Hostname: page-component-745bb68f8f-5r2nc Total loading time: 0 Render date: 2025-01-22T13:43:01.176Z Has data issue: false hasContentIssue false

A certified lightweight non-interference Java bytecode verifier

Published online by Cambridge University Press:  17 May 2013

GILLES BARTHE
Affiliation:
IMDEA Software Institute, Campus Montegancedo, 28660-Boadilla del Monte, Madrid, Spain Email: [email protected]
DAVID PICHARDIE
Affiliation:
INRIA Rennes–Bretagne Atlantique, Campus de Beaulieu, 35042 Rennes CedexFrance. Email: [email protected]
TAMARA REZK
Affiliation:
INRIA Sophia Antipolis–Méditerranée, 2004 Route des Lucioles, BP 93, 06902 Sophia Antipolis CedexFrance Email: [email protected]

Abstract

Non-interference guarantees the absence of illicit information flow throughout program execution. It can be enforced by appropriate information flow type systems. Much of the previous work on type systems for non-interference has focused on calculi or high-level programming languages, and existing type systems for low-level languages typically omit objects, exceptions and method calls. We define an information flow type system for a sequential JVM-like language that includes all these programming features, and we prove, in the Coq proof assistant, that it guarantees non-interference. An additional benefit of the formalisation is that we have extracted from our proof a certified lightweight bytecode verifier for information flow. Our work provides, to the best of our knowledge, the first sound and certified information flow type system for such an expressive fragment of the JVM.

Type
Paper
Copyright
Copyright © Cambridge University Press 2013 

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

Footnotes

This work was partially funded by European Projects FP7-231620 HATS and FP7-256980 NESSoS, Spanish project TIN2009-14599 DESAFIOS 10, Madrid Regional project S2009TIC-1465 PROMETIDOS and French Brittany region project CertLogS.

