 1,261 of 6,999 submissions, 18%

    Article Metrics

    • Downloads (last 12 months): 25
    • Downloads (last 6 weeks): 1
    Reflects downloads up to 17 Jan 2025

    Cited By

    • (2025) Sliver: A Scalable Slicing-Based Verification for Information Flow Security. IEEE Transactions on Dependable and Secure Computing 22(1):457-473, Jan 2025. doi:10.1109/TDSC.2024.3403653
    • (2024) Input-Relational Verification of Deep Neural Networks. Proceedings of the ACM on Programming Languages 8(PLDI):1-27, 20 Jun 2024. doi:10.1145/3656377
    • (2024) Automated Software Verification of Hyperliveness. Tools and Algorithms for the Construction and Analysis of Systems, pp. 196-216, 6 Apr 2024. doi:10.1007/978-3-031-57249-4_10
    • (2023) An Algebra of Alignment for Relational Verification. Proceedings of the ACM on Programming Languages 7(POPL):573-603, 11 Jan 2023. doi:10.1145/3571213
    • (2023) The WhyRel Prototype for Modular Relational Verification of Pointer Programs. Tools and Algorithms for the Construction and Analysis of Systems, pp. 133-151, 22 Apr 2023. doi:10.1007/978-3-031-30820-8_11
    • (2022) Proving hypersafety compositionally. Proceedings of the ACM on Programming Languages 6(OOPSLA2):289-314, 31 Oct 2022. doi:10.1145/3563298
    • (2022) Stratified guarded first-order transition systems. Formal Methods in System Design, 22 Nov 2022. doi:10.1007/s10703-022-00404-9
    • (2022) RHLE: Modular Deductive Verification of Relational $\forall\exists$ Properties. Programming Languages and Systems, pp. 67-87, 25 Nov 2022. doi:10.1007/978-3-031-21037-2_4
    • (2022) Generalized Arrays for Stainless Frames. Verification, Model Checking, and Abstract Interpretation, pp. 332-354, 14 Jan 2022. doi:10.1007/978-3-030-94583-1_17
    • (2021) An abstract interpretation for SPMD divergence on reducible control flow graphs. Proceedings of the ACM on Programming Languages 5(POPL):1-31, 4 Jan 2021. doi:10.1145/3434312