References

Abadi, M., Banerjee, A., Heintze, N. and Riecke, J. (1999) A core calculus of dependency. In: POPL ‘99: Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages 147–160.CrossRefGoogle Scholar
Agat, J. (2000) Type Based Techniques for Covert Channel Elimination and Register Allocation, Ph.D. thesis, Chalmers University of Technology and Gothenburg University.Google Scholar
Amtoft, T., Bandhakavi, S. and Banerjee, A. (2006) A logic for information flow in object-oriented programs. In: Morrisett, G. and Jones, S. P. (eds.) POPL ‘06: Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages 91–102.CrossRefGoogle Scholar
Appel, A. W. (2001) Foundational proof-carrying code. In: Halpern, J. (ed.) LICS ‘01 Proceedings of the 16th Annual IEEE Symposium on Logic in Computer Science 247.CrossRefGoogle Scholar
Askarov, A. and Sabelfeld, A. (2005) Security-typed languages for implementation of cryptographic protocols: A case study. In: di Vimercati, S. and Syverson, P. and Gollmann, D. (eds.) Proceedings European Symposium On Research In Computer Security – ESORICS 2005. Springer-Verlag Lecture Notes in Computer Science 3679 197221.CrossRefGoogle Scholar
Aydemir, B. E.et al. (2005) Mechanized metatheory for the masses: The PoplMark challenge. In: Hurd, J. and Melham, T. (eds.) Theorem Proving in Higher Order Logics – Proceedings 18th International Conference, TPHOLs 2005. Springer-Verlag Lecture Notes in Computer Science 3603 5065.CrossRefGoogle Scholar
Banerjee, A. and Naumann, D. (2005) Stack-based access control for secure information flow. Journal of Functional Programming 15 131177. (Special Issue on Language-Based Security.)CrossRefGoogle Scholar
Barthe, G., Basu, A. and Rezk, T. (2004) Security types preserving compilation. In Steffen, B. and Levi, G. (eds.) Verification, Model Checking and Abstract Interpretation. Springer-Verlag Lecture Notes in Computer Science 2934 215.CrossRefGoogle Scholar
Barthe, G., Cavadini, S. and Rezk, T. (2008) Tractable enforcement of declassification policies. In: Proceedings 21st IEEE Computer Security Foundations Symposium, CSF 2008 83–97.CrossRefGoogle Scholar
Barthe, G., Naumann, D. and Rezk, T. (2006) Deriving an information flow checker and certifying compiler for Java. In: Proceedings 2006 IEEE Symposium on Security and Privacy 230–242.CrossRefGoogle Scholar
Barthe, G., Pichardie, D. and Rezk, T. (2007) A certified lightweight non-interference Java bytecode verifier. In: Nicola, R. (ed.) Programming Languages and Systems: Proceedings of the 16th European Symposium on Programming, ESOP 2007. Springer-Verlag Lecture Notes in Computer Science 4421 125140.CrossRefGoogle Scholar
Barthe, G. and Rezk, T. (2005) Non-interference for a JVM-like language. In: Fähndrich, M. (ed.) TLDI ‘05: Proceedings of the 2005 ACM SIGPLAN international workshop on Types in languages design and implementation 103–112.CrossRefGoogle Scholar
Barthe, G., Rezk, T., Russo, A. and Sabelfeld, A. (2010) Security of multithreaded programs by compilation. ACM Transactions on Information and System Security 13 (3).CrossRefGoogle Scholar
Barthe, G. and Rivas, E. (2011) Static enforcement of information flow policies for a concurrent JVM-like language. In: Bruni, R. and Sassone, V. (eds.) Trustworthy Global Computing: Revised Selected Papers 6th International Symposium, TGC 2011. Springer-Verlag Lecture Notes in Computer Science 7173 7378.CrossRefGoogle Scholar
Bernardeschi, C. and Francesco, N. D. (2002) Combining Abstract Interpretation and Model Checking for Analysing Security Properties of Java Bytecode. In: Cortesi, A. (ed.) Verification, Model Checking and Abstract Interpretation: Revised Papers Third International Workshop, VMCAI 2002. Springer-Verlag Lecture Notes in Computer Science 2294 115.CrossRefGoogle Scholar
Besson, F., Jensen, T. P., Pichardie, D. and Turpin, T. (2010) Certified result checking for polyhedral analysis of bytecode programs. In: Wirsing, M., Hofmann, M. and Rauschmayer, A. (eds.) Trustworthly Global Computing: Revised Selected Papers 5th International Symposium, TGC 2010. Springer-Verlag Lecture Notes in Computer Science 6084 253267.CrossRefGoogle Scholar
Bieber, P., Cazin, J., Girard, P., Lanet, J.-L., Wiels, V. and Zanon, G. (2002) Checking secure interactions of smart card applets: Extended version. Journal of Computer Security 10 (4)369398.CrossRefGoogle Scholar
Bonelli, E., Compagnoni, A. B. and Medel, R. (2005) Information flow analysis for a typed assembly language with polymorphic stacks. In: Barthe, G., Grégoire, B., Huisman, M. and Lanet, J.-L. (eds.) Construction and Analysis of Safe, Secure, and Interoperable Smart Devices: Revised Selected Papers Second International Workshop, CASSIS 2005. Springer-Verlag Lecture Notes in Computer Science 3956 3756.CrossRefGoogle Scholar
Deng, Z. and Smith, G. (2004) Lenient array operations for practical secure information flow. In: Proceedings 17th IEEE Computer Security Foundations Workshop, 2004. CSFW 115–124.CrossRefGoogle Scholar
Freund, S. N. and Mitchell, J. C. (2003) A type system for the Java bytecode language and verifier. Journal of Automated Reasoning 30 (3–4)271321.CrossRefGoogle Scholar
Genaim, S. and Spoto, F. (2005) Information flow analysis for Java bytecode. In: Cousot, R. (ed.) Verification, Model Checking and Abstract Interpretation: Proceedings 6th International Conference, VMCAI 2005. Springer-Verlag Lecture Notes in Computer Science 3385 346362.CrossRefGoogle Scholar
Girard, P. (1999) Which security policy for multiapplication smart cards? In: Workshop on Smart Card Technology, USENIX Association.Google Scholar
Hammer, C., Krinke, J. and Snelting, G. (2006) Information flow control for Java based on path conditions in dependence graphs. In: IEEE International Symposium on Secure Software Engineering (ISSSE 2006) 1–10.Google Scholar
Hankin, C., Nielson, F. and Nielson, H. R. (2005) Principles of Program Analysis, second edition, Springer-Verlag.Google Scholar
Hedin, D. and Sands, D. (2006) Noninterference in the presence of non-opaque pointers. In: 19th IEEE Computer Security Foundations Workshop, (CSFW-19 2006) 217–229.CrossRefGoogle Scholar
Hunt, S. and Sands, D. (2006) On flow-sensitive security types. In: Proceedings POPL ‘06: Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages 79–90CrossRefGoogle Scholar
Kobayashi, N. and Shirane, K. (2002) Type-based information analysis for low-level languages. In: Proceedings of the Third Asian Workshop on Programming Languages and Systems, APLAS'02 302–316.Google Scholar
Leroy, X. (2002) Bytecode verification on Java smart cards. Software – Practice and Experience 32 (4)319340.CrossRefGoogle Scholar
Mantel, H. and Sabelfeld, A. (2003) A Unifying Approach to the Security of Distributed and Multi-threaded Programs. Journal of Computer Security 11 (4)615676.CrossRefGoogle Scholar
Medel, R., Compagnoni, A. B. and Bonelli, E. (2005) A typed assembly language for non-interference. In: Coppo, M., Lodi, E. and Pinna, G. M. (eds.) Theoretical Computer Science: Proceedings 9th Italian Conference, ICTCS 2005. Springer-Verlag Lecture Notes in Computer Science 3701 360374.CrossRefGoogle Scholar
Montgomery, M. and Krishna, K. (1999) Secure object sharing in Java Card. In: Workshop on Smart Card Technology, USENIX Association.Google Scholar
Morrisett, G., Walker, D., Crary, K. and Glew, N. (1999) From system F to typed assembly language. In: Pugh, W. (ed.) ACM Transactions on Programming Languages and Systems (TOPLAS) 21 (3)527568. (Expanded version of a paper presented at POPL 1998.)CrossRefGoogle Scholar
Myers, A. C. (1999) JFlow: Practical mostly-static information flow control. In Proceedings 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages – POPL ‘99 228–241. (Ongoing development at http://www.cs.cornell.edu/jif/.)CrossRefGoogle Scholar
O'Neill, K. R., Clarkson, M. R. and Chong, S. (2006) Information-flow security for interactive programs. In: 19th IEEE Computer Security Foundations Workshop, (CSFW-19 2006) 190–201.Google Scholar
Pottier, F. and Simonet, V. (2003) Information flow inference for ML. ACM Transactions on Programming Languages and Systems 25 (1)117158.CrossRefGoogle Scholar
Rezk, T. (2006) Verification of confidentiality policies for mobile code, Ph.D. thesis, Université de Nice Sophia-Antipolis.Google Scholar
Rose, E. (2003) Lightweight bytecode verification. Journal of Automated Reasoning 31 (3–4)303334.CrossRefGoogle Scholar
Russo, A. and Sabelfeld, A. (2006) Securing interaction between threads and the scheduler. In: 19th IEEE Computer Security Foundations Workshop, (CSFW-19 2006) 177–189.CrossRefGoogle Scholar
Sabelfeld, A. and Myers, A. (2003) Language-based information-flow security. IEEE Journal on Selected Areas in Communication 21 519.CrossRefGoogle Scholar
Volpano, D. and Smith, G. (1997) A type-based approach to program security. In: Bidoit, M. and Dauchet, M. (eds.) Proceedings TAPSOFT ‘97: Theory and Practice of Software Development – 7th International Joint Conference CAAP/FASE. Springer-Verlag Lecture Notes in Computer Science 1214 607621.CrossRefGoogle Scholar
Volpano, D. and Smith, G. (1998) Probabilistic noninterference in a concurrent language. In: Procedings 11th IEEE Computer Security Foundations Workshop 34–43.CrossRefGoogle Scholar
Yu, D. and Islam, N. (2006) A typed assembly language for confidentiality. In: Sestoft, P. (ed.) Programming Languages and Systems: Proceedings of the 15th European Symposium on Programming, ESOP 2006. Springer-Verlag Lecture Notes in Computer Science 3924 162179.CrossRefGoogle Scholar